
JBoss Application Server

What is J2EE
J2EE is a standards-based platform to develop, deploy and manage multi-tier, web-enabled, server-centric and component-based enterprise applications. As a superset of J2SE, J2EE adds additional specifications, libraries, documentation and tools.

Multi-Tier Architecture (diagram, summarized): Client Tier and Client Tier (B2B) on the left; Web Tier, Business Tier, Messaging Tier and Data access Tier in the middle, hosted by the J2EE Application Server; Legacy/External Tier and Data Tier behind them.

Component based architecture (diagram, summarized): client tier (web browser, web pages, applets) -> Web Container (JSP/Servlet) -> EJB Container (session beans, entity beans, message-driven beans) -> Data Tier. The Web Container and the EJB Container are hosted by the J2EE Application Server.

Server Centric
J2EE applications run within a J2EE application server that provides all middle-tier services. Clients are thin. Rich clients are supported through RMI, web services, etc.; the design of such clients is beyond the scope of J2EE.

Web enabled
Thanks to Servlet/JSP technology, J2EE applications are automatically web-enabled.

Some of the J2EE application servers available in the market

Apache Tomcat (a servlet/JSP container only, not a full J2EE server), JBoss AS, BEA WebLogic, IBM WebSphere, ATG Dynamo

JBoss Organization
The "professional open source" company. Focuses on middleware software and services: the JBoss Enterprise Middleware Suite (JEMS).
The software is open source and free.

Server Configurations
Fundamentally, the JBoss architecture consists of the JMX MBean server, the microkernel, and a set of pluggable component services, the MBeans. This makes it easy to assemble different configurations and gives you the flexibility to tailor them to meet your requirements. You don't have to run a large, monolithic server all the time; you can remove the components you don't need. Fewer deployed services also means less code listening on the network and a smaller attack surface.

You can also integrate additional services into JBoss by writing your own MBeans. You certainly don't need to do this to be able to run standard J2EE applications.

Microkernel Layer
Based on the JMX architecture. Defines the lifecycle, configuration and management of services: a standard mechanism for assembling service components for consistent access, management and integration.

Java Management eXtension (JMX)

Management and monitoring standard
Both local and remote management
Change settings at runtime
Event notification/timer
Portable across application servers
Integrates with third-party components

What is MBean
An MBean is a Java object that implements one of the standard MBean interfaces and follows the associated design patterns. The MBean for a resource exposes all necessary information and operations that a management application needs to control the resource.


JMX Architecture (layered, top to bottom)
Management applications
Distributed services layer: connectors and protocol adapters
Agent layer: MBean server, agent service MBeans
Instrumentation layer: resource MBeans, JVM

JMX on JBoss AS (diagram, summarized): the JBoss microkernel (the JMX MBean server) hosts the JTA, servlet container, JMS, EJB container, DB, remote manager, security and JNDI MBeans.

JMX Console
URL: http://localhost:8080/jmx-console/
The console exposes every one of these MBeans for inspection and invocation. In JBoss AS 4.2 it ships without a login requirement (the security-domain in its jboss-web.xml is commented out), so secure it before the server is reachable from anything but localhost; see the Security section.

Service Layer
Each service is defined as a JMX managed bean. Services are hot-pluggable, which makes it possible to tune the system to just the required services and lower the footprint. It is easy to define new services and package them as SARs (service archives).
Examples: Servlet/JSP container, EJB container, transaction management, messaging, connection pooling, security

Application Layer
This is where the enterprise (J2EE) applications reside. This layer deals with the business logic while leaving the container services up to JBoss AS. Applications are portable, i.e. independent of JBoss AS.

Getting and Installing Java

Download from http://java.sun.com. Get the J2SE SDK (JDK), not J2EE or the JRE.

Avoid installing Java into a directory that contains spaces or other special characters (e.g. C:\Program Files).

Configuring Java
Set JAVA_HOME to point to the directory where you installed Java. Add $JAVA_HOME/bin to your PATH.
Test that java -version prints the expected Java version.

On Unix, make these changes in the shell's configuration file (~/.bashrc).

Installing JBoss AS
Download the packaged community distribution from http://labs.jboss.com/jbossas/download and unpack the compressed archive.

Directory Structure
bin: contains the startup, shutdown and other system-specific scripts, i.e. the scripts which start JBoss.
client: stores configuration and JAR files which may be needed by a client which runs outside the JBoss AS container, such as a web service client, an EJB client or the JMX console client. It is used by external applications that need to access JNDI resources. To get the client classpath run: $JBOSS_HOME/bin/classpath.sh -c
docs: contains the XML DTDs used in JBoss for reference (these are also a useful source of documentation on JBoss configuration specifics). There are also example JCA (Java Connector Architecture) configuration files for setting up datasources for different databases (such as MySQL, Oracle, Postgres).
lib: JAR files which are needed to run the JBoss microkernel. You should never add any of your own JAR files here. Applications running on JBoss do not have access to the libraries placed in this directory.

The Server Directory

Each of the subdirectories in here is a different server configuration. The configuration sets contain the actual JBoss services. To change the configuration set that JBoss AS runs with, execute:
bin/run.sh -c <minimal|default|all>
Each configuration set has to have the following directories: conf/, deploy/, lib/. Other directories such as data/, log/, tmp/ and work/ are automatically created on JBoss AS startup if they do not exist.

Server Configurations contd.
Within the server directory, there are three example server configurations:
minimal: contains the bare minimum services required to start JBoss. It starts the logging service, a JNDI server and a URL deployment scanner to find new deployments. This is what you would use if you want to use JMX/JBoss to start your own services without any other J2EE technologies. This is just the bare server; there is no web container and no EJB or JMS support.
default: consists of the standard services needed by most J2EE applications. It does not include the JAXR service, the IIOP service or any of the clustering services.
all: starts all the available services. This includes the RMI/IIOP and clustering services, which aren't loaded in the default configuration.

The default/conf directory

jboss-service.xml: the conf directory contains the bootstrap descriptor, jboss-service.xml by default, for a given server configuration. This defines the core services that are fixed for the lifetime of the server.
jboss-log4j.xml: configuration file for the logging service, defining log filters, priorities and destinations.
jndi.properties: specifies a set of properties that are passed to JNDI.
login-config.xml: defines the security domains (JAAS login module stacks) used for authentication and authorization.
props/*.properties: Java property files (users and roles for the property-file based login modules).
standardjboss.xml: configuration file for the standard EJB container.

The default/data directory

The data directory is a location available for use by services that want to store content in the file system. This directory is not accessible to end users.

The default/deploy directory

Dynamic deployment content directory. This is where applications and services are deployed. It is the default location used by the hot deployment service and contains the code and configuration files for all services.

The default/lib directory

Contains the shared Java libraries (JAR files) needed by the server configuration. These libraries are not hot-(re)deployed; all of them are automatically added to the shared classpath on server start-up.

If you have Java libraries that you need to be made available to all your applications/services, they can be placed in this directory.
Similarly, you would also use this directory for Java libraries that need to be used by both your applications/services and JBoss AS services, for example a JDBC driver that is needed by JBoss AS to manage a pool of database connections as well as by your code, which implicitly uses it to interact with the database server.

The default/log directory

The log directory is the default directory into which the bootstrap logging service places its logs. This may be overridden through the conf/jboss-log4j.xml configuration file.
boot.log: logs the boot process.
server.log: takes over once the logging service is initialized from jboss-log4j.xml.
Default startup log priority: DEBUG. STDOUT and STDERR are logged to the console.
By default server.log is rolled over daily. Existing logs are overwritten by a (re)start. Old log files are not automatically cleaned by the server during runtime.
The log system can easily be configured to roll over logs hourly, roll over logs by size, and automatically remove old logs.
The default/work directory

Directory where compiled JSPs (the generated .java and .class files) reside.

Very useful for debugging problems in JSPs.

Starting JBoss AS
Execute $JBOSS_HOME/bin/run.sh (run.bat on Windows). The script figures out JBOSS_HOME by itself. To start JBoss as a service on Unix use the script jboss_init_redhat.sh. To bind JBoss to a specific address execute:
run.sh -Djboss.bind.address=10.1.2.3
or
run.sh -b 10.1.2.3

Starting JBoss AS On All IPs

JBoss AS 4.2 by default binds all of its services to the 127.0.0.1 IP address, i.e. jboss.bind.address=127.0.0.1. It is restricted to localhost for security reasons. To start JBoss AS such that it binds to all IP addresses execute:
run.sh -b 0.0.0.0 (run.bat on Windows)
Be aware of what this exposes: not only HTTP on 8080 (including the jmx-console) but also AJP on 8009, the JNP naming service on 1099 and its RMI port 1098, and every other service of the configuration. Prefer binding to the one interface that needs to be reachable, and firewall the management ports to administrative hosts.

Verifying JBoss AS Startup

JBoss has successfully started when you can see in its console window:
20:15:34,593 INFO [AjpProtocol] Starting Coyote AJP/1.3 on ajp-0.0.0.0-8009
20:15:34,593 INFO [Server] JBoss (MX MicroKernel) [4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807181439)] Started in 9s:765ms
Point your browser to http://localhost:8080/status to verify the server startup.

Stopping JBoss AS
If started in the foreground using the run script, simply hit CTRL+C. If running in the background as an OS service, stop it just like any other OS service:
kill -TERM <jboss-pid>
NET STOP JBoss (on Windows)

Use the shutdown script (remote shutdown): $JBOSS_HOME/bin/shutdown.sh -S
To shut down a remote JBoss AS instance use: ./shutdown.sh -s jnp://remoteHostOrIP:1099 -S

The remote instance's IP address and port are specified by its Naming Service, configured in ${jboss.server.config.url}/jboss-service.xml. The shutdown script reaches the server through JNDI and the JMX invoker; anyone who can reach port 1099 can do the same unless the invoker is secured, which is one more reason to keep the naming ports off untrusted networks.

Starting from a Remote Server

JBoss can load itself from a network server using the run script's -netboot=<url> option. To boot JBoss AS from a remote server execute:
./run.sh -netboot=http://192.168.0.1:8080/jboss/
Everything fetched this way is executed with the server's privileges, and the example URL is plain HTTP, so only netboot from a server and a network you trust.

Running AS as a Service
On Linux you can of course start JBoss in the background using &, i.e. run it as a background service. On Windows, the JavaService utility can be used to do that.

To Add Your Own Configuration

Copy an existing one that is closest to your needs and modify the contents. For example, if you weren't interested in using messaging, you could copy the default directory, rename it to myconfig, remove the jms subdirectory and then start JBoss with the new configuration:
run -c myconfig

The server configuration directory you're using is effectively the server root while JBoss is running. It contains all the code and configuration information for the services provided by the particular configuration. It's where the log output goes, and it's where you deploy your applications.

Deployment on JBoss AS
Deploy by copying components to the deploy/ directory; undeploy by removing the components that are not needed. The main deployment process is managed by conf/jboss-service.xml (the URLDeploymentScanner MBean). By default this scans the deploy directory every 5000 ms for added, removed or modified components.
Because anything dropped into deploy/ is unpacked and executed by the server, write access to that directory is equivalent to code execution as the JBoss user: keep it writable only by the account that owns the server and by your deployment process.

Hot vs. Cold Deployment

Hot deployment is convenient but there is a risk of:
- class-loader exceptions
- unrecognized configuration settings
- lost session/application scoped data
Cold deployment is slow but stable:
- stop JBoss AS
- delete data/, log/, tmp/ and work/
- redeploy the application
- start JBoss AS

JMX-Console
You can get a live view of the server by going to the JMX console application at http://localhost:8080/jmx-console. It allows you to modify the server's configuration, start and stop components and so on. For example, find the service=JNDIView link and click on it. This particular MBean provides a service to allow you to view the structure of the JNDI namespaces within the server. Now find the operation called list and click invoke. The operation returns a view of the current names bound into the JNDI tree, which is very useful when you start deploying your own applications and want to know why you can't resolve a particular EJB name.

Configuration Issues
Core services are specified in conf/jboss-service.xml. This is the bootstrap descriptor that defines the core services that are fixed for the lifetime of the server. Several MBeans are configured here, such as logging, security, JNDI naming and JNDIView, the thread pool, etc. Comment out the JNDIView service in jboss-service.xml and restart the application server:
<!--
<mbean code="org.jboss.naming.JNDIView" name="jboss:service=JNDIView" xmbean-dd="resource:xmdesc/JNDIView-xmbean.xml">
</mbean>
-->
Now if you look in the JMX console you will not be able to find the JNDIView service being deployed.

Services: Configuring JBoss AS services

Tomcat Web Container

Apache Tomcat is a free and open source servlet and JSP container. JBoss AS 4.2 embeds it (as JBoss Web, based on Tomcat 6.0, which implements Servlet 2.5 and JSP 2.1) in deploy/jboss-web.deployer. The JBoss AS configuration for the Tomcat integration is done in its META-INF/jboss-service.xml.

Tomcat's server.xml
Tomcat's own configuration file: jboss-web.deployer/server.xml. It configures:
- connectors (HTTP, HTTPS, AJP)
- security realms (inherited from JBoss)
- logging (Tomcat service)
- valves (request/response interceptors)
- virtual hosts (name based)
- web application contexts

Tomcat's web.xml
Default web descriptor for all web apps: jboss-web.deployer/conf/web.xml. It configures:
- common filters
- servlets for handling static content, JSPs and CGI scripts
- default session timeout
- MIME type mappings
- welcome file list: index.html, index.jsp
- error documents

Session Configuration
Configure:
<session-config>
  <session-timeout>30</session-timeout>
</session-config>
The value (in minutes) indicates how long the servlet container will maintain an idle session (in memory or on disk) before timing it out. A value <= 0 indicates that the session never expires unless destroyed explicitly, e.g. through the user's logout. This has a significant impact on server memory usage and on end users' dissatisfaction with timeouts; a non-expiring session also keeps a stolen session id valid indefinitely, so keep the timeout as short as the application tolerates.

Error Documents
Configured through <error-page>. Defines a mapping between an <error-code> or <exception-type> and the <location> of the error document to be served on those errors. Serving your own pages also keeps the container's default error page, with its stack traces and version banner, away from users.

<!ELEMENT error-page ((error-code | exception-type), location)>
<error-page>
  <error-code>404</error-code>
  <location>/FileNotFoundError.jsp</location>
</error-page>

<error-page>
  <exception-type>java.lang.IllegalArgumentException</exception-type>
  <location>/IllegalInputError.jsp</location>
</error-page>

Note that <location> is relative to the root of the application and it must start with a /.

Virtual Hosting with Tomcat

Add hosts and aliases to jboss-web.deployer/server.xml:
<Host name="myhost.com">
  <Alias>www.myhost.com</Alias>
</Host>
Register applications for virtual hosts in their WEB-INF/jboss-web.xml file:
<jboss-web>
  <context-root>/myapp</context-root>
  <virtual-host>myhost.com</virtual-host>
</jboss-web>

Web Access Logging

In JBOSS_HOME/server/default/deploy/jboss-web.deployer/server.xml define a <Valve> in:
- <Engine>: global for the entire server
- <Host>: per virtual host
- <Context>: per application
Supports automatic rotation of logs and conditional logging.

<Engine name="jboss.web" defaultHost="localhost">
  <Host name="localhost" autoDeploy="false" deployOnStartup="false" deployXML="false"
        configClass="org.jboss.web.tomcat.security.config.JBossContextConfig">

    <Valve className="org.apache.catalina.valves.AccessLogValve"
           prefix="localhost_access_log." suffix=".log"
           pattern="common" directory="${jboss.server.log.dir}"
           resolveHosts="false" />
    ...
  </Host>
</Engine>
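The access log produced by the valve above is the first place to look for traffic against the management consoles. The following Python script is an added example (not part of the original slides or of JBoss) that parses lines in the "common" pattern and flags requests to /jmx-console, /web-console or /invoker that arrive from off-box or use a verb other than GET or POST. The four log lines are constructed for the example; the path prefixes and the GET/POST expectation are assumptions that fit a JBoss AS 4.2 default configuration.

```python
import ipaddress
import re
from collections import namedtuple

# Lines in Tomcat's "common" AccessLogValve pattern (%h %l %u %t "%r" %s %b).
# The four lines below are constructed for this example, not taken from a
# real server; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LINES = [
    '127.0.0.1 - - [18/Jul/2008:20:15:40 +0000] "GET /jmx-console/ HTTP/1.1" 200 12345',
    '203.0.113.7 - - [18/Jul/2008:20:16:02 +0000] "GET /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=Server HTTP/1.1" 200 5120',
    '203.0.113.7 - - [18/Jul/2008:20:16:10 +0000] "HEAD /jmx-console/HtmlAdaptor HTTP/1.1" 200 -',
    '198.51.100.4 - - [18/Jul/2008:20:17:00 +0000] "GET /myapp/index.jsp HTTP/1.1" 200 811',
]

COMMON_LOG = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Context roots of the JBoss AS 4.2 management entry points (assumed list)
# that should never be reachable from arbitrary clients.
ADMIN_PREFIXES = ("/jmx-console", "/web-console", "/invoker")
EXPECTED_METHODS = {"GET", "POST"}

Finding = namedtuple("Finding", "host method path status reasons")


def parse_common_log(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = COMMON_LOG.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def is_loopback(host):
    """True for 127.0.0.0/8 or ::1; with resolveHosts="true" the field is a name."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"


def audit_access_log(lines):
    """Flag admin-console traffic that came from off-box or used an unusual verb."""
    findings = []
    for line in lines:
        rec = parse_common_log(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]      # drop the query string before matching
        if not path.startswith(ADMIN_PREFIXES):
            continue
        reasons = []
        if not is_loopback(rec["host"]):
            reasons.append("remote-admin-access")
        if rec["method"] not in EXPECTED_METHODS:
            reasons.append("unusual-method")     # HEAD/PUT/... against an admin console
        if reasons:
            findings.append(Finding(rec["host"], rec["method"], path,
                                    int(rec["status"]), tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in audit_access_log(SAMPLE_LINES):
        # A 200 on one of these lines means the request was served, not refused.
        print(f"{f.host} {f.method} {f.path} -> {f.status} ({', '.join(f.reasons)})")
```

Run it against the real file with `audit_access_log(open(path))`; the status column tells you whether the console answered (200) or the security constraint held (401/403).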

JNDI on JBoss
Configured in JBOSS_HOME/server/default/conf/jboss-service.xml:
<mbean code="org.jboss.naming.NamingService"
       name="jboss:service=Naming"
       xmbean-dd="resource:xmdesc/NamingService-xmbean.xml">
  <attribute name="CallByValue">false</attribute>
  <!-- The listening port for the bootstrap JNP service. Set this to -1
       to run the NamingService without the JNP invoker listening port. -->
  <attribute name="Port">1099</attribute>
  <!-- The bootstrap JNP server bind address. This also sets the default
       RMI service bind address. Empty == all addresses -->
  <attribute name="BindAddress">${jboss.bind.address}</attribute>
  <!-- The port of the RMI naming service, 0 == anonymous -->
  <attribute name="RmiPort">1098</attribute>
  <!-- The RMI service bind address. Empty == all addresses -->
  <attribute name="RmiBindAddress">${jboss.bind.address}</attribute>
  <!-- The thread pool service used to control the bootstrap lookups -->
  <depends optional-attribute-name="LookupPool"
           proxy-type="attribute">jboss.system:service=ThreadPool</depends>
  <!-- An example of using the unified invoker as the transport.
  <depends optional-attribute-name="InvokerProxyFactory"
           proxy-type="attribute">jboss:service=proxyFactory,type=unified,target=Naming</depends>
  -->
  <depends optional-attribute-name="Naming"
           proxy-type="attribute">jboss:service=NamingBeanImpl</depends>
</mbean>
Both the JNP port (1099) and the RMI port (1098) follow jboss.bind.address, so binding the server to 0.0.0.0 also publishes the naming service. Set Port to -1 only if nothing needs remote JNDI; otherwise restrict these ports at the firewall.

Configuring the Java Mail Service

Configured by deploy/mail-service.xml. Holds the shared connection information for sending email messages over SMTP. Can also configure the defaults for receiving mail over POP3/IMAP4. Can enable debugging output to STDOUT.

<?xml version="1.0" encoding="UTF-8"?>
<!-- $Id: mail-service.xml 62349 2007-04-15 16:48:15Z dimitris@jboss.org $ -->
<server>
  <!-- ==================================================================== -->
  <!-- Mail Connection Factory                                              -->
  <!-- ==================================================================== -->
  <mbean code="org.jboss.mail.MailService" name="jboss:service=Mail">
    <attribute name="JNDIName">java:/Mail</attribute>
    <attribute name="User">nobody</attribute>
    <attribute name="Password">password</attribute>
    <attribute name="Configuration">
      <!-- A test configuration -->
      <configuration>
        <!-- Change to your mail server protocol -->
        <property name="mail.store.protocol" value="pop3"/>
        <property name="mail.transport.protocol" value="smtp"/>
        <!-- Change to the user who will receive mail -->
        <property name="mail.user" value="nobody"/>
        <!-- Change to the mail server -->
        <property name="mail.pop3.host" value="pop3.nosuchhost.nosuchdomain.com"/>
        <!-- Change to the SMTP gateway server -->
        <property name="mail.smtp.host" value="smtp.nosuchhost.nosuchdomain.com"/>
        <!-- The mail server port -->
        <property name="mail.smtp.port" value="25"/>
        <!-- Change to the address mail will be from -->
        <property name="mail.from" value="nobody@nosuchhost.nosuchdomain.com"/>
        <!-- Enable debugging output from the javamail classes -->
        <property name="mail.debug" value="false"/>
      </configuration>
    </attribute>
    <depends>jboss:service=Naming</depends>
  </mbean>
</server>

The mail account password is stored in clear in this file, and with mail.debug set to true JavaMail prints the whole SMTP/POP3 dialogue, login included, to STDOUT. Restrict read access to the deploy/ directory and leave debugging off outside of troubleshooting.

In the application's WEB-INF/web.xml:
<resource-ref>
  <description>Default Mail Session</description>
  <res-ref-name>mail/Session</res-ref-name>
  <res-type>javax.mail.Session</res-type>
  <res-auth>Container</res-auth>
</resource-ref>
In the application's WEB-INF/jboss-web.xml:
<jboss-web>
  <resource-ref>
    <res-ref-name>mail/Session</res-ref-name>
    <res-type>javax.mail.Session</res-type>
    <jndi-name>java:/Mail</jndi-name>
  </resource-ref>
</jboss-web>

Java Messaging Service

A framework for reliable synchronous/asynchronous communication between distributed components. Guaranteed push-based delivery. Peer to peer: one to one, one to many, many to many.

In J2EE, JMS
allows loosely coupled, reliable, asynchronous interactions among J2EE components and legacy systems capable of messaging. Application clients, EJBs and web components can send and receive JMS messages.

Message-driven beans enable the asynchronous consumption of messages, making it easy to plug new business event handlers into an existing deployment.

Message send and receive operations can participate in distributed transactions, which allows JMS operations and database accesses to take place within a single transaction.

When is JMS used

When no dependency between components is important: neither compile-time nor runtime dependency (components run independently). When asynchronous yet reliable communication is needed.
(Diagram: Inventory, Factory, Parts and Accounting components exchanging messages.)

JMS Architecture
JMS clients are the programs or components written in the Java programming language that produce and consume messages.

A JMS provider is the messaging system that implements the JMS interfaces and provides administrative and control features. Messages are the objects that communicate information between JMS clients.

(Diagram: the administrative tool binds destinations and connection factories into JNDI; the JMS client looks them up in JNDI and opens a logical connection to the JMS provider.)

JMS Messaging Domains

Point To Point
A sender sends a message addressed to a specific queue. A receiver consumes the message from the queue established to hold its messages. Queues retain all messages sent to them until the messages are consumed or expire. Each message has only one consumer.

Sender and receiver of a message have no timing dependency: a receiver can fetch the message whether or not it was running when the client sent the message. The receiver acknowledges the successful processing of a message.

(Diagram: JMS Client1 (producer) sends a message to a JMS queue; JMS Client2 (consumer) consumes the message and acknowledges it.)
JMS Messaging Domains

Publish and Subscribe

Publisher clients publish messages to one or more message topics.

Subscriber clients subscribe to one or more message topics and receive messages when they are sent to them. The topics hold the messages as long as it takes to deliver them to all currently subscribed clients. Each message can have multiple consumers.

Publishers and subscribers have a timing dependency. A client that subscribes to a topic can consume only messages published after the client has created a subscription, and the subscriber must continue to be active in order for it to consume messages (durable subscriptions relax this).

(Diagram: JMS Client1 (publisher) publishes a message to a JMS topic; JMS Client2 (subscriber) subscribes and the topic delivers the message.)

JMS Message Consumption

Synchronous: a subscriber or a receiver explicitly fetches the message from the destination by calling the blocking receive method.

Asynchronous: a client can register a message listener with a consumer. Whenever a message arrives at the destination, the JMS provider delivers the message by calling the listener's onMessage method, which acts on the contents of the message.

JMS on JBoss
JMS services:
- Invocation layer: bidirectional communication
- Security manager: enforces ACLs to guard access to destinations
- Destination manager: the central service of JBoss MQ
- Message cache: messages waiting for pickup
- State manager: logins, durable subscriptions
- Persistence manager: persists to JDBC
- Destinations: queues, topics

Logging Service
Logging is controlled from a central conf/jboss-log4j.xml file. This file defines a set of appenders, specifying the log files, what categories of messages should go there, the message format and the level of filtering. By default, JBoss produces output to both the console and a log file (server.log in the log directory). There are four basic log levels used: DEBUG, INFO, WARN and ERROR.

The logging threshold on the console is INFO, which means that you will see informational messages, warning messages and error messages on the console but not general debug messages.

Logging Service
In contrast, there is no threshold set for the server.log file, so all generated logging messages will be logged there. Also, just because the logging threshold allows debug messages to be displayed, that doesn't mean that all of JBoss will produce detailed debug information for the log file. You will also have to raise the logging limits set for individual categories.

E.g.:
<!-- Limit JBoss categories to INFO -->
<category name="org.jboss">
  <priority value="INFO"/>
</category>
This limits the level of logging to INFO for all JBoss classes, apart from those which have more specific overrides provided. If you were to change this to DEBUG, it would produce much more detailed logging output.

Logging Example
Another example, if you want the output from some component redirected to a particular file:
<appender name="CMP" class="org.jboss.logging.appender.RollingFileAppender">
  <errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
  <param name="File" value="${jboss.server.home.dir}/log/cmp.log"/>
  <param name="Append" value="false"/>
  <param name="MaxFileSize" value="500KB"/>
  <param name="MaxBackupIndex" value="1"/>
  <layout class="org.apache.log4j.PatternLayout">
    <param name="ConversionPattern" value="%d %-5p [%c] %m%n"/>
  </layout>
</appender>
<category name="org.jboss.ejb.plugins.cmp">
  <priority value="DEBUG" />
  <appender-ref ref="CMP"/>
</category>

You will notice that the log directory also contains the HTTP request logs which are produced by the web container.

Database Connectivity
(Connecting JBoss AS to an RDBMS with connection pooling)

Steps Involved
- Resource references in web apps requiring connectivity to the RDBMS
- Providing RDBMS resources (connection pools) in the server:
  - installing the JDBC driver
  - defining the RDBMS resources
- Mapping resources to resource references

Web applications that need the services of a relational database can connect to it either by managing their own connections or by having the server manage a shared database connection pool. Management of database connections inside web applications:
- bloats the code
- requires more testing
- requires a separate configuration for each web app
- is slow if connections are not pooled
- is inefficient and limiting if the connections are pooled, because there would be a separate pool for each web app with potentially many idle connections

Steps Involved contd.

Having the server manage the database connections:
- simplifies configuration and maintenance (a single file to edit)
- is faster because the connections are pooled
- utilizes the connections well as they are shared

Resource Requirement
In a web app's WEB-INF/web.xml file:
<web-app ...>
  <resource-ref>
    <description>DB Connection</description>
    <res-ref-name>jdbc/NorthwindDB</res-ref-name>
    <res-type>javax.sql.DataSource</res-type>
    <res-auth>Container</res-auth>
  </resource-ref>
</web-app>

Defines an application's requirement for a container-managed resource.

Installing the JDBC Driver

The JDBC driver is what enables Java applications to talk to a specific RDBMS, such as MySQL, DB2, Oracle, etc. Download the JDBC driver from the database vendor.

Copy the driver JAR into the directory ${jboss.server.lib.url} (server/<config>/lib).

Defining Database Resources

Create deploy/northwind-ds.xml:
<datasources>
  <local-tx-datasource>
    <jndi-name>NorthwindDS</jndi-name>
    <connection-url>jdbc:mysql://localhost:3306/Northwind?autoReconnect=true</connection-url>
    <driver-class>com.mysql.jdbc.Driver</driver-class>
    <user-name>northwind</user-name>
    <password>secret</password>
  </local-tx-datasource>
</datasources>
The database password sits in clear text in this file, so restrict read access to the deploy/ directory to the server account and use a database account limited to the schema the application needs. JBoss also ships org.jboss.resource.security.SecureIdentityLoginModule, which lets the -ds.xml reference a security domain instead of holding the password itself.

Defining Database Resources contd.

Some other common elements:
- min-pool-size: the minimum number of pooled database connections, initialized when the pool is first accessed.
- max-pool-size: the maximum number of pooled connections. Once this limit is reached, clients block. Defaults to 20.
- blocking-timeout-millis: the maximum blocking time (in ms) while waiting for an available connection before timing out by throwing an exception. Defaults to 5000 ms.
- idle-timeout-minutes: the maximum time (in minutes) before idle connections are closed.
Resource Mapping
In the WEB-INF/jboss-web.xml file:
<jboss-web>
  <resource-ref>
    <description>JDBC Connection</description>
    <res-ref-name>jdbc/NorthwindDB</res-ref-name>
    <res-type>javax.sql.DataSource</res-type>
    <jndi-name>java:/NorthwindDS</jndi-name>
  </resource-ref>
</jboss-web>
Maps the application's resource references to the real resources provided by JBoss AS.

Security

Securing applications and securing JBoss AS

Securing Applications

- Filtering clients by source IP address
- Requiring authentication and authorization
- Data transport integrity and confidentiality (SSL)

Filtering Clients by Source

Limit access to web applications by client IP or hostname. Configured through Tomcat valves at different levels: <Engine> (global), <Host> (per virtual host), <Context> (per web application).
To limit access, add the desired <Valve> to <Engine> or <Host> in server/default/deploy/jboss-web.deployer/server.xml:

<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="192\.168\..*, 127\..*" />

<Valve className="org.apache.catalina.valves.RemoteHostValve" allow="smtphost\.com" />

The allow and deny attributes are comma-separated regular expressions, each of which must match the whole client address (or the whole host name for RemoteHostValve); deny is evaluated before allow. Escape the dots: an unescaped pattern such as 10.* also matches addresses like 100.1.2.3. The valve only sees the address of the peer that connected to Tomcat, so behind a reverse proxy it filters on the proxy's address unless the client address is propagated (as the AJP connector does). RemoteHostValve relies on a reverse DNS lookup (the connector's enableLookups setting) and trusts whatever the DNS answer is.

Limiting per web application can be done through Tomcat by creating a <Context> file in deploy/<app.war>/WEB-INF/context.xml:
<Context>
  <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="192\.168\..*, 127\..*" />
</Context>
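To make the regular-expression semantics of the valve concrete, here is an added example (not Tomcat's or JBoss's own code, and not from the original slides) that reimplements the allow/deny decision of Tomcat's RequestFilterValve in Python and shows why an unescaped 10.* is a bypass. Python's re.fullmatch stands in for Java's Matcher.matches(); the patterns and addresses are constructed for the example.

```python
import re

# Reimplementation, for illustration only, of the decision logic in Tomcat's
# RequestFilterValve (the base of RemoteAddrValve and RemoteHostValve):
# allow/deny are comma-separated java.util.regex patterns, each of which
# must match the WHOLE remote address; deny is consulted first, then allow.
# This is example code, not Tomcat's or JBoss's own source.


def compile_patterns(attribute_value):
    """Split a valve allow/deny attribute the way Tomcat does and compile each part."""
    if not attribute_value or not attribute_value.strip():
        return []
    return [re.compile(part.strip())
            for part in attribute_value.split(",") if part.strip()]


def valve_permits(remote_addr, allow=None, deny=None):
    """Return True if a request from remote_addr would pass the valve."""
    for pattern in compile_patterns(deny):
        if pattern.fullmatch(remote_addr):       # Java: matcher(addr).matches()
            return False
    allows = compile_patterns(allow)
    if allows:
        return any(p.fullmatch(remote_addr) for p in allows)
    return True                                  # no allow list: only deny applies


def escape_ipv4_prefix(prefix):
    """Turn a dotted prefix such as '10.' or '192.168.' into a safe valve pattern."""
    return re.escape(prefix) + ".*"


if __name__ == "__main__":
    # The unescaped form reads naturally, but '.' is a regex wildcard:
    print(valve_permits("100.1.2.3", allow="10.*"))                      # True (bypass)
    print(valve_permits("100.1.2.3", allow=escape_ipv4_prefix("10.")))  # False
    print(escape_ipv4_prefix("192.168."))                                # 192\.168\..*
```

A pattern built with escape_ipv4_prefix is what belongs in the allow attribute; a deny pattern wins over any allow match, which is useful for carving one bad host out of an otherwise trusted range.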

Filtering Clients by Source contd.

Configured through a servlet filter. Servlet filters are independent of the J2EE application server.
Configure a servlet filter in WEB-INF/web.xml (the filter class shown is the slide's example name; the filter itself is code you ship with the application):
<filter>
  <filter-name>RemoteHostFilter</filter-name>
  <filter-class>org.jboss.remotehostfilter.RemoteHostFilter</filter-class>
  <init-param>
    <param-name>allow</param-name>
    <param-value>192.168.*</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>RemoteHostFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
Authentication and Authorization

JAAS: Java Authentication and Authorization Service
- Support for single sign-on
- Role-based access control
- Separates business logic from authentication and authorization (A&A)
- Declarative (XML based), not hard-coded
Requiring A&A
Adding a security-constraint in web.xml:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Tell Fortune Servlet</web-resource-name>
    <url-pattern>/tellFortune</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>customer</role-name>
  </auth-constraint>
</security-constraint>

Requiring A&A contd.

Adding the login configuration:
<web-app ...>
  .....
  <security-constraint> .... </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Customers Only</realm-name>
  </login-config>
  ...
</web-app>
In this case we used HTTP BASIC authentication, but other options are DIGEST, FORM, etc. BASIC and FORM send the password in clear, so they belong on an HTTPS connector.

Requiring A&A contd.

Declaring security roles:
<web-app ...>
  .....
  <security-constraint>
    ....
    <auth-constraint>
      <role-name>customer</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>...</login-config>
  <security-role>
    <role-name>customer</role-name>
  </security-role>
</web-app>

Plain-Text Login Module

Already enabled by default. WEB-INF/classes/users.properties:
mike=123
john=1234

WEB-INF/classes/roles.properties:
mike=customer
john=manager
The properties files are loaded during initialization of the context class loader. Placing these files in the deploy/<app>/WEB-INF/classes directory makes them unique to that specific web application. As the name says, the passwords are stored in plain text: anyone who can read the deployed archive can read them. The same login module also accepts hashed passwords through its hashAlgorithm and hashEncoding module options.

Security Service
The security domain information is stored in the file server/default/conf/login-config.xml as a list of named security domains, each of which specifies a number of JAAS login modules which are used for authentication purposes in that domain. E.g. jmx-console (since everything is controlled through this console, you need to secure it). To protect this application we will add a security domain to it:
<application-policy name="jmx-console">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
      <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
      <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
    </login-module>
  </authentication>
</application-policy>

Link to Security Domain

1. Go to the jmx-console.war/WEB-INF/ directory and edit jboss-web.xml.
2. Uncomment the security-domain in that file, as shown below:
<jboss-web>
  <security-domain>java:/jaas/jmx-console</security-domain>
</jboss-web>
This links the security domain to the web application, but it doesn't tell the web application what security policy to enforce.

3. To configure this, go to the web.xml file in the same directory and uncomment the security-constraint that is already there.

Adding Security
<!--
  A security constraint that restricts access to the HTML JMX console to users
  with the role JBossAdmin. Edit the roles to what you want and uncomment the
  WEB-INF/jboss-web.xml/security-domain element to enable secured access to the
  HTML JMX console.
-->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <description>
      An example security config that only allows users with the role JBossAdmin
      to access the HTML JMX console web application
    </description>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>JBossAdmin</role-name>
  </auth-constraint>
</security-constraint>

Adding Security
Where are the usernames, passwords and roles stored? The configuration is stored in conf/login-config.xml:
<application-policy name="jmx-console">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
      <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
      <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
    </login-module>
  </authentication>
</application-policy>

Adding Security
The location of these files is the conf directory, i.e. <jboss-home>/server/default/conf/props/<filename>. The usernames and passwords are stored in jmx-console-users.properties in that directory and take the form "username=password". To assign a user to the JBossAdmin group, add "username=JBossAdmin" to the jmx-console-roles.properties file.

Securing Passwords
Configure hashed passwords in conf/login-config.xml:
<login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
  .....
  <module-option name="hashAlgorithm">MD5</module-option>
  <module-option name="hashEncoding">hex</module-option>
</login-module>

Change the users.properties file to hold the encoded password.

To compute MD5:
On LINUX run: echo -n <password> | md5sum
On WINDOWS run: md5.exe -d<password>
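As an added example (not JBoss's own code), here is the check that a properties-backed login module performs, modelled in Python: read users.properties and roles.properties, compare the supplied password against the stored value, and return the user's roles. With hash_algorithm=None it checks the plain-text form from the Plain-Text login module slide; with "MD5" and "hex" it checks the hashed form configured above. The properties text, user names, passwords and hashes below are constructed sample data, and the model leaves out options the real UsersRolesLoginModule has (role groups, unauthenticated identity).

```python
import base64
import hashlib
import hmac
from typing import Dict, List, Optional

# Constructed sample files in the users.properties / roles.properties layout
# (one key=value per line).  The hashed file holds the MD5 hex digests of the
# plain-text values "123" and "1234" from the Plain-Text login module slide,
# i.e. what the file contains once hashAlgorithm=MD5 / hashEncoding=hex apply.
HASHED_USERS_PROPERTIES = """\
# username=MD5-hex(password)
mike=202cb962ac59075b964b07152d234b70
john=81dc9bdb52d04dc20036dbd8313ed055
"""

PLAIN_USERS_PROPERTIES = """\
mike=123
john=1234
"""

ROLES_PROPERTIES = """\
# username=role1,role2
mike=customer
john=manager,customer
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader: skips blanks and #/! comments,
    splits on the first '=' and trims whitespace around key and value."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def hash_password(password: str, algorithm: str = "MD5", encoding: str = "hex") -> str:
    """Encode a password the way the hashAlgorithm/hashEncoding options describe:
    digest with the named algorithm, then render as hex or base64."""
    digest = hashlib.new(algorithm.lower(), password.encode("utf-8")).digest()
    if encoding == "hex":
        return digest.hex()
    if encoding == "base64":
        return base64.b64encode(digest).decode("ascii")
    raise ValueError(f"unsupported hashEncoding: {encoding}")


def authenticate(username: str, password: str,
                 users: Dict[str, str], roles: Dict[str, str],
                 hash_algorithm: Optional[str] = None,
                 hash_encoding: str = "hex") -> Optional[List[str]]:
    """Return the user's role list on success, None on failure.
    An unknown user and a wrong password look the same to the caller, and the
    comparison is constant-time so the stored value cannot be probed byte by byte."""
    stored = users.get(username)
    if stored is None:
        return None
    supplied = (hash_password(password, hash_algorithm, hash_encoding)
                if hash_algorithm else password)
    if not hmac.compare_digest(supplied.encode("utf-8"), stored.encode("utf-8")):
        return None
    return [r.strip() for r in roles.get(username, "").split(",") if r.strip()]


if __name__ == "__main__":
    users = parse_properties(HASHED_USERS_PROPERTIES)
    roles = parse_properties(ROLES_PROPERTIES)
    print("mike/123 ->", authenticate("mike", "123", users, roles, "MD5", "hex"))
    print("mike/bad ->", authenticate("mike", "bad", users, roles, "MD5", "hex"))
    print("hashed form of 1234:", hash_password("1234"))
```

hash_password is also what you run to produce the value to paste into users.properties; because it takes any hashlib algorithm name, the same code serves a stronger hashAlgorithm setting such as SHA-256 without change.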

Enabling SSL
Use the keytool utility shipped with the JDK to generate a keystore file:
keytool -genkey -alias tomcat -keyalg RSA
Copy the .keystore file to <JBoss-Home>/server/default/conf and rename it to ssl.keystore.
Uncomment the following in server/default/deploy/jboss-web.deployer/server.xml:
<!-- SSL/TLS Connector configuration using the admin devl guide keystore
<Connector port="8443" address="${jboss.bind.address}"
    maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
    emptySessionPath="true"
    scheme="https" secure="true" clientAuth="false"
    keystoreFile="${jboss.server.home.dir}/conf/ssl.keystore"
    keystorePass="rmi+ssl" sslProtocol="TLS" />
-->

Also change the keystoreFile path to the appropriate location.

Requiring SSL in Apps

Add the following within a <security-constraint> element in the WEB-INF/web.xml file:

<user-data-constraint>
  <description>Require SSL</description>
  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>

The <transport-guarantee> element can be NONE, INTEGRAL or CONFIDENTIAL. INTEGRAL or CONFIDENTIAL indicates that the use of SSL is required.
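The declarative pieces above (security-constraint, auth-constraint, login-config, security-role and user-data-constraint) only work together when they agree, and the container will not warn you when they do not. As an added example, not part of the original deck or of JBoss, the following Python audit reads a web.xml and reports role names used in an auth-constraint but never declared in a security-role, constraints that do not require CONFIDENTIAL transport, a missing login-config, and the combination of BASIC authentication with unencrypted constraints. The web.xml below is constructed for the example: it pairs the deck's fortune-telling constraint with a second "Admin Pages" constraint that has both mistakes on purpose.

```python
import xml.etree.ElementTree as ET
from typing import Any, Dict, List, Set

# Constructed sample web.xml (Servlet 2.4 style with a default namespace).
# The second constraint references an undeclared role and omits the
# <user-data-constraint>, so the audit has something to report.
SAMPLE_WEB_XML = """\
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Tell Fortune Servlet</web-resource-name>
      <url-pattern>/tellFortune</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>customer</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin Pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Customers Only</realm-name>
  </login-config>
  <security-role>
    <role-name>customer</role-name>
  </security-role>
</web-app>
"""


def _text(elem) -> str:
    return (elem.text or "").strip()


def audit_web_xml(xml_text: str) -> Dict[str, Any]:
    """Cross-check the declarative security parts of a web.xml and return the
    findings a deployer should fix before relying on them."""
    root = ET.fromstring(xml_text)
    # Servlet 2.4+ descriptors carry a default namespace; ElementTree needs it
    # spelled out on every tag we look up, so derive the prefix once.
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""

    def q(name: str) -> str:
        return ns + name

    declared: Set[str] = {_text(n) for sr in root.findall(q("security-role"))
                          for n in sr.findall(q("role-name"))}
    used: Set[str] = set()
    unencrypted: List[str] = []
    for sc in root.findall(q("security-constraint")):
        label = ", ".join(_text(n) for n in sc.iter(q("web-resource-name"))) or "<unnamed>"
        used.update(_text(n) for n in sc.iter(q("role-name")))  # auth-constraint roles
        guarantee = sc.find(q("user-data-constraint") + "/" + q("transport-guarantee"))
        if guarantee is None or _text(guarantee) == "NONE":
            unencrypted.append(label)

    login = root.find(q("login-config"))
    method = login.find(q("auth-method")) if login is not None else None
    auth_method = _text(method) if method is not None else None

    findings: List[str] = []
    undeclared = sorted(r for r in used - declared if r != "*")  # "*" means any role
    for role in undeclared:
        findings.append(f"role '{role}' is referenced in an <auth-constraint> but not declared in <security-role>")
    for label in unencrypted:
        findings.append(f"constraint '{label}' has no <transport-guarantee>CONFIDENTIAL</transport-guarantee>")
    if used and login is None:
        findings.append("<auth-constraint> present but no <login-config>: the container cannot challenge the user")
    if auth_method == "BASIC" and unencrypted:
        findings.append("BASIC auth sends the password base64-encoded on every request; "
                        "the unencrypted constraints above expose it on the wire")
    return {
        "declared_roles": sorted(declared),
        "undeclared_roles": undeclared,
        "unencrypted_constraints": unencrypted,
        "auth_method": auth_method,
        "has_login_config": login is not None,
        "findings": findings,
    }


if __name__ == "__main__":
    for line in audit_web_xml(SAMPLE_WEB_XML)["findings"]:
        print("-", line)
```

Run it against a real descriptor with audit_web_xml(open("WEB-INF/web.xml").read()); the namespace handling means it works on both the older DTD-based web.xml and the namespaced 2.4+ form.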

Securing JBoss AS
- Running JBoss AS with low privileges
- File system security
- Securing console applications like the JMX console
- Securing other JBoss AS services
- Running with the Java Security Manager
- Running behind a firewall

JBoss AS system User

Do not run JBoss AS as root/Administrator
  - Deployed applications and services run with the same privileges as JBoss AS itself
  - Create a low-privileged JBoss system user
JBoss, being a Java app, cannot switch its effective user id after starting
  -- Running without root privileges forces you to use ports >= 1024 on a UNIX/LINUX system
  -- Front JBoss AS with a web server (like Apache HTTPD) or set up firewall-based port forwarding for access over the default HTTP(S) ports 80 and 443.

Performance Tuning
Tomcat: jbossweb-tomcat5.sar/server.xml
<Connector port="8080" address="${jboss.bind.address}"
    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" redirectPort="8443" acceptCount="100"
    connectionTimeout="20000" disableUploadTimeout="true"/>

- You should have enough threads (maxThreads) to handle, as a rule of thumb, 25% more than your maximum expected load (concurrent hits coming in at once)
- You should have minSpareThreads equal to just a little more than your normal load
- You should have maxSpareThreads equal to just a little more than your peak load
- minSpareThreads means "on start up, always keep at least this many threads waiting idle"
- maxSpareThreads means "if we ever go above minSpareThreads then always keep maxSpareThreads waiting idle"

Performance-Log4J
Logging has a profound effect on performance. Changing the logging level to TRACE can bring JBoss AS to a crawl. Changing it to ERROR (or WARN) can speed things up dramatically. By default, JBoss logs both to the console and to server.log, and by default it uses level "INFO". To turn off console logging:

Edit server/slim/conf/log4j.xml and change the following XML fragment:
<root>
  <appender-ref ref="CONSOLE"/>
  <appender-ref ref="FILE"/>
</root>

to make it read:
<root>
  <appender-ref ref="FILE"/>
</root>

Finally, the most important thing in log4j: make sure you limit the logging level on your own class hierarchy.
<!-- Limit my.package category to INFO -->
<category name="my.package">
  <priority value="INFO"/>
</category>

Slimming
Remove the services which are not being used.

JavaMail
When not using the mail-service (J2EE standard JavaMail client):
- remove server/deploy/mail-service.xml
- remove server/lib/mail* (mail-plugin.jar, mail.jar - JavaMail stuff)
- remove server/lib/activation.jar (Java Activation Framework is used by JavaMail)

J2EE Client deployer service
When not using the J2EE client deployer service:
- remove server/deploy/client-deployer-service.xml

Slimming
HAR Deployer
When not using the integrated HAR deployer and Hibernate session management services:
- remove server/deploy/hibernate-deployer-service.xml (HAR support)
- remove server/lib/jboss-hibernate.jar (HAR support)
- remove server/lib/hibernate2.jar (Hibernate itself)
- remove server/lib/cglib-full-2.0.1.jar (used by Hibernate to create proxies of POJOs)
- remove server/lib/odmg-3.0.jar

HSQL
When not using Hypersonic (which you should not in production):
- remove server/deploy/hsqldb-ds.xml
- remove server/lib/hsqldb-plugin.jar
- remove server/lib/hsqldb.jar
Remember that JBoss MQ uses HSQL by default, so you may need to configure it with some other database first.

Slimming
JBossMQ
- remove the entire server/deploy/jms directory
- remove server/lib/jbossmq.jar

HTTPInvoker (which lets you tunnel RMI over HTTP)
- remove the entire server/deploy/http-invoker.sar directory

JMX-Console
- remove server/slim/deploy/jmx-console.war

JMX over RMI
If you do not need to make JMX calls over RMI (warning: shutdown.sh DOES do this):
- remove server/deploy/jmx-invoker-adaptor-server.sar
- remove server/deploy/jmx-adaptor-plugin.jar
or you may want to just secure the JMX invoker-adaptor instead.

EAR Deployer
If you do not need to be able to deploy EAR files, open server/conf/jboss-service.xml in the vi editor and remove/comment the following XML fragments: the EARDeployer attribute under the <mbean code="org.jboss.management.j2ee.LocalJBossServerDomain" ...> MBean,
<attribute name="EARDeployer">jboss.j2ee:service=EARDeployer</attribute>
and the EAR deployer MBean itself:
<!-- EAR deployer, remove if you are not using Web layers -->
<mbean code="org.jboss.deployment.EARDeployer" name="jboss.j2ee:service=EARDeployer">
</mbean>

High Availability and Scaling

- Fronting with Apache HTTPD
- Load Balancing
- Clustering

Requirements
Fault Tolerance
  -- Reliability
  -- Uptime Guarantee
Stable Throughput, Scalability
  -- Provide consistent response times in light of increased system load
Manageability of Servers
  -- Server upgrade with no service interruptions

Simple Web Architecture

[Diagram: several Clients connect over the Internet to a single JBoss AS, which is backed by a Data Base]

This architecture is not scalable. Additional users can only be handled by improving the performance of the server (e.g. additional CPUs, more memory). There is no fault tolerance: if the JBoss AS goes down, the entire service becomes unavailable.

Clustering Web Architecture

[Diagram: several Clients connect over the Internet to a Webserver, which spreads requests across multiple JBoss AS nodes, each backed by a Data Base]

Add one or many web servers to balance the load across multiple JBoss AS nodes, typically running on separate physical servers. Additional user load can be handled by adding another JBoss AS. If any one of the JBoss AS nodes fails, the service is still available through the other JBoss AS nodes.

Fronting with a Web Server

- Scalability and High Availability: load balancing and fail over
- Security: web servers are simpler and easier to protect
- Stability: more robust

Fronting with Apache HTTPD

[Diagram: Client --HTTP/S 80/443--> Apache HTTPD Server --AJP1.3 8009--> JBoss AS, which connects to a Data Base and a Legacy System]

- Install and set up Apache HTTPD
- Install and configure mod_jk on Apache
- The AJP connector on JBoss AS is already enabled in jboss-web.deployer/server.xml

Installing mod_jk
Download the latest mod_jk (binary or source) from http://tomcat.apache.org/connectors-doc/ and save it as <apache-dir>/modules/mod_jk.so. Include its configuration file in <apache-dir>/conf/httpd.conf:
Include conf/jk.conf

Configuring mod_jk
Define a JBoss AS instance in <apache-dir>/conf/workers.properties:
worker.jboss1.type=ajp13
worker.jboss1.host=127.0.0.1
worker.jboss1.port=8009
worker.list=jboss1
The special directive worker.list exports all declared workers for use in Apache HTTPD.

Configuring mod_jk contd.

Create <apache-dir>/conf/jk.conf:
LoadModule jk_module modules/mod_jk.so
JkWorkersFile conf/workers.properties
JkLogFile logs/jk.log
JkLogLevel INFO
JkMount /jmx-console/* jboss1

Now jk.conf is included in httpd.conf:
Include conf/jk.conf

Worker jboss1 comes from the workers.properties file because it was exported by the worker.list directive.

Simple Load Balancing

Set up another JBoss instance
  -- Use run.sh -Djboss.bind.address=<ip> to run instances on different IPs but the same ports

Define it in workers.properties:
worker.jboss2.type=ajp13
worker.jboss2.host=192.168.1.149
worker.jboss2.port=8009

Define a new load balancing worker:
worker.jboss.type=lb
worker.jboss.balance_workers=jboss1,jboss2

Export the load balancing worker (replacing the earlier worker.list=jboss1 line):
worker.list=jboss

The resulting <apache-dir>/conf/workers.properties file:
worker.jboss1.type=ajp13
worker.jboss1.host=127.0.0.1
worker.jboss1.port=8009
worker.jboss2.type=ajp13
worker.jboss2.host=192.168.1.149
worker.jboss2.port=8009
worker.jboss.type=lb
worker.jboss.balance_workers=jboss1,jboss2
worker.list=jboss

Simple Load Balancing

Deploy fortune.war on both the instances.

Change conf/jk.conf:
JkMount /jmx-console/* jboss
JkMount /fortune/* jboss

The updated jk.conf looks like:
LoadModule jk_module modules/mod_jk.so
JkWorkersFile conf/workers.properties
JkLogLevel INFO
JkMount /jmx-console/* jboss
JkMount /fortune/* jboss

Start both the JBoss instances and Apache HTTPD.

Note that we are no longer JkMount-ing jboss1 (or jboss2). We can only use the new load balancer worker called jboss because that is the one exported by worker.list in the conf/workers.properties file.
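The relationship between workers.properties and jk.conf described on the mod_jk and load-balancing slides above is easy to get wrong by hand: a JkMount may name a worker that is declared but no longer exported, or an lb worker may balance a member that does not exist, and Apache reports neither at configuration time in a way that points at the cause. As an added example, not part of the original deck or of mod_jk, the Python below parses both files and checks that every exported worker is declared, that ajp13 workers have a host and port, that lb members are declared non-lb workers, and that every JkMount target is in worker.list. The two configuration texts are constructed for the example; the jk.conf deliberately still mounts /fortune/* on jboss1 so the check has the slide's mistake to catch.

```python
from typing import Dict, List, Tuple

# Constructed sample workers.properties: the two ajp13 workers and the lb
# worker from the slides, with only the load balancer exported.
WORKERS_PROPERTIES = """\
worker.jboss1.type=ajp13
worker.jboss1.host=127.0.0.1
worker.jboss1.port=8009
worker.jboss2.type=ajp13
worker.jboss2.host=192.168.1.149
worker.jboss2.port=8009
worker.jboss.type=lb
worker.jboss.balance_workers=jboss1,jboss2
worker.list=jboss
"""

# Constructed sample jk.conf.  The second JkMount still points at jboss1,
# which is declared but not exported by worker.list.
JK_CONF = """\
LoadModule jk_module modules/mod_jk.so
JkWorkersFile conf/workers.properties
JkLogFile logs/jk.log
JkLogLevel INFO
JkMount /jmx-console/* jboss
JkMount /fortune/* jboss1
"""


def parse_workers(text: str) -> Tuple[Dict[str, Dict[str, str]], List[str]]:
    """Return ({worker name: {attribute: value}}, names exported via worker.list)."""
    workers: Dict[str, Dict[str, str]] = {}
    exported: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "worker.list":
            exported.extend(w.strip() for w in value.split(",") if w.strip())
            continue
        parts = key.split(".", 2)  # worker.<name>.<attribute>
        if len(parts) == 3 and parts[0] == "worker":
            workers.setdefault(parts[1], {})[parts[2]] = value
    return workers, exported


def parse_jk_mounts(text: str) -> List[Tuple[str, str]]:
    """Collect (url pattern, worker) pairs from JkMount lines.  Apache directive
    names are case-insensitive, so jkMount and JkMount are both accepted."""
    mounts: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) >= 3 and tokens[0].lower() == "jkmount":
            mounts.append((tokens[1], tokens[2]))
    return mounts


def check_mod_jk(workers_text: str, jk_conf_text: str) -> Dict[str, object]:
    """Cross-check workers.properties against the JkMount lines of jk.conf."""
    workers, exported = parse_workers(workers_text)
    findings: List[str] = []
    for name in exported:
        if name not in workers:
            findings.append(f"worker.list exports '{name}' but no worker.{name}.* is declared")
    for name, attrs in workers.items():
        wtype = attrs.get("type")
        if wtype == "lb":
            members = [m.strip() for m in attrs.get("balance_workers", "").split(",") if m.strip()]
            for member in members:
                if member not in workers:
                    findings.append(f"lb worker '{name}' balances '{member}', which is not declared")
                elif workers[member].get("type") == "lb":
                    findings.append(f"lb worker '{name}' cannot balance another lb worker '{member}'")
        elif wtype == "ajp13":
            for required in ("host", "port"):
                if required not in attrs:
                    findings.append(f"ajp13 worker '{name}' is missing worker.{name}.{required}")
        elif wtype is None:
            findings.append(f"worker '{name}' has attributes but no worker.{name}.type")
    for pattern, target in parse_jk_mounts(jk_conf_text):
        if target not in exported:
            findings.append(f"JkMount {pattern} -> '{target}', but '{target}' is not in worker.list")
    return {"workers": workers, "exported": exported, "findings": findings}


if __name__ == "__main__":
    for line in check_mod_jk(WORKERS_PROPERTIES, JK_CONF)["findings"]:
        print("-", line)
```

On the sample input the only finding is the /fortune/* mount on jboss1; change that line to jboss, as the slide does, and the check comes back clean.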
