Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-14257

(7.2.z) IIOP always requires SSL

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Obsolete
    • Icon: Major Major
    • None
    • 7.1.0.GA
    • IIOP
    • None
    • Hide

      Lets have two server, 7.0 having client role, 7.1 having server role

      1. deploy client-side.war to EAP 7.0
      2. deploy server-side.jar to EAP 7.1
      3. start server 7.0 with command "./bin/standalone.sh -c standalone-full.xml -Djboss.node.name=1"
      4. start EAP 7.1 with command "./bin/standalone.sh -c standalone-full.xml -Djboss.node.name=2 -Djboss.socket.binding.port-offset=100"
      5. access localhost:8080 to run the scenario

      You can see in EAP 7.0 stdout that it has got into infinite loop trying to connect to IIOP SSL socket which is not accessible.

      Show
      Lets have two server, 7.0 having client role, 7.1 having server role deploy client-side.war to EAP 7.0 deploy server-side.jar to EAP 7.1 start server 7.0 with command "./bin/standalone.sh -c standalone-full.xml -Djboss.node.name=1" start EAP 7.1 with command "./bin/standalone.sh -c standalone-full.xml -Djboss.node.name=2 -Djboss.socket.binding.port-offset=100" access localhost:8080 to run the scenario You can see in EAP 7.0 stdout that it has got into infinite loop trying to connect to IIOP SSL socket which is not accessible.

      When app deployed to EAP7.0 calls an EJB deployed to EAP7.1 via IIOP, the call will fail because EAP 7.1 responds (Location Forward message - GIOP protocol) that It requires SSL even if It does not (to the best of my knowledge).

      EAP 7.1 standard IIOP subystem configuration:

              <subsystem xmlns="urn:jboss:domain:iiop-openjdk:2.0">
                  <orb socket-binding="iiop"/>
                  <initializers security="identity" transactions="spec"/>
                  <security server-requires-ssl="false" client-requires-ssl="false"/>
              </subsystem>
      

      It is observable here (client side). ssl.target_requires is true and ssl.target_supports is false.

      This does not happen when

      • server side is EAP 7.0 - ssl.target_requires is false and ssl.target_supports is true.
      • client side is EAP 7.1 - it works due to better condition at client side here which results to not using SSL

      If IIOP subsystem is configured to use iiop ssl socket, It will work - EAP just does not responds correctly if ssl is not configured.

      It is possible that I have malconfigured server side EAP and I am missing something.

      Deployments used as reproducers are simple.

      client-side: simple servlet that calls an EJB

      @WebServlet(urlPatterns = "/")
      public class ClientServlet extends HttpServlet {
      
          @Override
          protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                  throws ServletException, IOException {
              try {
      
                  Context ctx = new InitialContext(new Properties());
                  Object iiopObj = ctx.lookup("corbaname:iiop:127.0.0.1:3628#Bean");
                  BeanHome home = (BeanHome) PortableRemoteObject.narrow(iiopObj, BeanHome.class);
                  BeanRemote beanRemote = home.create();
                  String string = beanRemote.invoke();
                  System.out.println("Bean obtained by IIOP returned: " + string);
                  resp.getWriter().append("Bean obtained by IIOP returned: ").append(string).append("\n");
              } catch (Exception e) {
                  resp.getWriter().append("Calling bean failed: ");
                  e.printStackTrace(resp.getWriter());
                  throw new RuntimeException(e);
              }
          }
      }
      

      server-side: simple EJB

      public class Bean {
          public String invoke() {
              return "server side invocation: success";
          }
      }
      

        1. client-side.war
          4 kB
          Ivan Straka
        2. server-side.war
          4 kB
          Ivan Straka

              istudens@redhat.com Ivo Studensky
              istraka@redhat.com Ivan Straka
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated:
                Resolved: