Re: pax-web-8: handling security for non-existent resources?
Hello Robert!

> Right, and this I think is actually a bug in Jolokia. I think it should
> set its context path to /jolokia and use urlPatterns=/*, right?

It's not a bug in Jolokia, but a limitation of the method to register a servlet... If you `git blame` related lines, you'll see: https://github.com/rhuss/jolokia/blame/v1.7.2/agent/osgi/src/main/java/org/jolokia/osgi/JolokiaActivator.java#L322-L325

This code was added ... 12 years ago and the only method back then was to use OSGi CMPN HttpService specification, which allowed to do these:
- register a servlet
- register resources

That's all. No filters, *no contexts other than "/"!*, no listeners, no nothing...

Whiteboard specification is more flexible and I think this is what should be done:
- please create a rhuss/jolokia GH issue with your problem, let me know and I'll add my comments there (and PR to turn it into whiteboard)
- for now, you have to live with what we have. I agree that Jolokia "takes over" the "/" context, but is it possible that you use different context? and register a servlet to "/" that redirects all (but "/jolokia/*") URIs to your context?

regards
Grzegorz Grzybek

Sun, 8 Jan 2023 at 01:04 Robert Varga wrote:

> On 17/08/2022 08:31, Grzegorz Grzybek wrote:
> > Hello
>
> Hello Grzegorz,
>
> sorry for the late reply. I needed some time to get into this entire business.
>
> >> Is this expected behaviour? I would have expected to hit ServiceAuthenticationHttpContext only when servicing /jolokia...
> >
> > /jolokia/* mapping (actually a one-element array of URL patterns) is a mapping for org.jolokia.osgi.servlet.JolokiaServlet registered into "/" (default, ROOT) context.
> > See this in logs:
> >
> >> Adding servlet ServletModel{id=ServletModel-3,name='org.jolokia.osgi.servlet.JolokiaServlet',alias='/jolokia',urlPatterns=[/jolokia/*],servlet=org.jolokia.osgi.servlet.JolokiaServlet@2d7892f6,contexts=[{HS,OCM-4,context:570736934,/}]}
>
> Right, and this I think is actually a bug in Jolokia. I think it should set its context path to /jolokia and use urlPatterns=/*, right?
>
> That way...
>
> > toString() method for ServletModel shows the associated (as in Whiteboard specification) _contexts_. The single associated context is:
> >
> >> {HS,OCM-4,context:570736934,/}
> >
> > HS means "Http Service", OCM-4 is an internal ID of the context and "context:570736934" is generated name, because Jolokia's provided "ServiceAuthenticationHttpContext" is wrapped to match the API consistency internally. This "ServiceAuthenticationHttpContext" is used by Jolokia to register the servlet:
> >
> >     service.registerServlet(getServletAlias(),
> >                             new JolokiaServlet(context,restrictor),
> >                             getConfiguration(),
> >                             getHttpContext());
> >
> > (see 4th parameter - result of getHttpContext()).
> >
> > What's more important is that such context replaces default "/" context from Whiteboard specification:
>
> it would just not do this...
> >> 2022-08-16T08:09:51,804 | INFO | paxweb-config-1-thread-1 | JettyServerWrapper | 474 - org.ops4j.pax.web.pax-web-jetty - 8.0.2 | Changing default OSGi context model for o.o.p.w.s.j.i.PaxWebServletContextHandler@14729e2e{/,null,STOPPED}
> >> 2022-08-16T08:09:51,804 | INFO | paxweb-config-1-thread-1 | OsgiServletContext | 477 - org.ops4j.pax.web.pax-web-spi - 8.0.2 | Unegistering OsgiServletContext{model=OsgiContextModel{WB,id=OCM-1,name='default',path='/',bundle=org.ops4j.pax.web.pax-web-extender-whiteboard,context=(supplier)}} as OSGi service for "/" context path
> >> 2022-08-16T08:09:51,804 | INFO | paxweb-config-1-thread-1 | OsgiServletContext | 477 - org.ops4j.pax.web.pax-web-spi - 8.0.2 | Registering OsgiServletContext{model=OsgiContextModel{HS,id=OCM-4,name='context:570736934',path='/',bundle=org.jolokia.osgi,context=WebContainerContextWrapper{bundle=org.jolokia.osgi_1.7.1 [166],contextId='context:570736934',delegate=org.jolokia.osgi.security.ServiceAuthenticationHttpContext@2204c126}}} as OSGi service for "/" context path
> >
> > See
> >
> > {WB,id=OCM-1,name='default',path='/',bundle=org.ops4j.pax.web.pax-web-extender-whiteboard,context=(supplier)}}
> >
> > was replaced by:
> >
> > {HS,id=OCM-4,name='context:570736934',path='/',bundle=org.jolokia.osgi,context=WebContainerContextWrapper{bundle=org.jolokia.osgi_1.7.1 [166],contextId='context:570736934',delegate=org.jolokia.osgi.security.ServiceAuthenticationHttpContext@2204c126}}}
> >
> > So the context (in terms of org.osgi.service.http.HttpContext and org.osgi.service.http.context.ServletContextHelper) was switched from the one provided (by default) by org.ops4j.pax.web.pax-web-extend
Re: pax-web-8: handling security for non-existent resources?
On 17/08/2022 08:31, Grzegorz Grzybek wrote:
> Hello

Hello Grzegorz,

sorry for the late reply. I needed some time to get into this entire business.

>> Is this expected behaviour? I would have expected to hit ServiceAuthenticationHttpContext only when servicing /jolokia...
>
> /jolokia/* mapping (actually a one-element array of URL patterns) is a mapping for org.jolokia.osgi.servlet.JolokiaServlet registered into "/" (default, ROOT) context. See this in logs:
>
>> Adding servlet ServletModel{id=ServletModel-3,name='org.jolokia.osgi.servlet.JolokiaServlet',alias='/jolokia',urlPatterns=[/jolokia/*],servlet=org.jolokia.osgi.servlet.JolokiaServlet@2d7892f6,contexts=[{HS,OCM-4,context:570736934,/}]}

Right, and this I think is actually a bug in Jolokia. I think it should set its context path to /jolokia and use urlPatterns=/*, right?

That way...

> toString() method for ServletModel shows the associated (as in Whiteboard specification) _contexts_. The single associated context is:
>
>> {HS,OCM-4,context:570736934,/}
>
> HS means "Http Service", OCM-4 is an internal ID of the context and "context:570736934" is generated name, because Jolokia's provided "ServiceAuthenticationHttpContext" is wrapped to match the API consistency internally. This "ServiceAuthenticationHttpContext" is used by Jolokia to register the servlet:
>
>     service.registerServlet(getServletAlias(),
>                             new JolokiaServlet(context,restrictor),
>                             getConfiguration(),
>                             getHttpContext());
>
> (see 4th parameter - result of getHttpContext()).
>
> What's more important is that such context replaces default "/" context from Whiteboard specification:

it would just not do this...
>> 2022-08-16T08:09:51,804 | INFO | paxweb-config-1-thread-1 | JettyServerWrapper | 474 - org.ops4j.pax.web.pax-web-jetty - 8.0.2 | Changing default OSGi context model for o.o.p.w.s.j.i.PaxWebServletContextHandler@14729e2e{/,null,STOPPED}
>> 2022-08-16T08:09:51,804 | INFO | paxweb-config-1-thread-1 | OsgiServletContext | 477 - org.ops4j.pax.web.pax-web-spi - 8.0.2 | Unegistering OsgiServletContext{model=OsgiContextModel{WB,id=OCM-1,name='default',path='/',bundle=org.ops4j.pax.web.pax-web-extender-whiteboard,context=(supplier)}} as OSGi service for "/" context path
>> 2022-08-16T08:09:51,804 | INFO | paxweb-config-1-thread-1 | OsgiServletContext | 477 - org.ops4j.pax.web.pax-web-spi - 8.0.2 | Registering OsgiServletContext{model=OsgiContextModel{HS,id=OCM-4,name='context:570736934',path='/',bundle=org.jolokia.osgi,context=WebContainerContextWrapper{bundle=org.jolokia.osgi_1.7.1 [166],contextId='context:570736934',delegate=org.jolokia.osgi.security.ServiceAuthenticationHttpContext@2204c126}}} as OSGi service for "/" context path
>
> See
>
> {WB,id=OCM-1,name='default',path='/',bundle=org.ops4j.pax.web.pax-web-extender-whiteboard,context=(supplier)}}
>
> was replaced by:
>
> {HS,id=OCM-4,name='context:570736934',path='/',bundle=org.jolokia.osgi,context=WebContainerContextWrapper{bundle=org.jolokia.osgi_1.7.1 [166],contextId='context:570736934',delegate=org.jolokia.osgi.security.ServiceAuthenticationHttpContext@2204c126}}}
>
> So the context (in terms of org.osgi.service.http.HttpContext and org.osgi.service.http.context.ServletContextHelper) was switched from the one provided (by default) by org.ops4j.pax.web.pax-web-extender-whiteboard bundle to the one provided by Jolokia.

... and then the context for '/' ...

> And now the final part of the explanation - what is used to handle /restconf/operational/network-topology:network-topology/topology/example-ipv4-topology URL?
> Pax Web delegates to the underlying container (Jetty, Tomcat and Undertow) to handle the mapping - and according to Servlets specification, first, the context is chosen using the longest possible path.
>
> From the logs you've provided, I see that in addition to "/" context (now managed by Jolokia) you have two more contexts:
> - /auth - {WB,id=OCM-8,name='/auth.id',path='/auth',bundle=org.opendaylight.aaa.shiro,ref={org.osgi.service.http.context.ServletContextHelper}={service.id=464, osgi.http.whiteboard.context.name=/auth.id, service.bundleid=181, service.scope=singleton, osgi.http.whiteboard.context.path=/auth}}
> - /yanglib - {WB,id=OCM-13,name='/yanglib.id',path='/yanglib',bundle=org.opendaylight.netconf.yanglib,ref={org.osgi.service.http.context.ServletContextHelper}={service.id=472, osgi.http.whiteboard.context.name=/yanglib.id, service.bundleid=370, service.scope=singleton, osgi.http.whiteboard.context.path=/yanglib}}
>
> There are no contexts with paths like:
> - /restconf/operational/network-topology:network-topology
> - /restconf/operational
> - /restconf

Right, and the answer is 404, no matter auth result, because the endpoint has been removed (same development iteration, previous patch, but since it us
Re: pax-web-8: handling security for non-existent resources?
Hello

> Is this expected behaviour? I would have expected to hit ServiceAuthenticationHttpContext only when servicing /jolokia...

/jolokia/* mapping (actually a one-element array of URL patterns) is a mapping for org.jolokia.osgi.servlet.JolokiaServlet registered into "/" (default, ROOT) context. See this in logs:

> Adding servlet ServletModel{id=ServletModel-3,name='org.jolokia.osgi.servlet.JolokiaServlet',alias='/jolokia',urlPatterns=[/jolokia/*],servlet=org.jolokia.osgi.servlet.JolokiaServlet@2d7892f6,contexts=[{HS,OCM-4,context:570736934,/}]}

toString() method for ServletModel shows the associated (as in Whiteboard specification) _contexts_. The single associated context is:

> {HS,OCM-4,context:570736934,/}

HS means "Http Service", OCM-4 is an internal ID of the context and "context:570736934" is generated name, because Jolokia's provided "ServiceAuthenticationHttpContext" is wrapped to match the API consistency internally. This "ServiceAuthenticationHttpContext" is used by Jolokia to register the servlet:

    service.registerServlet(getServletAlias(),
                            new JolokiaServlet(context,restrictor),
                            getConfiguration(),
                            getHttpContext());

(see 4th parameter - result of getHttpContext()).
What's more important is that such context replaces default "/" context from Whiteboard specification:

> 2022-08-16T08:09:51,804 | INFO | paxweb-config-1-thread-1 | JettyServerWrapper | 474 - org.ops4j.pax.web.pax-web-jetty - 8.0.2 | Changing default OSGi context model for o.o.p.w.s.j.i.PaxWebServletContextHandler@14729e2e{/,null,STOPPED}
> 2022-08-16T08:09:51,804 | INFO | paxweb-config-1-thread-1 | OsgiServletContext | 477 - org.ops4j.pax.web.pax-web-spi - 8.0.2 | Unegistering OsgiServletContext{model=OsgiContextModel{WB,id=OCM-1,name='default',path='/',bundle=org.ops4j.pax.web.pax-web-extender-whiteboard,context=(supplier)}} as OSGi service for "/" context path
> 2022-08-16T08:09:51,804 | INFO | paxweb-config-1-thread-1 | OsgiServletContext | 477 - org.ops4j.pax.web.pax-web-spi - 8.0.2 | Registering OsgiServletContext{model=OsgiContextModel{HS,id=OCM-4,name='context:570736934',path='/',bundle=org.jolokia.osgi,context=WebContainerContextWrapper{bundle=org.jolokia.osgi_1.7.1 [166],contextId='context:570736934',delegate=org.jolokia.osgi.security.ServiceAuthenticationHttpContext@2204c126}}} as OSGi service for "/" context path

See

{WB,id=OCM-1,name='default',path='/',bundle=org.ops4j.pax.web.pax-web-extender-whiteboard,context=(supplier)}}

was replaced by:

{HS,id=OCM-4,name='context:570736934',path='/',bundle=org.jolokia.osgi,context=WebContainerContextWrapper{bundle=org.jolokia.osgi_1.7.1 [166],contextId='context:570736934',delegate=org.jolokia.osgi.security.ServiceAuthenticationHttpContext@2204c126}}}

So the context (in terms of org.osgi.service.http.HttpContext and org.osgi.service.http.context.ServletContextHelper) was switched from the one provided (by default) by org.ops4j.pax.web.pax-web-extender-whiteboard bundle to the one provided by Jolokia.

And now the final part of the explanation - what is used to handle /restconf/operational/network-topology:network-topology/topology/example-ipv4-topology URL?
Pax Web delegates to the underlying container (Jetty, Tomcat and Undertow) to handle the mapping - and according to Servlets specification, first, the context is chosen using the longest possible path.

From the logs you've provided, I see that in addition to "/" context (now managed by Jolokia) you have two more contexts:
- /auth - {WB,id=OCM-8,name='/auth.id',path='/auth',bundle=org.opendaylight.aaa.shiro,ref={org.osgi.service.http.context.ServletContextHelper}={service.id=464, osgi.http.whiteboard.context.name=/auth.id, service.bundleid=181, service.scope=singleton, osgi.http.whiteboard.context.path=/auth}}
- /yanglib - {WB,id=OCM-13,name='/yanglib.id',path='/yanglib',bundle=org.opendaylight.netconf.yanglib,ref={org.osgi.service.http.context.ServletContextHelper}={service.id=472, osgi.http.whiteboard.context.name=/yanglib.id, service.bundleid=370, service.scope=singleton, osgi.http.whiteboard.context.path=/yanglib}}

There are no contexts with paths like:
- /restconf/operational/network-topology:network-topology
- /restconf/operational
- /restconf

(at least I don't see them).

So the context that handles /restconf/operational/network-topology:network-topology/topology/example-ipv4-topology is simply "/" with Jolokia's provided security handled by org.jolokia.osgi.security.ServiceAuthenticationHttpContext.handleSecurity().

Can you check Karaf's web:context-list command?

regards
Grzegorz Grzybek

Tue, 16 Aug 2022 at 20:03 Robert Varga wrote:

> Hello,
>
> while integrating karaf-4.4.0 into OpenDaylight I ran across a bit of strangeness.
>
> We a
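
The context selection described in the message above, as an added illustration that is not part of the thread and is not Pax Web or Jolokia code: a simplified model in which the context with the longest matching path is chosen, and that context's owner is the one whose handleSecurity() applies. The `Context` and `Route` types, the "own-context" layout and the `/jolokia/read/...` request are assumptions; the context paths, bundle names and the /restconf URL are taken from the logs quoted in the thread.

```java
import java.util.Comparator;
import java.util.List;

// Simplified model only: a context is a path, the component that supplies its
// security hook, and the servlet prefixes registered inside it ("" stands for /*).
public class ContextScopeModel {
    record Context(String path, String securityOwner, List<String> servletPrefixes) {
        boolean covers(String uri) {
            return path.equals("/") || uri.equals(path) || uri.startsWith(path + "/");
        }
    }

    record Route(String contextPath, String securityOwner, boolean servletMapped) {}

    // Step 1: pick the context with the longest matching path.
    // Step 2: inside that context only, look for a servlet mapping.
    static Route route(List<Context> contexts, String uri) {
        Context ctx = contexts.stream()
                .filter(c -> c.covers(uri))
                .max(Comparator.comparingInt((Context c) -> c.path().length()))
                .orElseThrow();
        String rest = ctx.path().equals("/") ? uri : uri.substring(ctx.path().length());
        boolean mapped = ctx.servletPrefixes().stream()
                .anyMatch(p -> p.isEmpty() || rest.equals(p) || rest.startsWith(p + "/"));
        return new Route(ctx.path(), ctx.securityOwner(), mapped);
    }

    public static void main(String[] args) {
        // Servlets inside /auth and /yanglib are not shown in the thread, so none are modelled.
        Context auth = new Context("/auth", "org.opendaylight.aaa.shiro", List.of());
        Context yanglib = new Context("/yanglib", "org.opendaylight.netconf.yanglib", List.of());

        // Layout from the logs: Jolokia's HttpContext became the "/" context,
        // with the servlet mapped at /jolokia/*.
        List<Context> httpService = List.of(auth, yanglib,
                new Context("/", "ServiceAuthenticationHttpContext", List.of("/jolokia")));

        // Assumed alternative discussed in the thread: Jolokia in its own
        // /jolokia context with pattern /*, "/" left to the Whiteboard default.
        List<Context> ownContext = List.of(auth, yanglib,
                new Context("/", "default (pax-web-extender-whiteboard)", List.of()),
                new Context("/jolokia", "ServiceAuthenticationHttpContext", List.of("")));

        String[] uris = {
            "/jolokia/read/java.lang:type=Memory", // constructed sample request
            "/restconf/operational/network-topology:network-topology/topology/example-ipv4-topology"
        };
        for (String uri : uris) {
            System.out.println(uri);
            System.out.println("  HttpService layout: " + route(httpService, uri));
            System.out.println("  own-context layout: " + route(ownContext, uri));
        }
    }
}
```

In the HttpService layout the /restconf request lands in "/" and is therefore guarded by Jolokia's context even though no servlet is mapped for it; in the own-context layout only /jolokia requests reach that handler.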
pax-web-8: handling security for non-existent resources?
Hello,

while integrating karaf-4.4.0 into OpenDaylight I ran across a bit of strangeness.

We are using Jetty as the implementation and register things through both HTTP Service and also via HTTP Whiteboard, with Shiro in the mix for good measure (via an indirection, but let's not go into that for sanity's sake).

Due to the way system works together, we end up with Jolokia registering via HttpService, which prompts the creation of a default Jetty context:

2022-08-16T08:09:51,791 | INFO | features-3-thread-1 | FeaturesServiceImpl | 16 - org.apache.karaf.features.core - 4.4.0 | org.jolokia.osgi/1.7.1
2022-08-16T08:09:51,793 | INFO | features-3-thread-1 | StoppableHttpServiceFactory | 476 - org.ops4j.pax.web.pax-web-runtime - 8.0.2 | Binding HTTP Service for bundle: [org.jolokia.osgi_1.7.1 [166]]
2022-08-16T08:09:51,802 | INFO | paxweb-config-1-thread-1 | HttpServiceEnabled | 476 - org.ops4j.pax.web.pax-web-runtime - 8.0.2 | Registering ServletModel{id=ServletModel-3,name='org.jolokia.osgi.servlet.JolokiaServlet',alias='/jolokia',urlPatterns=[/jolokia/*],servlet=org.jolokia.osgi.servlet.JolokiaServlet@2d7892f6,contexts=[{HS,OCM-4,context:570736934,/}]}
2022-08-16T08:09:51,803 | INFO | paxweb-config-1-thread-1 | JettyServerController | 474 - org.ops4j.pax.web.pax-web-jetty - 8.0.2 | Receiving Batch{"Registration of ServletModel{id=ServletModel-3,name='org.jolokia.osgi.servlet.JolokiaServlet',alias='/jolokia',urlPatterns=[/jolokia/*],servlet=org.jolokia.osgi.servlet.JolokiaServlet@2d7892f6,contexts=null}", size=3}
2022-08-16T08:09:51,803 | INFO | paxweb-config-1-thread-1 | JettyServerWrapper | 474 - org.ops4j.pax.web.pax-web-jetty - 8.0.2 | Adding OsgiContextModel{HS,id=OCM-4,name='context:570736934',path='/',bundle=org.jolokia.osgi,context=WebContainerContextWrapper{bundle=org.jolokia.osgi_1.7.1 [166],contextId='context:570736934',delegate=org.jolokia.osgi.security.ServiceAuthenticationHttpContext@2204c126}} to o.o.p.w.s.j.i.PaxWebServletContextHandler@14729e2e{/,null,STOPPED}
2022-08-16T08:09:51,804 | INFO | paxweb-config-1-thread-1 | JettyServerWrapper | 474 - org.ops4j.pax.web.pax-web-jetty - 8.0.2 | Changing default OSGi context model for o.o.p.w.s.j.i.PaxWebServletContextHandler@14729e2e{/,null,STOPPED}
2022-08-16T08:09:51,804 | INFO | paxweb-config-1-thread-1 | OsgiServletContext | 477 - org.ops4j.pax.web.pax-web-spi - 8.0.2 | Unegistering OsgiServletContext{model=OsgiContextModel{WB,id=OCM-1,name='default',path='/',bundle=org.ops4j.pax.web.pax-web-extender-whiteboard,context=(supplier)}} as OSGi service for "/" context path
2022-08-16T08:09:51,804 | INFO | paxweb-config-1-thread-1 | OsgiServletContext | 477 - org.ops4j.pax.web.pax-web-spi - 8.0.2 | Registering OsgiServletContext{model=OsgiContextModel{HS,id=OCM-4,name='context:570736934',path='/',bundle=org.jolokia.osgi,context=WebContainerContextWrapper{bundle=org.jolokia.osgi_1.7.1 [166],contextId='context:570736934',delegate=org.jolokia.osgi.security.ServiceAuthenticationHttpContext@2204c126}}} as OSGi service for "/" context path
2022-08-16T08:09:51,805 | INFO | paxweb-config-1-thread-1 | JettyServerWrapper | 474 - org.ops4j.pax.web.pax-web-jetty - 8.0.2 | Adding servlet ServletModel{id=ServletModel-3,name='org.jolokia.osgi.servlet.JolokiaServlet',alias='/jolokia',urlPatterns=[/jolokia/*],servlet=org.jolokia.osgi.servlet.JolokiaServlet@2d7892f6,contexts=[{HS,OCM-4,context:570736934,/}]}
2022-08-16T08:09:51,808 | INFO | paxweb-config-1-thread-1 | JettyServerWrapper | 474 - org.ops4j.pax.web.pax-web-jetty - 8.0.2 | Starting Jetty context "/" with default Osgi Context OsgiContextModel{HS,id=OCM-4,name='context:570736934',path='/',bundle=org.jolokia.osgi,context=WebContainerContextWrapper{bundle=org.jolokia.osgi_1.7.1 [166],contextId='context:570736934',delegate=org.jolokia.osgi.security.ServiceAuthenticationHttpContext@2204c126}}

This is driven by this bit of code:
https://github.com/rhuss/jolokia/blob/33ee8be04aedacf9af2d1ca917dd6c89b119c628/agent/osgi/src/main/java/org/jolokia/osgi/JolokiaActivator.java#L322-L325

We then proceed to start a ton of other services, like:

2022-08-16T08:09:57,729 | INFO | paxweb-config-1-thread-1 | JettyServerWrapper | 474 - org.ops4j.pax.web.pax-web-jetty - 8.0.2 | Starting Jetty context "/auth" with default Osgi Context OsgiContextModel{WB,id=OCM-8,name='/auth.id',path='/auth',bundle=org.opendaylight.aaa.shiro,ref={org.osgi.service.http.context.ServletContextHelper}={service.id=464, osgi.http.whiteboard.context.name=/auth.id, service.bundleid=181, service.scope=singleton, osgi.http.whiteboard.context.path=/auth}}
2022-08-16T08:09:57,738 | INFO | paxweb-config-1-thread-1 | JettyServerWrapper | 474 - org.ops4j.pax.web.pax-web-jetty - 8.0.2 | Starting Jetty context "/yanglib" with default Osgi Co