15.4. EJB3 RMI via HTTPS Configuration
Procedure 15.5. Configure EJB3 RMI via HTTPS Overview
- Generate encryption keys and certificates.
- Configure RMI via HTTPS web connector.
- Configure Servlets.
- Configure secure remoting connector for RMI via HTTPS.
- Configure EJB3 beans for HTTPS transport.
- Configure clients for RMI via HTTPS.
Procedure 15.6. Configure RMI via HTTPS web connector
- Edit the file
jboss-as/server/$PROFILE/deploy/jbossweb.sar/server.xml
and uncomment the HTTPS connector.<!-- SSL/TLS Connector configuration using the admin devl guide keystore --> <Connector protocol="HTTP/1.1" SSLEnabled="true" port="8443" address="${jboss.bind.address}" scheme="https" secure="true" clientAuth="false" keystoreFile="${jboss.server.home.dir}/conf/localhost.keystore" keystorePass="KEYSTORE_PASSWORD" sslProtocol = "TLS" />
You create a web connector to accept SSL connections.
Procedure 15.7. Configure Servlets
ServletServerInvoker
.
- Create a directory named
servlet-invoker.war
injboss-as/server/$PROFILE/deploy/
. - Create a
WEB-INF
directory in theservlet-invoker.war
directory. - Create a file named
web.xml
in thatWEB-INF
directory, with the following content:<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd"> <web-app> <servlet> <servlet-name>ServerInvokerServlet</servlet-name> <description>The ServerInvokerServlet receives requests via HTTP protocol from within a web container and passes it onto the ServletServerInvoker for processing. </description> <servlet-class>org.jboss.remoting.transport.servlet.web.ServerInvokerServlet</servlet-class> <init-param> <param-name>locatorUrl</param-name> <param-value>servlet://${jboss.bind.address}:8080/servlet-invoker/ServerInvokerServlet</param-value> <description>The servlet server invoker</description> </init-param> <load-on-startup>1</load-on-startup> </servlet> <servlet> <servlet-name>SSLServerInvokerServlet</servlet-name> <description>The ServerInvokerServlet receives requests via HTTPS protocol from within a web container and passes it onto the ServletServerInvoker for processing. </description> <servlet-class>org.jboss.remoting.transport.servlet.web.ServerInvokerServlet</servlet-class> <init-param> <param-name>locatorUrl</param-name> <param-value>sslservlet://${jboss.bind.address}:8443/servlet-invoker/SSLServerInvokerServlet</param-value> <description>The servlet server invoker</description> </init-param> <load-on-startup>2</load-on-startup> </servlet> <servlet-mapping> <servlet-name>ServerInvokerServlet</servlet-name> <url-pattern>/ServerInvokerServlet/*</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>SSLServerInvokerServlet</servlet-name> <url-pattern>/SSLServerInvokerServlet/*</url-pattern> </servlet-mapping> </web-app>
Result:You create a servlet to forward SSL requests from the web container to a server invoker.
locatorUrl
is used to connect the servlet to the remoting connector through the " InvokerLocator
attribute of the remoting connector we define in Procedure 15.8, “Configure secure remoting connector for RMI via HTTPS” .
Procedure 15.8. Configure secure remoting connector for RMI via HTTPS
- Create a file named
servlet-invoker-service.xml
injboss-as/server/$PROFILE/deploy/
, with the following content:<?xml version="1.0" encoding="UTF-8"?> <server> <mbean code="org.jboss.remoting.transport.Connector" name="jboss.remoting:service=connector,transport=servlet" display-name="Servlet transport Connector"> <attribute name="InvokerLocator">servlet://${jboss.bind.address}:8080/servlet-invoker/ServerInvokerServlet</attribute> <attribute name="Configuration"> <handlers> <handler subsystem="AOP">org.jboss.aspects.remoting.AOPRemotingInvocationHandler</handler> </handlers> </attribute> </mbean> <mbean code="org.jboss.remoting.transport.Connector" name="jboss.remoting:service=connector,transport=sslservlet" display-name="Servlet transport Connector"> <attribute name="InvokerLocator">sslservlet://${jboss.bind.address}:8443/servlet-invoker/SSLServerInvokerServlet</attribute> <attribute name="Configuration"> <handlers> <handler subsystem="AOP">org.jboss.aspects.remoting.AOPRemotingInvocationHandler</handler> </handlers> </attribute> </mbean> </server>
You create a remoting connector that can receive requests from a servlet, and invoke methods of an EJB3.
Procedure 15.9. Configure EJB3 beans for HTTPS transport
- Annotate the bean for RMI via HTTPS:
Example 15.5. Annotating an EJB3 for RMI via HTTPS
// RMI tunneled over HTTPS @Stateless @RemoteBinding(clientBindUrl = "https://0.0.0.0:8443/servlet-invoker/SSLServerInvokerServlet") @Remote(Calculator.class) @SecurityDomain("other") public class CalculatorHttpsBean implements Calculator { ....
Result:The EJB3 is now available for remote invocation via HTTPS.
Optionally, you can annotate the bean for invocation via RMI via HTTP. This can be useful for testing, as it allows you to tunnel RMI calls through firewalls that block RMI ports, but removes the extra layer of the security configuration.
Example 15.6. Annotating a bean for RMI via HTTP
// RMI tunneled over HTTP @Stateless @RemoteBinding(clientBindUrl = "http://0.0.0.0:8080/servlet-invoker/ServerInvokerServlet") @Remote(Calculator.class) @SecurityDomain("other") public class CalculatorHttpBean extends CalculatorImpl { ....
The EJB client should use the following properties for the JNDI lookup when looking up beans:
Client access to RMI via HTTP(S)
- HTTPS
Properties props = new Properties(); props.put("java.naming.factory.initial", "org.jboss.naming.HttpNamingContextFactory"); props.put("java.naming.provider.url", "https://localhost:8443/invoker/JNDIFactory"); props.put("java.naming.factory.url.pkgs", "org.jboss.naming"); Context ctx = new InitialContext(props); props.put(Context.SECURITY_PRINCIPAL, username); props.put(Context.SECURITY_CREDENTIALS, password); Calculator calculator = (Calculator) ctx.lookup(jndiName); // use the bean to do any operations
- HTTP
Properties props = new Properties(); props.put("java.naming.factory.initial", "org.jboss.naming.HttpNamingContextFactory"); props.put("java.naming.provider.url", "http://localhost:8080/invoker/JNDIFactory"); props.put("java.naming.factory.url.pkgs", "org.jboss.naming"); Context ctx = new InitialContext(props); props.put(Context.SECURITY_PRINCIPAL, username); props.put(Context.SECURITY_CREDENTIALS, password); Calculator calculator = (Calculator) ctx.lookup(jndiName); // use the bean to do any operations
jboss-as/$PROFILE/deploy/http-invoker.sar/invoker.war/WEB-INF/jboss-web.xml
.