Posted to dev@karaf.apache.org by Robert Varga <ni...@hq.sk> on 2022/08/16 18:02:37 UTC
pax-web-8: handling security for non-existent resources?
Hello,
while integrating karaf-4.4.0 into OpenDaylight I ran across a bit of
strangeness.
We are using Jetty as the implementation and register things through
both HTTP Service and also via HTTP Whiteboard, with Shiro in the mix
for good measure (via an indirection, but let's not go into that for
sanity's sake).
Due to the way the system works together, we end up with Jolokia registering
via HttpService, which prompts the creation of a default Jetty context:
> 2022-08-16T08:09:51,791 | INFO | features-3-thread-1 | FeaturesServiceImpl | 16 - org.apache.karaf.features.core - 4.4.0 | org.jolokia.osgi/1.7.1
> 2022-08-16T08:09:51,793 | INFO | features-3-thread-1 | StoppableHttpServiceFactory | 476 - org.ops4j.pax.web.pax-web-runtime - 8.0.2 | Binding HTTP Service for bundle: [org.jolokia.osgi_1.7.1 [166]]
> 2022-08-16T08:09:51,802 | INFO | paxweb-config-1-thread-1 | HttpServiceEnabled | 476 - org.ops4j.pax.web.pax-web-runtime - 8.0.2 | Registering ServletModel{id=ServletModel-3,name='org.jolokia.osgi.servlet.JolokiaServlet',alias='/jolokia',urlPatterns=[/jolokia/*],servlet=org.jolokia.osgi.servlet.JolokiaServlet@2d7892f6,contexts=[{HS,OCM-4,context:570736934,/}]}
> 2022-08-16T08:09:51,803 | INFO | paxweb-config-1-thread-1 | JettyServerController | 474 - org.ops4j.pax.web.pax-web-jetty - 8.0.2 | Receiving Batch{"Registration of ServletModel{id=ServletModel-3,name='org.jolokia.osgi.servlet.JolokiaServlet',alias='/jolokia',urlPatterns=[/jolokia/*],servlet=org.jolokia.osgi.servlet.JolokiaServlet@2d7892f6,contexts=null}", size=3}
> 2022-08-16T08:09:51,803 | INFO | paxweb-config-1-thread-1 | JettyServerWrapper | 474 - org.ops4j.pax.web.pax-web-jetty - 8.0.2 | Adding OsgiContextModel{HS,id=OCM-4,name='context:570736934',path='/',bundle=org.jolokia.osgi,context=WebContainerContextWrapper{bundle=org.jolokia.osgi_1.7.1 [166],contextId='context:570736934',delegate=org.jolokia.osgi.security.ServiceAuthenticationHttpContext@2204c126}} to o.o.p.w.s.j.i.PaxWebServletContextHandler@14729e2e{/,null,STOPPED}
> 2022-08-16T08:09:51,804 | INFO | paxweb-config-1-thread-1 | JettyServerWrapper | 474 - org.ops4j.pax.web.pax-web-jetty - 8.0.2 | Changing default OSGi context model for o.o.p.w.s.j.i.PaxWebServletContextHandler@14729e2e{/,null,STOPPED}
> 2022-08-16T08:09:51,804 | INFO | paxweb-config-1-thread-1 | OsgiServletContext | 477 - org.ops4j.pax.web.pax-web-spi - 8.0.2 | Unegistering OsgiServletContext{model=OsgiContextModel{WB,id=OCM-1,name='default',path='/',bundle=org.ops4j.pax.web.pax-web-extender-whiteboard,context=(supplier)}} as OSGi service for "/" context path
> 2022-08-16T08:09:51,804 | INFO | paxweb-config-1-thread-1 | OsgiServletContext | 477 - org.ops4j.pax.web.pax-web-spi - 8.0.2 | Registering OsgiServletContext{model=OsgiContextModel{HS,id=OCM-4,name='context:570736934',path='/',bundle=org.jolokia.osgi,context=WebContainerContextWrapper{bundle=org.jolokia.osgi_1.7.1 [166],contextId='context:570736934',delegate=org.jolokia.osgi.security.ServiceAuthenticationHttpContext@2204c126}}} as OSGi service for "/" context path
> 2022-08-16T08:09:51,805 | INFO | paxweb-config-1-thread-1 | JettyServerWrapper | 474 - org.ops4j.pax.web.pax-web-jetty - 8.0.2 | Adding servlet ServletModel{id=ServletModel-3,name='org.jolokia.osgi.servlet.JolokiaServlet',alias='/jolokia',urlPatterns=[/jolokia/*],servlet=org.jolokia.osgi.servlet.JolokiaServlet@2d7892f6,contexts=[{HS,OCM-4,context:570736934,/}]}
> 2022-08-16T08:09:51,808 | INFO | paxweb-config-1-thread-1 | JettyServerWrapper | 474 - org.ops4j.pax.web.pax-web-jetty - 8.0.2 | Starting Jetty context "/" with default Osgi Context OsgiContextModel{HS,id=OCM-4,name='context:570736934',path='/',bundle=org.jolokia.osgi,context=WebContainerContextWrapper{bundle=org.jolokia.osgi_1.7.1 [166],contextId='context:570736934',delegate=org.jolokia.osgi.security.ServiceAuthenticationHttpContext@2204c126}}
This is driven by this bit of code:
https://github.com/rhuss/jolokia/blob/33ee8be04aedacf9af2d1ca917dd6c89b119c628/agent/osgi/src/main/java/org/jolokia/osgi/JolokiaActivator.java#L322-L325
We then proceed to start a ton of other services, like:
> 2022-08-16T08:09:57,729 | INFO | paxweb-config-1-thread-1 | JettyServerWrapper | 474 - org.ops4j.pax.web.pax-web-jetty - 8.0.2 | Starting Jetty context "/auth" with default Osgi Context OsgiContextModel{WB,id=OCM-8,name='/auth.id',path='/auth',bundle=org.opendaylight.aaa.shiro,ref={org.osgi.service.http.context.ServletContextHelper}={service.id=464, osgi.http.whiteboard.context.name=/auth.id, service.bundleid=181, service.scope=singleton, osgi.http.whiteboard.context.path=/auth}}
> 2022-08-16T08:09:57,738 | INFO | paxweb-config-1-thread-1 | JettyServerWrapper | 474 - org.ops4j.pax.web.pax-web-jetty - 8.0.2 | Starting Jetty context "/yanglib" with default Osgi Context OsgiContextModel{WB,id=OCM-13,name='/yanglib.id',path='/yanglib',bundle=org.opendaylight.netconf.yanglib,ref={org.osgi.service.http.context.ServletContextHelper}={service.id=472, osgi.http.whiteboard.context.name=/yanglib.id, service.bundleid=370, service.scope=singleton, osgi.http.whiteboard.context.path=/yanglib}}
> 2022-08-16T08:09:57,800 | INFO | paxweb-config-1-thread-1 | HttpServiceEnabled | 476 - org.ops4j.pax.web.pax-web-runtime - 8.0.2 | Registering ServletModel{id=ServletModel-29,name='org.glassfish.jersey.servlet.ServletContainer',urlPatterns=[/rests/*],contexts=[{WB,OCM-26,/.id,/}]}
Now, due to a screw up on my part ServiceAuthenticationHttpContext ends
up not working, so this error is very much expected:
> 2022-08-16T08:10:04,226 | WARN | qtp874199530-623 | HttpChannel | 146 - org.eclipse.jetty.util - 9.4.46.v20220331 | /jolokia/read/org.opendaylight.controller:Category=Shards,name=member-1-shard-default-config,type=DistributedConfigDatastore
> org.apache.shiro.UnavailableSecurityManagerException: No SecurityManager accessible to the calling code, either bound to the org.apache.shiro.util.ThreadContext or as a vm static singleton. This is an invalid application configuration.
> at org.apache.shiro.SecurityUtils.getSecurityManager(SecurityUtils.java:123) ~[?:?]
> at org.apache.shiro.subject.Subject$Builder.<init>(Subject.java:626) ~[?:?]
> at org.apache.shiro.SecurityUtils.getSubject(SecurityUtils.java:56) ~[?:?]
> at org.opendaylight.aaa.authenticator.ODLAuthenticator.login(ODLAuthenticator.java:87) ~[?:?]
> at org.opendaylight.aaa.authenticator.ODLAuthenticator.authenticate(ODLAuthenticator.java:59) ~[?:?]
> at org.jolokia.osgi.security.ServiceAuthenticationHttpContext.handleSecurity(ServiceAuthenticationHttpContext.java:72) ~[?:?]
> at org.ops4j.pax.web.service.spi.context.WebContainerContextWrapper.handleSecurity(WebContainerContextWrapper.java:85) ~[?:?]
> at org.ops4j.pax.web.service.spi.servlet.OsgiFilterChain.doFilter(OsgiFilterChain.java:98) ~[?:?]
> at org.ops4j.pax.web.service.jetty.internal.PaxWebServletHandler.doHandle(PaxWebServletHandler.java:310) ~[?:?]
> at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143) ~[bundleFile:9.4.46.v20220331]
What is weird, though, is that ServiceAuthenticationHttpContext is also
consulted for resources which do not exist, i.e. if it worked, this
request would have resulted in a 404:
> 2022-08-16T08:10:06,851 | WARN | qtp874199530-146 | HttpChannel | 146 - org.eclipse.jetty.util - 9.4.46.v20220331 | /restconf/operational/network-topology:network-topology/topology/example-ipv4-topology
> org.apache.shiro.UnavailableSecurityManagerException: No SecurityManager accessible to the calling code, either bound to the org.apache.shiro.util.ThreadContext or as a vm static singleton. This is an invalid application configuration.
> at org.apache.shiro.SecurityUtils.getSecurityManager(SecurityUtils.java:123) ~[?:?]
> at org.apache.shiro.subject.Subject$Builder.<init>(Subject.java:626) ~[?:?]
> at org.apache.shiro.SecurityUtils.getSubject(SecurityUtils.java:56) ~[?:?]
> at org.opendaylight.aaa.authenticator.ODLAuthenticator.login(ODLAuthenticator.java:87) ~[?:?]
> at org.opendaylight.aaa.authenticator.ODLAuthenticator.authenticate(ODLAuthenticator.java:59) ~[?:?]
> at org.jolokia.osgi.security.ServiceAuthenticationHttpContext.handleSecurity(ServiceAuthenticationHttpContext.java:72) ~[?:?]
> at org.ops4j.pax.web.service.spi.context.WebContainerContextWrapper.handleSecurity(WebContainerContextWrapper.java:85) ~[?:?]
> at org.ops4j.pax.web.service.spi.servlet.OsgiFilterChain.doFilter(OsgiFilterChain.java:98) ~[?:?]
> at org.ops4j.pax.web.service.jetty.internal.PaxWebServletHandler.doHandle(PaxWebServletHandler.java:310) ~[?:?]
> at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143) ~[?:?]
Is this expected behaviour? I would have expected to hit
ServiceAuthenticationHttpContext only when servicing /jolokia...
Thanks,
Robert
Re: pax-web-8: handling security for non-existent resources?
Posted by Grzegorz Grzybek <gr...@gmail.com>.
Hello Robert!
> Right, and this I think is actually a bug in Jolokia. I think it should
> set its context path to /jolokia and use urlPatterns=/*, right?
>
It's not a bug in Jolokia, but a limitation of the method to register a
servlet...
If you `git blame` related lines, you'll see:
https://github.com/rhuss/jolokia/blame/v1.7.2/agent/osgi/src/main/java/org/jolokia/osgi/JolokiaActivator.java#L322-L325
This code was added ... 12 years ago and the only method back then was to
use the OSGi CMPN HttpService specification, which allowed you to do these:
- register a servlet
- register resources
That's all. No filters, *no contexts other than "/"!*, no listeners, no
nothing...
Whiteboard specification is more flexible and I think this is what should
be done:
- please create a rhuss/jolokia GH issue with your problem, let me know
and I'll add my comments there (and PR to turn it into whiteboard)
- for now, you have to live with what we have. I agree that Jolokia
"takes over" the "/" context, but is it possible that you use a different
context and register a servlet to "/" that redirects all (but
"/jolokia/*") URIs to your context?
regards
Grzegorz Grzybek
Re: pax-web-8: handling security for non-existent resources?
Posted by Robert Varga <ni...@hq.sk>.
On 17/08/2022 08:31, Grzegorz Grzybek wrote:
> Hello
Hello Grzegorz,
sorry for the late reply. I needed some time to get into this entire
business.
>> Is this expected behaviour? I would have expected to hit
>> ServiceAuthenticationHttpContext only when servicing /jolokia...
>>
>
> /jolokia/* mapping (actually a one-element array of URL patterns) is a
> mapping for org.jolokia.osgi.servlet.JolokiaServlet registered into "/"
> (default, ROOT) context. See this in logs:
>
>> Adding servlet ServletModel{id=ServletModel-3,name='org.jolokia.osgi.servlet.JolokiaServlet',alias='/jolokia',urlPatterns=[/jolokia/*],servlet=org.jolokia.osgi.servlet.JolokiaServlet@2d7892f6,contexts=[{HS,OCM-4,context:570736934,/}]}
>>
Right, and this I think is actually a bug in Jolokia. I think it should
set its context path to /jolokia and use urlPatterns=/*, right?
That way...
>
> toString() method for ServletModel shows the associated (as in Whiteboard
> specification) _contexts_. The single associated context is:
>
> {HS,OCM-4,context:570736934,/}
>>
>
> HS means "Http Service", OCM-4 is an internal ID of the context and
> "context:570736934" is a generated name, because Jolokia's provided
> "ServiceAuthenticationHttpContext" is wrapped to match the API consistency
> internally. This "ServiceAuthenticationHttpContext" is used by Jolokia to
> register the servlet:
>
>     service.registerServlet(getServletAlias(),
>                             new JolokiaServlet(context,restrictor),
>                             getConfiguration(),
>                             getHttpContext());
>
> (see 4th parameter - result of getHttpContext()).
>
> What's more important is that such context replaces default "/" context
> from Whiteboard specification:
it would just not do this...
>> 2022-08-16T08:09:51,804 | INFO | paxweb-config-1-thread-1 | JettyServerWrapper | 474 - org.ops4j.pax.web.pax-web-jetty - 8.0.2 | Changing default OSGi context model for o.o.p.w.s.j.i.PaxWebServletContextHandler@14729e2e{/,null,STOPPED}
>> 2022-08-16T08:09:51,804 | INFO | paxweb-config-1-thread-1 | OsgiServletContext | 477 - org.ops4j.pax.web.pax-web-spi - 8.0.2 | Unegistering OsgiServletContext{model=OsgiContextModel{WB,id=OCM-1,name='default',path='/',bundle=org.ops4j.pax.web.pax-web-extender-whiteboard,context=(supplier)}} as OSGi service for "/" context path
>> 2022-08-16T08:09:51,804 | INFO | paxweb-config-1-thread-1 | OsgiServletContext | 477 - org.ops4j.pax.web.pax-web-spi - 8.0.2 | Registering OsgiServletContext{model=OsgiContextModel{HS,id=OCM-4,name='context:570736934',path='/',bundle=org.jolokia.osgi,context=WebContainerContextWrapper{bundle=org.jolokia.osgi_1.7.1 [166],contextId='context:570736934',delegate=org.jolokia.osgi.security.ServiceAuthenticationHttpContext@2204c126}}} as OSGi service for "/" context path
>
>
> See
> {WB,id=OCM-1,name='default',path='/',bundle=org.ops4j.pax.web.pax-web-extender-whiteboard,context=(supplier)}}
>
> was replaced by:
> {HS,id=OCM-4,name='context:570736934',path='/',bundle=org.jolokia.osgi,context=WebContainerContextWrapper{bundle=org.jolokia.osgi_1.7.1 [166],contextId='context:570736934',delegate=org.jolokia.osgi.security.ServiceAuthenticationHttpContext@2204c126}}}
>
>
> So the context (in terms of org.osgi.service.http.HttpContext and
> org.osgi.service.http.context.ServletContextHelper) was switched from the
> one provided (by default) by org.ops4j.pax.web.pax-web-extender-whiteboard
> bundle to the one provided by Jolokia.
... and then the context for '/' ...
> And now the final part of the explanation - what is used to handle
> /restconf/operational/network-topology:network-topology/topology/example-ipv4-topology
> URL? Pax Web delegates to the underlying container (Jetty, Tomcat and
> Undertow) to handle the mapping - and according to Servlets specification,
> first, the context is chosen using the longest possible path.
>
> From the logs you've provided, I see that in addition to "/" context (now
> managed by Jolokia) you have two more contexts:
>
> - /auth - {WB,id=OCM-8,name='/auth.id',path='/auth',bundle=org.opendaylight.aaa.shiro,ref={org.osgi.service.http.context.ServletContextHelper}={service.id=464, osgi.http.whiteboard.context.name=/auth.id, service.bundleid=181, service.scope=singleton, osgi.http.whiteboard.context.path=/auth}}
> - /yanglib - {WB,id=OCM-13,name='/yanglib.id',path='/yanglib',bundle=org.opendaylight.netconf.yanglib,ref={org.osgi.service.http.context.ServletContextHelper}={service.id=472, osgi.http.whiteboard.context.name=/yanglib.id, service.bundleid=370, service.scope=singleton, osgi.http.whiteboard.context.path=/yanglib}}
>
> There are no contexts with paths like:
>
> - /restconf/operational/network-topology:network-topology
> - /restconf/operational
> - /restconf
Right, and the answer is 404, no matter auth result, because the
endpoint has been removed (same development iteration, previous patch,
but since it used to pass auth, it went to 404).
The problem here is that Jolokia taking over default auth (and Jolokia
auth not working) is turning the 404 into a 5xx.
> (at least I don't see them). So the context that handles
> /restconf/operational/network-topology:network-topology/topology/example-ipv4-topology
> is simply "/" with Jolokia's provided security handled by
> org.jolokia.osgi.security.ServiceAuthenticationHttpContext.handleSecurity().
>
> Can you check Karaf's web:context-list command?
Sure, here it is:
> pendaylight-user@root>web:context-list
> Bundle ID │ Symbolic Name │ Context Path │ Context Name │ Rank │ Service ID │ Type │ Scope │ Registration Properties
> ──────────┼───────────────────────────────────────────────┼──────────────┼────────────────────┼──────┼────────────┼─────────────┼───────────┼────────────────────────────────────────────────────────────
> 164 │ org.jolokia.osgi │ / │ context:1315411419 │ MAX │ 0 │ HttpService │ static* │ httpContext.id=context:1315411419
> │ │ │ │ │ │ │ │ httpContext.path=/
> │ │ │ │ │ │ │ │ osgi.http.whiteboard.context.httpservice=context:1315411419
> │ │ │ │ │ │ │ │ osgi.http.whiteboard.context.path=/
> 308 │ org.ops4j.pax.web.pax-web-extender-whiteboard │ / │ default │ 0 │ 0 │ Whiteboard │ static* │ osgi.http.whiteboard.context.name=default
> │ │ │ │ │ │ │ │ osgi.http.whiteboard.context.path=/
> 254 │ org.opendaylight.netconf.restconf-nb │ / │ /.id │ 0 │ 273 │ Whiteboard │ singleton │ osgi.http.whiteboard.context.name=/.id
> │ │ │ │ │ │ │ │ osgi.http.whiteboard.context.path=/
> 337 │ org.opendaylight.netconf.sal-rest-docgen │ /apidoc │ /apidoc.id │ 0 │ 281 │ Whiteboard │ singleton │ osgi.http.whiteboard.context.name=/apidoc.id
> │ │ │ │ │ │ │ │ osgi.http.whiteboard.context.path=/apidoc
> 174 │ org.opendaylight.aaa.shiro │ /auth │ /auth.id │ 0 │ 263 │ Whiteboard │ singleton │ osgi.http.whiteboard.context.name=/auth.id
but, in the meantime, with my better understanding of context path
(thanks a lot for that!), it now looks like this:
> opendaylight-user@root>web:context-list
> Bundle ID │ Symbolic Name │ Context Path │ Context Name │ Rank │ Service ID │ Type │ Scope │ Registration Properties
> ──────────┼───────────────────────────────────────────────┼──────────────┼───────────────────┼──────┼────────────┼─────────────┼───────────┼───────────────────────────────────────────────────────────
> 164 │ org.jolokia.osgi │ / │ context:534196305 │ MAX │ 0 │ HttpService │ static* │ httpContext.id=context:534196305
> │ │ │ │ │ │ │ │ httpContext.path=/
> │ │ │ │ │ │ │ │ osgi.http.whiteboard.context.httpservice=context:534196305
> │ │ │ │ │ │ │ │ osgi.http.whiteboard.context.path=/
> 312 │ org.ops4j.pax.web.pax-web-extender-whiteboard │ / │ default │ 0 │ 0 │ Whiteboard │ static* │ osgi.http.whiteboard.context.name=default
> │ │ │ │ │ │ │ │ osgi.http.whiteboard.context.path=/
> 256 │ org.opendaylight.netconf.restconf-nb │ /.well-known │ /.well-known.id │ 0 │ 286 │ Whiteboard │ singleton │ osgi.http.whiteboard.context.name=/.well-known.id
> │ │ │ │ │ │ │ │ osgi.http.whiteboard.context.path=/.well-known
> 342 │ org.opendaylight.netconf.sal-rest-docgen │ /apidoc │ /apidoc.id │ 0 │ 291 │ Whiteboard │ singleton │ osgi.http.whiteboard.context.name=/apidoc.id
> │ │ │ │ │ │ │ │ osgi.http.whiteboard.context.path=/apidoc
> 174 │ org.opendaylight.aaa.shiro │ /auth │ /auth.id │ 0 │ 270 │ Whiteboard │ singleton │ osgi.http.whiteboard.context.name=/auth.id
> │ │ │ │ │ │ │ │ osgi.http.whiteboard.context.path=/auth
> 256 │ org.opendaylight.netconf.restconf-nb │ /rests │ /rests.id │ 0 │ 279 │ Whiteboard │ singleton │ osgi.http.whiteboard.context.name=/rests.id
> │ │ │ │ │ │ │ │ osgi.http.whiteboard.context.path=/rests
>
> *) This context is using ServletContextHelper/HttpContext without resolving an org.osgi.framework.ServiceReference.
Nevertheless, I think things are less than optimal -- Jolokia should not
be taking over default auth.
This was the case for restconf-nb above, where it was serving /rests and
/.well-known, but registered both as servlets under the default context
path, thus causing the double auth in above logs (and /restconf it used
to handle). With that bit correct, things do not double-auth, except for
the case highlighted above, where Jolokia auth triggers for requests
which result in 404.
Now the outlier is Jolokia; it is only the pax-web-extender-whiteboard
that should have contextPath=/ (for obvious reasons).
Do you agree? I can raise a Jolokia PR to correct that.
Thanks,
Robert
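The dispatch order discussed in this thread, as an added example (a plain-JDK toy model, not Pax Web, Jetty or Jolokia code): the context is chosen by longest context path, that context's security hook runs, and only then is a servlet looked up. All class, method and constant names are hypothetical; the model assumes one context per context path and only `/*`-style patterns. It compares Jolokia's context owning "/" with the proposed context path /jolokia and urlPatterns=/*.

```java
import java.util.Arrays;
import java.util.List;
import java.util.function.Predicate;

/** Toy model of context selection and handleSecurity(); not Pax Web, Jetty or Jolokia code. */
public class ContextDispatchDemo {

    /** One servlet context: context path, security hook, servlet URL patterns. */
    static final class Context {
        final String path;                      // "/" or e.g. "/jolokia"
        final Predicate<String> handleSecurity; // stands in for HttpContext.handleSecurity()
        final List<String> patterns;            // only "/*" and "/prefix/*" are modelled

        Context(String path, Predicate<String> handleSecurity, String... patterns) {
            this.path = path;
            this.handleSecurity = handleSecurity;
            this.patterns = Arrays.asList(patterns);
        }

        /** True when the request URI falls under this context path. */
        boolean owns(String uri) {
            return path.equals("/") || uri.equals(path) || uri.startsWith(path + "/");
        }

        /** True when a registered pattern matches the URI relative to the context path. */
        boolean hasServletFor(String uri) {
            String rel = path.equals("/") ? uri : uri.substring(path.length());
            for (String p : patterns) {
                String prefix = p.substring(0, p.length() - 2); // drop the trailing "/*"
                if (rel.equals(prefix) || rel.startsWith(prefix + "/")) {
                    return true;
                }
            }
            return false;
        }
    }

    // Constructed stand-ins for the two kinds of security hook seen in the thread.
    static final Predicate<String> ALLOW_ALL = uri -> true;  // context without authentication
    static final Predicate<String> BROKEN_AUTH = uri -> {    // misconfigured authenticator
        throw new IllegalStateException("No SecurityManager accessible to the calling code");
    };

    /** Returns the HTTP status the model produces for a request URI. */
    static int dispatch(List<Context> contexts, String uri) {
        // 1. The container picks the context with the longest matching context path.
        Context chosen = null;
        for (Context c : contexts) {
            if (c.owns(uri) && (chosen == null || c.path.length() > chosen.path.length())) {
                chosen = c;
            }
        }
        if (chosen == null) {
            return 404;
        }
        // 2. The chosen context's security hook runs before any servlet is looked up.
        try {
            if (!chosen.handleSecurity.test(uri)) {
                return 401; // simplification: a real hook writes its own error response
            }
        } catch (RuntimeException e) {
            return 500;     // an exception in the hook surfaces as a server error
        }
        // 3. Only now does a missing servlet mapping become a 404.
        return chosen.hasServletFor(uri) ? 200 : 404;
    }

    /** Layout from the first log excerpt: Jolokia's context owns "/". */
    static List<Context> before() {
        return Arrays.asList(
            new Context("/", BROKEN_AUTH, "/jolokia/*"),
            new Context("/auth", ALLOW_ALL, "/*"),
            new Context("/yanglib", ALLOW_ALL, "/*"));
    }

    /** Proposed layout: Jolokia gets context path /jolokia with urlPatterns=/*. */
    static List<Context> after() {
        return Arrays.asList(
            new Context("/", ALLOW_ALL),
            new Context("/jolokia", BROKEN_AUTH, "/*"),
            new Context("/auth", ALLOW_ALL, "/*"),
            new Context("/yanglib", ALLOW_ALL, "/*"));
    }

    public static void main(String[] args) {
        // The first URI is constructed; the second is the unmapped one from the thread.
        List<String> uris = Arrays.asList(
            "/jolokia/read/example",
            "/restconf/operational/network-topology:network-topology/topology/example-ipv4-topology");
        for (String uri : uris) {
            System.out.printf("%s%n  Jolokia context on \"/\":        %d%n"
                    + "  Jolokia context on \"/jolokia\": %d%n",
                    uri, dispatch(before(), uri), dispatch(after(), uri));
        }
    }
}
```

In the second layout the broken authenticator still fails requests under /jolokia, but it is no longer consulted for paths that belong to no other context.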
Re: pax-web-8: handling security for non-existent resources?
Posted by Grzegorz Grzybek <gr...@gmail.com>.
Hello
> Is this expected behaviour? I would have expected to hit
> ServiceAuthenticationHttpContext only when servicing /jolokia...
>
/jolokia/* mapping (actually a one-element array of URL patterns) is a
mapping for org.jolokia.osgi.servlet.JolokiaServlet registered into "/"
(default, ROOT) context. See this in logs:
> Adding servlet ServletModel{id=ServletModel-3,name='org.jolokia.osgi.servlet.JolokiaServlet',alias='/jolokia',urlPatterns=[/jolokia/*],servlet=org.jolokia.osgi.servlet.JolokiaServlet@2d7892f6,contexts=[{HS,OCM-4,context:570736934,/}]}
>
toString() method for ServletModel shows the associated (as in Whiteboard
specification) _contexts_. The single associated context is:
> {HS,OCM-4,context:570736934,/}
>
HS means "Http Service", OCM-4 is an internal ID of the context and
"context:570736934" is a generated name, because Jolokia's provided
"ServiceAuthenticationHttpContext" is wrapped to match the API consistency
internally. This "ServiceAuthenticationHttpContext" is used by Jolokia to
register the servlet:
    service.registerServlet(getServletAlias(),
                            new JolokiaServlet(context,restrictor),
                            getConfiguration(),
                            getHttpContext());
(see 4th parameter - result of getHttpContext()).
What's more important is that such context replaces default "/" context
from Whiteboard specification:
> 2022-08-16T08:09:51,804 | INFO | paxweb-config-1-thread-1 | JettyServerWrapper | 474 - org.ops4j.pax.web.pax-web-jetty - 8.0.2 | Changing default OSGi context model for o.o.p.w.s.j.i.PaxWebServletContextHandler@14729e2e{/,null,STOPPED}
> 2022-08-16T08:09:51,804 | INFO | paxweb-config-1-thread-1 | OsgiServletContext | 477 - org.ops4j.pax.web.pax-web-spi - 8.0.2 | Unegistering OsgiServletContext{model=OsgiContextModel{WB,id=OCM-1,name='default',path='/',bundle=org.ops4j.pax.web.pax-web-extender-whiteboard,context=(supplier)}} as OSGi service for "/" context path
> 2022-08-16T08:09:51,804 | INFO | paxweb-config-1-thread-1 | OsgiServletContext | 477 - org.ops4j.pax.web.pax-web-spi - 8.0.2 | Registering OsgiServletContext{model=OsgiContextModel{HS,id=OCM-4,name='context:570736934',path='/',bundle=org.jolokia.osgi,context=WebContainerContextWrapper{bundle=org.jolokia.osgi_1.7.1 [166],contextId='context:570736934',delegate=org.jolokia.osgi.security.ServiceAuthenticationHttpContext@2204c126}}} as OSGi service for "/" context path
See
{WB,id=OCM-1,name='default',path='/',bundle=org.ops4j.pax.web.pax-web-extender-whiteboard,context=(supplier)}}
was replaced by:
{HS,id=OCM-4,name='context:570736934',path='/',bundle=org.jolokia.osgi,context=WebContainerContextWrapper{bundle=org.jolokia.osgi_1.7.1
[166],contextId='context:570736934',delegate=org.jolokia.osgi.security.ServiceAuthenticationHttpContext@2204c126}}}
So the context (in terms of org.osgi.service.http.HttpContext and
org.osgi.service.http.context.ServletContextHelper) was switched from the
one provided (by default) by org.ops4j.pax.web.pax-web-extender-whiteboard
bundle to the one provided by Jolokia.
And now the final part of the explanation - what is used to handle
/restconf/operational/network-topology:network-topology/topology/example-ipv4-topology
URL? Pax Web delegates to the underlying container (Jetty, Tomcat and
Undertow) to handle the mapping - and according to Servlets specification,
first, the context is chosen using the longest possible path.
From the logs you've provided, I see that in addition to "/" context (now
managed by Jolokia) you have two more contexts:
- /auth - {WB,id=OCM-8,name='/auth.id',path='/auth',bundle=org.opendaylight.aaa.shiro,ref={org.osgi.service.http.context.ServletContextHelper}={service.id=464, osgi.http.whiteboard.context.name=/auth.id, service.bundleid=181, service.scope=singleton, osgi.http.whiteboard.context.path=/auth}}
- /yanglib - {WB,id=OCM-13,name='/yanglib.id',path='/yanglib',bundle=org.opendaylight.netconf.yanglib,ref={org.osgi.service.http.context.ServletContextHelper}={service.id=472, osgi.http.whiteboard.context.name=/yanglib.id, service.bundleid=370, service.scope=singleton, osgi.http.whiteboard.context.path=/yanglib}}
There are no contexts with paths like:
- /restconf/operational/network-topology:network-topology
- /restconf/operational
- /restconf
(at least I don't see them). So the context that handles
/restconf/operational/network-topology:network-topology/topology/example-ipv4-topology
is simply "/" with Jolokia's provided security handled by
org.jolokia.osgi.security.ServiceAuthenticationHttpContext.handleSecurity().
Can you check Karaf's web:context-list command?
regards
Grzegorz Grzybek
On Tue, 16 Aug 2022 at 20:03 Robert Varga <ni...@hq.sk> wrote:
> Hello,
>
> while integrating karaf-4.4.0 into OpenDaylight I ran across a bit of
> strangeness.
>
> We are using Jetty as the implementation and register things through
> both HTTP Service and also via HTTP Whiteboard, with Shiro in the mix
> for good measure (via a an indirection, but let's not go into that for
> sanity's sake).
>
> Due to the way system works together, we end up with Jolokia registering
> via HttpService, which prompts the creation of a default Jetty context:
>
> > 2022-08-16T08:09:51,791 | INFO | features-3-thread-1 |
> FeaturesServiceImpl | 16 - org.apache.karaf.features.core -
> 4.4.0 | org.jolokia.osgi/1.7.1
> > 2022-08-16T08:09:51,793 | INFO | features-3-thread-1 |
> StoppableHttpServiceFactory | 476 - org.ops4j.pax.web.pax-web-runtime
> - 8.0.2 | Binding HTTP Service for bundle: [org.jolokia.osgi_1.7.1 [166]]
> > 2022-08-16T08:09:51,802 | INFO | paxweb-config-1-thread-1 |
> HttpServiceEnabled | 476 - org.ops4j.pax.web.pax-web-runtime
> - 8.0.2 | Registering
> ServletModel{id=ServletModel-3,name='org.jolokia.osgi.servlet.JolokiaServlet',alias='/jolokia',urlPatterns=[/jolokia/*],servlet=org.jolokia.osgi.servlet.JolokiaServlet@2d7892f6
> ,contexts=[{HS,OCM-4,context:570736934,/}]}
> > 2022-08-16T08:09:51,803 | INFO | paxweb-config-1-thread-1 |
> JettyServerController | 474 - org.ops4j.pax.web.pax-web-jetty -
> 8.0.2 | Receiving Batch{"Registration of
> ServletModel{id=ServletModel-3,name='org.jolokia.osgi.servlet.JolokiaServlet',alias='/jolokia',urlPatterns=[/jolokia/*],servlet=org.jolokia.osgi.servlet.JolokiaServlet@2d7892f6,contexts=null}",
> size=3}
> > 2022-08-16T08:09:51,803 | INFO | paxweb-config-1-thread-1 |
> JettyServerWrapper | 474 - org.ops4j.pax.web.pax-web-jetty -
> 8.0.2 | Adding
> OsgiContextModel{HS,id=OCM-4,name='context:570736934',path='/',bundle=org.jolokia.osgi,context=WebContainerContextWrapper{bundle=org.jolokia.osgi_1.7.1
> [166],contextId='context:570736934',delegate=org.jolokia.osgi.security.ServiceAuthenticationHttpContext@2204c126}}
> to o.o.p.w.s.j.i.PaxWebServletContextHandler@14729e2e{/,null,STOPPED}
> > 2022-08-16T08:09:51,804 | INFO | paxweb-config-1-thread-1 |
> JettyServerWrapper | 474 - org.ops4j.pax.web.pax-web-jetty -
> 8.0.2 | Changing default OSGi context model for
> o.o.p.w.s.j.i.PaxWebServletContextHandler@14729e2e{/,null,STOPPED}
> > 2022-08-16T08:09:51,804 | INFO | paxweb-config-1-thread-1 |
> OsgiServletContext | 477 - org.ops4j.pax.web.pax-web-spi -
> 8.0.2 | Unegistering
> OsgiServletContext{model=OsgiContextModel{WB,id=OCM-1,name='default',path='/',bundle=org.ops4j.pax.web.pax-web-extender-whiteboard,context=(supplier)}}
> as OSGi service for "/" context path
> > 2022-08-16T08:09:51,804 | INFO | paxweb-config-1-thread-1 |
> OsgiServletContext | 477 - org.ops4j.pax.web.pax-web-spi -
> 8.0.2 | Registering
> OsgiServletContext{model=OsgiContextModel{HS,id=OCM-4,name='context:570736934',path='/',bundle=org.jolokia.osgi,context=WebContainerContextWrapper{bundle=org.jolokia.osgi_1.7.1
> [166],contextId='context:570736934',delegate=org.jolokia.osgi.security.ServiceAuthenticationHttpContext@2204c126}}}
> as OSGi service for "/" context path
> > 2022-08-16T08:09:51,805 | INFO | paxweb-config-1-thread-1 |
> JettyServerWrapper | 474 - org.ops4j.pax.web.pax-web-jetty -
> 8.0.2 | Adding servlet
> ServletModel{id=ServletModel-3,name='org.jolokia.osgi.servlet.JolokiaServlet',alias='/jolokia',urlPatterns=[/jolokia/*],servlet=org.jolokia.osgi.servlet.JolokiaServlet@2d7892f6
> ,contexts=[{HS,OCM-4,context:570736934,/}]}
> > 2022-08-16T08:09:51,808 | INFO | paxweb-config-1-thread-1 |
> JettyServerWrapper | 474 - org.ops4j.pax.web.pax-web-jetty -
> 8.0.2 | Starting Jetty context "/" with default Osgi Context
> OsgiContextModel{HS,id=OCM-4,name='context:570736934',path='/',bundle=org.jolokia.osgi,context=WebContainerContextWrapper{bundle=org.jolokia.osgi_1.7.1
> [166],contextId='context:570736934',delegate=org.jolokia.osgi.security.ServiceAuthenticationHttpContext@2204c126
> }}
>
> This is driven by this bit of code:
>
> https://github.com/rhuss/jolokia/blob/33ee8be04aedacf9af2d1ca917dd6c89b119c628/agent/osgi/src/main/java/org/jolokia/osgi/JolokiaActivator.java#L322-L325
>
> We then proceed to start a ton of other services, like:
>
> > 2022-08-16T08:09:57,729 | INFO | paxweb-config-1-thread-1 |
> JettyServerWrapper | 474 - org.ops4j.pax.web.pax-web-jetty -
> 8.0.2 | Starting Jetty context "/auth" with default Osgi Context
> OsgiContextModel{WB,id=OCM-8,name='/auth.id
> ',path='/auth',bundle=org.opendaylight.aaa.shiro,ref={org.osgi.service.http.context.ServletContextHelper}={
> service.id=464, osgi.http.whiteboard.context.name=/auth.id,
> service.bundleid=181, service.scope=singleton,
> osgi.http.whiteboard.context.path=/auth}}
> > 2022-08-16T08:09:57,738 | INFO | paxweb-config-1-thread-1 |
> JettyServerWrapper | 474 - org.ops4j.pax.web.pax-web-jetty -
> 8.0.2 | Starting Jetty context "/yanglib" with default Osgi Context
> OsgiContextModel{WB,id=OCM-13,name='/yanglib.id
> ',path='/yanglib',bundle=org.opendaylight.netconf.yanglib,ref={org.osgi.service.http.context.ServletContextHelper}={
> service.id=472, osgi.http.whiteboard.context.name=/yanglib.id,
> service.bundleid=370, service.scope=singleton,
> osgi.http.whiteboard.context.path=/yanglib}}
> > 2022-08-16T08:09:57,800 | INFO | paxweb-config-1-thread-1 |
> HttpServiceEnabled | 476 - org.ops4j.pax.web.pax-web-runtime
> - 8.0.2 | Registering
> ServletModel{id=ServletModel-29,name='org.glassfish.jersey.servlet.ServletContainer',urlPatterns=[/rests/*],contexts=[{WB,OCM-26,/.id,/}]}
>
> Now, due to a screw up on my part ServiceAuthenticationHttpContext ends
> up not working, so this error is very much expected:
>
> > 2022-08-16T08:10:04,226 | WARN | qtp874199530-623 | HttpChannel
> | 146 - org.eclipse.jetty.util - 9.4.46.v20220331 |
> /jolokia/read/org.opendaylight.controller:Category=Shards,name=member-1-shard-default-config,type=DistributedConfigDatastore
> > org.apache.shiro.UnavailableSecurityManagerException: No SecurityManager
> accessible to the calling code, either bound to the
> org.apache.shiro.util.ThreadContext or as a vm static singleton. This is
> an invalid application configuration.
> > at
> org.apache.shiro.SecurityUtils.getSecurityManager(SecurityUtils.java:123)
> ~[?:?]
> > at
> org.apache.shiro.subject.Subject$Builder.<init>(Subject.java:626) ~[?:?]
> > at
> org.apache.shiro.SecurityUtils.getSubject(SecurityUtils.java:56) ~[?:?]
> > at
> org.opendaylight.aaa.authenticator.ODLAuthenticator.login(ODLAuthenticator.java:87)
> ~[?:?]
> > at
> org.opendaylight.aaa.authenticator.ODLAuthenticator.authenticate(ODLAuthenticator.java:59)
> ~[?:?]
> > at
> org.jolokia.osgi.security.ServiceAuthenticationHttpContext.handleSecurity(ServiceAuthenticationHttpContext.java:72)
> ~[?:?]
> > at
> org.ops4j.pax.web.service.spi.context.WebContainerContextWrapper.handleSecurity(WebContainerContextWrapper.java:85)
> ~[?:?]
> > at
> org.ops4j.pax.web.service.spi.servlet.OsgiFilterChain.doFilter(OsgiFilterChain.java:98)
> ~[?:?]
> > at
> org.ops4j.pax.web.service.jetty.internal.PaxWebServletHandler.doHandle(PaxWebServletHandler.java:310)
> ~[?:?]
> > at
> org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
> ~[bundleFile:9.4.46.v20220331]
>
> What is weird, though, is that ServiceAuthenticationHttpContext is also
> consulted for resources which do not exist, i.e. if it worked, this
> request would have resulted in a 404:
>
> > 2022-08-16T08:10:06,851 | WARN | qtp874199530-146 | HttpChannel
> | 146 - org.eclipse.jetty.util - 9.4.46.v20220331 |
> /restconf/operational/network-topology:network-topology/topology/example-ipv4-topology
> > org.apache.shiro.UnavailableSecurityManagerException: No SecurityManager
> accessible to the calling code, either bound to the
> org.apache.shiro.util.ThreadContext or as a vm static singleton. This is
> an invalid application configuration.
> > at
> org.apache.shiro.SecurityUtils.getSecurityManager(SecurityUtils.java:123)
> ~[?:?]
> > at
> org.apache.shiro.subject.Subject$Builder.<init>(Subject.java:626) ~[?:?]
> > at
> org.apache.shiro.SecurityUtils.getSubject(SecurityUtils.java:56) ~[?:?]
> > at
> org.opendaylight.aaa.authenticator.ODLAuthenticator.login(ODLAuthenticator.java:87)
> ~[?:?]
> > at
> org.opendaylight.aaa.authenticator.ODLAuthenticator.authenticate(ODLAuthenticator.java:59)
> ~[?:?]
> > at
> org.jolokia.osgi.security.ServiceAuthenticationHttpContext.handleSecurity(ServiceAuthenticationHttpContext.java:72)
> ~[?:?]
> > at
> org.ops4j.pax.web.service.spi.context.WebContainerContextWrapper.handleSecurity(WebContainerContextWrapper.java:85)
> ~[?:?]
> > at
> org.ops4j.pax.web.service.spi.servlet.OsgiFilterChain.doFilter(OsgiFilterChain.java:98)
> ~[?:?]
> > at
> org.ops4j.pax.web.service.jetty.internal.PaxWebServletHandler.doHandle(PaxWebServletHandler.java:310)
> ~[?:?]
> > at
> org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
> ~[?:?]
>
> Is this expected behaviour? I would have expected to hit
> ServiceAuthenticationHttpContext only when servicing /jolokia...
>
> Thanks,
> Robert
>
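Added example, not part of the original thread and not Pax Web, Jetty or Jolokia code: a simplified model of the dispatch order described in the reply above (longest context path wins, then that context's handleSecurity() is consulted whether or not a servlet is mapped). The Context record, the select/dispatch helpers and the sample URIs other than the /restconf one are constructed for illustration; it needs Java 16 or later for records.

```java
import java.util.*;
import java.util.function.Predicate;

/** Simplified model of context selection and security handling; not the real container code. */
public class ContextDispatchModel {

    /** One web context: context path, security callback, and servlet path prefixes inside it. */
    record Context(String name, String path, Predicate<String> handleSecurity,
                   List<String> servletPrefixes) {}

    /** Step 1: choose the context with the longest path that is a prefix of the request URI. */
    static Context select(List<Context> contexts, String uri) {
        return contexts.stream()
                .filter(c -> c.path().equals("/") || uri.equals(c.path())
                        || uri.startsWith(c.path() + "/"))
                .max(Comparator.comparingInt(c -> c.path().length()))
                .orElseThrow();
    }

    /** Step 2: consult the chosen context's security callback. Step 3: only then resolve a servlet. */
    static String dispatch(List<Context> contexts, String uri) {
        Context ctx = select(contexts, uri);
        if (!ctx.handleSecurity().test(uri)) {
            return ctx.name() + ": stopped by handleSecurity";
        }
        String rest = ctx.path().equals("/") ? uri : uri.substring(ctx.path().length());
        boolean mapped = ctx.servletPrefixes().stream()
                .anyMatch(p -> rest.equals(p) || rest.startsWith(p + "/"));
        return ctx.name() + (mapped ? ": 200" : ": 404");
    }

    public static void main(String[] args) {
        // Constructed contexts mirroring the thread: "/" owned by Jolokia's HttpContext,
        // plus the /auth and /yanglib Whiteboard contexts. No context exists for /restconf.
        Predicate<String> failingSecurity = uri -> false; // stands in for a broken handleSecurity()
        Predicate<String> permitAll = uri -> true;
        List<Context> contexts = List.of(
                new Context("OCM-4 (/)", "/", failingSecurity, List.of("/jolokia")),
                new Context("OCM-8 (/auth)", "/auth", permitAll, List.of()),
                new Context("OCM-13 (/yanglib)", "/yanglib", permitAll, List.of()));
        List<String> uris = List.of(
                "/jolokia/read/x",
                "/restconf/operational/network-topology:network-topology/topology/example-ipv4-topology",
                "/yanglib/missing");
        for (String uri : uris) {
            System.out.println(uri + " -> " + dispatch(contexts, uri));
        }
    }
}
```

In this model the /restconf URI falls through to the "/" context and is stopped by its security callback before any 404 can be produced, while /yanglib/missing reaches its own context and gets the 404.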