Re: pax-web-8: handling security for non-existent resources?

2022-08-16 Thread Grzegorz Grzybek
Hello

> Is this expected behaviour? I would have expected to hit
> ServiceAuthenticationHttpContext only when servicing /jolokia...

/jolokia/* mapping (actually a one-element array of URL patterns) is a
mapping for org.jolokia.osgi.servlet.JolokiaServlet registered into the "/"
(default, ROOT) context. See this in logs:

> Adding servlet
> ServletModel{id=ServletModel-3,name='org.jolokia.osgi.servlet.JolokiaServlet',alias='/jolokia',urlPatterns=[/jolokia/*],servlet=org.jolokia.osgi.servlet.JolokiaServlet@2d7892f6,contexts=[{HS,OCM-4,context:570736934,/}]}

toString() method for ServletModel shows the associated (as in Whiteboard
specification) _contexts_. The single associated context is:

> {HS,OCM-4,context:570736934,/}

HS means "Http Service", OCM-4 is an internal ID of the context and
"context:570736934" is a generated name, because Jolokia's provided
"ServiceAuthenticationHttpContext" is wrapped to match the API consistency
internally. This "ServiceAuthenticationHttpContext" is used by Jolokia to
register the servlet:

    service.registerServlet(getServletAlias(),
                            new JolokiaServlet(context,restrictor),
                            getConfiguration(),
                            getHttpContext());

(see 4th parameter - result of getHttpContext()).

What's more important is that such context replaces default "/" context
from Whiteboard specification:

> 2022-08-16T08:09:51,804 | INFO  | paxweb-config-1-thread-1 |
> JettyServerWrapper   | 474 - org.ops4j.pax.web.pax-web-jetty -
> 8.0.2 | Changing default OSGi context model for
> o.o.p.w.s.j.i.PaxWebServletContextHandler@14729e2e{/,null,STOPPED}
> 2022-08-16T08:09:51,804 | INFO  | paxweb-config-1-thread-1 |
> OsgiServletContext   | 477 - org.ops4j.pax.web.pax-web-spi -
> 8.0.2 | Unegistering
> OsgiServletContext{model=OsgiContextModel{WB,id=OCM-1,name='default',path='/',bundle=org.ops4j.pax.web.pax-web-extender-whiteboard,context=(supplier)}}
> as OSGi service for "/" context path
> 2022-08-16T08:09:51,804 | INFO  | paxweb-config-1-thread-1 |
> OsgiServletContext   | 477 - org.ops4j.pax.web.pax-web-spi -
> 8.0.2 | Registering
> OsgiServletContext{model=OsgiContextModel{HS,id=OCM-4,name='context:570736934',path='/',bundle=org.jolokia.osgi,context=WebContainerContextWrapper{bundle=org.jolokia.osgi_1.7.1
> [166],contextId='context:570736934',delegate=org.jolokia.osgi.security.ServiceAuthenticationHttpContext@2204c126}}}
> as OSGi service for "/" context path


See
{WB,id=OCM-1,name='default',path='/',bundle=org.ops4j.pax.web.pax-web-extender-whiteboard,context=(supplier)}}

was replaced by:
{HS,id=OCM-4,name='context:570736934',path='/',bundle=org.jolokia.osgi,context=WebContainerContextWrapper{bundle=org.jolokia.osgi_1.7.1
[166],contextId='context:570736934',delegate=org.jolokia.osgi.security.ServiceAuthenticationHttpContext@2204c126}}}


So the context (in terms of org.osgi.service.http.HttpContext and
org.osgi.service.http.context.ServletContextHelper) was switched from the
one provided (by default) by org.ops4j.pax.web.pax-web-extender-whiteboard
bundle to the one provided by Jolokia.

And now the final part of the explanation - what is used to handle
/restconf/operational/network-topology:network-topology/topology/example-ipv4-topology
URL? Pax Web delegates to the underlying container (Jetty, Tomcat and
Undertow) to handle the mapping - and according to Servlets specification,
first, the context is chosen using the longest possible path.

From the logs you've provided, I see that in addition to "/" context (now
managed by Jolokia) you have two more contexts:

   - /auth - {WB,id=OCM-8,name='/auth.id',path='/auth',bundle=org.opendaylight.aaa.shiro,ref={org.osgi.service.http.context.ServletContextHelper}={
   service.id=464, osgi.http.whiteboard.context.name=/auth.id,
   service.bundleid=181, service.scope=singleton,
   osgi.http.whiteboard.context.path=/auth}}
   - /yanglib - {WB,id=OCM-13,name='/yanglib.id',path='/yanglib',bundle=org.opendaylight.netconf.yanglib,ref={org.osgi.service.http.context.ServletContextHelper}={
   service.id=472, osgi.http.whiteboard.context.name=/yanglib.id,
   service.bundleid=370, service.scope=singleton,
   osgi.http.whiteboard.context.path=/yanglib}}

There are no contexts with paths like:

   - /restconf/operational/network-topology:network-topology
   - /restconf/operational
   - /restconf

(at least I don't see them). So the context that handles
/restconf/operational/network-topology:network-topology/topology/example-ipv4-topology
is simply "/" with Jolokia's provided security handled by
org.jolokia.osgi.security.ServiceAuthenticationHttpContext.handleSecurity().

Can you check Karaf's web:context-list command?

regards
Grzegorz Grzybek

On Tue, 16 Aug 2022 at 20:03, Robert Varga wrote:

> Hello,
>
> while integrating karaf-4.4.0 into OpenDaylight I ran across a bit of
> strangeness.
>
> We a
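
The routing explained in the reply above, as an added example that is not part of the thread and is not Pax Web, Jetty or Jolokia code: a simplified model that first picks the context by longest matching path and only then looks for a servlet mapping inside it. The context paths, bundle names and the /jolokia/* pattern are taken from the logs in the thread; the class, record and method names are hypothetical, and two of the request paths are constructed samples.

```java
import java.util.Comparator;
import java.util.List;
import java.util.Optional;

// Added illustration; names below are hypothetical, not Pax Web or Jetty API.
public class ContextSelectionDemo {

    // path: context path; provider: bundle whose context object guards this path.
    record Context(String path, String provider, List<String> servletPatterns) {}

    // A context path matches on whole segments: "/auth" matches "/auth" and
    // "/auth/x" but not "/authx". The "/" context matches every request.
    static boolean matches(String contextPath, String uri) {
        if (contextPath.equals("/")) return true;
        return uri.equals(contextPath) || uri.startsWith(contextPath + "/");
    }

    // Step 1: choose the context with the longest matching path.
    static Context selectContext(List<Context> contexts, String uri) {
        return contexts.stream()
                .filter(c -> matches(c.path(), uri))
                .max(Comparator.comparingInt(c -> c.path().length()))
                .orElseThrow();
    }

    // Step 2: inside that context, find a servlet (only "/prefix/*" patterns modelled).
    static Optional<String> selectServlet(Context ctx, String uri) {
        String rel = ctx.path().equals("/") ? uri : uri.substring(ctx.path().length());
        return ctx.servletPatterns().stream()
                .filter(p -> {
                    String prefix = p.substring(0, p.length() - 2);
                    return rel.equals(prefix) || rel.startsWith(prefix + "/");
                })
                .findFirst();
    }

    public static void main(String[] args) {
        List<Context> contexts = List.of(
            new Context("/", "org.jolokia.osgi", List.of("/jolokia/*")),
            new Context("/auth", "org.opendaylight.aaa.shiro", List.of()),
            new Context("/yanglib", "org.opendaylight.netconf.yanglib", List.of()));
        for (String uri : List.of(
                "/jolokia/version",   // constructed sample path
                "/restconf/operational/network-topology:network-topology/topology/example-ipv4-topology",
                "/authx")) {          // constructed: not a segment match for /auth
            Context ctx = selectContext(contexts, uri);
            System.out.printf("%s%n  context=%s provider=%s servlet=%s%n", uri, ctx.path(),
                    ctx.provider(), selectServlet(ctx, uri).orElse("(none mapped)"));
        }
    }
}
```

In this model the /restconf/... request has no servlet mapped, yet it still resolves to the "/" context, which is the one carrying Jolokia's ServiceAuthenticationHttpContext.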

pax-web-8: handling security for non-existent resources?

2022-08-16 Thread Robert Varga

Hello,

while integrating karaf-4.4.0 into OpenDaylight I ran across a bit of 
strangeness.


We are using Jetty as the implementation and register things through
both HTTP Service and also via HTTP Whiteboard, with Shiro in the mix
for good measure (via an indirection, but let's not go into that for
sanity's sake).


Due to the way the system works together, we end up with Jolokia registering
via HttpService, which prompts the creation of a default Jetty context:



2022-08-16T08:09:51,791 | INFO  | features-3-thread-1 | FeaturesServiceImpl 
 | 16 - org.apache.karaf.features.core - 4.4.0 |   
org.jolokia.osgi/1.7.1
2022-08-16T08:09:51,793 | INFO  | features-3-thread-1 | 
StoppableHttpServiceFactory  | 476 - org.ops4j.pax.web.pax-web-runtime - 
8.0.2 | Binding HTTP Service for bundle: [org.jolokia.osgi_1.7.1 [166]]
2022-08-16T08:09:51,802 | INFO  | paxweb-config-1-thread-1 | HttpServiceEnabled 
  | 476 - org.ops4j.pax.web.pax-web-runtime - 8.0.2 | Registering 
ServletModel{id=ServletModel-3,name='org.jolokia.osgi.servlet.JolokiaServlet',alias='/jolokia',urlPatterns=[/jolokia/*],servlet=org.jolokia.osgi.servlet.JolokiaServlet@2d7892f6,contexts=[{HS,OCM-4,context:570736934,/}]}
2022-08-16T08:09:51,803 | INFO  | paxweb-config-1-thread-1 | JettyServerController
| 474 - org.ops4j.pax.web.pax-web-jetty - 8.0.2 | Receiving Batch{"Registration 
of 
ServletModel{id=ServletModel-3,name='org.jolokia.osgi.servlet.JolokiaServlet',alias='/jolokia',urlPatterns=[/jolokia/*],servlet=org.jolokia.osgi.servlet.JolokiaServlet@2d7892f6,contexts=null}",
 size=3}
2022-08-16T08:09:51,803 | INFO  | paxweb-config-1-thread-1 | JettyServerWrapper 
  | 474 - org.ops4j.pax.web.pax-web-jetty - 8.0.2 | Adding 
OsgiContextModel{HS,id=OCM-4,name='context:570736934',path='/',bundle=org.jolokia.osgi,context=WebContainerContextWrapper{bundle=org.jolokia.osgi_1.7.1
 
[166],contextId='context:570736934',delegate=org.jolokia.osgi.security.ServiceAuthenticationHttpContext@2204c126}}
 to o.o.p.w.s.j.i.PaxWebServletContextHandler@14729e2e{/,null,STOPPED}
2022-08-16T08:09:51,804 | INFO  | paxweb-config-1-thread-1 | JettyServerWrapper 
  | 474 - org.ops4j.pax.web.pax-web-jetty - 8.0.2 | Changing 
default OSGi context model for 
o.o.p.w.s.j.i.PaxWebServletContextHandler@14729e2e{/,null,STOPPED}
2022-08-16T08:09:51,804 | INFO  | paxweb-config-1-thread-1 | OsgiServletContext   
| 477 - org.ops4j.pax.web.pax-web-spi - 8.0.2 | Unegistering 
OsgiServletContext{model=OsgiContextModel{WB,id=OCM-1,name='default',path='/',bundle=org.ops4j.pax.web.pax-web-extender-whiteboard,context=(supplier)}}
 as OSGi service for "/" context path
2022-08-16T08:09:51,804 | INFO  | paxweb-config-1-thread-1 | OsgiServletContext   
| 477 - org.ops4j.pax.web.pax-web-spi - 8.0.2 | Registering 
OsgiServletContext{model=OsgiContextModel{HS,id=OCM-4,name='context:570736934',path='/',bundle=org.jolokia.osgi,context=WebContainerContextWrapper{bundle=org.jolokia.osgi_1.7.1
 
[166],contextId='context:570736934',delegate=org.jolokia.osgi.security.ServiceAuthenticationHttpContext@2204c126}}}
 as OSGi service for "/" context path
2022-08-16T08:09:51,805 | INFO  | paxweb-config-1-thread-1 | JettyServerWrapper 
  | 474 - org.ops4j.pax.web.pax-web-jetty - 8.0.2 | Adding servlet 
ServletModel{id=ServletModel-3,name='org.jolokia.osgi.servlet.JolokiaServlet',alias='/jolokia',urlPatterns=[/jolokia/*],servlet=org.jolokia.osgi.servlet.JolokiaServlet@2d7892f6,contexts=[{HS,OCM-4,context:570736934,/}]}
2022-08-16T08:09:51,808 | INFO  | paxweb-config-1-thread-1 | JettyServerWrapper   
| 474 - org.ops4j.pax.web.pax-web-jetty - 8.0.2 | Starting Jetty context 
"/" with default Osgi Context 
OsgiContextModel{HS,id=OCM-4,name='context:570736934',path='/',bundle=org.jolokia.osgi,context=WebContainerContextWrapper{bundle=org.jolokia.osgi_1.7.1
 
[166],contextId='context:570736934',delegate=org.jolokia.osgi.security.ServiceAuthenticationHttpContext@2204c126}}


This is driven by this bit of code: 
https://github.com/rhuss/jolokia/blob/33ee8be04aedacf9af2d1ca917dd6c89b119c628/agent/osgi/src/main/java/org/jolokia/osgi/JolokiaActivator.java#L322-L325


We then proceed to start a ton of other services, like:


2022-08-16T08:09:57,729 | INFO  | paxweb-config-1-thread-1 | JettyServerWrapper   
| 474 - org.ops4j.pax.web.pax-web-jetty - 8.0.2 | Starting Jetty context 
"/auth" with default Osgi Context 
OsgiContextModel{WB,id=OCM-8,name='/auth.id',path='/auth',bundle=org.opendaylight.aaa.shiro,ref={org.osgi.service.http.context.ServletContextHelper}={service.id=464,
 osgi.http.whiteboard.context.name=/auth.id, service.bundleid=181, 
service.scope=singleton, osgi.http.whiteboard.context.path=/auth}}
2022-08-16T08:09:57,738 | INFO  | paxweb-config-1-thread-1 | JettyServerWrapper   
| 474 - org.ops4j.pax.web.pax-web-jetty - 8.0.2 | Starting Jetty context 
"/yanglib" with default Osgi Co