Hello,

while integrating karaf-4.4.0 into OpenDaylight I ran across a bit of strangeness.

We are using Jetty as the implementation and register things through both HTTP Service and also via HTTP Whiteboard, with Shiro in the mix for good measure (via an indirection, but let's not go into that for sanity's sake).

Due to the way the system works together, we end up with Jolokia registering via HttpService, which prompts the creation of a default Jetty context:

2022-08-16T08:09:51,791 | INFO  | features-3-thread-1 | FeaturesServiceImpl              | 16 - org.apache.karaf.features.core - 4.4.0 |   org.jolokia.osgi/1.7.1
2022-08-16T08:09:51,793 | INFO  | features-3-thread-1 | StoppableHttpServiceFactory      | 476 - org.ops4j.pax.web.pax-web-runtime - 8.0.2 | Binding HTTP Service for bundle: [org.jolokia.osgi_1.7.1 [166]]
2022-08-16T08:09:51,802 | INFO  | paxweb-config-1-thread-1 | HttpServiceEnabled               | 476 - org.ops4j.pax.web.pax-web-runtime - 8.0.2 | Registering ServletModel{id=ServletModel-3,name='org.jolokia.osgi.servlet.JolokiaServlet',alias='/jolokia',urlPatterns=[/jolokia/*],servlet=org.jolokia.osgi.servlet.JolokiaServlet@2d7892f6,contexts=[{HS,OCM-4,context:570736934,/}]}
2022-08-16T08:09:51,803 | INFO  | paxweb-config-1-thread-1 | JettyServerController            | 474 - org.ops4j.pax.web.pax-web-jetty - 8.0.2 | Receiving Batch{"Registration of ServletModel{id=ServletModel-3,name='org.jolokia.osgi.servlet.JolokiaServlet',alias='/jolokia',urlPatterns=[/jolokia/*],servlet=org.jolokia.osgi.servlet.JolokiaServlet@2d7892f6,contexts=null}", size=3}
2022-08-16T08:09:51,803 | INFO  | paxweb-config-1-thread-1 | JettyServerWrapper               | 474 - org.ops4j.pax.web.pax-web-jetty - 8.0.2 | Adding OsgiContextModel{HS,id=OCM-4,name='context:570736934',path='/',bundle=org.jolokia.osgi,context=WebContainerContextWrapper{bundle=org.jolokia.osgi_1.7.1 [166],contextId='context:570736934',delegate=org.jolokia.osgi.security.ServiceAuthenticationHttpContext@2204c126}} to o.o.p.w.s.j.i.PaxWebServletContextHandler@14729e2e{/,null,STOPPED}
2022-08-16T08:09:51,804 | INFO  | paxweb-config-1-thread-1 | JettyServerWrapper               | 474 - org.ops4j.pax.web.pax-web-jetty - 8.0.2 | Changing default OSGi context model for o.o.p.w.s.j.i.PaxWebServletContextHandler@14729e2e{/,null,STOPPED}
2022-08-16T08:09:51,804 | INFO  | paxweb-config-1-thread-1 | OsgiServletContext               | 477 - org.ops4j.pax.web.pax-web-spi - 8.0.2 | Unegistering OsgiServletContext{model=OsgiContextModel{WB,id=OCM-1,name='default',path='/',bundle=org.ops4j.pax.web.pax-web-extender-whiteboard,context=(supplier)}} as OSGi service for "/" context path
2022-08-16T08:09:51,804 | INFO  | paxweb-config-1-thread-1 | OsgiServletContext               | 477 - org.ops4j.pax.web.pax-web-spi - 8.0.2 | Registering OsgiServletContext{model=OsgiContextModel{HS,id=OCM-4,name='context:570736934',path='/',bundle=org.jolokia.osgi,context=WebContainerContextWrapper{bundle=org.jolokia.osgi_1.7.1 [166],contextId='context:570736934',delegate=org.jolokia.osgi.security.ServiceAuthenticationHttpContext@2204c126}}} as OSGi service for "/" context path
2022-08-16T08:09:51,805 | INFO  | paxweb-config-1-thread-1 | JettyServerWrapper               | 474 - org.ops4j.pax.web.pax-web-jetty - 8.0.2 | Adding servlet ServletModel{id=ServletModel-3,name='org.jolokia.osgi.servlet.JolokiaServlet',alias='/jolokia',urlPatterns=[/jolokia/*],servlet=org.jolokia.osgi.servlet.JolokiaServlet@2d7892f6,contexts=[{HS,OCM-4,context:570736934,/}]}
2022-08-16T08:09:51,808 | INFO  | paxweb-config-1-thread-1 | JettyServerWrapper               | 474 - org.ops4j.pax.web.pax-web-jetty - 8.0.2 | Starting Jetty context "/" with default Osgi Context OsgiContextModel{HS,id=OCM-4,name='context:570736934',path='/',bundle=org.jolokia.osgi,context=WebContainerContextWrapper{bundle=org.jolokia.osgi_1.7.1 [166],contextId='context:570736934',delegate=org.jolokia.osgi.security.ServiceAuthenticationHttpContext@2204c126}}

This is driven by this bit of code: https://github.com/rhuss/jolokia/blob/33ee8be04aedacf9af2d1ca917dd6c89b119c628/agent/osgi/src/main/java/org/jolokia/osgi/JolokiaActivator.java#L322-L325

We then proceed to start a ton of other services, like:

2022-08-16T08:09:57,729 | INFO  | paxweb-config-1-thread-1 | JettyServerWrapper               | 474 - org.ops4j.pax.web.pax-web-jetty - 8.0.2 | Starting Jetty context "/auth" with default Osgi Context OsgiContextModel{WB,id=OCM-8,name='/auth.id',path='/auth',bundle=org.opendaylight.aaa.shiro,ref={org.osgi.service.http.context.ServletContextHelper}={service.id=464, osgi.http.whiteboard.context.name=/auth.id, service.bundleid=181, service.scope=singleton, osgi.http.whiteboard.context.path=/auth}}
2022-08-16T08:09:57,738 | INFO  | paxweb-config-1-thread-1 | JettyServerWrapper               | 474 - org.ops4j.pax.web.pax-web-jetty - 8.0.2 | Starting Jetty context "/yanglib" with default Osgi Context OsgiContextModel{WB,id=OCM-13,name='/yanglib.id',path='/yanglib',bundle=org.opendaylight.netconf.yanglib,ref={org.osgi.service.http.context.ServletContextHelper}={service.id=472, osgi.http.whiteboard.context.name=/yanglib.id, service.bundleid=370, service.scope=singleton, osgi.http.whiteboard.context.path=/yanglib}}
2022-08-16T08:09:57,800 | INFO  | paxweb-config-1-thread-1 | HttpServiceEnabled               | 476 - org.ops4j.pax.web.pax-web-runtime - 8.0.2 | Registering ServletModel{id=ServletModel-29,name='org.glassfish.jersey.servlet.ServletContainer',urlPatterns=[/rests/*],contexts=[{WB,OCM-26,/.id,/}]}

Now, due to a screw up on my part ServiceAuthenticationHttpContext ends up not working, so this error is very much expected:

2022-08-16T08:10:04,226 | WARN  | qtp874199530-623 | HttpChannel                      | 146 - org.eclipse.jetty.util - 9.4.46.v20220331 | /jolokia/read/org.opendaylight.controller:Category=Shards,name=member-1-shard-default-config,type=DistributedConfigDatastore
org.apache.shiro.UnavailableSecurityManagerException: No SecurityManager accessible to the calling code, either bound to the org.apache.shiro.util.ThreadContext or as a vm static singleton.  This is an invalid application configuration.
        at org.apache.shiro.SecurityUtils.getSecurityManager(SecurityUtils.java:123) ~[?:?]
        at org.apache.shiro.subject.Subject$Builder.<init>(Subject.java:626) ~[?:?]
        at org.apache.shiro.SecurityUtils.getSubject(SecurityUtils.java:56) ~[?:?]
        at org.opendaylight.aaa.authenticator.ODLAuthenticator.login(ODLAuthenticator.java:87) ~[?:?]
        at org.opendaylight.aaa.authenticator.ODLAuthenticator.authenticate(ODLAuthenticator.java:59) ~[?:?]
        at org.jolokia.osgi.security.ServiceAuthenticationHttpContext.handleSecurity(ServiceAuthenticationHttpContext.java:72) ~[?:?]
        at org.ops4j.pax.web.service.spi.context.WebContainerContextWrapper.handleSecurity(WebContainerContextWrapper.java:85) ~[?:?]
        at org.ops4j.pax.web.service.spi.servlet.OsgiFilterChain.doFilter(OsgiFilterChain.java:98) ~[?:?]
        at org.ops4j.pax.web.service.jetty.internal.PaxWebServletHandler.doHandle(PaxWebServletHandler.java:310) ~[?:?]
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143) ~[bundleFile:9.4.46.v20220331]

What is weird, though, is that ServiceAuthenticationHttpContext is also consulted for resources which do not exist, i.e. if it worked, this request would have resulted in a 404:

2022-08-16T08:10:06,851 | WARN  | qtp874199530-146 | HttpChannel                      | 146 - org.eclipse.jetty.util - 9.4.46.v20220331 | /restconf/operational/network-topology:network-topology/topology/example-ipv4-topology
org.apache.shiro.UnavailableSecurityManagerException: No SecurityManager accessible to the calling code, either bound to the org.apache.shiro.util.ThreadContext or as a vm static singleton.  This is an invalid application configuration.
        at org.apache.shiro.SecurityUtils.getSecurityManager(SecurityUtils.java:123) ~[?:?]
        at org.apache.shiro.subject.Subject$Builder.<init>(Subject.java:626) ~[?:?]
        at org.apache.shiro.SecurityUtils.getSubject(SecurityUtils.java:56) ~[?:?]
        at org.opendaylight.aaa.authenticator.ODLAuthenticator.login(ODLAuthenticator.java:87) ~[?:?]
        at org.opendaylight.aaa.authenticator.ODLAuthenticator.authenticate(ODLAuthenticator.java:59) ~[?:?]
        at org.jolokia.osgi.security.ServiceAuthenticationHttpContext.handleSecurity(ServiceAuthenticationHttpContext.java:72) ~[?:?]
        at org.ops4j.pax.web.service.spi.context.WebContainerContextWrapper.handleSecurity(WebContainerContextWrapper.java:85) ~[?:?]
        at org.ops4j.pax.web.service.spi.servlet.OsgiFilterChain.doFilter(OsgiFilterChain.java:98) ~[?:?]
        at org.ops4j.pax.web.service.jetty.internal.PaxWebServletHandler.doHandle(PaxWebServletHandler.java:310) ~[?:?]
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143) ~[?:?]

Is this expected behaviour? I would have expected to hit ServiceAuthenticationHttpContext only when servicing /jolokia...

Thanks,
Robert
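
An added triage example, not part of the original message or of Pax Web: it cross-references the "Starting Jetty context" and "Registering ServletModel" log lines shown above and lists servlets whose context path has a default model that belongs to a different context and carries a security delegate, which is the arrangement the message observes for "/". The sample lines are abridged from the message's log; the function and field names are hypothetical.

```python
import re

# Constructed sample: four entries abridged from the log in the message,
# each joined onto one line with the column padding collapsed.
SAMPLE_LOG = """\
2022-08-16T08:09:51,802 | INFO | paxweb-config-1-thread-1 | HttpServiceEnabled | 476 - org.ops4j.pax.web.pax-web-runtime - 8.0.2 | Registering ServletModel{id=ServletModel-3,name='org.jolokia.osgi.servlet.JolokiaServlet',alias='/jolokia',urlPatterns=[/jolokia/*],servlet=org.jolokia.osgi.servlet.JolokiaServlet@2d7892f6,contexts=[{HS,OCM-4,context:570736934,/}]}
2022-08-16T08:09:51,808 | INFO | paxweb-config-1-thread-1 | JettyServerWrapper | 474 - org.ops4j.pax.web.pax-web-jetty - 8.0.2 | Starting Jetty context "/" with default Osgi Context OsgiContextModel{HS,id=OCM-4,name='context:570736934',path='/',bundle=org.jolokia.osgi,context=WebContainerContextWrapper{bundle=org.jolokia.osgi_1.7.1 [166],contextId='context:570736934',delegate=org.jolokia.osgi.security.ServiceAuthenticationHttpContext@2204c126}}
2022-08-16T08:09:57,729 | INFO | paxweb-config-1-thread-1 | JettyServerWrapper | 474 - org.ops4j.pax.web.pax-web-jetty - 8.0.2 | Starting Jetty context "/auth" with default Osgi Context OsgiContextModel{WB,id=OCM-8,name='/auth.id',path='/auth',bundle=org.opendaylight.aaa.shiro,ref={org.osgi.service.http.context.ServletContextHelper}={service.id=464}}
2022-08-16T08:09:57,800 | INFO | paxweb-config-1-thread-1 | HttpServiceEnabled | 476 - org.ops4j.pax.web.pax-web-runtime - 8.0.2 | Registering ServletModel{id=ServletModel-29,name='org.glassfish.jersey.servlet.ServletContainer',urlPatterns=[/rests/*],contexts=[{WB,OCM-26,/.id,/}]}
"""

# Default context model per Jetty context path; delegate is present only for
# HttpService (HS) models that wrap a bundle-supplied HttpContext.
DEFAULT_RE = re.compile(
    r'Starting Jetty context "(?P<path>[^"]+)" with default Osgi Context '
    r"OsgiContextModel\{(?P<kind>HS|WB),id=(?P<id>OCM-\d+),.*?bundle=(?P<bundle>[^,}]+)"
    r"(?:.*?delegate=(?P<delegate>[\w.$]+)@)?")
SERVLET_RE = re.compile(
    r"Registering ServletModel\{id=ServletModel-\d+,name='(?P<name>[^']+)',"
    r".*?urlPatterns=\[(?P<patterns>[^\]]*)\],.*?contexts=\[(?P<ctx>[^\]]*)\]")
# One entry of contexts=[...]: {kind,model id,context name,context path}
CTX_RE = re.compile(r"\{(HS|WB),(OCM-\d+),([^,]*),([^}]*)\}")

def servlets_under_foreign_default(log):
    """Servlets whose path's default context is another model with a delegate."""
    defaults, servlets = {}, []
    for line in log.splitlines():
        m = DEFAULT_RE.search(line)
        if m:
            defaults[m["path"]] = m.groupdict()
        m = SERVLET_RE.search(line)
        if m:
            for _kind, ocm, _name, path in CTX_RE.findall(m["ctx"]):
                servlets.append((m["name"], m["patterns"], ocm, path))
    findings = []
    for name, patterns, ocm, path in servlets:
        d = defaults.get(path)
        if d and d["delegate"] and d["id"] != ocm:
            findings.append({"servlet": name, "patterns": patterns,
                             "servlet_context": ocm, "path": path,
                             "default_context": d["id"],
                             "default_bundle": d["bundle"],
                             "delegate": d["delegate"]})
    return findings

if __name__ == "__main__":
    for f in servlets_under_foreign_default(SAMPLE_LOG):
        print(f)
```

On the sample it reports the Jersey servlet for /rests/* (context OCM-26) sitting at "/" while the default model there is Jolokia's OCM-4 with the ServiceAuthenticationHttpContext delegate.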
