With silicon-SR1 the problem seems to be the javax.servlet:javax.servlet-api:4.0.1 bundle which seems to be only partly used by opendaylight components.

So in the odl repo version 3.1.0 and 4.0.1 are available. Our parents are up to now only managing 4.0.1 (always the latest) version, so every ccsdk artifact is using 4.0.1

At least:

 * org.eclipse.jetty:jetty-util
 * org.eclispe.jetty:jetty-http
 * org.eclispe.jetty:jetty-jaspi
 * org.eclispe.jetty:jetty-security
 * org.eclispe.jetty:jetty-server
 * org.eclispe.jetty:jetty-servlet
 * org.eclispe.jetty:jetty-servlets
 * org.eclipse.jetty.websocket:websocket-servlet
 * org.opendaylight.aaa:aaa-authn-api
 * org.opendaylight.aaa:aaa-shiro 
 * org.opendaylight.aaa.web:web-api 
 * org.opendaylight.aaa.web:servlet-api
 * org.opendaylight.aaa.web:servlet-jersey2
 * org.opendaylight.aaa.web:web-osgi-impl
 * org.opendaylight.netconf:sal-rest-docgen 
 * org.opendaylight.netconf:restconf-nb-bierman02
 * org.opendaylight.netconf:restconf-nb-rfc8040

are still using 3.1.0 and have in their Manifest the restriction for javax.servlet with [3.1.0,4)

solution 1:

fallback in ccsdk/parent to javax.servlet-api to version 3.1.0

security concerns?

solution 2:

patching the manifest import-packages???