On 17/08/2022 08:31, Grzegorz Grzybek wrote:
Hello

Hello Grzegorz,

sorry for the late reply. I needed some time to get into this entire business.

Is this expected behaviour? I would have expected to hit
ServiceAuthenticationHttpContext only when servicing /jolokia...


/jolokia/* mapping (actually a one-element array of URL patterns) is a
mapping for org.jolokia.osgi.servlet.JolokiaServlet registered into "/"
(default, ROOT) context. See this in logs:

Adding servlet ServletModel{id=ServletModel-3,name='org.jolokia.osgi.servlet.JolokiaServlet',alias='/jolokia',urlPatterns=[/jolokia/*],servlet=org.jolokia.osgi.servlet.JolokiaServlet@2d7892f6,contexts=[{HS,OCM-4,context:570736934,/}]}


Right, and this I think is actually a bug in Jolokia. I think it should set its context path to /jolokia and use urlPatterns=/*, right?

That way...


toString() method for ServletModel shows the associated (as in Whiteboard
specification) _contexts_. The single associated context is:

{HS,OCM-4,context:570736934,/}


HS means "Http Service", OCM-4 is an internal ID of the context and
"context:570736934" is generated name, because Jolokia's provided
"ServiceAuthenticationHttpContext"
is wrapped to match the API consistency internally. This
"ServiceAuthenticationHttpContext" is used by Jolokia to register the
servlet:

                 service.registerServlet(getServletAlias(),
                                         new JolokiaServlet(context,restrictor),
                                         getConfiguration(),
                                         getHttpContext());

(see 4th parameter - result of getHttpContext()).

What's more important is that such context replaces default "/" context
from Whiteboard specification:

it would just not do this...

2022-08-16T08:09:51,804 | INFO  | paxweb-config-1-thread-1 | JettyServerWrapper               | 474 - org.ops4j.pax.web.pax-web-jetty - 8.0.2 | Changing default OSGi context model for o.o.p.w.s.j.i.PaxWebServletContextHandler@14729e2e{/,null,STOPPED}
2022-08-16T08:09:51,804 | INFO  | paxweb-config-1-thread-1 | OsgiServletContext               | 477 - org.ops4j.pax.web.pax-web-spi - 8.0.2 | Unegistering OsgiServletContext{model=OsgiContextModel{WB,id=OCM-1,name='default',path='/',bundle=org.ops4j.pax.web.pax-web-extender-whiteboard,context=(supplier)}} as OSGi service for "/" context path
2022-08-16T08:09:51,804 | INFO  | paxweb-config-1-thread-1 | OsgiServletContext               | 477 - org.ops4j.pax.web.pax-web-spi - 8.0.2 | Registering OsgiServletContext{model=OsgiContextModel{HS,id=OCM-4,name='context:570736934',path='/',bundle=org.jolokia.osgi,context=WebContainerContextWrapper{bundle=org.jolokia.osgi_1.7.1 [166],contextId='context:570736934',delegate=org.jolokia.osgi.security.ServiceAuthenticationHttpContext@2204c126}}} as OSGi service for "/" context path


See
{WB,id=OCM-1,name='default',path='/',bundle=org.ops4j.pax.web.pax-web-extender-whiteboard,context=(supplier)}}

was replaced by:
{HS,id=OCM-4,name='context:570736934',path='/',bundle=org.jolokia.osgi,context=WebContainerContextWrapper{bundle=org.jolokia.osgi_1.7.1 [166],contextId='context:570736934',delegate=org.jolokia.osgi.security.ServiceAuthenticationHttpContext@2204c126}}}


So the context (in terms of org.osgi.service.http.HttpContext and
org.osgi.service.http.context.ServletContextHelper) was switched from the
one provided (by default) by org.ops4j.pax.web.pax-web-extender-whiteboard
bundle to the one provided by Jolokia.

... and then the context for '/' ...

And now the final part of the explanation - what is used to handle
/restconf/operational/network-topology:network-topology/topology/example-ipv4-topology
URL? Pax Web delegates to the underlying container (Jetty, Tomcat and
Undertow) to handle the mapping - and according to Servlets specification,
first, the context is chosen using the longest possible path.

From the logs you've provided, I see that in addition to "/" context (now
managed by Jolokia) you have two more contexts:

    - /auth - {WB,id=OCM-8,name='/auth.id',path='/auth',bundle=org.opendaylight.aaa.shiro,ref={org.osgi.service.http.context.ServletContextHelper}={service.id=464, osgi.http.whiteboard.context.name=/auth.id, service.bundleid=181, service.scope=singleton, osgi.http.whiteboard.context.path=/auth}}
    - /yanglib - {WB,id=OCM-13,name='/yanglib.id',path='/yanglib',bundle=org.opendaylight.netconf.yanglib,ref={org.osgi.service.http.context.ServletContextHelper}={service.id=472, osgi.http.whiteboard.context.name=/yanglib.id, service.bundleid=370, service.scope=singleton, osgi.http.whiteboard.context.path=/yanglib}}

There are no contexts with paths like:

    - /restconf/operational/network-topology:network-topology
    - /restconf/operational
    - /restconf

Right, and the answer is 404, no matter the auth result, because the endpoint has been removed (same development iteration, previous patch, but since it used to pass auth, it went to 404).

The problem here is that Jolokia taking over default auth (and Jolokia auth not working) is turning the 404 into a 5xx.

(at least I don't see them). So the context that handles
/restconf/operational/network-topology:network-topology/topology/example-ipv4-topology
is simply "/" with Jolokia's provided security handled by
org.jolokia.osgi.security.ServiceAuthenticationHttpContext.handleSecurity().

Can you check Karaf's web:context-list command?

Sure, here it is:

pendaylight-user@root>web:context-list
Bundle ID │ Symbolic Name                                 │ Context Path │ Context Name       │ Rank │ Service ID │ Type        │ Scope     │ Registration Properties
──────────┼───────────────────────────────────────────────┼──────────────┼────────────────────┼──────┼────────────┼─────────────┼───────────┼────────────────────────────────────────────────────────────
164       │ org.jolokia.osgi                              │ /            │ context:1315411419 │ MAX  │ 0          │ HttpService │ static*   │ httpContext.id=context:1315411419
          │                                               │              │                    │      │            │             │           │ httpContext.path=/
          │                                               │              │                    │      │            │             │           │ osgi.http.whiteboard.context.httpservice=context:1315411419
          │                                               │              │                    │      │            │             │           │ osgi.http.whiteboard.context.path=/
308       │ org.ops4j.pax.web.pax-web-extender-whiteboard │ /            │ default            │ 0    │ 0          │ Whiteboard  │ static*   │ osgi.http.whiteboard.context.name=default
          │                                               │              │                    │      │            │             │           │ osgi.http.whiteboard.context.path=/
254       │ org.opendaylight.netconf.restconf-nb          │ /            │ /.id               │ 0    │ 273        │ Whiteboard  │ singleton │ osgi.http.whiteboard.context.name=/.id
          │                                               │              │                    │      │            │             │           │ osgi.http.whiteboard.context.path=/
337       │ org.opendaylight.netconf.sal-rest-docgen      │ /apidoc      │ /apidoc.id         │ 0    │ 281        │ Whiteboard  │ singleton │ osgi.http.whiteboard.context.name=/apidoc.id
          │                                               │              │                    │      │            │             │           │ osgi.http.whiteboard.context.path=/apidoc
174       │ org.opendaylight.aaa.shiro                    │ /auth        │ /auth.id           │ 0    │ 263        │ Whiteboard  │ singleton │ osgi.http.whiteboard.context.name=/auth.id

but, in the meantime, with my better understanding of context path (thanks a lot for that!), it now looks like this:

opendaylight-user@root>web:context-list
Bundle ID │ Symbolic Name                                 │ Context Path │ Context Name      │ Rank │ Service ID │ Type        │ Scope     │ Registration Properties
──────────┼───────────────────────────────────────────────┼──────────────┼───────────────────┼──────┼────────────┼─────────────┼───────────┼───────────────────────────────────────────────────────────
164       │ org.jolokia.osgi                              │ /            │ context:534196305 │ MAX  │ 0          │ HttpService │ static*   │ httpContext.id=context:534196305
          │                                               │              │                   │      │            │             │           │ httpContext.path=/
          │                                               │              │                   │      │            │             │           │ osgi.http.whiteboard.context.httpservice=context:534196305
          │                                               │              │                   │      │            │             │           │ osgi.http.whiteboard.context.path=/
312       │ org.ops4j.pax.web.pax-web-extender-whiteboard │ /            │ default           │ 0    │ 0          │ Whiteboard  │ static*   │ osgi.http.whiteboard.context.name=default
          │                                               │              │                   │      │            │             │           │ osgi.http.whiteboard.context.path=/
256       │ org.opendaylight.netconf.restconf-nb          │ /.well-known │ /.well-known.id   │ 0    │ 286        │ Whiteboard  │ singleton │ osgi.http.whiteboard.context.name=/.well-known.id
          │                                               │              │                   │      │            │             │           │ osgi.http.whiteboard.context.path=/.well-known
342       │ org.opendaylight.netconf.sal-rest-docgen      │ /apidoc      │ /apidoc.id        │ 0    │ 291        │ Whiteboard  │ singleton │ osgi.http.whiteboard.context.name=/apidoc.id
          │                                               │              │                   │      │            │             │           │ osgi.http.whiteboard.context.path=/apidoc
174       │ org.opendaylight.aaa.shiro                    │ /auth        │ /auth.id          │ 0    │ 270        │ Whiteboard  │ singleton │ osgi.http.whiteboard.context.name=/auth.id
          │                                               │              │                   │      │            │             │           │ osgi.http.whiteboard.context.path=/auth
256       │ org.opendaylight.netconf.restconf-nb          │ /rests       │ /rests.id         │ 0    │ 279        │ Whiteboard  │ singleton │ osgi.http.whiteboard.context.name=/rests.id
          │                                               │              │                   │      │            │             │           │ osgi.http.whiteboard.context.path=/rests

*) This context is using ServletContextHelper/HttpContext without resolving an org.osgi.framework.ServiceReference.

Nevertheless, I think things are less than optimal -- Jolokia should not be taking over default auth.

This was the case for restconf-nb above, where it was serving /rests and /.well-known, but registered both as servlets under the default context path, thus causing the double auth in above logs (and /restconf it used to handle). With that bit correct, things do not double-auth, except for the case highlighted above, where Jolokia auth triggers for requests which result in 404.

Now the outlier is Jolokia: it is only the pax-web-extender-whiteboard that should have contextPath=/ (for obvious reasons).

Do you agree? I can raise a Jolokia PR to correct that.

Thanks,
Robert
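
The context resolution discussed in this thread, as an added example (not code from Pax Web, Jolokia or either poster): the context with the longest matching path handles the request, so any URL without a more specific context falls to "/" and is gated by whichever bundle owns that context. It assumes that among contexts sharing a path the one with the highest Rank in web:context-list wins, as the MAX rank and the "Changing default OSGi context model" log line indicate; request URIs marked as constructed are sample values.

```java
import java.util.Comparator;
import java.util.List;
import java.util.Optional;

public class ContextResolution {
    // One row of `web:context-list`: owning bundle, context path and rank.
    record Ctx(String bundle, String path, int rank) {}

    // Rows taken from the second web:context-list output in this thread.
    static final List<Ctx> CONTEXTS = List.of(
        new Ctx("org.jolokia.osgi", "/", Integer.MAX_VALUE),   // Rank "MAX"
        new Ctx("org.ops4j.pax.web.pax-web-extender-whiteboard", "/", 0),
        new Ctx("org.opendaylight.netconf.restconf-nb", "/.well-known", 0),
        new Ctx("org.opendaylight.netconf.sal-rest-docgen", "/apidoc", 0),
        new Ctx("org.opendaylight.aaa.shiro", "/auth", 0),
        new Ctx("org.opendaylight.netconf.restconf-nb", "/rests", 0));

    // True when the context path is a whole-segment prefix of the request URI.
    static boolean matches(String ctxPath, String uri) {
        if (ctxPath.equals("/")) return true;
        return uri.equals(ctxPath) || uri.startsWith(ctxPath + "/");
    }

    // Longest matching context path first; among equal paths the highest
    // rank wins (assumption, see the lead-in).
    static Optional<Ctx> resolve(String uri) {
        return CONTEXTS.stream()
            .filter(c -> matches(c.path(), uri))
            .max(Comparator.comparingInt((Ctx c) -> c.path().length())
                .thenComparingInt(Ctx::rank));
    }

    public static void main(String[] args) {
        List<String> uris = List.of(
            "/jolokia/read/java.lang:type=Memory",            // constructed sample
            "/rests/data/network-topology:network-topology",  // constructed sample
            "/auth/v1/users",                                 // constructed sample
            // URL from the thread: no /restconf context exists any more.
            "/restconf/operational/network-topology:network-topology/topology/example-ipv4-topology");
        for (String uri : uris) {
            Ctx c = resolve(uri).orElseThrow();
            // The owning bundle's security handler runs before any servlet lookup.
            System.out.printf("%s%n    -> context '%s' owned by %s%n", uri, c.path(), c.bundle());
        }
    }
}
```

Both /jolokia/... and the stale /restconf/... URL resolve to the "/" context owned by org.jolokia.osgi, so its security handler is consulted for every request that no dedicated context claims, including ones that would otherwise end in a 404.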
