JBoss Application Server


Transcript of JBoss Application Server

Page 1: JBoss Application Server

JBoss Application Server


Page 2: JBoss Application Server

What is J2EE

• J2EE is a standards-based platform to develop, deploy and manage multi-tier, web-enabled, server-centric and component-based enterprise applications.

• As a superset of J2SE, J2EE adds additional specifications, libraries, documentation and tools.

Page 3: JBoss Application Server

Multi-Tier Architecture

[Diagram labels: Client Tier; Client Tier (B2B); Web Tier; Business Tier; Messaging Tier; Data access Tier; Legacy/External Tier; Data Tier; J2EE Application Server]

Page 4: JBoss Application Server

Component based architecture

[Diagram labels: Web browser, Web Pages, Applets; JSP/Servlet; Web Container; Session Bean, Entity bean, Message driven bean; EJB Container; Data Tier; J2EE Application Server]

Page 5: JBoss Application Server

Server Centric

• J2EE apps run within a J2EE application server that provides all middle-tier services

• Clients are thin

• Support for rich clients through RMI, Web services, etc.

- The design of such clients is beyond the scope of J2EE

Page 6: JBoss Application Server

Web enabled

• Thanks to Servlet/JSP technology, J2EE applications are automatically web-enabled

Page 7: JBoss Application Server

Some of the J2EE App Servers available in the market

• Apache Tomcat

• JBoss AS

• BEA WebLogic

• IBM WebSphere

• ATG Dynamo

Page 8: JBoss Application Server

JBoss Organization

• The professional Open Source Company

• Focuses on middleware software and services: JBoss Enterprise Middleware Suite (JEMS)

• Software is open source and free.

Page 9: JBoss Application Server

Server Configurations

• Fundamentally, the JBoss architecture consists of the JMX MBean server, the microkernel, and a set of pluggable component services, the MBeans.

• This makes it easy to assemble different configurations and gives you the flexibility to tailor them to meet your requirements.

• You don’t have to run a large, monolithic server all the time; you can remove the components you don’t need.

• You can also integrate additional services into JBoss by writing your own MBeans. You certainly don’t need to do this to be able to run standard J2EE applications.

Page 10: JBoss Application Server

Microkernel Layer

• Based on JMX architecture

• Defines lifecycle configuration and management of services

-- Standard mechanism for assembling service components for consistent access management and integration

Page 11: JBoss Application Server

Java Management eXtension

• Management and Monitoring standard

• Both local and remote management

• Change setting at runtime

• Event notification/timer

• Portable across application servers

• Integrate with third party components


Page 12: JBoss Application Server

What is MBean

An MBean is a Java object that implements one of the standard MBean interfaces and follows the associated design patterns. The MBean for a resource exposes all necessary information and operations that a management application needs to control the resource.

Page 13: JBoss Application Server

JMX Architecture

[Diagram. Layers: Distributed Services Layer; Agent Layer; Instrumentation Layer. Components: Management Applications; Connectors and Protocol Adapters; MBean Server; Agent Service MBeans; Resource MBeans; JVM]

Page 14: JBoss Application Server

JMX on Jboss AS

[Diagram labels: JBoss Microkernel (JMX MBean Server); DB Bean; Remote Mgr MBean; Security MBean; JNDI MBean; JTA MBean; Servlet Container MBean; JMS MBean; EJB Container MBean]

Page 15: JBoss Application Server


Url: http://localhost:8080/jmx-console/

Page 16: JBoss Application Server


JMX Console

Page 17: JBoss Application Server


Page 18: JBoss Application Server

Service Layer

• Each service is defined as a JMX Managed Bean

• Services are hot-pluggable

• Makes it possible to tune the system for just the required service to lower the footprint

• Easy to define new services and package them as SARs (service archives)

• Examples: Servlet/JSP container, EJB container, transaction management, messaging, connection pooling, security

Page 19: JBoss Application Server

Application Layer

• This is where the enterprise (J2EE) applications reside

• This layer deals with the business logic while leaving the container services up to JBoss AS

• Portable: independent of JBoss AS

Page 20: JBoss Application Server
Page 21: JBoss Application Server

Getting and Installing Java

• Download from http://java.sun.com

- Get the J2SE SDK (JDK), not J2EE or JRE!

Avoid installing Java into a directory that contains spaces or other special characters (e.g. C:\Program Files)

Page 22: JBoss Application Server

Configuring Java

• Set JAVA_HOME to point to the directory where you installed Java

• Add $JAVA_HOME/bin to your PATH

• Test that java -version prints the expected Java version

On Unix, make these changes in the shell’s configuration file (~/.bashrc).

Page 23: JBoss Application Server

Installing Jboss AS

• Download the packaged community distribution from: http://labs.jboss.com/jbossas/download

Unpack the compressed archive

Page 24: JBoss Application Server

Directory Structure

• bin: contains the startup, shutdown and other system-specific scripts, including the scripts that start JBoss.

• client: stores configuration and JAR files which may be needed by a client that runs outside the JBoss AS container, such as:

- Web service client

- EJB client

- JMX console

This is used by external applications that need to access JNDI resources.

To get the client classpath, run:

$JBOSS_HOME/bin/classpath.sh -c

• docs: contains the XML DTDs used in JBoss for reference (these are also a useful source of documentation on JBoss configuration specifics). There are also example JCA (Java Connector Architecture) configuration files for setting up datasources for different databases (such as MySQL, Oracle, Postgres).

• lib: JAR files which are needed to run the JBoss microkernel. You should never add any of your own JAR files here. Applications running on JBoss do not have access to the libraries placed in this directory.

Page 25: JBoss Application Server

The Server Directory

Each of the subdirectories in here is a different server configuration. The configuration sets contain the actual JBoss service.

To change the configuration set that JBoss AS runs with, execute (giving one of the three names):

bin/run.sh -c minimal/all/default

Each configuration set has to have the following directories:

conf/, deploy/, lib/

Other directories such as data/, log/, tmp/ and work/ are automatically created on JBoss AS startup if they do not exist.

Page 26: JBoss Application Server

Server Configurations…contd

• Within the server directory, there are three example server configurations:

– minimal: The minimal configuration contains the bare minimum services required to start JBoss. It starts the logging service, a JNDI server and a URL deployment scanner to find new deployments. This is what you would use if you want to use JMX/JBoss to start your own services without any other J2EE technologies. This is just the bare server. There is no web container, no EJB or JMS support.

– default: The default configuration consists of the standard services needed by most J2EE applications. It does not include the JAXR service, the IIOP service, or any of the clustering services.

– all: The all configuration starts all the available services. This includes the RMI/IIOP and clustering services, which aren’t loaded in the default configuration.


Page 27: JBoss Application Server

The default/conf directory

• jboss-service.xml: The conf directory contains the bootstrap descriptor, jboss-service.xml by default, for a given server configuration. This defines the core services that are fixed for the lifetime of the server.

• jboss-log4j.xml: Configuration file for the logging service defining log filters, priorities, and destinations.

• jndi.properties: Specifies a set of properties that are passed to JNDI

• login-config.xml: defines security realms used for authentication and authorization.

• props/*.properties: Java property files

• standardjboss.xml: configuration file for the standard EJB container

Page 28: JBoss Application Server

The default/data directory

• The data directory is a location available for use by services that want to store content in the file system

• This directory is not accessible to end users.

Page 29: JBoss Application Server

The default/deploy directory

• Dynamic deployment content directory

• This is where applications and services are deployed.

• Default location used by the hot deployment service

• Contains code and configuration files for all services.

Page 30: JBoss Application Server

The default/lib directory

• Contains shared Java libraries (JAR files) needed by the server configuration

• The libraries are not hot-re/deployed

• All libraries are automatically added to the shared classpath on server start-up.

If you have Java libraries that you need to be made available to all your applications/services, these can be placed in this directory.

Similarly, you would also use this directory for Java libraries that need to be used by both your applications/services and JBoss AS services. For example, a JDBC driver that is needed by JBoss AS to manage a pool of database connections as well as by your code, which implicitly uses it to interact with the database server.

Page 31: JBoss Application Server

The default/log directory

The log directory is the default directory into which the bootstrap logging service places its logs. This may be overridden through the conf/log4j.xml configuration file.

• boot.log: logs the boot process

• server.log: takes over once the logging service is initialized from log4j.xml

• Default startup log priority: DEBUG

• STDOUT and STDERR are logged to console

• By default server.log is rolled over daily.

• Existing logs are overwritten by [re]start.

Old log files are not automatically cleaned by the server during runtime.

• The log system can be easily configured to:

- Roll over logs hourly

- Roll over logs by size

- Automatically remove old logs

Page 32: JBoss Application Server

The default/work directory

• Directory where compiled JSP .java and .class files reside

• Very useful for debugging problems in JSP

Page 33: JBoss Application Server
Page 34: JBoss Application Server

Starting Jboss AS

• Execute $JBOSS_HOME/bin/run.sh (run.bat)

• The script figures out JBOSS_HOME by itself

• To start JBoss as a service on Unix, use the script jboss_init_redhat.sh

• To bind JBoss to a specific address, execute:

run.sh -Djboss.bind.address=10.1.2.3 or

run.sh -b 10.1.2.3

Page 35: JBoss Application Server

Starting Jboss AS On All IPs

• JBoss AS 4.2 by default binds all of its services to the 127.0.0.1 IP address

- i.e. jboss.bind.address=127.0.0.1

- Restricted to localhost for security reasons

• To start JBoss AS such that it binds to all IP addresses, execute:

- run.sh -b 0.0.0.0 (run.bat for WIN)

Page 36: JBoss Application Server

Verifying Jboss AS Startup

• JBoss is successfully started when in its console window you can see:

20:15:34,593 INFO [AjpProtocol] Starting Coyote AJP/1.3 on ajp-0.0.0.0-8009

20:15:34,593 INFO [Server] JBoss (MX MicroKernel) [4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807181439)] Started in 9s:765ms

• Point your browser to http://localhost:8080/status to verify the server startup.

Page 37: JBoss Application Server

Stopping Jboss AS

• If started in the foreground using the run script, simply hit CTRL+C

• If running in the background as an OS service, stop it just like any other OS service

- kill -TERM <jboss-pid>

- NET STOP Jboss (on Windows)

• Use the shutdown script (remote shutdown):

$JBOSS_HOME/bin/shutdown.sh -S

To shut down a remote JBoss AS instance, use:

./shutdown.sh -s jnp://remoteHostOrIP:1099 -S

The remote instance’s IP address and port are specified by its Naming Service, configured in ${jboss.server.config.url}/jboss-service.xml

Page 38: JBoss Application Server

Starting from a Remote server

• JBoss can load itself from a network server using the run script’s --netboot=<url> option

• To boot JBoss AS from a remote server, execute:

./run.sh --netboot=http://192.168.0.1:8080/jboss/

Page 39: JBoss Application Server

Running AS as a Service

• On Linux, you can of course start JBoss in the background by using "&", i.e. running it as a background service

• On Windows, a utility called JavaService can be used to do that.

Page 40: JBoss Application Server

To Add your own Configuration

• Copy an existing one that is closest to your needs and modify the contents. For example, if you weren’t interested in using messaging, you could copy the default directory, renaming it as myconfig, remove the jms subdirectory and then start JBoss with the new configuration.

• run -c myconfig

• The server configuration directory you’re using is effectively the server root while JBoss is running. It contains all the code and configuration information for the services provided by the particular configuration. It’s where the log output goes, and it’s where you deploy your applications.

Page 41: JBoss Application Server

Deployment on JBoss AS

• Deploy by copying components to the /deploy directory

• Undeploy by removing the components that are not needed

• The main deployment process is managed by /conf/jboss-service.xml. By default this scans the deploy directory every 5000ms for added, removed or modified components.

Page 42: JBoss Application Server

Hot vs. Cold Deployment

• Hot deployment is cool but there is a risk of:

- Class-loader exception

- Unrecognized configuration setting

- Lost session/application-scoped data

• Cold deployment is slow but stable

- Stop JBoss AS

- Delete data/, log/, tmp/, work/

- Redeploy application

- Start JBoss AS

Page 43: JBoss Application Server

JMX-Console

• You can get a live view of the server by going to the JMX console application at http://localhost:8080/jmx-console

• It allows you to modify its configuration, start and stop components and so on.

• For example, find the service=JNDIView link and click on it.

– This particular MBean provides a service to allow you to view the structure of the JNDI namespaces within the server. Now find the operation called list and click invoke. The operation returns a view of the current names bound into the JNDI tree, which is very useful when you start deploying your own applications and want to know why you can’t resolve a particular EJB name.

Page 44: JBoss Application Server

Configuration Issues

• Core services are specified in conf/jboss-service.xml. This is the bootstrap descriptor that defines core services that are fixed for the lifetime of the server.

• Several MBeans are configured there, such as logging, security, JNDI Naming and View, Thread Pool etc.

• Comment out the JNDIView service in jboss-service.xml and restart the application server.

<!--
<mbean code="org.jboss.naming.JNDIView"
       name="jboss:service=JNDIView"
       xmbean-dd="resource:xmdesc/JNDIView-xmbean.xml">
</mbean>
-->

• Now if you look in the JMX console, you will not be able to find the JNDIView service being deployed.

Page 45: JBoss Application Server

Services

Configuring JBoss AS services


Page 46: JBoss Application Server

Tomcat Web Container

• Apache Tomcat is a free and open source servlet (2.4) and JSP (2.0) container

• Embedded in JBoss AS as deploy/jboss-web.deployer

• JBoss AS configuration for Tomcat integration is done by META-INF/jboss-service.xml

Page 47: JBoss Application Server

Tomcat’s server.xml

• Tomcat’s own configuration file: jboss-web.deployer/server.xml

• Configures

- Connectors (HTTP, HTTPS, AJP)

- Security realms (inherits from JBoss)

- Logging (Tomcat Service)

- Valves (request/response interceptor)

- Virtual hosts (name-based)

- Web application context

Page 48: JBoss Application Server

Tomcat’s web.xml

• Default web descriptor for all web apps: jboss-web.deployer/conf/web.xml

• Configures

- Common filters

- Servlets for handling static content, JSP, CGI scripts

- Default session timeout

- MIME type mappings

- Welcome file list: index.html, index.jsp

- Error documents

Page 49: JBoss Application Server

Session Configuration

• Configure

<session-config>
  <session-timeout>30</session-timeout>
</session-config>

• The value (in minutes) indicates how long the servlet container will maintain an idle session (in memory or on disk) before timing out

• Value <= 0 indicates that the session never expires unless destroyed explicitly through the user's logout

• Significant impact on server memory usage and end users’ dissatisfaction with timeouts.

Page 50: JBoss Application Server

Error Documents

• Configured through <error-page>

• Defines a mapping between an <error-code> or <exception-type> and the <location> of the error document to be served on those errors

Page 51: JBoss Application Server

<!ELEMENT error-page ((error-code | exception-type), location)>

<error-page>
  <error-code>404</error-code>
  <location>/FileNotFoundError.jsp</location>
</error-page>
<error-page>
  <exception-type>java.lang.IllegalArgumentException</exception-type>
  <location>/IllegalInputError.jsp</location>
</error-page>

Note that <location> is relative to the root of the application and it must start with a /


Page 53: JBoss Application Server

Virtual Hosting with Tomcat

• Add hosts and aliases to jboss-web.deployer/server.xml

<Host name="myhost.com">
  <Alias>www.myhost.com</Alias>
</Host>

• Register applications for virtual hosts in their WEB-INF/jboss-web.xml file

<jboss-web>
  <context-root>/myapp</context-root>
  <virtual-host>myhost.com</virtual-host>
</jboss-web>

Page 54: JBoss Application Server

Web Access Logging

• In Jboss_Home\default\deploy\jboss-web.deployer\server.xml define a <Valve> in

- <Engine>: global for the entire server

- <Host>: per virtual host

- <Context>: per application

• Automatic rotation of logs

• Conditional logging

<Engine name="jboss.web" defaultHost="localhost">
  <Host name="localhost" autoDeploy="false" deployOnStartup="false"
        deployXML="false" configClass="org.jboss.web.tomcat.security.config.JBossContextConfig">
    <Valve className="org.apache.catalina.valves.AccessLogValve"
           prefix="localhost_access_log." suffix=".log" pattern="common"
           directory="${jboss.server.log.dir}" resolveHosts="false" />

……
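An added example, not part of the original slides: a Python check over lines written by the AccessLogValve above with pattern="common". It reports requests for the two management URLs this page names (/jmx-console and /status) that did not come from a loopback address, which can only appear once the server is bound to something other than 127.0.0.1; the log lines are constructed samples and the function names are illustrative.

```python
import ipaddress
import re

# AccessLogValve pattern="common" writes: %h %l %u %t "%r" %s %b
COMMON = re.compile(
    r'(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Management URLs named on this page.
MANAGEMENT_PREFIXES = ("/jmx-console", "/status")

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = """\
127.0.0.1 - - [18/Jul/2008:20:16:02 +0000] "GET /status HTTP/1.1" 200 1432
192.168.0.25 - - [18/Jul/2008:20:17:40 +0000] "GET /myapp/index.jsp HTTP/1.1" 200 512
10.1.2.3 - - [18/Jul/2008:20:19:11 +0000] "GET /jmx-console/ HTTP/1.1" 200 48211
10.1.2.3 - - [18/Jul/2008:20:19:30 +0000] "GET /status HTTP/1.1" 200 1432
192.168.0.25 - - [18/Jul/2008:20:20:05 +0000] "GET /statusboard/ HTTP/1.1" 404 -
20:15:34,593 INFO [Server] a console line that ended up in the wrong file
10.1.2.3 - - [18/Jul/2008:20:21:00 +0000] "-" 400 -
"""


def is_loopback(host):
    """True only for loopback IP addresses; host names count as remote."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def parse_line(line):
    """Parse one common-format line into a dict, or return None."""
    match = COMMON.fullmatch(line.strip())
    if match is None:
        return None
    parts = match.group("request").split()
    method, path = (parts[0], parts[1]) if len(parts) >= 2 else ("", "")
    return {
        "host": match.group("host"),
        "user": match.group("user"),
        "time": match.group("time"),
        "method": method,
        "path": path,
        "status": int(match.group("status")),
    }


def is_management(path):
    """True if the path is a management URL or lies below one."""
    path = path.split("?", 1)[0]
    return any(path == p or path.startswith(p + "/") for p in MANAGEMENT_PREFIXES)


def remote_management_hits(lines):
    """Return (entries to review, number of lines that did not parse)."""
    hits, unparsed = [], 0
    for line in lines:
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            unparsed += 1
        elif is_management(entry["path"]) and not is_loopback(entry["host"]):
            hits.append(entry)
    return hits, unparsed


if __name__ == "__main__":
    found, skipped = remote_management_hits(SAMPLE_LOG.splitlines())
    for e in found:
        print(f'{e["time"]} {e["host"]} {e["method"]} {e["path"]} -> {e["status"]}')
    print(f"{len(found)} remote management request(s), {skipped} unparsed line(s)")
```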


Page 55: JBoss Application Server
Page 56: JBoss Application Server

JNDI on JBoss

Configured in Jboss_Home\server\default\conf\jboss-service.xml

<mbean code="org.jboss.naming.NamingService"
       name="jboss:service=Naming"
       xmbean-dd="resource:xmdesc/NamingService-xmbean.xml">
  <attribute name="CallByValue">false</attribute>
  <!-- The listening port for the bootstrap JNP service. Set this to -1
       to run the NamingService without the JNP invoker listening port.
  -->
  <attribute name="Port">1099</attribute>
  <!-- The bootstrap JNP server bind address. This also sets the default
       RMI service bind address. Empty == all addresses -->
  <attribute name="BindAddress">${jboss.bind.address}</attribute>
  <!-- The port of the RMI naming service, 0 == anonymous -->
  <attribute name="RmiPort">1098</attribute>
  <!-- The RMI service bind address. Empty == all addresses -->
  <attribute name="RmiBindAddress">${jboss.bind.address}</attribute>
  <!-- The thread pool service used to control the bootstrap lookups -->
  <depends optional-attribute-name="LookupPool"
           proxy-type="attribute">jboss.system:service=ThreadPool</depends>
  <!-- An example of using the unified invoker as the transport.
  <depends optional-attribute-name="InvokerProxyFactory"
           proxy-type="attribute">jboss:service=proxyFactory,type=unified,target=Naming</depends>
  -->
  <depends optional-attribute-name="Naming"
           proxy-type="attribute">jboss:service=NamingBeanImpl</depends>
</mbean>

Page 57: JBoss Application Server

Configuring java mail service

• Configured by deploy/mail-service.xml

• Shared connection information for sending email messages over SMTP

• Can also configure the defaults for receiving mail over POP/IMAP4

• Can enable debugging to STDOUT

Page 58: JBoss Application Server

<?xml version="1.0" encoding="UTF-8"?>
<!-- $Id: mail-service.xml 62349 2007-04-15 16:48:15Z [email protected] $ -->
<server>
  <!-- ==================================================================== -->
  <!-- Mail Connection Factory -->
  <!-- ==================================================================== -->
  <mbean code="org.jboss.mail.MailService"
         name="jboss:service=Mail">
    <attribute name="JNDIName">java:/Mail</attribute>
    <attribute name="User">nobody</attribute>
    <attribute name="Password">password</attribute>
    <attribute name="Configuration">
      <!-- A test configuration -->
      <configuration>
        <!-- Change to your mail server protocol -->
        <property name="mail.store.protocol" value="pop3"/>
        <property name="mail.transport.protocol" value="smtp"/>
        <!-- Change to the user who will receive mail -->
        <property name="mail.user" value="nobody"/>
        <!-- Change to the mail server -->
        <property name="mail.pop3.host" value="pop3.nosuchhost.nosuchdomain.com"/>
        <!-- Change to the SMTP gateway server -->
        <property name="mail.smtp.host" value="smtp.nosuchhost.nosuchdomain.com"/>
        <!-- The mail server port -->
        <property name="mail.smtp.port" value="25"/>
        <!-- Change to the address mail will be from -->
        <property name="mail.from" value="[email protected]"/>
        <!-- Enable debugging output from the javamail classes -->
        <property name="mail.debug" value="false"/>
      </configuration>
    </attribute>
    <depends>jboss:service=Naming</depends>
  </mbean>
</server>

Page 59: JBoss Application Server

In the application’s WEB-INF/web.xml

<resource-ref>
  <description>Default Mail Session</description>
  <res-ref-name>mail/Session</res-ref-name>
  <res-type>javax.mail.Session</res-type>
  <res-auth>Container</res-auth>
</resource-ref>

In the application’s WEB-INF/jboss-web.xml

<jboss-web>
  <resource-ref>
    <res-ref-name>mail/Session</res-ref-name>
    <res-type>javax.mail.Session</res-type>
    <jndi-name>java:/Mail</jndi-name>
  </resource-ref>
</jboss-web>

Page 60: JBoss Application Server

Java Messaging Service

• Framework for reliable sync/async communication between distributed components

• Guaranteed push-based delivery

• Peer to peer: One to One, One to Many, Many to Many

• In J2EE, JMS:

• Allows loosely coupled, reliable, asynchronous interactions among J2EE components and legacy systems capable of messaging

• Application clients, EJBs, and web components can send and receive JMS messages

• Message driven beans enable the async consumption of messages, making it easy to plug in new business event handlers into an existing deployment

• Message send and receive operations can participate in distributed transactions, which allow JMS operations and database accesses to take place within a single transaction.

Page 61: JBoss Application Server

When is JMS used

• It is important that there is no dependency between components, neither compile-time nor runtime (components run independently)

• Need asynchronous yet reliable communication

[Diagram labels: Inventory, Factory, Parts; Inventory, Accounting]

Page 62: JBoss Application Server

JMS Architecture

• JMS clients are the programs or components written in the Java programming language that produce and consume messages.

• A JMS provider is the messaging system that implements the JMS interfaces and provides administrative and control features.

• Messages are the objects that communicate information between JMS clients.

[Diagram labels: JNDI; JMS Client; Administrative Tool; JMS Provider; lookup; bind; Logical connection]

Page 63: JBoss Application Server

JMS Messaging Domains

JMS Queue

• Point To Point

• A sender sends a message addressed to a specific queue.

• A receiver consumes the message from the queue established to hold its messages

• Queues retain all messages sent to them until the messages are consumed or the messages expire

• Each message has only one consumer

• The sender and receiver of a message have no time dependency. A receiver can fetch the message whether or not it was running when the client sent the message.

• The receiver acknowledges the successful processing of a message

[Diagram labels: JMS Client1 (Producer); JMS Client2 (Consumer); Send message; Consumes Message; acknowledges]

Page 64: JBoss Application Server

JMS Messaging Domains

JMS Topic

• Publish and Subscribe

• Publisher clients publish messages to one or more message topics

• Subscriber clients subscribe to one or more message topics and receive messages when they are sent to them.

• The topics hold the messages as long as it takes to deliver them to all currently subscribed clients

• Each message can have multiple consumers

• Publishers and subscribers have a timing dependency. A client that subscribes to a topic can consume only messages published after the client has created a subscription, and the subscriber must continue to be active in order for it to consume messages

[Diagram labels: JMS Client1 (Publisher); JMS Client2 (Subscriber); publish message; Deliver Message; Subscribe]

Page 65: JBoss Application Server

JMS Message Consumption

• Synchronous: A subscriber or a receiver explicitly fetches the message from the destination by calling the blocking receive method

• Asynchronous: A client can register a message listener with a consumer. Whenever a message arrives at the destination, the JMS provider delivers the message by calling the listener's onMessage method, which acts on the contents of the message.

Page 66: JBoss Application Server

JMS on Jboss

• JMS Services

• Invocation Layer: bidirectional communication

• Security manager: enforces ACLs to guard access to destinations

• Destination Manager: central service of MQ

• Message cache: messages waiting for pickup

• State Manager: logins, durable subscriptions

• Persistence manager: persists to JDBC

• Destinations: Queues, Topics

Page 67: JBoss Application Server

Logging Service

• Logging is controlled from a central conf/log4j.xml file.

• This file defines a set of appenders, specifying the log files, what categories of messages should go there, the message format and the level of filtering. By default, JBoss produces output to both the console and a log file (server.log in the log directory).

• There are 4 basic log levels used: DEBUG, INFO, WARN and ERROR.

• The logging threshold on the console is INFO, which means that you will see informational messages, warning messages and error messages on the console but not general debug messages.

Page 68: JBoss Application Server

Logging Service

• In contrast, there is no threshold set for the server.log file, so all generated logging messages will be logged there.

• Also note that just because the logging threshold allows debug messages to be displayed, that doesn't mean that all of JBoss will produce detailed debug information for the log file. You will also have to boost the logging limits set for individual categories.

• E.g.:

<!-- Limit JBoss categories to INFO -->
<category name="org.jboss">
  <priority value="INFO"/>
</category>

• This limits the level of logging to INFO for all JBoss classes, apart from those which have more specific overrides provided. If you were to change this to DEBUG, it would produce much more detailed logging output.

Page 69: JBoss Application Server

Logging Example

• Another example, if you want the output from some component redirected to a particular file:

<appender name="CMP" class="org.jboss.logging.appender.RollingFileAppender">
  <errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
  <param name="File" value="${jboss.server.home.dir}/log/cmp.log"/>
  <param name="Append" value="false"/>
  <param name="MaxFileSize" value="500KB"/>
  <param name="MaxBackupIndex" value="1"/>
  <layout class="org.apache.log4j.PatternLayout">
    <param name="ConversionPattern" value="%d %-5p [%c] %m%n"/>
  </layout>
</appender>
<category name="org.jboss.ejb.plugins.cmp">
  <priority value="DEBUG" />
  <appender-ref ref="CMP"/>
</category>

• You will notice that the log directory also contains HTTP request logs which are produced by the web container.

Page 70: JBoss Application Server

Database Connectivity (Connecting Jboss AS with RDBMS with connection pooling)

Page 71: JBoss Application Server

Steps Involved

• Resource references in web apps requiring connectivity to an RDBMS

• Providing RDBMS resources (connection pools) in the server

- Installing the JDBC driver

- Defining RDBMS resources

- Mapping resources to resource references

Web applications that need the services of a relational database can connect to it:

- By managing their own connections

- By having the server manage a shared database connection pool.

Management of database connections in web applications:

- Bloats the code

- Requires more testing

- Requires separate configuration for each web app

- Is slow if connections are not pooled

- Is inefficient and limiting if the connections are pooled, because there would be a separate pool for each web app with potentially many idle connections.

Page 72: JBoss Application Server

Steps Involved contd..

Having the server manage the database connections:

- Simplifies configuration and maintenance (single file to edit)

- Is faster because the connections are pooled

- Utilizes the connections well as they are shared

Page 73: JBoss Application Server

Resource Requirement

In a web app's WEB-INF/web.xml file

<web-app ..>
  <resource-ref>
    <description>DB Connection</description>
    <res-ref-name>jdbc/NorthwindDB</res-ref-name>
    <res-type>javax.sql.DataSource</res-type>
    <res-auth>Container</res-auth>
  </resource-ref>
</web-app>

Defines an application's requirement for a container-managed resource

Page 74: JBoss Application Server

Installing JDBC Driver

• A JDBC driver is what enables Java applications to talk to a specific RDBMS, such as MySQL, DB2, Oracle, etc.

• Download the JDBC driver from the database vendor

• Copy the driver jar into the directory ${jboss.server.lib.url}

Page 75: JBoss Application Server

Defining database Resources

• Create deploy/northwind-ds.xml

<datasources>
  <local-tx-datasource>
    <jndi-name>NorthwindDS</jndi-name>
    <connection-url>jdbc:mysql://localhost:3306/Northwind?autoReconnect=true</connection-url>
    <driver-class>com.mysql.jdbc.Driver</driver-class>
    <user-name>northwind</user-name>
    <password>secret</password>
  </local-tx-datasource>
</datasources>

Page 76: JBoss Application Server

Defining database Resources contd..

Some other common elements:

min-pool-size: the minimum number of pooled database connections. Initialized when the pool is first accessed.

max-pool-size: the maximum number of pooled connections. Once this limit is reached, clients block. Defaults to 20.

blocking-timeout-millis: the maximum blocking time (in ms) while waiting for an available connection before timing out by throwing an exception. Defaults to 5000ms.

idle-timeout-minutes: the maximum time (in minutes) before idle connections are closed.

Page 77: JBoss Application Server

Resource Mapping

• In the WEB-INF/jboss-web.xml file

<jboss-web>
  <resource-ref>
    <description>JDBC Connection</description>
    <res-ref-name>jdbc/NorthwindDB</res-ref-name>
    <res-type>javax.sql.DataSource</res-type>
    <jndi-name>java:/NorthwindDS</jndi-name>
  </resource-ref>
</jboss-web>

Maps the application's resource reference to the real resource provided by JBoss AS.

Page 78: JBoss Application Server

Security

Securing Applications

Securing JBoss AS

Page 79: JBoss Application Server

Securing Applications

• Filtering clients by source IP address

• Requiring authentication and authorization

• Data transport integrity and confidentiality (SSL)

Page 80: JBoss Application Server

Filtering Clients by Source

• Limit access to web applications by client IP or hostname

• Configured through Tomcat valves

- Different levels: <Engine> (global), <Host> (per virtual host), <Context> (per web application)

To limit access globally or per virtual host, add the desired <Valve> to <Engine> or <Host> in the \default\deploy\jboss-web.deployer\server.xml file:

<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="192.168.*,127.*" />
<Valve className="org.apache.catalina.valves.RemoteHostValve" allow="smtphost.com" />

Limiting access per web application can be done through Tomcat by creating a <Context> file in /deploy/<app.war>/WEB-INF/context.xml:

<Context>
  <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="192.168.*,127.*" />
</Context>

Page 81: JBoss Application Server

Filtering Clients by Source (contd.)

• Configured through a servlet filter

- Servlet filters are J2EE AS independent

Configure a servlet filter in the /WEB-INF/web.xml file:

<filter>
  <filter-name>RemoteHostFilter</filter-name>
  <filter-class>org.jboss.remotehostfilter.RemoteHostFilter</filter-class>
  <init-param>
    <param-name>allow</param-name>
    <param-value>192.168.*</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>RemoteHostFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

Page 82: JBoss Application Server

Authentication and Authorization

• JAAS – Java Authentication and Authorization Service

• Support for single sign-on

• Role-based access control

• Separate business logic from A&A

• Declarative (XML-based), not hard-coded

Page 83: JBoss Application Server

Requiring A&A

Adding a security-constraint in web.xml:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Tell Fortune Servlet</web-resource-name>
    <url-pattern>/tellFortune</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>customer</role-name>
  </auth-constraint>
</security-constraint>

Page 84: JBoss Application Server

Requiring A&A (contd.)

Adding login configuration:

<web-app ...>
  .....
  <security-constraint>
    ....
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Customers Only</realm-name>
  </login-config>
  ...
</web-app>

In this case we used HTTP BASIC authentication. Other options include DIGEST, FORM, etc.

Page 85: JBoss Application Server

Requiring A&A (contd.)

Declaring security roles:

<web-app ...>
  .....
  <security-constraint>
    ....
    <auth-constraint>
      <role-name>customer</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>...</login-config>
  <security-role>
    <role-name>customer</role-name>
  </security-role>
</web-app>

Page 86: JBoss Application Server

Plain-Text login module

• Already enabled by default

• WEB-INF/classes/users.properties

mike=123
john=1234

• WEB-INF/classes/roles.properties

mike=customer
john=manager

The properties files are loaded during initialization of the context class loader. Placing these files in the deploy/<app>/WEB-INF/classes directory makes them unique to that specific web application.

Page 87: JBoss Application Server

Security Service

The security domain information is stored in the file \server\default\conf\login-config.xml as a list of named security domains, each of which specifies a number of JAAS login modules which are used for authentication purposes in that domain.

• E.g. jmx-console (since everything is controlled through it, you may need to secure it). To protect this application, we will add a security domain to cover it.

<application-policy name="jmx-console">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
      <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
      <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
    </login-module>
  </authentication>
</application-policy>

Page 88: JBoss Application Server

Link to Security Domain

• Go to the jmx-console.war/WEB-INF/ directory and edit jboss-web.xml

• Uncomment the security-domain element in that file, as shown below.

<jboss-web>
  <security-domain>java:/jaas/jmx-console</security-domain>
</jboss-web>

This links the security domain to the web application, but it doesn't tell the web application what security policy to enforce.

• To configure this, go to the web.xml file in the same directory and uncomment the security-constraint that is already there.

Page 89: JBoss Application Server

Adding Security

<!--
  A security constraint that restricts access to the HTML JMX console
  to users with the role JBossAdmin. Edit the roles to what you want and
  uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
  secured access to the HTML JMX console.
-->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <description>
      An example security config that only allows users with the
      role JBossAdmin to access the HTML JMX console web application
    </description>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>JBossAdmin</role-name>
  </auth-constraint>
</security-constraint>

Page 90: JBoss Application Server

Adding Security

• Where are the usernames, passwords and roles stored?

• The configuration is stored in conf/login-config.xml.

<application-policy name="jmx-console">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
      <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
      <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
    </login-module>
  </authentication>
</application-policy>

Page 91: JBoss Application Server

Adding Security

• These files are located in the conf directory.

– i.e. <jboss-home>/server/default/conf/props/<filename>

– The usernames and passwords are stored in jmx-console-users.properties in that directory and take the form "username=password".

– To assign a user to the JBossAdmin group, add "username=JBossAdmin" to the jmx-console-roles.properties file.

Page 92: JBoss Application Server

Securing Passwords

• Configure hashed passwords in conf/login-config.xml:

<login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
  .....
  <module-option name="hashAlgorithm">MD5</module-option>
  <module-option name="hashEncoding">hex</module-option>
</login-module>

• Replace the passwords in the users.properties file with the encoded values

• To compute the MD5 hash:

• On Linux run: echo -n <password> | md5sum

• On Windows run: md5.exe -d<password>
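The hashing step above, as an added example that is not part of the original slides or of JBoss itself: it converts a plaintext users.properties into hashed form for the hashAlgorithm and hashEncoding options and shows why the -n in the echo command matters. The function names and the sample file are constructed for illustration; it goes beyond the slide by also handling base64 encoding and assumes hashAlgorithm accepts other java.security.MessageDigest names such as SHA-256.

```python
import base64
import hashlib
import hmac

# Constructed sample in the users.properties format shown on the slides.
PLAINTEXT_USERS = "# demo accounts\nmike=123\njohn=1234\n"


def encode_password(password, hash_algorithm="MD5", hash_encoding="hex"):
    """Digest a password as the hashAlgorithm/hashEncoding options describe."""
    name = hash_algorithm.replace("-", "").lower()  # "SHA-256" -> "sha256"
    digest = hashlib.new(name, password.encode("utf-8")).digest()
    if hash_encoding == "hex":
        return digest.hex()
    if hash_encoding == "base64":
        return base64.b64encode(digest).decode("ascii")
    raise ValueError("unsupported hashEncoding: %r" % hash_encoding)


def hash_properties(text, **options):
    """Rewrite user=password lines as user=<digest>; keep comments and blanks."""
    out = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#!" or "=" not in line:
            out.append(line)
            continue
        user, password = line.split("=", 1)
        # Like java.util.Properties: whitespace after '=' is dropped,
        # trailing whitespace stays part of the value.
        out.append("%s=%s" % (user.strip(),
                              encode_password(password.lstrip(), **options)))
    return "\n".join(out) + "\n"


def password_matches(stored, presented, **options):
    """Digest the presented password and compare it with the stored value."""
    candidate = encode_password(presented, **options)
    return hmac.compare_digest(stored.encode("ascii"), candidate.encode("ascii"))


if __name__ == "__main__":
    print(hash_properties(PLAINTEXT_USERS), end="")
    # The trailing newline that `echo` adds without -n changes the digest,
    # so a hash made that way never matches at login.
    print(password_matches(encode_password("123\n"), "123"))
```

Unsalted MD5 is what the slide configures; passing hash_algorithm="SHA-256" produces the value for a stronger digest under the stated assumption.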

Page 93: JBoss Application Server

Enabling SSL

• Use the keytool utility shipped with the JDK to generate a keystore file

• keytool -genkey -alias tomcat -keyalg RSA

• Copy the .keystore file to <Jboss-Home>/server/default/conf and rename it to ssl.keystore

• Uncomment the following in \server\default\deploy\jboss-web.deployer\server.xml

<!-- SSL/TLS Connector configuration using the admin devl guide keystore
<Connector port="8443" address="${jboss.bind.address}"
    maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
    emptySessionPath="true"
    scheme="https" secure="true" clientAuth="false"
    keystoreFile="${jboss.server.home.dir}/conf/ssl.keystore"
    keystorePass="rmi+ssl" sslProtocol="TLS" />
-->

• Also change the keystoreFile path to the appropriate location

Page 94: JBoss Application Server

Requiring SSL in Apps

• Add within a <security-constraint> element in the WEB-INF/web.xml file:

<user-data-constraint>
  <description>Require SSL</description>
  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>

The <transport-guarantee> element can be NONE, INTEGRAL or CONFIDENTIAL. The INTEGRAL and CONFIDENTIAL values indicate that the use of SSL is required.
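A deployment check for the security-constraint, login-config, security-role and user-data-constraint elements covered on the A&A and SSL slides, added here as an example and not taken from the slides or from JBoss. Under the Servlet specification a constraint that lists http-method elements covers only those methods, so the check reports that along with a missing transport guarantee and undeclared roles; the function names and the sample descriptor are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample combining the slides' jmx-console constraint with BASIC login.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Customers Only</realm-name>
  </login-config>
</web-app>"""


def _nodes(node, name):
    """Descendant elements called `name`, ignoring any XML namespace."""
    return [e for e in node.iter() if e.tag.rsplit("}", 1)[-1] == name]


def _texts(node, name):
    return [(e.text or "").strip() for e in _nodes(node, name)]


def audit_web_xml(xml_text):
    """Return (url-patterns, finding) tuples for one web.xml document."""
    root = ET.fromstring(xml_text)
    declared = {r for sr in _nodes(root, "security-role")
                for r in _texts(sr, "role-name")}
    auth_methods = _texts(root, "auth-method")
    constraints = _nodes(root, "security-constraint")
    findings = []
    if not constraints:
        findings.append(("*", "no security-constraint: nothing is protected"))
    for sc in constraints:
        urls = ",".join(_texts(sc, "url-pattern"))
        methods = _texts(sc, "http-method")
        if methods:  # listed methods are the only ones the constraint covers
            findings.append((urls, "only %s constrained" % "/".join(methods)))
        if not {"INTEGRAL", "CONFIDENTIAL"} & set(_texts(sc, "transport-guarantee")):
            detail = "; BASIC sends base64 credentials" if "BASIC" in auth_methods else ""
            findings.append((urls, "SSL not required" + detail))
        for ac in _nodes(sc, "auth-constraint"):
            for role in _texts(ac, "role-name"):
                if role != "*" and role not in declared:
                    findings.append((urls, "role %s lacks <security-role>" % role))
    return findings


if __name__ == "__main__":
    for urls, finding in audit_web_xml(SAMPLE_WEB_XML):
        print(urls, "-", finding)
```

Removing the http-method elements, adding the user-data-constraint shown above and declaring the role in a security-role element clears all three findings for the sample.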

Page 95: JBoss Application Server

Securing JBoss AS

• Running JBoss AS with low privileges

• File system security

• Securing console applications, like the JMX console

• Securing other JBoss AS services

• Running with the Java Security Manager

• Running behind a firewall

Page 96: JBoss Application Server

JBoss AS system User

• Do not run JBoss AS as root/Administrator

- Deployed applications and services run with the same privileges as JBoss AS itself

- Create a low-privileged JBoss system user

• JBoss, being a Java app, cannot switch its effective user ID after starting

-- Running without root privileges forces you to use ports >= 1024 on a UNIX/Linux system

-- Front JBoss AS with a web server (like Apache HTTPD) or set up firewall-based port forwarding for access over the default HTTP(S) ports: 80, 443.

Page 97: JBoss Application Server

Performance Tuning

• Tomcat

• jbossweb-tomcat5.sar/server.xml

<Connector port="8080" address="${jboss.bind.address}"
    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" redirectPort="8443" acceptCount="100"
    connectionTimeout="20000" disableUploadTimeout="true"/>

– You should have enough threads (maxThreads) to handle (rule of thumb) 25% more than your maximum expected load (concurrent hits coming in at once)

– You should have minSpareThreads equal to just a little more than your normal load

– You should have maxSpareThreads equal to just a little more than your peak load

– minSpareThreads means "on start up, always keep at least this many threads waiting idle"

– maxSpareThreads means "if we ever go above minSpareThreads then always keep maxSpareThreads waiting idle"

Page 98: JBoss Application Server

Performance-Log4J

• Logging has a profound effect on performance. Changing the logging level to TRACE can bring the JBossAS to a crawl. Changing it to ERROR (or WARN) can speed things up dramatically.

• By default, JBoss logs both to the console and server.log and by default it uses level "INFO".

• To turn off console logging:

• Edit server/slim/conf/log4j.xml

• Change the following XML fragment:

<root>
  <appender-ref ref="CONSOLE"/>
  <appender-ref ref="FILE"/>
</root>

• Make it read:

<root>
  <appender-ref ref="FILE"/>
</root>

Page 99: JBoss Application Server

• Finally, the most important thing in log4j: make sure you limit the logging level on your own class hierarchy.

<!-- Limit my.package category to INFO -->
<category name="my.package">
  <priority value="INFO"/>
</category>

Page 100: JBoss Application Server

Slimming

• JavaMail

• Remove the services which are not being used.

• When not using the mail-service (J2EE standard JavaMail client)

• remove server/deploy/mail-service.xml

• remove server/lib/mail* (mail-plugin.jar, mail.jar - JavaMail stuff)

• remove server/lib/activation.jar (Java Activation Framework is used by

JavaMail)

• J2EE Client deployer service

• When not using the J2EE client deployer service

• remove server/deploy/client-deployer-service.xml


Page 101: JBoss Application Server

Slimming

• HAR Deployer

• When not using the integrated HAR deployer and Hibernate session management services

• remove server/deploy/hibernate-deployer-service.xml (HAR support)

• remove server/lib/jboss-hibernate.jar (HAR support)

• remove server/lib/hibernate2.jar (Hibernate itself)

• remove server/lib/cglib-full-2.0.1.jar (used by Hibernate to create proxies of POJOs)

• remove server/lib/odmg-3.0.jar

• HSQL

• When not using Hypersonic (which you should not in production)

• remove server/deploy/hsqldb-ds.xml

• remove server/lib/hsqldb-plugin.jar

• remove server/lib/hsqldb.jar

• Remember that JBossMQ uses HSQL by default, so you may need to configure it with some other database.

Page 102: JBoss Application Server

Slimming

• JBossMQ

• remove the entire server/deploy/jms directory

• remove server/lib/jbossmq.jar

HTTPInvoker (which lets you tunnel RMI over HTTP)

• remove the entire server/deploy/http-invoker.sar directory

JMX-Console

• remove server/slim/deploy/jmx-console.war


Page 103: JBoss Application Server

• If you do not need to make JMX calls over RMI (warning: shutdown.sh DOES do this)

• remove server/deploy/jmx-invoker-adaptor-server.sar

• remove server/deploy/jmx-adaptor-plugin.jar

• or you may want to just secure the JMX invoker-adaptor instead

• EAR Deployer

• If you do not need to be able to deploy EAR files

• open server/conf/jboss-service.xml in the vi editor

• remove or comment out the following XML fragments:

• from under the <mbean code="org.jboss.management.j2ee.LocalJBossServerDomain" ...> MBean:

<attribute name="EARDeployer">jboss.j2ee:service=EARDeployer</attribute>

• and

<!-- EAR deployer, remove if you are not using Web layers -->
<mbean code="org.jboss.deployment.EARDeployer" name="jboss.j2ee:service=EARDeployer">
</mbean>

Page 104: JBoss Application Server

High Availability and Scaling

Fronting with Apache HTTPD

Load Balancing

Clustering

Page 105: JBoss Application Server

Requirements

•Fault Tolerance

--Reliability

--Uptime Guarantee

•Stable Throughput – Scalability

--Provide consistent response times in light of increased system load

•Manageability of Servers

-- Server upgrade with no service interruptions

Page 106: JBoss Application Server

Simple Web Architecture

[Diagram: three clients, Internet, a single JBoss AS, two databases]

This architecture is not scalable. Additional users can only be handled by improving the performance of the server (e.g. additional CPUs, more memory).

No fault tolerance. If the JBoss AS goes down, the entire service becomes unavailable.

Page 107: JBoss Application Server

Clustering Web Architecture

[Diagram: three clients, Internet, web server, multiple JBoss AS nodes, two databases]

Add one or more web servers to balance the load across multiple JBoss AS nodes, typically running on separate physical servers.

Additional user load can be handled by adding another JBoss AS node.

If any one of the JBoss AS nodes fails, the service is still available through the other JBoss AS nodes.

Page 108: JBoss Application Server

Fronting with a Web Server

• Scalability and High Availability: Load balancing and failover

• Security: Web servers are simpler and easier to protect

• Stability: More robust

Page 109: JBoss Application Server

Fronting with Apache HTTPD

[Diagram: Client, Apache HTTPD Server, JBoss AS, Legacy System, Database; the client reaches Apache over HTTP/S on 80/443, and Apache reaches JBoss AS over AJP1.3 on 8009]

• Install and set up Apache HTTPD

• Install and configure mod_jk on Apache

• The AJP connector on JBoss AS is already enabled in jboss-web.deployer/server.xml

Page 110: JBoss Application Server

Installing mod_jk

• Download the latest mod_jk (binary or source) from: http://tomcat.apache.org/connectors-doc/

• Save it as <apache-dir>/modules/mod_jk.so

• Include its configuration file in <apache-dir>/conf/httpd.conf:

Include conf/jk.conf

Page 111: JBoss Application Server

Configuring mod_jk

• Define a JBoss AS instance in <apache-dir>/conf/workers.properties:

worker.jboss1.type=ajp13
worker.jboss1.host=127.0.0.1
worker.jboss1.port=8009
worker.list=jboss1

The special directive worker.list exports all declared workers for use in Apache HTTPD.

Page 112: JBoss Application Server

Configuring mod_jk (contd.)

• Create <apache-dir>/conf/jk.conf

LoadModule jk_module modules/mod_jk.so
jkWorkersFile conf/workers.properties
jkLogFile logs/jk.log
jkLogLevel INFO
jkMount /jmx-console/* jboss1

Now jk.conf is included in httpd.conf:

Include conf/jk.conf

The worker jboss1 comes from the workers.properties file, because it was exported by the worker.list directive.

Page 113: JBoss Application Server

Simple Load Balancing

• Set up another JBoss instance

-- Use run.sh -Djboss.bind.address=<ip> to run instances on different IPs but the same ports

• Define it in workers.properties:

worker.jboss2.type=ajp13
worker.jboss2.host=192.168.1.149
worker.jboss2.port=8009

• Define a new load balancing worker:

worker.jboss.type=lb
worker.jboss.balance_workers=jboss1,jboss2

• Export the load balancing worker:

worker.list=jboss

Page 114: JBoss Application Server

<apache-dir>/conf/workers.properties file

worker.jboss1.type=ajp13

worker.jboss1.host=127.0.0.1

worker.jboss1.port=8009

worker.list=jboss1

worker.jboss2.type=ajp13

worker.jboss2.host=192.168.1.149

worker.jboss2.port=8009

worker.jboss.type=lb

worker.jboss.balance_workers=jboss1,jboss2

worker.list=jboss

Page 115: JBoss Application Server

Simple Load Balancing

• Deploy fortune.war on both instances.

• Change conf/jk.conf:

jkMount /jmx-console/* jboss
jkMount /fortune/* jboss

• Start both JBoss instances and Apache HTTPD

• The updated jk.conf looks like:

LoadModule jk_module modules/mod_jk.so
jkWorkersFile conf/workers.properties
jkLogLevel INFO
jkMount /jmx-console/* jboss
jkMount /fortune/* jboss

Note that we are no longer jkMount-ing jboss1 (or jboss2). We can only use the new load balancer worker called jboss, because that is the one exported by worker.list in the conf/workers.properties file.