4 Replies Latest reply on Jul 12, 2006 2:27 PM by Tom Elrod

    securing servlet invoker?

    mazz Master

      In the Remoting Users Guide at: http://labs.jboss.com/portal/jbossremoting/docs/guide/ch04.html#d0e858

      it says:

      An important point of configuration to note is that the value for the InvokerLocator attribute is the exact url used to access the servlet for the servlet invoker (more on how to define this below), with the exception of the protocol being servlet instead of http

      From that, I assume the client needs to use the "servlet:" locator URI. But then the question remains, what if I want to secure the traffic via SSL? I can't specify "https" vs. "http" in the locator URI. So I'm not sure how I configure the client to use SSL.

        • 1. Re: securing servlet invoker?
          Tom Elrod Master

          The problem with the servlet invoker on the server side is that because it is deployed in a web container, remoting does not know all the configuration associated (such as ssl). Therefore, just assume lowest common denominator, which is plain old http (non ssl). This is really only important for discovery since locator url published in detection message would be something like (servlet://myhost:8080/bla).

          However, if are not using remoting discovery and can explicitly set the locator url on the client, then can use 'http' or 'https' as on the client side will be using the HTTPClientInvoker (or HTTPSClientInvoker) regardless of if is talking to http server invoker or servlet server invoker (which would be running within a web container). The HTTP(S)ClientInvoker has no implicit knowledge of what implementation it is sending and receiving http requests to/responses from.

          • 2. Re: securing servlet invoker?
            Tom Elrod Master

            Have added a jira issue to include a sslservlet transport.


            • 3. Re: securing servlet invoker?
              mazz Master

              Because this servlet transport (and the new sslservlet one) will really be using HTTP/HTTPS transport under the covers, I'm assuming I will need all the extra jars that are required for that (I haven't played with the http/https transport yet - isn't there some tomcat jars that are required for those to work?)

              • 4. Re: securing servlet invoker?
                Tom Elrod Master

                Only need the tomcat jars for the server side. The client side (HTTP(S)ClientInvoker) should not need any extra jars.