4 Replies Latest reply on Dec 8, 2005 1:34 AM by golubec

    Net communication over HTTPS.  (Safe to disable JRMP?)

      I am looking at some production deployment options and had a few questions.

      We want all communications to be over SSL. One mechanism for doing this would be to run JNDI, EJB Invocations, etc over HTTPS. It seems fairly straightforward to perform lookups using HttpNamingContextFactory and to use the HttpInvoker service over SSL for EJB invocations. I have a few questions though:

      1) Is the HttpInvoker slower than the RMI/JRMP invoker? Any drawbacks to the HttpInvoker?

      2) I really want to lock down the server and not allow anyone to mistakenly use non-SSL sockets. Would it be safe (is it possible?) to disable the JRMPInvoker and use only the LocalInvoker and the HttpInvoker for calling EJBs?

      3) The docs mention creating a stateless-http-invoker invoker-proxy-binding and binding it directly to the beans you are deploying. Would there be any issues with just changing the definition of the "Standard Stateless SessionBean" container-configuration so it uses the stateless-http-invoker instead of the stateless-rmi-invoker?

      Can the server run with just the HTTPs port open? If naming, invocation are running over HTTPS, and JMS is only used locally on the server, it would seem feasible to turn off all of the remote access ports other the HTTPS. Has anyone ever attempted operation in such a fashion?