The background of this issue is:
cxf-rt-transports-http bundle registers /cxf servlet using plain org.osgi.service.http.HttpService#registerServlet() call
there's no easy way to, for example, configure BASIC authentication for /cxf
Keycloak project provides a tricky way to change this situation - by re-registering CXF servlet in http Service scoped for different (Keycloak's) bundle after registering login configuration (org.ops4j.pax.web.service.WebContainer#registerLoginConfig()) and adding security constraints (org.ops4j.pax.web.service.WebContainer#registerConstraintMapping). However, when org.apache.cxf.osgi PID changes, the Keycloak's re-registration is broken, because CXF registers another /cxf servlet in its own http service (risking duplicate alias mapping).
My idea is:
pax-web-runtime bundle registers ManagedServiceFactory that tracks org.ops4j.pax.web.context factory PIDs
each such PID from the above factory contains a declarative configuration (properties) that are used to register additional items (login config, context params, security constraints and e.g., filters - but that'd require classloading of filters' classes) inside any other bundle's WebContainer
source bundle, that called registerServlet() in its own bundle-scoped HttpService/WebContainer doesn't have to be aware of our additional configuration
Here's example of PID:
Having such facility inside pax-web-runtime gives me access to ServerController instance, so I can for example stop the context before adding context params / login configuration. Also some of the methods of should stop throwing IllegalStateException if the context has some already registered servlets. Instead the context should simply be restarted (just like its done currently if one simply registers two servlets in a row using HttpService).