To clarify, what happens is that when the EJB call is made (look up home and remote interface, call the method), using the Login/InitialContext, on the network the communication first takes place on the "normal" RMI port (1098). This is where you can see some cleartext information such as class names and such.
The communication is then moved to the secure port (14445) and at that point it is SSL encrypted of course.
So, is there some way to ensure that *all* communication takes place over the SSL port, or is this simply how it works?
Oh maaan, is there no one with some input here?
Hmm, I've done some more thinking and I might have a theory.
In the client, I do an InitialContext, using the normal JNDI port (1099) to look up home interfaces for the beans.
I haven't configured anything special for the JNDI service, so that would probably mean that that information is sent unencrypted, but then the security domain of the EJBs kicks in and the usage of the beans is encrypted.
I sure would like some confirmation, and if someone has any pointers about how to, in that case, configure the JNDI remote service, I'd be a happy camper.
Yes, JNDI must also be set up to use SSL if you want its data encrypted.
Thanks Scott, as I thought then. But it still means that the logincontext's usr/pwd is sent encrypted, right? I mean, they are not passed when the initialcontext is looked up? Reason I think so is because I could see them before setting up SSL for the EJBs, but not after...
Hey Scott or anyone, can someone please agree with me.... :)
Also, is there a good guide somewhere on securing JNDI in JBoss?
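
A capture-side check for the behaviour discussed in this thread, as an added example that is not part of any post: it classifies the first bytes seen on each port as TLS, cleartext JRMP (the RMI wire protocol), or cleartext Java serialization, and lists the class names an observer could read. The byte strings and the class name `com.example.ejb.AccountHome` are constructed samples; only the port numbers come from the posts above.

```python
import re

JRMP_MAGIC = b"JRMI"                 # header a client sends to open a JRMP (RMI) stream
SERIAL_MAGIC = b"\xac\xed\x00\x05"   # java.io.ObjectOutputStream stream header
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}  # ccs, alert, handshake, app data

# Fully qualified Java class names as they appear inside serialized data.
CLASS_NAME = re.compile(rb"(?:[a-z][a-z0-9_]*\.)+[A-Z][A-Za-z0-9_$]*")

# Constructed payloads: first bytes captured on each server port.
SAMPLE_FLOWS = {
    1098: b"JRMI\x00\x02KP\xac\xed\x00\x05t\x00\x1bcom.example.ejb.AccountHome\x00",
    1099: b"\xac\xed\x00\x05sr\x00\x19java.rmi.MarshalledObject\x7c\xbd\x1e\x97",
    14445: b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03" + bytes(range(32)),
}


def classify(payload):
    """Classify the first bytes sent on a TCP connection."""
    if (len(payload) >= 3 and payload[0] in TLS_CONTENT_TYPES
            and payload[1] == 0x03 and payload[2] <= 0x04):
        return "tls"  # TLS record header: content type, then version 3.x
    if payload.startswith(JRMP_MAGIC):
        return "cleartext-jrmp"
    if SERIAL_MAGIC in payload:
        return "cleartext-java-serialization"
    return "unknown"


def leaked_class_names(payload):
    """Class names readable in the payload; empty when the flow is TLS."""
    if classify(payload) == "tls":
        return []
    return sorted({m.decode("ascii") for m in CLASS_NAME.findall(payload)})


def audit(flows):
    """Map each port to the classification of its captured payload."""
    return {port: classify(data) for port, data in sorted(flows.items())}


if __name__ == "__main__":
    for port, verdict in audit(SAMPLE_FLOWS).items():
        print(port, verdict, leaked_class_names(SAMPLE_FLOWS[port]))
```

Fed with the first payload bytes of each connection from a real capture, any port that still reports a `cleartext-*` verdict after reconfiguration is not yet wrapped in SSL.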