I've been experiencing an AccessControlException in the STS which I can only reproduce after reinstalling the security-sts-server feature. It seems the bundles in this feature don't behave consistently across refreshes. This is an issue because installing features that depend on the STS server (token validators, claims handlers, etc.) without disabling bundle refreshes puts DDF in a bad state.
1. Perform a standard install of DDF. I used the standard profile from the Karaf shell.
2. Log into the Admin UI.
3. Navigate to the session renew endpoint: https://localhost:8993/services/internal/session/renew. The request should succeed and you should see a page containing only a number indicating the number of milliseconds until the session expires.
4. Now, from the Karaf shell, reinstall the security-sts-server feature (note: don't disable bundle refreshing):
   admin@root()> feature:install security-sts-server
5. In a fresh browser session (e.g. new Incognito window), again log into the Admin UI.
6. Once again, navigate to the session renew endpoint: https://localhost:8993/services/internal/session/renew. This time, you should see the error message shown in the attached image.
7. Attach the acdebugger to view the AccessControlException.