Re: pax-web-8: handling security for non-existent resources?
Hello Is this expected behaviour? I would have expected to hit > ServiceAuthenticationHttpContext only when servicing /jolokia... > /jolokia/* mapping (actually a one-element array of URL patterns) is a mapping for org.jolokia.osgi.servlet.JolokiaServlet registered into "/" (default), ROOT) context. See this in logs: Adding servlet > ServletModel{id=ServletModel-3,name='org.jolokia.osgi.servlet.JolokiaServlet',alias='/jolokia',urlPatterns=[/jolokia/*],servlet=org.jolokia.osgi.servlet.JolokiaServlet@2d7892f6 > ,contexts=[{HS,OCM-4,context:570736934,/}]} > toString() method for ServletModel shows the associated (as in Whiteboard specification) _contexts_. The single associated context is: {HS,OCM-4,context:570736934,/} > HS means "Http Service", OCM-4 is an internal ID of the context and "context:570736934" is generated name, because Jolokia's provided "ServiceAuthenticationHttpContext" is wrapped to match the API consistency internally. This "ServiceAuthenticationHttpContext" is used by Jolokia to register the servlet: service.registerServlet(getServletAlias(), new JolokiaServlet(context,restrictor), getConfiguration(), getHttpContext()); (see 4th parameter - result of getHttpContext()). What's more important is that such context replaces default "/" context from Whiteboard specification: > 2022-08-16T08:09:51,804 | INFO | paxweb-config-1-thread-1 | > JettyServerWrapper | 474 - org.ops4j.pax.web.pax-web-jetty - > 8.0.2 | Changing default OSGi context model for > o.o.p.w.s.j.i.PaxWebServletContextHandler@14729e2e{/,null,STOPPED} > > 2022-08-16T08:09:51,804 | INFO | paxweb-config-1-thread-1 | > OsgiServletContext | 477 - org.ops4j.pax.web.pax-web-spi - > 8.0.2 | Unegistering > OsgiServletContext{model=OsgiContextModel{WB,id=OCM-1,name='default',path='/',bundle=org.ops4j.pax.web.pax-web-extender-whiteboard,context=(supplier)}} > as OSGi service for "/" context path > > 2022-08-16T08:09:51,804 | INFO | paxweb-config-1-thread-1 | > OsgiServletContext | 477 - org.ops4j.pax.web.pax-web-spi - > 8.0.2 | Registering > OsgiServletContext{model=OsgiContextModel{HS,id=OCM-4,name='context:570736934',path='/',bundle=org.jolokia.osgi,context=WebContainerContextWrapper{bundle=org.jolokia.osgi_1.7.1 > [166],contextId='context:570736934',delegate=org.jolokia.osgi.security.ServiceAuthenticationHttpContext@2204c126}}} > as OSGi service for "/" context path See {WB,id=OCM-1,name='default',path='/',bundle=org.ops4j.pax.web.pax-web-extender-whiteboard,context=(supplier)}} was replaced b: {HS,id=OCM-4,name='context:570736934',path='/',bundle=org.jolokia.osgi,context=WebContainerContextWrapper{bundle=org.jolokia.osgi_1.7.1 [166],contextId='context:570736934',delegate=org.jolokia.osgi.security.ServiceAuthenticationHttpContext@2204c126}}} So the context (in terms of org.osgi.service.http.HttpContext and org.osgi.service.http.context.ServletContextHelper) was switched from the one provided (by default) by org.ops4j.pax.web.pax-web-extender-whiteboard bundle to the one provided by Jolokia. And now the final part of the explanation - what is used to handle /restconf/operational/network-topology:network-topology/topology/example-ipv4-topology URL? Pax Web delegates to the underlying container (Jetty, Tomcat and Undertow) to handle the mapping - and according to Servlets specification, first, the context is chosen using the longest possible path. >From the logs you've provided, I see that in addition to "/" context (now managed by Jolokia) you have two more contexts: - /auth - {WB,id=OCM-8,name='/auth.id ',path='/auth',bundle=org.opendaylight.aaa.shiro,ref={org.osgi.service.http.context.ServletContextHelper}={ service.id=464, osgi.http.whiteboard.context.name=/auth.id, service.bundleid=181, service.scope=singleton, osgi.http.whiteboard.context.path=/auth}} - /yanglib - {WB,id=OCM-13,name='/yanglib.id ',path='/yanglib',bundle=org.opendaylight.netconf.yanglib,ref={org.osgi.service.http.context.ServletContextHelper}={ service.id=472, osgi.http.whiteboard.context.name=/yanglib.id, service.bundleid=370, service.scope=singleton, osgi.http.whiteboard.context.path=/yanglib}} There are no contexts with paths like: - /restconf/operational/network-topology:network-topology - /restconf/operational - /restconf (at least I don't see them). So the context that handles /restconf/operational/network-topology:network-topology/topology/example-ipv4-topology is simply "/" with Jolokia's provided security handled by org.jolokia.osgi.security.ServiceAuthenticationHttpContext.handleSecurity(). Can you check Karaf's web:context-list command? regards Grzegorz Grzybek wt., 16 sie 2022 o 20:03 Robert Varga napisaĆ(a): > Hello, > > while integrating karaf-4.4.0 into OpenDaylight I ran across a bit of > strangeness. > > We a
pax-web-8: handling security for non-existent resources?
Hello, while integrating karaf-4.4.0 into OpenDaylight I ran across a bit of strangeness. We are using Jetty as the implementation and register things through both HTTP Service and also via HTTP Whiteboard, with Shiro in the mix for good measure (via a an indirection, but let's not go into that for sanity's sake). Due to the way system works together, we end up with Jolokia registering via HttpService, which prompts the creation of a default Jetty context: 2022-08-16T08:09:51,791 | INFO | features-3-thread-1 | FeaturesServiceImpl | 16 - org.apache.karaf.features.core - 4.4.0 | org.jolokia.osgi/1.7.1 2022-08-16T08:09:51,793 | INFO | features-3-thread-1 | StoppableHttpServiceFactory | 476 - org.ops4j.pax.web.pax-web-runtime - 8.0.2 | Binding HTTP Service for bundle: [org.jolokia.osgi_1.7.1 [166]] 2022-08-16T08:09:51,802 | INFO | paxweb-config-1-thread-1 | HttpServiceEnabled | 476 - org.ops4j.pax.web.pax-web-runtime - 8.0.2 | Registering ServletModel{id=ServletModel-3,name='org.jolokia.osgi.servlet.JolokiaServlet',alias='/jolokia',urlPatterns=[/jolokia/*],servlet=org.jolokia.osgi.servlet.JolokiaServlet@2d7892f6,contexts=[{HS,OCM-4,context:570736934,/}]} 2022-08-16T08:09:51,803 | INFO | paxweb-config-1-thread-1 | JettyServerController | 474 - org.ops4j.pax.web.pax-web-jetty - 8.0.2 | Receiving Batch{"Registration of ServletModel{id=ServletModel-3,name='org.jolokia.osgi.servlet.JolokiaServlet',alias='/jolokia',urlPatterns=[/jolokia/*],servlet=org.jolokia.osgi.servlet.JolokiaServlet@2d7892f6,contexts=null}", size=3} 2022-08-16T08:09:51,803 | INFO | paxweb-config-1-thread-1 | JettyServerWrapper | 474 - org.ops4j.pax.web.pax-web-jetty - 8.0.2 | Adding OsgiContextModel{HS,id=OCM-4,name='context:570736934',path='/',bundle=org.jolokia.osgi,context=WebContainerContextWrapper{bundle=org.jolokia.osgi_1.7.1 [166],contextId='context:570736934',delegate=org.jolokia.osgi.security.ServiceAuthenticationHttpContext@2204c126}} to o.o.p.w.s.j.i.PaxWebServletContextHandler@14729e2e{/,null,STOPPED} 2022-08-16T08:09:51,804 | INFO | paxweb-config-1-thread-1 | JettyServerWrapper | 474 - org.ops4j.pax.web.pax-web-jetty - 8.0.2 | Changing default OSGi context model for o.o.p.w.s.j.i.PaxWebServletContextHandler@14729e2e{/,null,STOPPED} 2022-08-16T08:09:51,804 | INFO | paxweb-config-1-thread-1 | OsgiServletContext | 477 - org.ops4j.pax.web.pax-web-spi - 8.0.2 | Unegistering OsgiServletContext{model=OsgiContextModel{WB,id=OCM-1,name='default',path='/',bundle=org.ops4j.pax.web.pax-web-extender-whiteboard,context=(supplier)}} as OSGi service for "/" context path 2022-08-16T08:09:51,804 | INFO | paxweb-config-1-thread-1 | OsgiServletContext | 477 - org.ops4j.pax.web.pax-web-spi - 8.0.2 | Registering OsgiServletContext{model=OsgiContextModel{HS,id=OCM-4,name='context:570736934',path='/',bundle=org.jolokia.osgi,context=WebContainerContextWrapper{bundle=org.jolokia.osgi_1.7.1 [166],contextId='context:570736934',delegate=org.jolokia.osgi.security.ServiceAuthenticationHttpContext@2204c126}}} as OSGi service for "/" context path 2022-08-16T08:09:51,805 | INFO | paxweb-config-1-thread-1 | JettyServerWrapper | 474 - org.ops4j.pax.web.pax-web-jetty - 8.0.2 | Adding servlet ServletModel{id=ServletModel-3,name='org.jolokia.osgi.servlet.JolokiaServlet',alias='/jolokia',urlPatterns=[/jolokia/*],servlet=org.jolokia.osgi.servlet.JolokiaServlet@2d7892f6,contexts=[{HS,OCM-4,context:570736934,/}]} 2022-08-16T08:09:51,808 | INFO | paxweb-config-1-thread-1 | JettyServerWrapper | 474 - org.ops4j.pax.web.pax-web-jetty - 8.0.2 | Starting Jetty context "/" with default Osgi Context OsgiContextModel{HS,id=OCM-4,name='context:570736934',path='/',bundle=org.jolokia.osgi,context=WebContainerContextWrapper{bundle=org.jolokia.osgi_1.7.1 [166],contextId='context:570736934',delegate=org.jolokia.osgi.security.ServiceAuthenticationHttpContext@2204c126}} This is driven by this bit of code: https://github.com/rhuss/jolokia/blob/33ee8be04aedacf9af2d1ca917dd6c89b119c628/agent/osgi/src/main/java/org/jolokia/osgi/JolokiaActivator.java#L322-L325 We then proceed to start a ton of other services, like: 2022-08-16T08:09:57,729 | INFO | paxweb-config-1-thread-1 | JettyServerWrapper | 474 - org.ops4j.pax.web.pax-web-jetty - 8.0.2 | Starting Jetty context "/auth" with default Osgi Context OsgiContextModel{WB,id=OCM-8,name='/auth.id',path='/auth',bundle=org.opendaylight.aaa.shiro,ref={org.osgi.service.http.context.ServletContextHelper}={service.id=464, osgi.http.whiteboard.context.name=/auth.id, service.bundleid=181, service.scope=singleton, osgi.http.whiteboard.context.path=/auth}} 2022-08-16T08:09:57,738 | INFO | paxweb-config-1-thread-1 | JettyServerWrapper | 474 - org.ops4j.pax.web.pax-web-jetty - 8.0.2 | Starting Jetty context "/yanglib" with default Osgi Co