Improvement
Resolution: Unresolved
Medium
Our current implementation takes over the entire /.well-known namespace. This leads to bad interaction with other HTTP endpoint discovery mechanisms, because we end up leaking our authentication requirement onto every resource under that path. This is evidenced by:

opendaylight-user@root>web:context-list
Bundle ID │ Symbolic Name                                 │ Context Path │ Context Name      │ Rank │ Service ID │ Type        │ Scope     │ Registration Properties
──────────┼───────────────────────────────────────────────┼──────────────┼───────────────────┼──────┼────────────┼─────────────┼───────────┼───────────────────────────────────────────────────────────
164       │ org.jolokia.osgi                              │ /            │ context:534196305 │ MAX  │ 0          │ HttpService │ static*   │ httpContext.id=context:534196305
          │                                               │              │                   │      │            │             │           │ httpContext.path=/
          │                                               │              │                   │      │            │             │           │ osgi.http.whiteboard.context.httpservice=context:534196305
          │                                               │              │                   │      │            │             │           │ osgi.http.whiteboard.context.path=/
312       │ org.ops4j.pax.web.pax-web-extender-whiteboard │ /            │ default           │ 0    │ 0          │ Whiteboard  │ static*   │ osgi.http.whiteboard.context.name=default
          │                                               │              │                   │      │            │             │           │ osgi.http.whiteboard.context.path=/
256       │ org.opendaylight.netconf.restconf-nb          │ /.well-known │ /.well-known.id   │ 0    │ 286        │ Whiteboard  │ singleton │ osgi.http.whiteboard.context.name=/.well-known.id
          │                                               │              │                   │      │            │             │           │ osgi.http.whiteboard.context.path=/.well-known
342       │ org.opendaylight.netconf.sal-rest-docgen      │ /apidoc      │ /apidoc.id        │ 0    │ 291        │ Whiteboard  │ singleton │ osgi.http.whiteboard.context.name=/apidoc.id
          │                                               │              │                   │      │            │             │           │ osgi.http.whiteboard.context.path=/apidoc
174       │ org.opendaylight.aaa.shiro                    │ /auth        │ /auth.id          │ 0    │ 270        │ Whiteboard  │ singleton │ osgi.http.whiteboard.context.name=/auth.id
          │                                               │              │                   │      │            │             │           │ osgi.http.whiteboard.context.path=/auth
256       │ org.opendaylight.netconf.restconf-nb          │ /rests       │ /rests.id         │ 0    │ 279        │ Whiteboard  │ singleton │ osgi.http.whiteboard.context.name=/rests.id
This also interacts with other discovery mechanisms, for example OpenAPI. As such we should only be contributing the resource discovery resources themselves and not placing authentication requirements on the namespace – those should be set by the default handler policy, really.
Separate out the two resources we provide (/.well-known/host-meta and /.well-known/host-meta.json) and disable authentication on them.
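One way to do what the previous sentence proposes, shown as an added example rather than the project's own code: register the two host-meta documents as exact-pattern whiteboard servlets in the shared default context, so only those two paths are claimed and nothing else under /.well-known is touched. The activator class name and the sample XRD/JRD bodies are assumptions, as is the premise that authentication is enforced by a filter bound to the bundle's own context (so registering into the default context leaves these two paths without it).

```java
import java.io.IOException;
import java.util.Hashtable;
import javax.servlet.Servlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.osgi.framework.BundleActivator;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceRegistration;
import org.osgi.service.http.whiteboard.HttpWhiteboardConstants;

// Added example (not OpenDaylight code): exact-pattern servlets in the default context instead of a whole /.well-known context.
public final class HostMetaActivator implements BundleActivator {
    // Constructed sample documents; a real implementation derives the RESTCONF root from configuration.
    private static final String XRD = "<XRD xmlns='http://docs.oasis-open.org/ns/xri/xrd-1.0'>"
        + "<Link rel='restconf' href='/rests'/></XRD>";
    private static final String JRD = "{\"links\":{\"restconf\":\"/rests\"}}";

    private ServiceRegistration<Servlet> xml;
    private ServiceRegistration<Servlet> json;

    @Override
    public void start(final BundleContext ctx) {
        xml = register(ctx, "/.well-known/host-meta", "application/xrd+xml", XRD);
        json = register(ctx, "/.well-known/host-meta.json", "application/json", JRD);
    }

    @Override
    public void stop(final BundleContext ctx) {
        xml.unregister();
        json.unregister();
    }

    private static ServiceRegistration<Servlet> register(final BundleContext ctx,
            final String pattern, final String contentType, final String body) {
        final Hashtable<String, Object> props = new Hashtable<>();
        // An exact pattern (no wildcard) claims only this one path; other /.well-known/* resources stay free.
        props.put(HttpWhiteboardConstants.HTTP_WHITEBOARD_SERVLET_PATTERN, pattern);
        // Select the shared default context ("/"): no private context, hence no context-wide auth filter.
        props.put(HttpWhiteboardConstants.HTTP_WHITEBOARD_CONTEXT_SELECT,
            "(" + HttpWhiteboardConstants.HTTP_WHITEBOARD_CONTEXT_NAME + "="
                + HttpWhiteboardConstants.HTTP_WHITEBOARD_DEFAULT_CONTEXT_NAME + ")");
        return ctx.registerService(Servlet.class, new HttpServlet() {
            @Override
            protected void doGet(final HttpServletRequest req, final HttpServletResponse resp) throws IOException {
                resp.setContentType(contentType);
                resp.getWriter().write(body);
            }
        }, props);
    }
}
```

After deploying, web:context-list should no longer show a /.well-known context owned by restconf-nb, while GET on the two host-meta paths succeeds without credentials.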