nope

The issue is not the hard coding on the client side

The client being used is asp.net and php

We could "hack" the

${jboss.bind.address}

To have the name of our load balancer rather than the ${jboss.bind.address} but that is a rather ugly hack

no further suggestions ? or still not really understanding our needs ?

PeterJ:

If you re-read my first post, you will see that i already explained that some of our jboss servers are directly accessible and some are not.

This means that for the servers that are directly accessible, using the ${jboss.bind.address} is a reasonable guess when trying to construct the full url for the soap address.

For example

http://123.123.123.123:8080/myapp/mySoapService

or if @WebContext(transportGuarantee="CONFIDENTIAL") then jboss will guess

https://123.123.123.123:8443/myapp/mySoapService

Now, as I have already stated this is not applicable for all servers. If a jboss server is behind a firewall then the bind address might not be publicly accessible.

This leaves a bit of an issue, if you leave true then you would end up with an address like

https://192.168.1.123:8443/myapp/mySoapService

which is unless unless your clients have a VPN in place, in which case the firewall is redundant as you would be side-stepping the firewall by using the VPN tunnel to get behind it !!

The old way was use false. If this by itself then just breaks your service as your wsdl now just contains the litteral value REPLACE_WITH_ACTUAL_URL. To get round this, we had modified our build system so when building copies of our app that were destined for use on our servers that are not directly accessible, we used to replace the REPLACE_WITH_ACTUAL_URL with the correct address as compilation time. We are happy to continue with this model, but are unable to as we have yet to find a way to effect the construction of the soap address within the wsdl that is created at runtime

What client code is being used to consume a given web service is irrelevant as when consuming a soap webservice you need wsdl that defines a url for it to actually perform a given action, which if it it contains a private ip, as per RFC1918 is not going to be much use to you unless you are also inside the same address space. Also the fact that our "firewall" is infact a SSL off-loader is again irrelevant to the construction of the URL

I have found very little in the way of documentation for the virtualHosts option, but this is in effect what we want to define as it is the host part of the url we wish to override (we already use the context to set the filepath aspect of the url)

Can anyone spread any further light on virtualHosts and confirm (or deny) if JBoss AS 4.2.3 supports it's usage ?

There are two totally different setups

123.123.123.123 is the dummy ip for a server that runs on a global ip address

192.168.1.123 is the private ip address of a server sitting behind the unspecified ip address of the firewall

If the client accesses a url of

https://456.456.456.456:8443/myapp/mySoapService?wsdl

they the wsdl should list the location as <soap:address location='https://456.456.456.456:8443/myapp/mySoapService'/>

ideally it should be HTTP 1.1 compliant, so rather than use a hard coded hostname or ${jboss.bind.address} it builds the url based on the url used for the wsdl request (which is just as simple as stripping the ?wsdl from the end)

please read http://www.jboss.org/community/docs/DOC-12519 as this is basically the same problem as that of the creation of RMI stubs

This document details the use of these attributes to ensure that jndi returns the correct url for rmi invocations, just in the same way as the wsdl needs to return the correct url for soap invocations

-Djava.rmi.server.hostname=<external_host_name>
-Djava.rmi.server.useLocalHostname=true

In both cases, you are making a call to a given address, which is then forwarded on the the real jboss server, which is on a different address. When jboss is then creating anything that gives any kind or addressing details, by default it guesses it should use it's own address as it's unaware of the publicly accessible address.

The comment about HTTP 1.1 is that jboss should never be guessing the value for url in the first place. when the call for the WSDL is made, the HTTP connection provides the hostname as well as the filepath that was requested, this can then be used to build the response.

i,e

Current model

https://${webServiceHost}:${webServiceSecurePort}/${path.to.sevice}

where webServiceHost and webServiceSecurePort are hard coced values in WSServerConfig


Ideal Model

https://${http.request.hostname}:${http.request.port}/${path.to.sevice}

where the http.request values are populated based on the HTTP headers as part of the call for the WSDL


e.g

if I call https://myserver1.cust1,example.com:8443/myservice?wsl then the soap location should come back as https://myserver1.cust1,example.com:8443/myservice

if i have a dns record so that soap.example.com resolves to a http load balancer the if i call https://soap.example.com/myservice?wsdl then i get back a location of https://soap.example.com/myservice no matter whether it goes to myserver1.cust1,example.com, myserver2.cust1,example.com or even myserver9.cust4,example.com



As i say, this is the ideal. I would be happy with the old method whereby i hard-code the <soap:address location=''/> within the automatically created WSDL

what happens if you comment out the webServiceHost ? does it then use the HOST value of the HTTP 1.1 request ?

This works, but it's still a hack

There is no reason at all to use a hard coded hostname unless you are looking to support ancient HTTP 1.0 clients, of which given SOAP comes years after 1.1 was released, I'm pretty sure all client support 1.1

Also this hack does not work as well as the way I used to do it as this will still re-write the url to include a port number, where my old method defined the full url so the access address doesn't have the nasty 8443 in there that can cause issues for clients accessing who might be behind firewalls