More Books
JBoss 4.0 The Official Guide
JBoss® 4.0 The Official Guide
Table of Contents
Copyright
About the Authors
We Want to Hear from You!
Introduction
What This Book Covers
About JBoss
About Open Source
About Professional Open Source
What's New in JBoss 4.0
Chapter 1.  Installing and Building the JBoss Server
Getting the Binary Files
Installing the Binary Package
Basic Installation Testing
Booting from a Network Server
Building the Server from Source Code
Chapter 2.  The JBoss JMX Microkernel
JMX
The JBoss JMX Implementation Architecture
Connecting to the JMX Server
Using JMX as a Microkernel
The JBoss Deployer Architecture
Exposing MBean Events via SNMP
Remote Access to Services, Detached Invokers
Chapter 3.  Naming on JBoss
An Overview of JNDI
The JBossNS Architecture
Chapter 4.  Transactions on JBoss
Transaction and JTA Overview
JBoss Transaction Internals
Chapter 5.  EJBs on JBoss
The EJB Client-Side View
The EJB Server-Side View
The EJB Container
Entity Bean Locking and Deadlock Detection
Chapter 6.  Messaging on JBoss
JMS Examples
JBossMQ Overview
JBossMQ Configuration and MBeans
Specifying the MDB JMS Provider
Chapter 7.  Connectors on JBoss
JCA Overview
An Overview of the JBossCX Architecture
Configuring JDBC Datasources
Configuring Generic JCA Adaptors
Chapter 8.  Security on JBoss
J2EE Declarative Security Overview
An Introduction to JAAS
The JBoss Security Model
The JBossSX Architecture
The Secure Remote Password (SRP) Protocol
Running JBoss with a Java 2 Security Manager
Using SSL with JBoss and JSSE
Configuring JBoss for Use Behind a Firewall
Securing the JBoss Server
Chapter 9.  Web Applications
The Tomcat Service
The Tomcat server.xml File
The Engine Element
The Host Element
Using SSL with the JBoss/Tomcat Bundle
Setting the Context Root of a Web Application
Setting Up Virtual Hosts
Serving Static Content
Using Apache with Tomcat
Using Clustering
Integrating Third-Party Servlet Containers
Chapter 10.  MBean Services Miscellany
System Properties Management
Property Editor Management
Services Binding Management
Scheduling Tasks
The Log4j Service MBean
RMI Dynamic Class Loading
Chapter 11.  The CMP Engine
Example Code
The jbosscmp-jdbc Structure
Entity Beans
CMP Fields
Container-Managed Relationships
Declaring Queries
Optimized Loading
The Loading Process
Transactions
Optimistic Locking
Entity Commands and Primary Key Generation
JBoss Global Defaults
Datasource Customization
Chapter 12.  Web Services
JAX-RPC Service Endpoints
Enterprise JavaBean Endpoints
Web Services ClientsA JAX-RPC Client
Service References
Chapter 13.  Hibernate
The Hibernate MBean
Hibernate Archives
Using Hibernate Objects
Using a HAR File Inside an EAR File
The HAR Deployer
Chapter 14.  Aspect-Oriented Programming (AOP) Support
JBoss AOP: EJB-Style Services for Plain Java Objects
Why AOP?
Basic Concepts of AOP
Building JBoss AOP Applications
The JBoss AOP Deployer
Packaging and Deploying AOP Applications to JBoss
Appendix A.  The GNU Lesser General Public License (LGPL)
GNU General Public License
Appendix B.  Example Installation
Index
SYMBOL
A
B
C
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
X

Using SSL with the JBoss/Tomcat Bundle

There are a few ways you can configure HTTP over SSL for the embedded Tomcat servlet container. The main difference between them is whether you use the JBoss-specific connector socket factory, which allows you to obtain the JSSE server certificate information from a JBossSX SecurityDomain. This requires establishing a SecurityDomain by using the org.jboss.security.plugins.JaasSecurityDomain MBean. These two steps are similar to the procedure used in Chapter 8, "Security on JBoss," to enable RMI with SSL encryption. The following is a server.xml configuration file that illustrates the setup of only an SSL connector via this approach:

<Server>
    <Service name="jboss.web" className=
"org.jboss.web.tomcat.tc5.StandardService">

        <Connector port="8080" address="${jboss.bind.address}" maxThreads="150"
            minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
            redirectPort="443" acceptCount="100" connectionTimeout="20000"
            disableUploadTimeout="true"/>

        <Connector port="443" address="${jboss.bind.address}" maxThreads="100"
            minSpareThreads="5" maxSpareThreads="15" scheme="https"
            secure="true" clientAuth="false"
            keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"
            keystorePass="rmi+ssl" sslProtocol="TLS"/>

        <Engine name="jboss.web" defaultHost="localhost">
            <Realm
                className="org.jboss.web.tomcat.security.JBossSecurityMgrRealm"
                certificatePrincipal="org.jboss.securia.Log4jLogger"
                verbosityLevel="WARNING" category=
"org.jboss.web.localhost.Engine"/>
            <Host name="localhost" autoDeploy="false" deployOnStartup="false"
                  deployXML="false">
                <DefaultContext cookies="true" crossContext="true"
override="true"/>
            </Host>
        </Engine>
    </Service>
</Server>

This configuration includes the same JaasSecurityDomain setup as in Chapter 8, but because the descriptor is not being deployed as part of a SAR that includes chap8.keystore, you need to copy chap8.keystore to the server/default/conf directory.

You can do a quick test of this configuration by accessing the JMX Console web application, using the URL https://localhost/jmx-console/index.jsp.

Note

If you're running on a Unix system (Linux, Solaris, or OS X) that allows only root to open ports below 1024, you need to change the port number in the preceding code to something like 8443.


The following are the factory configuration attributes:

  • algorithm This is the certificate encoding algorithm to be used. If it is not specified, the default value is SunX509.

  • className This is the fully qualified classname of the SSL server socket factory implementation class. You must specify org.apache.coyote.tomcat4.CoyoteServerSocketFactory here. Using any other socket factory will not cause an error, but the server socket will not be using SSL.

  • clientAuth You set this attribute to TRue if you want the SSL stack to require a valid certificate chain from the client before accepting a connection. A false value (which is the default) does not require a certificate chain unless the client requests a resource protected by a security constraint that uses CLIENT-CERT authentication.

  • keystoreFile This is the pathname of the keystore file where you have stored the server certificate to be loaded. By default, the pathname is the file.keystore in the operating system home directory of the user who is running Tomcat.

  • keystorePass This is the password used to access the server certificate from the specified keystore file. The default value is changeit.

  • keystoreType This is the type of keystore file to be used for the server certificate. If not specified, the default value is JKS.

  • protocol This is the version of the SSL protocol to use. If not specified, the default is TLS.

Note that if you try to test this configuration by using the self-signed certificate from the Chapter 8 chap8.keystore and attempt to access content over an HTTPS connection, your browser should display a warning dialog indicating that it does not trust the certificate authority that signed the certificate of the server you are connecting to. For example, when we tested the first configuration example, Internet Explorer 5.5 showed the initial security alert dialog listed in Figure 9.2. Figure 9.3 shows the server certificate details. This warning is important because anyone can generate a self-signed certificate with any information desired. Your only way to verify that the system on the other side really represents the party it claims to is by verifying that it is signed by a trusted third party.

Figure 9.2. The Internet Explorer 5.5 security alert dialog.


Figure 9.3. The Internet Explorer 5.5 SSL certificate details dialog.