IGNITE-28670 Add support for custom REST HTTP endpoint extensions

modules/core/src/main/java/org/apache/ignite/internal/processors/rest/GridRestProcessor.java

@@ -89,6 +89,7 @@
 import org.apache.ignite.plugin.security.SecurityException;
 import org.apache.ignite.plugin.security.SecurityPermission;
 import org.apache.ignite.thread.IgniteThread;
+import org.jetbrains.annotations.Nullable;
 
 import static org.apache.ignite.IgniteSystemProperties.IGNITE_REST_SECURITY_TOKEN_TIMEOUT;
 import static org.apache.ignite.IgniteSystemProperties.IGNITE_REST_SESSION_TIMEOUT;
@@ -234,6 +235,13 @@ protected IgniteInternalFuture<GridRestResponse> handleAsync0(final GridRestRequ
         }
     }
 
+    /** @return Security context for given session token, or {@code null} if none found. */
+    @Nullable public SecurityContext securityContext(UUID sesId) {
+        Session ses = sesId2Ses.get(sesId);
+
+        return ses == null ? null : ses.secCtx;
+    }
+
     /**
      * @param req Request.
      * @return Future.

modules/rest-http/pom.xml

@@ -82,6 +82,18 @@
             <version>${jetty.version}</version>
         </dependency>
 
+        <dependency>
+            <groupId>org.eclipse.jetty</groupId>
+            <artifactId>jetty-servlet</artifactId>
+            <version>${jetty.version}</version>
+        </dependency>
+
+        <dependency>
+            <groupId>org.eclipse.jetty</groupId>
+            <artifactId>jetty-security</artifactId>
+            <version>${jetty.version}</version>
+        </dependency>
+
         <dependency>
             <groupId>org.eclipse.jetty.toolchain</groupId>
             <artifactId>jetty-jakarta-servlet-api</artifactId>

modules/rest-http/src/main/java/org/apache/ignite/internal/processors/rest/protocols/http/jetty/AuthenticationFilter.java

@@ -0,0 +1,78 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ignite.internal.processors.rest.protocols.http.jetty;
+
+import java.io.IOException;
+import jakarta.servlet.Filter;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.ServletRequest;
+import jakarta.servlet.ServletResponse;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import org.apache.ignite.internal.GridKernalContext;
+import org.apache.ignite.internal.processors.rest.GridRestProcessor;
+import org.apache.ignite.internal.processors.security.SecurityContext;
+import org.apache.ignite.internal.thread.context.Scope;
+import org.apache.ignite.internal.util.typedef.internal.U;
+import org.jetbrains.annotations.Nullable;
+
+import static org.apache.ignite.internal.processors.rest.protocols.http.jetty.GridJettyRestHandler.sessionToken;
+
+/**
+ * Servlet filter that authenticates REST requests via session token.
+ */
+public class AuthenticationFilter implements Filter {
+    /** */
+    private final GridKernalContext ctx;
+
+    /** */
+    public AuthenticationFilter(GridKernalContext ctx) {
+        this.ctx = ctx;
+    }
+
+    /** {@inheritDoc} */
+    @Override public void doFilter(
+        ServletRequest req,
+        ServletResponse res,
+        FilterChain chain
+    ) throws IOException, ServletException {
+        SecurityContext secCtx = resolveSession((HttpServletRequest)req);
+
+        if (secCtx == null) {
+            ((HttpServletResponse)res).sendError(HttpServletResponse.SC_UNAUTHORIZED,
+                "Missing or invalid authentication token (maybe expired session)");
+
+            return;
+        }
+
+        try (Scope ignored = ctx.security().withContext(secCtx)) {
+            chain.doFilter(req, res);
+        }
+    }
+
+    /** @return Security context for given session token, or {@code null} if none found. */
+    @Nullable private SecurityContext resolveSession(HttpServletRequest req) {
+        byte[] token = sessionToken(req.getParameter("sessionToken"));
+
+        if (token == null)
+            return null;
+
+        return ((GridRestProcessor)ctx.rest()).securityContext(U.bytesToUuid(token, 0));
+    }
+}

modules/rest-http/src/main/java/org/apache/ignite/internal/processors/rest/protocols/http/jetty/GridJettyRestHandler.java

@@ -95,7 +95,7 @@
  */
 public class GridJettyRestHandler extends AbstractHandler {
     /** */
-    private static final String IGNITE_CMD_PATH = "/ignite";
+    public static final String IGNITE_CMD_PATH = "/ignite";
 
     /** */
     private static final String FAILED_TO_PARSE_FORMAT = "Failed to parse parameter of %s type [%s=%s]";
@@ -829,20 +829,7 @@
             // Don't fail - try to execute locally.
         }
 
-        String sesTokStr = params.get("sessionToken");
-
-        try {
-            if (sesTokStr != null) {
-                // Token is a UUID encoded as 16 bytes as HEX.
-                byte[] bytes = U.hexString2ByteArray(sesTokStr);
-
-                if (bytes.length == 16)
-                    restReq.sessionToken(bytes);
-            }
-        }
-        catch (IllegalArgumentException ignored) {
-            // Ignore invalid session token.
-        }
+        restReq.sessionToken(sessionToken(params.get("sessionToken")));
 
         return restReq;
     }
@@ -911,6 +898,25 @@
         return null;
     }
 
+    /** @return Bytes representation of the session token. */
+    public static byte[] sessionToken(String sesToken) {
+        if (sesToken == null)
+            return null;
+
+        try {
+            // Token is a UUID encoded as 16 bytes as HEX.
+            byte[] token = U.hexString2ByteArray(sesToken);
+
+            if (token.length == 16)
+                return token;
+        }
+        catch (IllegalArgumentException ignored) {
+            // Ignore invalid session token.
+        }
+
+        return null;
+    }
+
     /**
      * Converter from string into specified type.
      */

modules/rest-http/src/main/java/org/apache/ignite/internal/processors/rest/protocols/http/jetty/GridJettyRestProtocol.java

@@ -23,27 +23,39 @@
 import java.net.SocketException;
 import java.net.URL;
 import java.net.UnknownHostException;
+import java.util.Collection;
+import java.util.EnumSet;
+import java.util.HashSet;
+import java.util.Set;
+import java.util.concurrent.CopyOnWriteArrayList;
+import jakarta.servlet.DispatcherType;
 import org.apache.ignite.IgniteCheckedException;
+import org.apache.ignite.IgniteException;
 import org.apache.ignite.IgniteSystemProperties;
 import org.apache.ignite.internal.GridKernalContext;
 import org.apache.ignite.internal.IgniteNodeAttributes;
 import org.apache.ignite.internal.processors.rest.GridRestProtocolHandler;
 import org.apache.ignite.internal.processors.rest.protocols.GridRestProtocolAdapter;
+import org.apache.ignite.internal.util.CommonUtils;
 import org.apache.ignite.internal.util.typedef.C1;
 import org.apache.ignite.internal.util.typedef.F;
 import org.apache.ignite.internal.util.typedef.X;
+import org.apache.ignite.internal.util.typedef.internal.A;
 import org.apache.ignite.internal.util.typedef.internal.S;
 import org.apache.ignite.internal.util.typedef.internal.U;
 import org.apache.ignite.spi.IgniteSpiException;
 import org.eclipse.jetty.server.AbstractNetworkConnector;
 import org.eclipse.jetty.server.Connector;
+import org.eclipse.jetty.server.Handler;
 import org.eclipse.jetty.server.HttpConfiguration;
 import org.eclipse.jetty.server.HttpConnectionFactory;
 import org.eclipse.jetty.server.NetworkConnector;
 import org.eclipse.jetty.server.Server;
 import org.eclipse.jetty.server.ServerConnector;
 import org.eclipse.jetty.server.SslConnectionFactory;
 import org.eclipse.jetty.server.handler.HandlerList;
+import org.eclipse.jetty.servlet.FilterHolder;
+import org.eclipse.jetty.servlet.ServletContextHandler;
 import org.eclipse.jetty.util.MultiException;
 import org.eclipse.jetty.util.resource.Resource;
 import org.eclipse.jetty.util.thread.QueuedThreadPool;
@@ -55,6 +67,7 @@
 import static org.apache.ignite.IgniteSystemProperties.IGNITE_JETTY_HOST;
 import static org.apache.ignite.IgniteSystemProperties.IGNITE_JETTY_LOG_NO_OVERRIDE;
 import static org.apache.ignite.IgniteSystemProperties.IGNITE_JETTY_PORT;
+import static org.apache.ignite.internal.processors.rest.protocols.http.jetty.GridJettyRestHandler.IGNITE_CMD_PATH;
 import static org.apache.ignite.spi.IgnitePortProtocol.TCP;
 
 /**
@@ -71,6 +84,9 @@ public class GridJettyRestProtocol extends GridRestProtocolAdapter {
         }
     }
 
+    /** Default Jetty port. */
+    public static final String DFLT_JETTY_PORT = "8080";
+
     /** Object mapper class name. */
     private static final String IGNITE_OBJECT_MAPPER = "org.apache.ignite.internal.jackson.IgniteObjectMapper";
 
@@ -80,6 +96,9 @@ public class GridJettyRestProtocol extends GridRestProtocolAdapter {
     /** HTTP server. */
     private Server httpSrv;
 
+    /** Registered REST extensions. */
+    private final Collection<IgniteRestExtension> exts = new CopyOnWriteArrayList<>();
+
     /**
      * @param ctx Context.
      */
@@ -261,7 +280,7 @@ private void loadJettyConfiguration(@Nullable URL cfgUrl) throws IgniteCheckedEx
             httpCfg.setSendServerVersion(true);
             httpCfg.setSendDateHeader(true);
 
-            String srvPortStr = System.getProperty(IGNITE_JETTY_PORT, "8080");
+            String srvPortStr = System.getProperty(IGNITE_JETTY_PORT, DFLT_JETTY_PORT);
 
             int srvPort;
 
@@ -317,13 +336,51 @@ private void loadJettyConfiguration(@Nullable URL cfgUrl) throws IgniteCheckedEx
 
         assert httpSrv != null;
 
+        Handler extsHnd = loadExtensions();
         WelcomeHandler welcomeHnd = new WelcomeHandler(log);
 
-        httpSrv.setHandler(new HandlerList(jettyHnd, welcomeHnd));
+        httpSrv.setHandler(new HandlerList(jettyHnd, extsHnd, welcomeHnd));
 
         override(getJettyConnector());
     }
 
+    /** */
+    private Handler loadExtensions() throws IgniteCheckedException {
+        HandlerList extsHnd = new HandlerList();
+
+        CommonUtils.loadService(IgniteRestExtension.class).forEach(exts::add);
+
+        Set<String> paths = new HashSet<>();
+
+        paths.add(IGNITE_CMD_PATH);
+
+        for (IgniteRestExtension ext : exts) {
+            ctx.resource().injectGeneric(ext);
+
+            ServletContextHandler extCtx = new ServletContextHandler(ServletContextHandler.NO_SESSIONS);
+
+            if (ctx.security().enabled())
+                extCtx.addFilter(new FilterHolder(new AuthenticationFilter(ctx)), "/*", EnumSet.allOf(DispatcherType.class));
+
+            try {
+                ext.configure(extCtx);
+            }
+            catch (Exception e) {
+                throw new IgniteCheckedException("Failed to configure REST extension: " + ext.getClass().getName(), e);
+            }
+
+            A.ensure(!extCtx.isContextPathDefault(), "The context path must be configured: " + ext.getClass().getName());
+            A.ensure(paths.add(extCtx.getContextPath()), "Duplicate REST context path: " + extCtx.getContextPath());
+
+            extsHnd.addHandler(extCtx);
+
+            if (log.isInfoEnabled())
+                log.info("Configured REST extension: " + ext.getClass().getName());
+        }
+
+        return extsHnd;
+    }
+
     /**
      * Checks that the only connector configured for the current jetty instance
      * and returns it.
@@ -395,10 +452,22 @@ private void stopJetty() {
         }
     }
 
+    /** {@inheritDoc} */
+    @Override public void onProcessorStart() {
+        try {
+            U.startLifecycleAware(exts);
+        }
+        catch (IgniteCheckedException e) {
+            throw new IgniteException("Failed to start REST extensions.", e);
+        }
+    }
+
     /** {@inheritDoc} */
     @Override public void stop() {
         stopJetty();
 
+        U.stopLifecycleAware(log, exts);
+
         httpSrv = null;
         jettyHnd = null;
 

modules/rest-http/src/main/java/org/apache/ignite/internal/processors/rest/protocols/http/jetty/IgniteRestExtension.java

@@ -0,0 +1,48 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ignite.internal.processors.rest.protocols.http.jetty;
+
+import org.eclipse.jetty.servlet.ServletContextHandler;
+
+/**
+ * Extension point for registering custom HTTP REST endpoints in the Jetty REST protocol.
+ * <p>
+ * Each extension is configured within an isolated {@link ServletContextHandler} instance
+ * managed by the Ignite REST subsystem.
+ * Extensions are discovered using Java {@link java.util.ServiceLoader}.
+ * <p>
+ * Implementations are responsible for:
+ * <ul>
+ *     <li>Configuring the servlet context path via
+ *     {@link ServletContextHandler#setContextPath(String)}.</li>
+ *     <li>Registering servlets, filters, and related HTTP components.</li>
+ * </ul>
+ * <p>
+ * Context paths must be unique across all registered extensions.
+ * <p>
+ * Authentication and other common infrastructure are configured by Ignite.
+ */
+public interface IgniteRestExtension {
+    /**
+     * Configures the REST extension.
+     *
+     * @param ctx Servlet context handler dedicated to this extension.
+     * @throws Exception If configuration failed.
+     */
+    void configure(ServletContextHandler ctx) throws Exception;
+}

modules/rest-http/src/test/java/org/apache/ignite/internal/processors/rest/protocols/http/jetty/GridRestSuite.java

@@ -25,7 +25,8 @@
 @RunWith(Suite.class)
 @Suite.SuiteClasses({
     RestProcessorAuthorizationTest.class,
-    RestSetupSimpleTest.class
+    RestSetupSimpleTest.class,
+    IgniteRestExtensionTest.class
 })
 public class GridRestSuite {
 }