3 Replies Latest reply on Jul 18, 2009 12:36 PM by ron_sigal

    make ejb3 client use ServerAuthMode=false on sslsocket to jb

      My client works fine, but I don't want it to require the trust store. I've read how one can use SSLSocketFactory to somehow configure the client to use SSLSocketBuilder.REMOTING_SERVER_AUTH_MODE=false, but I also don't want the client to know about port 3873, only port 1099.

      How would I change my stand alone test client to make this work?

      I have changed jboss-4.2.3.GA/server/default/deploy/ejb3.deployer/META-INF/jboss-service.xml as follows:

       <mbean code="org.jboss.remoting.transport.Connector"
       name="jboss.remoting:type=Connector,name=DefaultEjb3Connector,handler=ejb3">
       <depends>jboss.aop:service=AspectDeployer</depends>
       <attribute name="InvokerLocator">sslsocket://${jboss.bind.address}:3873</attribute>
       <attribute name="Configuration">
       <handlers>
       <handler subsystem="AOP">org.jboss.aspects.remoting.AOPRemotingInvocationHandler</handler>
       </handlers>
       </attribute>
       </mbean>
      


      And I have this stand alone test client:

      import java.util.Hashtable;
      import javax.naming.InitialContext;
      import javax.naming.NamingException;
      public class TestClient {
       public static void main(String[] args) throws Exception {
       InitialContext ctx = null;
       Hashtable<String, String> props = new Hashtable<String, String>();
       props.put("java.naming.factory.initial", "org.jnp.interfaces.NamingContextFactory");
       props.put("java.naming.provider.url", "jnp://localhost:1099");
       props.put("java.naming.factory.url.pkgs", "org.jboss.naming:org.jnp.interfaces");
       try {
       ctx = new InitialContext(props);
       } catch (NamingException e) {
       e.printStackTrace();
       }
       HelloWorld hello = null;
       try {
       hello = (HelloWorld) ctx.lookup("HelloWorldBean/remote");
       } catch (NamingException e) {
       e.printStackTrace();
       }
       System.setProperty("javax.net.ssl.trustStore", "/home/deckrider/jboss-4.2.3.GA-ssl/server/default/conf/localhost.keystore");
       System.setProperty("javax.net.ssl.trustStorePassword", "opensource");
      
       System.out.println(hello.getMessage());
       }
      }
      
      


      And just for reference, here's my EJBs:

      import javax.ejb.Remote;
      import javax.ejb.Stateless;
      @Stateless
      @Remote(HelloWorld.class)
      public class HelloWorldBean implements HelloWorld {
       public String getMessage() {
       return "Hello EJB World";
       }
      }
      


      import javax.ejb.Remote;
      @Remote
      public interface HelloWorld {
       public String getMessage();
      }
      


      My client works fine, but I don't want it to require the trust store. I've read how one can use SSLSocketFactory to somehow configure the client to use SSLSocketBuilder.REMOTING_SERVER_AUTH_MODE=false, but I also don't want the client to know about port 3873, only port 1099.

      How would I change my stand alone test client to make this work?

        • 1. Re: make ejb3 client use ServerAuthMode=false on sslsocket t
          ron_sigal

          I think there are two issues here.

          1.

          "deckrider" wrote:
          but I also don't want the client to know about port 3873


          If you mean "client" in the sense of your own application code, then don't worry. It doesn't need to know about port 3873. When you execute

          hello = (HelloWorld) ctx.lookup("HelloWorldBean/remote");
          


          you're bringing over a proxy object which knows about port 3873.

          2.
          "deckrider" wrote:
          I've read how one can use SSLSocketFactory to somehow configure the client to use SSLSocketBuilder.REMOTING_SERVER_AUTH_MODE=false ... . How would I change my stand alone test client to make this work?"


          I'd like to be able to say: just add "org.jboss.remoting.serverAuthMode=false" to the EJB3 InvokerLocator. That is:

          sslsocket://${jboss.bind.address}:3873/?org.jboss.remoting.serverAuthMode=false
          


          but, unfortunately, that doesn't work right now. I've created JBREM-1121 "Client SocketFactory should be configurable by InvokerLocator" to fix that.

          For now, there is one parameter that you could add to the InvokerLocator which will get used by the client: "socketFactoryClassName". That is, you could write your own SocketFactory and insure that it doesn't authenticate the server. The easiest way to do that, I think, is to write a MySocketFactory class that (1) uses SSLSocketBuilder to create an appropriate NoServerAuthenticateSocketFactory, and (2) just wraps the NoServerAuthenticateSocketFactory. That is, calls to MySocketFactory.createSocket() return the result of NoServerAuthenticateSocketFactory.createSocket(). Then modify the InvokerLocator:

          sslsocket://${jboss.bind.address}:3873/?socketFactoryClassName=org.deckrider.MySocketFactory
          


          For more information about SSLSocketBuilder, see Section "5.7.6 SSLSocketBuilder" of the Remoting Guide at http://www.jboss.org/jbossremoting/docs/guide/2.2/html/index.html .

          It's a pain, but it should work. Hope that helps.




          • 2. Re: make ejb3 client use ServerAuthMode=false on sslsocket t

            Thanks, ron.sigal, your suggestion indeed works. Also thanks, for proceeding with JBREM-1121, as I think that is an even better solution.

            • 3. Re: make ejb3 client use ServerAuthMode=false on sslsocket t
              ron_sigal

              For the record, JBREM-1121 "Client SocketFactory should be configurable by InvokerLocator" is fixed in Remoting release 2.2.3. The changes have also been applied to the Remoting 2.x branch and will appear in release 2.5.2.

              -Ron