Hello Robert! Right, and this I think is actually a bug in Jolokia. I think it should > set its context path to /jolokia and use urlPatterns=/*, right? >
It's not a bug in Jolokia, but a limitation of the method to register a servlet... If you `git blame` related lines, you'll see: https://github.com/rhuss/jolokia/blame/v1.7.2/agent/osgi/src/main/java/org/jolokia/osgi/JolokiaActivator.java#L322-L325 This code was added ... 12 years ago and the only method back then was to use OSGi CMPN HttpService specification, which allowed to do these: - register a servlet - register resources That's all. No filters, *no contexts other than "/"!*, no listeners, no nothing... Whiteboard specification is more flexible and I think this is what should be done: - please create a rhuss/jolokia GH issue with your problem, let me know and I'll add my comments there (and PR to turn it into whiteboard) - for now, you have to live with what we have. I agree that Jolokia "takes over" the "/" context, but is it possible that you use different context? and register a servlet to "/" that redirects all (but "/jolokia/*") URIs to your context? regards Grzegorz Grzybek niedz., 8 sty 2023 o 01:04 Robert Varga <n...@hq.sk> napisał(a): > On 17/08/2022 08:31, Grzegorz Grzybek wrote: > > Hello > > Hello Grzegorz, > > sorry for the late reply. I needed some time to get into this entire > business. > > > Is this expected behaviour? I would have expected to hit > >> ServiceAuthenticationHttpContext only when servicing /jolokia... > >> > > > > /jolokia/* mapping (actually a one-element array of URL patterns) is a > > mapping for org.jolokia.osgi.servlet.JolokiaServlet registered into "/" > > (default), ROOT) context. See this in logs: > > > > Adding servlet > >> > ServletModel{id=ServletModel-3,name='org.jolokia.osgi.servlet.JolokiaServlet',alias='/jolokia',urlPatterns=[/jolokia/*],servlet=org.jolokia.osgi.servlet.JolokiaServlet@2d7892f6 > >> ,contexts=[{HS,OCM-4,context:570736934,/}]} > >> > > Right, and this I think is actually a bug in Jolokia. I think it should > set its context path to /jolokia and use urlPatterns=/*, right? > > That way... > > > > > toString() method for ServletModel shows the associated (as in Whiteboard > > specification) _contexts_. The single associated context is: > > > > {HS,OCM-4,context:570736934,/} > >> > > > > HS means "Http Service", OCM-4 is an internal ID of the context and > > "context:570736934" is generated name, because Jolokia's provided > > "ServiceAuthenticationHttpContext" > > is wrapped to match the API consistency internally. This > > "ServiceAuthenticationHttpContext" is used by Jolokia to register the > > servlet: > > > > service.registerServlet(getServletAlias(), > > new > > JolokiaServlet(context,restrictor), > > getConfiguration(), > > getHttpContext()); > > > > (see 4th parameter - result of getHttpContext()). > > > > What's more important is that such context replaces default "/" context > > from Whiteboard specification: > > it would just not do this... > > >> 2022-08-16T08:09:51,804 | INFO | paxweb-config-1-thread-1 | > >> JettyServerWrapper | 474 - > org.ops4j.pax.web.pax-web-jetty - > >> 8.0.2 | Changing default OSGi context model for > >> o.o.p.w.s.j.i.PaxWebServletContextHandler@14729e2e{/,null,STOPPED} > >>> 2022-08-16T08:09:51,804 | INFO | paxweb-config-1-thread-1 | > >> OsgiServletContext | 477 - org.ops4j.pax.web.pax-web-spi - > >> 8.0.2 | Unegistering > >> > OsgiServletContext{model=OsgiContextModel{WB,id=OCM-1,name='default',path='/',bundle=org.ops4j.pax.web.pax-web-extender-whiteboard,context=(supplier)}} > >> as OSGi service for "/" context path > >>> 2022-08-16T08:09:51,804 | INFO | paxweb-config-1-thread-1 | > >> OsgiServletContext | 477 - org.ops4j.pax.web.pax-web-spi - > >> 8.0.2 | Registering > >> > OsgiServletContext{model=OsgiContextModel{HS,id=OCM-4,name='context:570736934',path='/',bundle=org.jolokia.osgi,context=WebContainerContextWrapper{bundle=org.jolokia.osgi_1.7.1 > >> > [166],contextId='context:570736934',delegate=org.jolokia.osgi.security.ServiceAuthenticationHttpContext@2204c126 > }}} > >> as OSGi service for "/" context path > > > > > > See > > > {WB,id=OCM-1,name='default',path='/',bundle=org.ops4j.pax.web.pax-web-extender-whiteboard,context=(supplier)}} > > > > was replaced b: > > > {HS,id=OCM-4,name='context:570736934',path='/',bundle=org.jolokia.osgi,context=WebContainerContextWrapper{bundle=org.jolokia.osgi_1.7.1 > > > [166],contextId='context:570736934',delegate=org.jolokia.osgi.security.ServiceAuthenticationHttpContext@2204c126 > }}} > > > > > > So the context (in terms of org.osgi.service.http.HttpContext and > > org.osgi.service.http.context.ServletContextHelper) was switched from the > > one provided (by default) by > org.ops4j.pax.web.pax-web-extender-whiteboard > > bundle to the one provided by Jolokia. > > ... and then the context for '/' ... > > > And now the final part of the explanation - what is used to handle > > > /restconf/operational/network-topology:network-topology/topology/example-ipv4-topology > > URL? Pax Web delegates to the underlying container (Jetty, Tomcat and > > Undertow) to handle the mapping - and according to Servlets > specification, > > first, the context is chosen using the longest possible path. > > > > From the logs you've provided, I see that in addition to "/" context > (now > > managed by Jolokia) you have two more contexts: > > > > - /auth - {WB,id=OCM-8,name='/auth.id > > > > ',path='/auth',bundle=org.opendaylight.aaa.shiro,ref={org.osgi.service.http.context.ServletContextHelper}={ > > service.id=464, osgi.http.whiteboard.context.name=/auth.id, > > service.bundleid=181, service.scope=singleton, > > osgi.http.whiteboard.context.path=/auth}} > > - /yanglib - {WB,id=OCM-13,name='/yanglib.id > > > > ',path='/yanglib',bundle=org.opendaylight.netconf.yanglib,ref={org.osgi.service.http.context.ServletContextHelper}={ > > service.id=472, osgi.http.whiteboard.context.name=/yanglib.id, > > service.bundleid=370, service.scope=singleton, > > osgi.http.whiteboard.context.path=/yanglib}} > > > > There are no contexts with paths like: > > > > - /restconf/operational/network-topology:network-topology > > - /restconf/operational > > - /restconf > > Right, and the answer is 404, no matter auth result, because the > endpoint has been removed (same development iteration, previous patch, > but since it used to pass auth, it went to 404). > > The problem here is that Jolokia taking over default auth (and Jolokia > auth not working) is turning the 404 into a 5xx. > > > (at least I don't see them). So the context that handles > > > /restconf/operational/network-topology:network-topology/topology/example-ipv4-topology > > is simply "/" with Jolokia's provided security handled by > > > org.jolokia.osgi.security.ServiceAuthenticationHttpContext.handleSecurity(). > > > > Can you check Karaf's web:context-list command? > > Sure, here it is: > > > pendaylight-user@root>web:context-list > > Bundle ID │ Symbolic Name │ Context Path > │ Context Name │ Rank │ Service ID │ Type │ Scope │ > Registration Properties > > > ──────────┼───────────────────────────────────────────────┼──────────────┼────────────────────┼──────┼────────────┼─────────────┼───────────┼──────────────────────────────────────────────────────────── > > 164 │ org.jolokia.osgi │ / > │ context:1315411419 │ MAX │ 0 │ HttpService │ static* │ > httpContext.id=context:1315411419 > > │ │ > │ │ │ │ │ │ > httpContext.path=/ > > │ │ > │ │ │ │ │ │ > osgi.http.whiteboard.context.httpservice=context:1315411419 > > │ │ > │ │ │ │ │ │ > osgi.http.whiteboard.context.path=/ > > 308 │ org.ops4j.pax.web.pax-web-extender-whiteboard │ / > │ default │ 0 │ 0 │ Whiteboard │ static* │ > osgi.http.whiteboard.context.name=default > > │ │ > │ │ │ │ │ │ > osgi.http.whiteboard.context.path=/ > > 254 │ org.opendaylight.netconf.restconf-nb │ / > │ /.id │ 0 │ 273 │ Whiteboard │ singleton │ > osgi.http.whiteboard.context.name=/.id > > │ │ > │ │ │ │ │ │ > osgi.http.whiteboard.context.path=/ > > 337 │ org.opendaylight.netconf.sal-rest-docgen │ /apidoc > │ /apidoc.id │ 0 │ 281 │ Whiteboard │ singleton │ > osgi.http.whiteboard.context.name=/apidoc.id > > │ │ > │ │ │ │ │ │ > osgi.http.whiteboard.context.path=/apidoc > > 174 │ org.opendaylight.aaa.shiro │ /auth > │ /auth.id │ 0 │ 263 │ Whiteboard │ singleton │ > osgi.http.whiteboard.context.name=/auth.id > > but, in the mean time, with my better understanding of context path > (thanks a lot for that!), it now looks like this: > > > opendaylight-user@root>web:context-list > > Bundle ID │ Symbolic Name │ Context Path > │ Context Name │ Rank │ Service ID │ Type │ Scope │ > Registration Properties > > > ──────────┼───────────────────────────────────────────────┼──────────────┼───────────────────┼──────┼────────────┼─────────────┼───────────┼─────────────────────────────────────────────────────────── > > 164 │ org.jolokia.osgi │ / > │ context:534196305 │ MAX │ 0 │ HttpService │ static* │ > httpContext.id=context:534196305 > > │ │ > │ │ │ │ │ │ > httpContext.path=/ > > │ │ > │ │ │ │ │ │ > osgi.http.whiteboard.context.httpservice=context:534196305 > > │ │ > │ │ │ │ │ │ > osgi.http.whiteboard.context.path=/ > > 312 │ org.ops4j.pax.web.pax-web-extender-whiteboard │ / > │ default │ 0 │ 0 │ Whiteboard │ static* │ > osgi.http.whiteboard.context.name=default > > │ │ > │ │ │ │ │ │ > osgi.http.whiteboard.context.path=/ > > 256 │ org.opendaylight.netconf.restconf-nb │ /.well-known > │ /.well-known.id │ 0 │ 286 │ Whiteboard │ singleton │ > osgi.http.whiteboard.context.name=/.well-known.id > > │ │ > │ │ │ │ │ │ > osgi.http.whiteboard.context.path=/.well-known > > 342 │ org.opendaylight.netconf.sal-rest-docgen │ /apidoc > │ /apidoc.id │ 0 │ 291 │ Whiteboard │ singleton │ > osgi.http.whiteboard.context.name=/apidoc.id > > │ │ > │ │ │ │ │ │ > osgi.http.whiteboard.context.path=/apidoc > > 174 │ org.opendaylight.aaa.shiro │ /auth > │ /auth.id │ 0 │ 270 │ Whiteboard │ singleton │ > osgi.http.whiteboard.context.name=/auth.id > > │ │ > │ │ │ │ │ │ > osgi.http.whiteboard.context.path=/auth > > 256 │ org.opendaylight.netconf.restconf-nb │ /rests > │ /rests.id │ 0 │ 279 │ Whiteboard │ singleton │ > osgi.http.whiteboard.context.name=/rests.id > > │ │ > │ │ │ │ │ │ > osgi.http.whiteboard.context.path=/rests > > > > *) This context is using ServletContextHelper/HttpContext without > resolving an org.osgi.framework.ServiceReference. > > Nevertheless, I think things are less then optimal -- Jolokia should not > be taking over default auth. > > This was the case for restconf-nb above, where it was serving /rests and > /.well-known, but registered both as servlets under the default context > path, thus causing the double auth in above logs (and /restconf it used > to handle). With that bit correct, things do not double-auth, except for > the case highlighted above, where Jolokia auth triggers for requests > which result in 404. > > Now the outlier is Jolokia, it is only the pax-web-extender-whiteboard > should have contextPath=/ (for obvious reasons). > > Do you agree? I can raise a Jolokia PR to correct that. > > Thanks, > Robert >