Chris Russell [http://community.jboss.org/people/crussell42] replied to the discussion
"JBOSS 5.1.0GA + EJB/JNDI over HTTPS"

To view the discussion, visit: http://community.jboss.org/message/547833#547833

--------------------------------------------------------------

As per http://community.jboss.org/message/518953#518953 and http://community.jboss.org/docs/DOC-13276 (http://community.jboss.org/wiki/EJB3overHTTPHTTPSinJBossAS-5), I am able to make it work in 5.0.1GA, 5.0.0EAP and 5.0.1SOA. I use iptables to block everything except 8443, then use Wireshark, and all communication takes place over 8443. I have only ever used the @RemoteBinding method, however, not the XML config file.

Here is the abbreviated config and code.

*The bean*

{code}
@RemoteBinding(clientBindUrl = "https://10.0.0.75:8443/servlet-invoker/SSLServerInvokerServlet/?timeout=300000&invokerDestructionDelay=300000")
public class AgencyManagerProxyBean implements AgencyManagerProxyRemote, AgencyManagerProxyLocal {
    // ... bean body omitted in this abbreviated listing ...
}
{code}

*The thick client connection part looks like this*

{code}
// Needs: java.util.Properties, javax.naming.Context, javax.naming.InitialContext,
// org.jboss.security.client.SecurityClient, org.jboss.security.client.SecurityClientFactory
securityClient = SecurityClientFactory.getSecurityClient();
securityClient.setVmwideAssociation(true);
boolean loggedIn = false;
int tryCount = 0;
while (!loggedIn) {
    try {
        tryCount++;
        // Ask for username and password; this sets AgencyManagerPrefs values
        new LoginDialog(agencyManagerFrame);
        // The username and password were set in the LoginDialog
        String username = AgencyManagerPrefs.getProperty(AgencyManagerConstants.USERNAME_KEY);
        String password = AgencyManagerPrefs.getProperty(AgencyManagerConstants.PASSWORD_KEY);
        // NOTE: all this does is set some variables; no actual login occurs.
        // That happens at the JNDI lookup and initial EJB invocation level.
        securityClient.setSimple(username, password);
        securityClient.login();
        logger.info("SecurityClient data set");

        Properties props = new Properties();
        props.put("java.naming.factory.initial", "org.jboss.naming.HttpNamingContextFactory");
        String providerUrl = "https://" + AgencyManagerPrefs.getProperty(AgencyManagerConstants.AMPROXY_HOST_KEY) + ":8443/invoker/JNDIFactory";
        props.put("java.naming.provider.url", providerUrl);
        // JBoss claims we need this rather than the security client.
        props.put(Context.SECURITY_PRINCIPAL, username);
        props.put(Context.SECURITY_CREDENTIALS, password);
        props.put("java.naming.factory.url.pkgs", "org.jboss.naming");
        Context ctx = new InitialContext(props);
        logger.info("Created context");
        logger.info(ctx);
        //logger.info(props);
        logger.info("End Created context");
        logger.info("Lookup amproxyservice");
        AgencyManagerProxyInterface bean = (AgencyManagerProxyInterface) ctx.lookup("sec-amproxyservice/AgencyManagerProxyBean/remote");
        logger.info("Got reference to bean");
        loggedIn = true;
    } catch (Exception e) {
        // Abbreviated in the original: a failed login or lookup falls through to another attempt
        logger.error("Login attempt " + tryCount + " failed", e);
    }
}
{code}

*The jboss 5.1 ga, 5.0eap, 5.0.1soa config changes*

== Open the SSL socket ==

{noformat}
edit server/default/deploy/jbossweb.sar/server.xml

uncomment section "SSL/TLS Connector" to enable Connector port="8443"

replace keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore" with your keystore name

replace
    keystorePass="rmi+ssl" sslProtocol = "TLS" />
with
    keystorePass="<your new secure password>" sslProtocol = "TLS" />
{noformat}

== Expose JNDI Naming service via HTTPS ==

Edit /opt/java/jboss/server/default/deploy/http-invoker.sar/META-INF/jboss-service.xml. It needs to contain the following 2 entries. '''NOTE''' the http one below is commented out and should replace the '''matching un-commented''' one that is in the file by default.
{code:xml}
<!-- Expose the Naming service interface via HTTP
<mbean code="org.jboss.invocation.http.server.HttpProxyFactory"
       name="jboss:service=invoker,type=http,target=Naming">
  <attribute name="InvokerName">jboss:service=Naming</attribute>
  <attribute name="InvokerURLPrefix">http://</attribute>
  <attribute name="InvokerURLSuffix">
    <value-factory bean="ServiceBindingManager" method="getStringBinding">
      <parameter>jboss.web:service=WebServer</parameter>
      <parameter>:${port}/invoker/JMXInvokerServlet</parameter>
    </value-factory>
  </attribute>
  <attribute name="UseHostName">true</attribute>
  <attribute name="ExportedInterface">org.jnp.interfaces.Naming</attribute>
  <attribute name="JndiName"></attribute>
  <attribute name="ClientInterceptors">
    <interceptors>
      <interceptor>org.jboss.proxy.ClientMethodInterceptor</interceptor>
      <interceptor>org.jboss.proxy.SecurityInterceptor</interceptor>
      <interceptor>org.jboss.naming.interceptors.ExceptionInterceptor</interceptor>
      <interceptor>org.jboss.invocation.InvokerInterceptor</interceptor>
    </interceptors>
  </attribute>
</mbean>
-->

<!-- Expose the Naming service interface via HTTPS -->
<mbean code="org.jboss.invocation.http.server.HttpProxyFactory"
       name="jboss:service=invoker,type=http,target=Naming">
  <attribute name="InvokerName">jboss:service=Naming</attribute>
  <attribute name="InvokerURLPrefix">https://</attribute>
  <attribute name="InvokerURLSuffix">:8443/invoker/JMXInvokerServlet</attribute>
  <attribute name="UseHostName">true</attribute>
  <attribute name="ExportedInterface">org.jnp.interfaces.Naming</attribute>
  <attribute name="JndiName"></attribute>
  <attribute name="ClientInterceptors">
    <interceptors>
      <interceptor>org.jboss.proxy.ClientMethodInterceptor</interceptor>
      <interceptor>org.jboss.proxy.SecurityInterceptor</interceptor>
      <interceptor>org.jboss.naming.interceptors.ExceptionInterceptor</interceptor>
      <interceptor>org.jboss.invocation.InvokerInterceptor</interceptor>
    </interceptors>
  </attribute>
</mbean>
{code}

== Add the Servlet Invoker ==

This will add the servlet invoker that allows us to do https jndi lookups and ejb invocations from clients over https.

{noformat}
$ cd /opt/java/jboss/server/default/deploy
{noformat}

Then create a file servlet-invoker-service.xml and a directory and file servlet-invoker.war/WEB-INF/web.xml. The contents of these are as follows.

'''servlet-invoker-service.xml'''

{code:xml}
<?xml version="1.0" encoding="UTF-8"?>
<server>
  <mbean code="org.jboss.remoting.transport.Connector"
         name="jboss.remoting:service=connector,transport=servlet"
         display-name="Servlet transport Connector">
    <attribute name="InvokerLocator">servlet://${jboss.bind.address}:8080/servlet-invoker/ServerInvokerServlet</attribute>
    <attribute name="Configuration">
      <handlers>
        <handler subsystem="AOP">org.jboss.aspects.remoting.AOPRemotingInvocationHandler</handler>
      </handlers>
    </attribute>
  </mbean>

  <mbean code="org.jboss.remoting.transport.Connector"
         name="jboss.remoting:service=connector,transport=sslservlet"
         display-name="Servlet transport Connector">
    <attribute name="InvokerLocator">sslservlet://${jboss.bind.address}:8443/servlet-invoker/SSLServerInvokerServlet</attribute>
    <attribute name="Configuration">
      <handlers>
        <handler subsystem="AOP">org.jboss.aspects.remoting.AOPRemotingInvocationHandler</handler>
      </handlers>
    </attribute>
  </mbean>
</server>
{code}

*'''servlet-invoker.war/WEB-INF/web.xml'''*

{code:xml}
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
                         "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <servlet>
    <servlet-name>ServerInvokerServlet</servlet-name>
    <description>The ServerInvokerServlet receives requests via HTTP protocol from within a web container
      and passes it onto the ServletServerInvoker for processing.</description>
    <servlet-class>org.jboss.remoting.transport.servlet.web.ServerInvokerServlet</servlet-class>
    <init-param>
      <param-name>locatorUrl</param-name>
      <param-value>servlet://${jboss.bind.address}:8080/servlet-invoker/ServerInvokerServlet</param-value>
      <description>The servlet server invoker</description>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>

  <servlet>
    <servlet-name>SSLServerInvokerServlet</servlet-name>
    <description>The ServerInvokerServlet receives requests via HTTPS protocol from within a web container
      and passes it onto the ServletServerInvoker for processing.</description>
    <servlet-class>org.jboss.remoting.transport.servlet.web.ServerInvokerServlet</servlet-class>
    <init-param>
      <param-name>locatorUrl</param-name>
      <param-value>sslservlet://${jboss.bind.address}:8443/servlet-invoker/SSLServerInvokerServlet</param-value>
      <description>The servlet server invoker</description>
    </init-param>
    <load-on-startup>2</load-on-startup>
  </servlet>

  <servlet-mapping>
    <servlet-name>ServerInvokerServlet</servlet-name>
    <url-pattern>/ServerInvokerServlet/*</url-pattern>
  </servlet-mapping>

  <servlet-mapping>
    <servlet-name>SSLServerInvokerServlet</servlet-name>
    <url-pattern>/SSLServerInvokerServlet/*</url-pattern>
  </servlet-mapping>
</web-app>
{code}

== FIX EAP 5.0 ==

If you don't do this, clients will get the dreaded

{noformat}
Caused by: java.net.ProtocolException: Server redirected too many times (20)
{noformat}

As per http://community.jboss.org/thread/146840 (Jira CR created).

So to fix this particular issue I edited '''server/default/deploy/http-invoker.sar/invoker.war/WEB-INF/web.xml''' and commented out the url-pattern stuff at the bottom. Note I did try just setting the roles.properties to have my user have a HttpInvoker role, but that did not work.

{code:xml}
<!-- An example security constraint that restricts access to the HTTP invoker
  to users with the role HttpInvoker. Edit the roles to what you want and
  configure the WEB-INF/jboss-web.xml/security-domain element to reference
  the security domain you want.
-->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HttpInvokers</web-resource-name>
    <description>An example security config that only allows users with the
      role HttpInvoker to access the HTTP invoker servlets</description>
    <url-pattern>/restricted/*</url-pattern>
    <!-- COMMENT OUT THIS AND 5.0 EAP works.
    <url-pattern>/JNDIFactory/*</url-pattern>
    <url-pattern>/EJBInvokerServlet/*</url-pattern>
    <url-pattern>/JMXInvokerServlet/*</url-pattern>
    -->
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>HttpInvoker</role-name>
  </auth-constraint>
</security-constraint>
{code}

--------------------------------------------------------------
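An added config audit (not code from the post or from JBoss): it parses an invoker.war web.xml and reports the servlet url-patterns that no security-constraint carrying an auth-constraint covers, which is exactly what commenting the JNDIFactory, EJBInvokerServlet and JMXInvokerServlet patterns out of the HttpInvokers constraint does to those paths. The web.xml sample is constructed to mirror that edit; servlet names and patterns follow the post.

```python
"""Audit a JBoss invoker.war web.xml: report servlet url-patterns that no <security-constraint> with an <auth-constraint> covers."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the post's edit: /JNDIFactory/*,
# /EJBInvokerServlet/* and /JMXInvokerServlet/* were commented out of the
# HttpInvokers constraint, leaving only /restricted/* behind it.
EDITED_WEB_XML = """<web-app>
 <servlet-mapping><servlet-name>JNDIFactory</servlet-name><url-pattern>/JNDIFactory/*</url-pattern></servlet-mapping>
 <servlet-mapping><servlet-name>JNDIFactory</servlet-name><url-pattern>/restricted/JNDIFactory/*</url-pattern></servlet-mapping>
 <servlet-mapping><servlet-name>EJBInvokerServlet</servlet-name><url-pattern>/EJBInvokerServlet/*</url-pattern></servlet-mapping>
 <servlet-mapping><servlet-name>JMXInvokerServlet</servlet-name><url-pattern>/JMXInvokerServlet/*</url-pattern></servlet-mapping>
 <security-constraint>
  <web-resource-collection>
   <web-resource-name>HttpInvokers</web-resource-name>
   <url-pattern>/restricted/*</url-pattern>
   <http-method>GET</http-method><http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>HttpInvoker</role-name></auth-constraint>
 </security-constraint>
</web-app>"""
# The same descriptor with the three patterns back inside the constraint.
DEFAULT_WEB_XML = EDITED_WEB_XML.replace(
    "<url-pattern>/restricted/*</url-pattern>",
    "<url-pattern>/restricted/*</url-pattern><url-pattern>/JNDIFactory/*</url-pattern>"
    "<url-pattern>/EJBInvokerServlet/*</url-pattern><url-pattern>/JMXInvokerServlet/*</url-pattern>")


def covers(constraint: str, pattern: str) -> bool:
    """Servlet-spec matching: exact match, or a '/prefix/*' constraint covering everything below it."""
    if constraint == "/*" or constraint == pattern:
        return True
    if constraint.endswith("/*"):
        prefix = constraint[:-2]  # "/restricted/*" -> "/restricted"
        return pattern == prefix or pattern.startswith(prefix + "/")
    return False


def unprotected_patterns(web_xml: str) -> dict:
    """servlet-name -> url-patterns no auth-constraint covers (<http-method> lists are ignored)."""
    root = ET.fromstring(web_xml)
    for el in root.iter():  # strip namespaces so 2.4+ descriptors work as well as DTD ones
        el.tag = el.tag.rsplit("}", 1)[-1]
    protected = [p.text.strip() for sc in root.iter("security-constraint")
                 if sc.find("auth-constraint") is not None for p in sc.iter("url-pattern")]
    exposed = {}
    for m in root.iter("servlet-mapping"):
        for p in m.iter("url-pattern"):
            if not any(covers(c, p.text.strip()) for c in protected):
                exposed.setdefault(m.findtext("servlet-name").strip(), []).append(p.text.strip())
    return exposed


print(unprotected_patterns(EDITED_WEB_XML))
```

For a real descriptor pass open(path).read() instead; an empty result means every invoker mapping sits behind an auth-constraint.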
_______________________________________________
jboss-user mailing list
jboss-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/jboss-user