6 Replies Latest reply on Jun 20, 2006 3:04 AM by mathias

    ssl encrypted rmi/ejb still sending unencrypted data?

    mathias Newbie


      I have a question that puzzles me and i do hope someone can help me out...

      I am securing a swing client that uses the jboss clientloginmodule, takes an initialcontext then looks up ejb's to do various things on my 4.0.3 jboss server.

      I have followed section 8.7 of the admin guide "using ssl with jboss". So, i have the securitycontext, I've set up keystores for client and server, all EJB's are configured with my "SSL-invoker" etc.

      Here's my concern: I have installed "windump" a TCP packet sniffing tool to ensure that the data is indeed encrypted... and SOME data is encrypted. For example, i tried before I set up any SSL and the clientloginmodule username and password could easily be read through the dumps.

      This is nolonger the case, however there are still lots of cleartext data being sent between the client and server. Mostly class names, like rmicontext, various jboss classnames, but, more worrying, some of my own implemented class names.

      To me, this is kind of a security issue. Have I got something wrong, is it supposed to be like this? I thought that configuring the socketfactories on the server according to the guide would make everything encrypted...

      As always, happy to be enlighted.