Using SSL with the JBoss/Tomcat Bundle

There are a few ways you can configure HTTP over SSL for the embedded Tomcat servlet container. The main difference between them is whether you use the JBoss-specific connector socket factory, which allows you to obtain the JSSE server certificate information from a JBossSX SecurityDomain. This requires establishing a SecurityDomain by using the org.jboss.security.plugins.JaasSecurityDomain MBean. These two steps are similar to the procedure used in Chapter 8, "Security on JBoss," to enable RMI with SSL encryption. The following is a server.xml configuration file that illustrates the setup of only an SSL connector via this approach:

    <Server>
        <Service name="jboss.web"
            className="org.jboss.web.tomcat.tc5.StandardService">
            <Connector port="8080" address="${jboss.bind.address}"
                maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
                enableLookups="false" redirectPort="443" acceptCount="100"
                connectionTimeout="20000" disableUploadTimeout="true"/>
            <Connector port="443" address="${jboss.bind.address}"
                maxThreads="100" minSpareThreads="5" maxSpareThreads="15"
                scheme="https" secure="true" clientAuth="false"
                keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"
                keystorePass="rmi+ssl" sslProtocol="TLS"/>
            <Engine name="jboss.web" defaultHost="localhost">
                <Realm className="org.jboss.web.tomcat.security.JBossSecurityMgrRealm"
                    certificatePrincipal="org.jboss.security.auth.certs.SubjectDNMapping"/>
                <Logger className="org.jboss.web.tomcat.Log4jLogger"
                    verbosityLevel="WARNING" category="org.jboss.web.localhost.Engine"/>
                <Host name="localhost" autoDeploy="false"
                    deployOnStartup="false" deployXML="false">
                    <DefaultContext cookies="true" crossContext="true" override="true"/>
                </Host>
            </Engine>
        </Service>
    </Server>

This configuration includes the same JaasSecurityDomain setup as in Chapter 8, but because the descriptor is not being deployed as part of a SAR that includes chap8.keystore, you need to copy chap8.keystore to the server/default/conf directory.
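A small audit of the connector wiring in a server.xml of this shape, added here as an example and not part of the book or of JBoss itself. It parses the file, expands the ${jboss.server.home.dir} property, confirms the https connector is marked secure with an sslProtocol and a keystore that exists, and checks that the plain HTTP connector's redirectPort actually points at an https connector. The sample server.xml is constructed: its SSL port was moved to 8443 while redirectPort was left at 443, the mismatch this check is meant to catch; the keystore path and property value are assumptions.

```python
"""Audit SSL connector wiring in a JBoss/Tomcat server.xml (added example)."""
import os
import re
import xml.etree.ElementTree as ET

# Constructed sample: SSL connector moved to 8443 but redirectPort still 443.
SAMPLE_SERVER_XML = """<Server>
 <Service name="jboss.web">
  <Connector port="8080" redirectPort="443" scheme="http"/>
  <Connector port="8443" scheme="https" secure="true" clientAuth="false"
    keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"
    keystorePass="rmi+ssl" sslProtocol="TLS"/>
 </Service>
</Server>"""


def expand(value, props):
    """Expand ${name} references as JBoss does when it reads server.xml."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def audit_connectors(xml_text, props, keystore_exists=os.path.isfile):
    """Return a list of findings; an empty list means the wiring is consistent."""
    findings = []
    ssl, plain = [], []
    for c in ET.fromstring(xml_text).iter("Connector"):
        (ssl if c.get("scheme") == "https" else plain).append(c)
    ssl_ports = {c.get("port") for c in ssl}
    for c in ssl:
        port = c.get("port")
        if c.get("secure") != "true":
            findings.append(f'port {port}: https connector without secure="true"')
        if c.get("sslProtocol") is None:
            findings.append(f"port {port}: no sslProtocol set")
        path = c.get("keystoreFile")
        if path is None:
            findings.append(f"port {port}: no keystoreFile set")
        elif not keystore_exists(expand(path, props)):
            findings.append(f"port {port}: keystore not found at {expand(path, props)}")
    for c in plain:
        rp = c.get("redirectPort")
        if rp is not None and rp not in ssl_ports:
            findings.append(f"port {c.get('port')}: redirectPort {rp} is not an https connector")
    return findings


if __name__ == "__main__":
    # Assumed server home; adjust to the real ${jboss.server.home.dir}.
    for line in audit_connectors(SAMPLE_SERVER_XML, {"jboss.server.home.dir": "/opt/jboss/server/default"}):
        print(line)
```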
You can do a quick test of this configuration by accessing the JMX Console web application, using the URL https://localhost/jmx-console/index.jsp.

Note: If you're running on a Unix system (Linux, Solaris, or OS X) that allows only root to open ports below 1024, you need to change the port number in the preceding configuration to something like 8443.

The following are the factory configuration attributes:
Note that if you try to test this configuration by using the self-signed certificate from the Chapter 8 chap8.keystore and attempt to access content over an HTTPS connection, your browser should display a warning dialog indicating that it does not trust the certificate authority that signed the certificate of the server you are connecting to. For example, when we tested the first configuration example, Internet Explorer 5.5 showed the initial security alert dialog shown in Figure 9.2. Figure 9.3 shows the server certificate details. This warning is important because anyone can generate a self-signed certificate with any information desired. Your only way to verify that the system on the other side really represents the party it claims to is by verifying that its certificate is signed by a trusted third party.

Figure 9.2. The Internet Explorer 5.5 security alert dialog.

Figure 9.3. The Internet Explorer 5.5 SSL certificate details dialog.