2 Replies Latest reply on Jan 28, 2002 8:36 AM by Alain Coetmeur

    Locking jboss to a single IP address

    Simon Newbie

      Hi
      This may seem silly but I cannot find a way around it.
      I need to be able to set up JBoss such that it only accepts
      JNDI calls from localhost, and indeed any type of connection. This is already done on WebLogic when you install and you have to allow any other hosts directly, surely JBoss has the same functionality somewhere?

      Sorry if this has been covered elsewhere but at this point we will not be able to use the product if we can't find a solution.

      Thanks
      Simon

        • 1. Re: Locking jboss to a single IP address
          Alain Coetmeur Newbie

          Look into custom RMI socket factories:

          http://java.sun.com./products/jdk/1.2/docs/guide/rmi/rmisocketfactory.doc.html

          It won't be terrible to create an RMIServerSocketFactory
          that creates a RestrictedServerSocket
          which restricts the usual java.net.ServerSocket
          to a given kind of peer host or port...

          I've done the reverse job to create a custom
          client socket that binds only to a given port range,
          and that in a few hours (for JacORB)...


          • 2. Re: Locking jboss to a single IP address
            Alain Coetmeur Newbie

            As a complement,
            here is a message showing how to
            change the socket factory
            (by wglozer)...
            Instead of SSL sockets,
            create a server socket factory that creates restricted server sockets...


            http://main.jboss.org/thread.jsp?forum=49&thread=2137&message=8875&q=RMIServerSocketFactory+#8875

            RMI over SSL, Tips and Code Posted: Sep 25, 2001 5:20 PM

            RMISSLServerSocketFactory.java


            package jboss;

            import java.io.*;
            import java.net.*;
            import java.rmi.server.*;
            import java.security.*;
            import javax.net.*;
            import javax.net.ssl.*;
            // SSLContext and KeyManagerFactory as shipped in JSSE 1.0.x
            // (these classes are in javax.net.ssl from JDK 1.4 on).
            import com.sun.net.ssl.*;

            /**
             * An RMIServerSocket factory that uses JSSE to produce SSL encrypted
             * sockets.
             *
             * @author Will
             * @version 1.00a 09/21/2001
             */
            public class RMISSLServerSocketFactory implements RMIServerSocketFactory,
                    Serializable {

                // Shared by all instances; built once when the class is loaded.
                protected transient static ServerSocketFactory socketFactory;

                static {
                    // Register the JSSE provider from Sun's jsse.jar.
                    Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());

                    try {
                        // Keystore passphrase; change it to match your keystore.
                        char[] passphrase = "password".toCharArray();

                        // Load the server certificate and key from ~/.keystore.
                        KeyStore ks = KeyStore.getInstance("JKS");
                        FileInputStream in = new FileInputStream(
                                System.getProperty("user.home") + "/.keystore");
                        try {
                            ks.load(in, passphrase);
                        } finally {
                            in.close();
                        }

                        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
                        kmf.init(ks, passphrase);

                        SSLContext ctx = SSLContext.getInstance("TLS");
                        ctx.init(kmf.getKeyManagers(), null, null);

                        socketFactory = ctx.getServerSocketFactory();
                    } catch (Exception e) {
                        throw new RuntimeException(e.toString());
                    }
                }

                public ServerSocket createServerSocket(int port) throws IOException {
                    return socketFactory.createServerSocket(port);
                }

                // equals() and hashCode() let the JRMP layer treat all instances
                // as the same factory and reuse existing sockets.
                public boolean equals(Object o) {
                    return o instanceof RMISSLServerSocketFactory;
                }

                public int hashCode() {
                    return RMISSLServerSocketFactory.class.getName().hashCode();
                }
            }




            RMISSLClientSocketFactory.java


            package jboss;

            import java.io.*;
            import java.net.*;
            import java.rmi.server.*;
            import java.security.Security;
            import javax.net.*;
            import javax.net.ssl.*;

            /**
             * An RMIClientSocket factory that uses JSSE to produce SSL encrypted
             * sockets.
             *
             * @author Will
             * @version 1.00a 09/21/2001
             */
            public class RMISSLClientSocketFactory implements RMIClientSocketFactory,
                    Serializable {

                protected transient static SocketFactory socketFactory;

                static {
                    Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
                    socketFactory = SSLSocketFactory.getDefault();
                }

                public Socket createSocket(String host, int port) throws IOException {
                    return socketFactory.createSocket(host, port);
                }

                public boolean equals(Object o) {
                    return o instanceof RMISSLClientSocketFactory;
                }

                public int hashCode() {
                    return RMISSLClientSocketFactory.class.getName().hashCode();
                }
            }




            You'll have to edit the RMISSLServerSocketFactory.java to point to the right keystore with a valid certificate that the client will recognize.

            Compile these two classes and place them in the JBoss classpath, along with Sun's jsse.jar.

            Modify standardjboss.xml and add the following lines to the <container-invoker-conf> section for each container you want to use SSL:

            <RMIObjectPort>4446</RMIObjectPort>
            <RMIClientSocketFactory>jboss.RMISSLClientSocketFactory</RMIClientSocketFactory>
            <RMIServerSocketFactory>jboss.RMISSLServerSocketFactory</RMIServerSocketFactory>

            All of your containers configured like this can use the same RMIObjectPort, but non-SSL containers must be on a different port.

            Thanks to Scott Stark for pointing out the trick of implementing equals(Object) and hashCode() for the underlying JRMP impl to reuse existing SocketFactories.
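
The restricted server socket factory suggested in replies 1 and 2, as an added example that is not code from the thread or from JBoss: it binds to the loopback address and also drops any peer that is not loopback in accept(). The class names LoopbackOnlyServerSocketFactory and RestrictedServerSocket are hypothetical, and the main() is a constructed demo.

```java
import java.io.IOException;
import java.io.Serializable;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.rmi.server.RMIServerSocketFactory;

// Added example; both class names are hypothetical, not JBoss classes.
public class LoopbackOnlyServerSocketFactory
        implements RMIServerSocketFactory, Serializable {

    public ServerSocket createServerSocket(int port) throws IOException {
        // Bind to 127.0.0.1 only, so the port is not exposed on other interfaces.
        return new RestrictedServerSocket(port, 50, InetAddress.getByName("127.0.0.1"));
    }

    // Same trick as in the SSL factories: lets JRMP reuse an equal factory.
    public boolean equals(Object o) {
        return o instanceof LoopbackOnlyServerSocketFactory;
    }
    public int hashCode() {
        return LoopbackOnlyServerSocketFactory.class.getName().hashCode();
    }

    // ServerSocket that hands back only connections from a loopback peer.
    static class RestrictedServerSocket extends ServerSocket {
        RestrictedServerSocket(int port, int backlog, InetAddress bind) throws IOException {
            super(port, backlog, bind);
        }

        public Socket accept() throws IOException {
            while (true) {
                Socket s = super.accept();
                if (s.getInetAddress().isLoopbackAddress()) {
                    return s;
                }
                s.close(); // refuse the peer and keep listening
            }
        }
    }

    // Constructed demo: port 0 asks the OS for any free port.
    public static void main(String[] args) throws IOException {
        ServerSocket ss = new LoopbackOnlyServerSocketFactory().createServerSocket(0);
        Socket client = new Socket(ss.getInetAddress(), ss.getLocalPort());
        Socket peer = ss.accept();
        System.out.println(ss.getLocalSocketAddress() + " accepted " + peer.getInetAddress());
        peer.close(); client.close(); ss.close();
    }
}
```

Binding to the loopback address alone already keeps other hosts from connecting; the accept() check is where a "given kind of peer host" rule would go if the socket had to bind to a wider address. The factory only governs sockets that RMI creates through it, so other listeners in the server need their own bind-address setting.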