JBoss Application Server
What is J2EE
• J2EE is a standards-based platform to develop, deploy and manage multi-tier, web-enabled, server-centric and component-based enterprise applications.
• As a superset of J2SE, J2EE adds additional specifications, libraries, documentation and tools.
Multi-Tier Architecture
[Diagram: Client Tier, Client Tier (B2B), Web Tier, Business Tier, Messaging Tier, Data Access Tier, Legacy/External Tier, Data Tier; J2EE Application Server]
Component based architecture
[Diagram: web browser, web pages and applets; JSP/Servlet in the Web Container; session beans, entity beans and message-driven beans in the EJB Container; Data Tier; J2EE Application Server]
Server Centric
• J2EE apps run within a J2EE application server that provides all middle-tier services
• Clients are thin
• Support for rich clients through RMI, Web services, etc.
 - The design of such clients is beyond the scope of J2EE
Web enabled
• Thanks to Servlet/JSP technology, J2EE applications are automatically web-enabled
Some J2EE App Servers available in the market
• Apache Tomcat
• JBoss AS
• BEA WebLogic
• IBM WebSphere
• ATG Dynamo
JBoss Organization
• The professional Open Source Company
• Focuses on middleware software and services: JBoss Enterprise Middleware Suite (JEMS)
• Software is open source and free.
Server Configurations
• Fundamentally, the JBoss architecture consists of the JMX MBean server, the
microkernel, and a set of pluggable component services, the MBeans.
• This makes it easy to assemble different configurations and gives you the
flexibility to tailor them to meet your requirements
• You don’t have to run a large, monolithic server all the time; you can remove
the components you don’t need
• You can also integrate additional services into JBoss by writing your own MBeans. You certainly don’t need to do this to be able to run standard J2EE applications.
Microkernel Layer
• Based on JMX architecture
• Defines lifecycle configuration and management of services
 - Standard mechanism for assembling service components for consistent access management and integration
Java Management eXtension
• Management and Monitoring standard
• Both local and remote management
• Change settings at runtime
• Event notification/timer
• Portable across application servers
• Integrate with third-party components
What is MBean
An MBean is a Java object that
implements one of the standard MBean
interfaces and follows the associated
design patterns. The MBean for a resource
exposes all necessary information and
operations that a management application
needs to control the resource.
JMX Architecture
[Diagram: inside the JVM, three layers. Distributed Services Layer: management applications, connectors and protocol adapters. Agent Layer: MBean Server, agent service MBeans. Instrumentation Layer: resource MBeans.]
JMX on JBoss AS
[Diagram: the JBoss Microkernel (JMX MBean Server) surrounded by pluggable MBeans: DB Bean, Remote Mgr MBean, Security MBean, JNDI MBean, JTA MBean, Servlet Container MBean, JMS MBean, EJB Container MBean]
JMX Console
URL: http://localhost:8080/jmx-console/
Service Layer
• Each service is defined as a JMX Managed Bean
• Services are hot-pluggable
• Makes it possible to tune the system for just the required services to lower the footprint
• Easy to define new services and package them as SARs (service archives)
• Examples: Servlet/JSP container, EJB container, transaction management, messaging, connection pooling, security
Application Layer
• This is where the enterprise (J2EE) applications reside
• This layer deals with the business logic while leaving the container services up to JBoss AS
• Portable: independent of JBoss AS
Getting and Installing Java
• Download from http://java.sun.com
 - Get the J2SE SDK (JDK), not J2EE or JRE!
• Avoid installing Java into a directory that contains spaces or other special characters (e.g. C:\Program Files)
Configuring Java
• Set JAVA_HOME to point to the directory where you installed Java
• Add $JAVA_HOME/bin to your PATH
• Test that java -version prints the expected Java version
On Unix, make these changes in the shell’s configuration file (~/.bashrc).
Installing JBoss AS
• Download the packaged community distribution from: http://labs.jboss.com/jbossas/download
• Unpack the compressed archive
Directory Structure
• bin: contains the startup, shutdown and other system-specific scripts, including the script that starts JBoss.
• client: stores configuration and JAR files which may be needed by a client that runs outside the JBoss AS container, such as:
 - Web service client
 - EJB client
 - JMX Console
 This is used by external applications that need to access JNDI resources.
 To get the client classpath run:
 $JBOSS_HOME/bin/classpath.sh -c
• docs: contains the XML DTDs used in JBoss for reference (these are also a useful source of documentation on JBoss configuration specifics). There are also example JCA (Java Connector Architecture) configuration files for setting up datasources for different databases (such as MySQL, Oracle, Postgres).
• lib: JAR files which are needed to run the JBoss microkernel. You should never add any of your own JAR files here. Applications running on JBoss do not have access to the libraries placed in this directory.
The Server Directory
Each of the subdirectories in here is a different server configuration. The configuration sets contain the actual JBoss services.
To change the configuration set that JBoss AS runs with, execute:
bin/run.sh -c <minimal|all|default>
Each configuration set has to have the following directories: conf/, deploy/, lib/
Other directories such as data/, log/, tmp/ and work/ are automatically created on JBoss AS startup if they do not exist.
Server Configurations…contd
• Within the server directory, there are three example server configurations:
– minimal: The minimal configuration contains the bare minimum services required to start JBoss. It starts the logging service, a JNDI server and a URL deployment scanner to find new deployments. This is what you would use if you want to use JMX/JBoss to start your own services without any other J2EE technologies. This is just the bare server. There is no web container, no EJB or JMS support.
– default: The default configuration consists of the standard services needed by most J2EE applications. It does not include the JAXR service, the IIOP service, or any of the clustering services.
– all: The all configuration starts all the available services. This includes the RMI/IIOP and clustering services, which aren’t loaded in the default configuration.
The default/conf directory
• jboss-service.xml: The conf directory contains the bootstrap descriptor, jboss-service.xml by default, for a given server configuration. This defines the core services that are fixed for the lifetime of the server.
• jboss-log4j.xml: Configuration file for the logging service defining log filters, priorities, and destinations.
• jndi.properties: Specifies a set of properties that are passed to JNDI
• login-config.xml: defines security realms used for authentication and authorization.
• props/*.properties: Java property files
• standardjboss.xml: configuration file for the standard EJB container
The default/data directory
• The data directory is a location available for use by services that want to store content in the file system
• This directory is not accessible to end users.
The default/deploy directory
• Dynamic deployment content directory
• This is where applications and services are deployed.
• Default location used by the hot deployment service
• Contains code and configuration files for all services.
The default/lib directory
• Contains shared Java libraries (JAR files) needed by the server configuration
• The libraries are not hot-re/deployed
• All libraries are automatically added to the shared classpath on server start-up.
If you have Java libraries that need to be made available to all your applications/services, they can be placed in this directory.
Similarly, you would also use this directory for Java libraries that need to be used by both your applications/services and JBoss AS services. For example, a JDBC driver that is needed by JBoss AS to manage a pool of database connections as well as by your code, which implicitly uses it to interact with the database server.
The default/log directory
The log directory is the default directory into which the bootstrap logging service places its logs. This may be overridden through the conf/log4j.xml configuration file.
• boot.log: logs the boot process
• server.log: takes over once the logging service is initialized from log4j.xml
• Default startup log priority: DEBUG
• STDOUT and STDERR are logged to the console
• By default server.log is rolled over daily.
• Existing logs are overwritten by [re]start.
Old log files are not automatically cleaned by the server during runtime.
• The log system can be easily configured to:
 - Roll over logs hourly
 - Roll over logs by size
 - Automatically remove old logs
The default/work directory
• Directory where the .java and .class files of compiled JSPs reside
• Very useful for debugging problems in JSPs
Starting Jboss AS
• Execute $JBOSS_HOME/bin/run.sh (run.bat)
• The script figures out JBOSS_HOME by itself
• To start JBoss as a service on Unix, use the script jboss_init_redhat.sh
• To bind JBoss to a specific address, execute:
 run.sh -Djboss.bind.address=10.1.2.3 or
 run.sh -b 10.1.2.3
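Starting JBoss AS On All IPs
• JBoss AS 4.2 by default binds all of its services to the 127.0.0.1 IP address
 - i.e. jboss.bind.address=127.0.0.1
 - Restricted to localhost for security reasons
• To start JBoss AS such that it binds to all IP addresses, execute:
 - run.sh -b 0.0.0.0 (run.bat for WIN)
 - Every service that uses jboss.bind.address, including the JMX console and the naming service, then listens on all interfaces, so secure them before binding this way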
Verifying JBoss AS Startup
• JBoss is successfully started when in its console window you can see:
20:15:34,593 INFO [AjpProtocol] Starting Coyote AJP/1.3 on ajp-0.0.0.0-8009
20:15:34,593 INFO [Server] JBoss (MX MicroKernel) [4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807181439)] Started in 9s:765ms
• Point your browser to http://localhost:8080/status to verify the server startup.
Stopping JBoss AS
• If started in the foreground using the run script, simply hit CTRL+C
• If running in the background as an OS service, stop it just like any other OS service
 - kill -TERM <jboss-pid>
 - NET STOP Jboss (on Windows)
• Use the shutdown script (remote shutdown):
 $JBOSS_HOME/bin/shutdown.sh -S
• To shut down a remote JBoss AS instance use:
 ./shutdown.sh -s jnp://remoteHostOrIP:1099 -S
 The remote instance’s IP address and port are specified by its Naming Service, configured in ${jboss.server.config.url}/jboss-service.xml
Starting from a Remote server
• JBoss can load itself from a network server using the run script’s --netboot=<url> option
• To boot JBoss AS from a remote server, execute:
 ./run.sh --netboot=http://192.168.0.1:8080/jboss/
Running AS as a Service
• On Linux, you can of course start JBoss in the background by using "&", i.e. running it as a background service
• On Windows, a utility called JavaService can be used to do that.
To Add your own Configuration
• Copy an existing one that is closest to your needs and modify the contents. For example, if you weren’t interested in using messaging, you could copy the default directory, rename it myconfig, remove the jms subdirectory and then start JBoss with the new configuration.
• run -c myconfig
• The directory of the server configuration you’re using is effectively the server root while JBoss is running. It contains all the code and configuration information for the services provided by the particular configuration. It’s where the log output goes, and it’s where you deploy your applications.
Deployment on JBoss AS
• Deploy by copying components to the /deploy directory
• Undeploy by removing the components that are not needed
• The main deployment process is managed by /conf/jboss-service.xml. By default this scans the deploy directory every 5000ms for added, removed or modified components.
Hot vs. Cold Deployment
• Hot deployment is cool but there is a risk of:
 - Class-loader exceptions
 - Unrecognized configuration settings
 - Lost session/application-scoped data
• Cold deployment is slow but stable
 - Stop JBoss AS
 - Delete data/, log/, tmp/, work/
 - Redeploy the application
 - Start JBoss AS
JMX-Console
• You can get a live view of the server by going to the JMX console application at http://localhost:8080/jmx-console
• It allows you to modify its configuration, start and stop components and so on.
• For example, find the service=JNDIView link and click on it.
 – This particular MBean provides a service that lets you view the structure of the JNDI namespaces within the server. Now find the operation called list and click Invoke. The operation returns a view of the current names bound into the JNDI tree, which is very useful when you start deploying your own applications and want to know why you can’t resolve a particular EJB name.
Configuration Issues
• Core services are specified in conf/jboss-service.xml. This is the bootstrap descriptor that defines core services that are fixed for the lifetime of the server.
• Several MBeans are configured there, such as logging, security, JNDI Naming and View, Thread Pool, etc.
• Comment out the JNDIView service in jboss-service.xml and restart the application server:
<!--
<mbean code="org.jboss.naming.JNDIView"
    name="jboss:service=JNDIView"
    xmbean-dd="resource:xmdesc/JNDIView-xmbean.xml">
</mbean>
-->
• Now if you look in the JMX console, you will not find the JNDIView service deployed.
Services
Configuring JBoss AS services
Tomcat Web Container
• Apache Tomcat is a free and open source servlet (2.4) and JSP (2.0) container
• Embedded in JBoss AS as deploy/jboss-web.deployer
• JBoss AS configuration for Tomcat integration is done by META-INF/jboss-service.xml
Tomcat’s server.xml
• Tomcat’s own configuration file: jboss-web.deployer/server.xml
• Configures
 - Connectors (HTTP, HTTPS, AJP)
 - Security realms (inherits from JBoss)
 - Logging (Tomcat service)
 - Valves (request/response interceptors)
 - Virtual hosts (name based)
 - Web application context
Tomcat’s web.xml
• Default web descriptor for all web apps: jboss-web.deployer/conf/web.xml
• Configures
 - Common filters
 - Servlets for handling static content, JSP, CGI scripts
 - Default session timeout
 - MIME type mappings
 - Welcome file list: index.html, index.jsp
 - Error documents
Session Configuration
• Configure
<session-config>
  <session-timeout>30</session-timeout>
</session-config>
• The value (in minutes) indicates how long the servlet container will maintain an idle session (in memory or on disk) before timing out
• A value <= 0 indicates that the session never expires unless destroyed explicitly through the user's logout
• Significant impact on server memory usage and end users’ dissatisfaction with timeouts.
Error Documents
• Configured through <error-page>
• Defines a mapping between an <error-code> or <exception-type> and a <location> of the error document to be served on those errors
<!ELEMENT error-page ((error-code | exception-type), location)>
<error-page>
  <error-code>404</error-code>
  <location>/FileNotFoundError.jsp</location>
</error-page>
<error-page>
  <exception-type>java.lang.IllegalArgumentException</exception-type>
  <location>/IllegalInputError.jsp</location>
</error-page>
Note that <location> is relative to the root of the application and it must start with a /
Virtual Hosting with Tomcat
• Add hosts and aliases to jboss-web.deployer/server.xml
<Host name="myhost.com">
  <Alias>www.myhost.com</Alias>
</Host>
• Register applications for virtual hosts in their WEB-INF/jboss-web.xml file
<jboss-web>
  <context-root>/myapp</context-root>
  <virtual-host>myhost.com</virtual-host>
</jboss-web>
Web Access Logging
• In Jboss_Home\default\deploy\jboss-web.deployer\server.xml define a <Valve> in
 - <Engine>: global for the entire server
 - <Host>: per virtual host
 - <Context>: per application
• Automatic rotation of logs
• Conditional logging
<Engine name="jboss.web" defaultHost="localhost">
  <Host name="localhost" autoDeploy="false" deployOnStartup="false"
        deployXML="false" configClass="org.jboss.web.tomcat.security.config.JBossContextConfig">
    <Valve className="org.apache.catalina.valves.AccessLogValve"
           prefix="localhost_access_log." suffix=".log" pattern="common"
           directory="${jboss.server.log.dir}" resolveHosts="false" />
    ...
JNDI on JBoss
Configured in Jboss_Home\server\default\conf\jboss-service.xml
<mbean code="org.jboss.naming.NamingService"
name="jboss:service=Naming"
xmbean-dd="resource:xmdesc/NamingService-xmbean.xml">
<attribute name="CallByValue">false</attribute>
<!-- The listening port for the bootstrap JNP service. Set this to -1
to run the NamingService without the JNP invoker listening port.
-->
<attribute name="Port">1099</attribute>
<!-- The bootstrap JNP server bind address. This also sets the default
RMI service bind address. Empty == all addresses-->
<attribute name="BindAddress">${jboss.bind.address}</attribute>
<!-- The port of the RMI naming service, 0 == anonymous -->
<attribute name="RmiPort">1098</attribute>
<!-- The RMI service bind address. Empty == all addresses
-->
<attribute name="RmiBindAddress">${jboss.bind.address}</attribute>
<!-- The thread pool service used to control the bootstrap lookups -->
<depends optional-attribute-name="LookupPool"
proxy-type="attribute">jboss.system:service=ThreadPool</depends>
<!-- An example of using the unifed invoker as the transport.
<depends optional-attribute-name="InvokerProxyFactory"
proxy-type="attribute">jboss:service=proxyFactory,type=unified,target=Naming</depends>
-->
<depends optional-attribute-name="Naming"
proxy-type="attribute">jboss:service=NamingBeanImpl</depends>
</mbean>
Configuring the JavaMail service
• Configured by deploy/mail-service.xml
• Shared connection information for sending email messages over SMTP
• Can also configure the defaults for receiving mail over POP/IMAP4
• Can enable debugging to STDOUT
<?xml version="1.0" encoding="UTF-8"?>
<!-- $Id: mail-service.xml 62349 2007-04-15 16:48:15Z [email protected] $ -->
<server>
  <!-- ==================================================================== -->
  <!-- Mail Connection Factory -->
  <!-- ==================================================================== -->
  <mbean code="org.jboss.mail.MailService"
         name="jboss:service=Mail">
    <attribute name="JNDIName">java:/Mail</attribute>
    <attribute name="User">nobody</attribute>
    <attribute name="Password">password</attribute>
    <attribute name="Configuration">
      <!-- A test configuration -->
      <configuration>
        <!-- Change to your mail server protocol -->
        <property name="mail.store.protocol" value="pop3"/>
        <property name="mail.transport.protocol" value="smtp"/>
        <!-- Change to the user who will receive mail -->
        <property name="mail.user" value="nobody"/>
        <!-- Change to the mail server -->
        <property name="mail.pop3.host" value="pop3.nosuchhost.nosuchdomain.com"/>
        <!-- Change to the SMTP gateway server -->
        <property name="mail.smtp.host" value="smtp.nosuchhost.nosuchdomain.com"/>
        <!-- The mail server port -->
        <property name="mail.smtp.port" value="25"/>
        <!-- Change to the address mail will be from -->
        <property name="mail.from" value="[email protected]"/>
        <!-- Enable debugging output from the javamail classes -->
        <property name="mail.debug" value="false"/>
      </configuration>
    </attribute>
    <depends>jboss:service=Naming</depends>
  </mbean>
</server>
In the application’s WEB-INF/web.xml
<resource-ref>
<description>Default Mail Session</description>
<res-ref-name>mail/Session</res-ref-name>
<res-type>javax.mail.Session</res-type>
<res-auth>Container</res-auth>
</resource-ref>
In the application’s WEB-INF/jboss-web.xml
<jboss-web>
<resource-ref>
<res-ref-name>mail/Session</res-ref-name>
<res-type>javax.mail.Session</res-type>
<jndi-name>java:/Mail</jndi-name>
</resource-ref>
</jboss-web>
Java Messaging Service
• Framework for reliable sync/async communication between distributed components
• Guaranteed push-based delivery
• Peer to peer: one to one, one to many, many to many
• In J2EE, JMS:
 - Allows loosely coupled, reliable, asynchronous interactions among J2EE components and legacy systems capable of messaging
 - Application clients, EJBs, and web components can send and receive JMS messages
 - Message-driven beans enable the async consumption of messages, making it easy to plug new business event handlers into an existing deployment
 - Message send and receive operations can participate in distributed transactions, which allow JMS operations and database accesses to take place within a single transaction.
When is JMS used
• Having no dependency between components is important: neither a compile-time dependency nor a runtime dependency (components run independently)
• Need asynchronous yet reliable communication
[Diagram labels: Inventory, Factory, Parts Inventory, Accounting]
JMS Architecture
• JMS clients are the programs or components written in the Java programming language that produce and consume messages.
• A JMS provider is the messaging system that implements the JMS interfaces and provides administrative and control features.
• Messages are the objects that communicate information between JMS clients.
[Diagram: Administrative Tool, JNDI, JMS Client and JMS Provider, connected by "bind", "lookup" and "logical connection"]
JMS Messaging Domains
JMS Queue
• Point To Point
• A sender sends message addressed to a specific queue.
• A receiver consumes the message from the queue established to hold its messages
• Queues retain all messages sent to them until the messages are consumed or the messages expire
• Each message has only one consumer
• The sender and receiver of a message have no timing dependency. A receiver can fetch the message whether or not it was running when the client sent the message.
• The receiver acknowledges the successful processing of a message
[Diagram: JMS Client1 (Producer) sends a message; JMS Client2 (Consumer) consumes the message and acknowledges]
JMS Messaging Domains
JMS Topic
• Publish and Subscribe
• Publisher clients publish messages to one or more message topics
• Subscriber clients subscribe to one or more message topics and receive messages when they are sent to them.
• The topics hold the messages as long as it takes to deliver them to all currently subscribed clients
• Each message can have multiple consumers
• Publishers and subscribers have a timing dependency. A client that subscribes to a topic can consume only messages published after the client has created a subscription, and the subscriber must continue to be active in order for it to consume messages
[Diagram: JMS Client1 (Publisher) publishes a message; JMS Client2 (Subscriber) subscribes and the message is delivered to it]
JMS Message Consumption
• Synchronous: A subscriber or a receiver explicitly fetches the message from the destination by calling the blocking receive method
• Asynchronous: A client can register a message listener with a consumer. Whenever a message arrives at the destination, the JMS provider delivers the message by calling the listener's onMessage method, which acts on the contents of the message.
JMS on JBoss
• JMS Services
• Invocation layer: bidirectional communication
• Security manager: enforces ACLs to guard access to destinations
• Destination manager: central service of MQ
• Message cache: messages waiting for pickup
• State manager: logins, durable subscriptions
• Persistence manager: persists to JDBC
• Destinations: queues, topics
Logging Service
• Logging is controlled from a central conf/log4j.xml file.
• This file defines a set of appenders, specifying the log files, what categories of messages should go there, the message format and the level of filtering. By default, JBoss produces output to both the console and a log file (server.log in the log directory)
• There are 4 basic log levels used: DEBUG, INFO, WARN and ERROR.
• The logging threshold on the console is INFO, which means that you will see informational messages, warning messages and error messages on the console but not general debug messages.
Logging Service
• In contrast, there is no threshold set for the server.log file, so all generated logging messages will be logged there.
• Also, just because the logging threshold allows debug messages to be displayed, that doesn't mean that all of JBoss will produce detailed debug information for the log file. You will also have to boost the logging limits set for individual categories.
• E.g.:
<!-- Limit JBoss categories to INFO -->
<category name="org.jboss">
  <priority value="INFO"/>
</category>
• This limits the level of logging to INFO for all JBoss classes, apart from those which have more specific overrides provided. If you were to change this to DEBUG, it would produce much more detailed logging output.
Logging Example
• Another example: redirecting the output from one component to a particular file.
<appender name="CMP" class="org.jboss.logging.appender.RollingFileAppender">
  <errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
  <param name="File" value="${jboss.server.home.dir}/log/cmp.log"/>
  <param name="Append" value="false"/>
  <param name="MaxFileSize" value="500KB"/>
  <param name="MaxBackupIndex" value="1"/>
  <layout class="org.apache.log4j.PatternLayout">
    <param name="ConversionPattern" value="%d %-5p [%c] %m%n"/>
  </layout>
</appender>
<category name="org.jboss.ejb.plugins.cmp">
  <priority value="DEBUG" />
  <appender-ref ref="CMP"/>
</category>
• You will notice that the log directory also contains HTTP request logs, which are produced by the web container.
Database Connectivity (Connecting JBoss AS with an RDBMS with connection pooling)
Steps Involved
• Resource references in web apps requiring connectivity to an RDBMS
• Providing RDBMS resources (connection pools) in the server
 - Installing the JDBC driver
 - Defining RDBMS resources
 - Mapping resources to resource references
Web applications that need the services of a relational database can connect to it:
 - By managing their own connections
 - By having the server manage a shared database connection pool
Management of database connections in web applications:
 - Bloats the code
 - Requires more testing
 - Requires separate configuration for each web app
 - Is slow if connections are not pooled
 - Is inefficient and limiting if the connections are pooled, because there would be a separate pool for each web app with potentially many idle connections
Steps Involved (contd.)
Having the server manage the database connections:
 - Simplifies configuration and maintenance (single file to edit)
 - Is faster because the connections are pooled
 - Utilizes the connections well as they are shared
Resource Requirement
In a web app's WEB-INF/web.xml file
<web-app ..>
<resource-ref>
<description>DB Connection</description>
<res-ref-name>jdbc/NorthwindDB</res-ref-name>
<res-type>javax.sql.DataSource</res-type>
<res-auth>Container</res-auth>
</resource-ref>
</web-app>
Defines an application's requirement for a container-managed
resource
Installing JDBC Driver
• The JDBC driver is what enables Java applications to talk to a specific RDBMS, such as MySQL, DB2, Oracle, etc.
• Download the JDBC driver from the database vendor
• Copy the driver JAR into the directory ${jboss.server.lib.url}
Defining database Resources
• Create deploy/northwind-ds.xml
<datasources>
  <local-tx-datasource>
    <jndi-name>NorthwindDS</jndi-name>
    <connection-url>jdbc:mysql://localhost:3306/Northwind?autoReconnect=true</connection-url>
    <driver-class>com.mysql.jdbc.Driver</driver-class>
    <user-name>northwind</user-name>
    <password>secret</password>
  </local-tx-datasource>
</datasources>
Defining database Resources (contd.)
Some other common elements:
• min-pool-size: the minimum number of pooled database connections. Initialized when the pool is first accessed.
• max-pool-size: the maximum number of pooled connections. Once this limit is reached, clients block. Defaults to 20.
• blocking-timeout-millis: the maximum blocking time (in ms) while waiting for an available connection before timing out by throwing an exception. Defaults to 5000ms.
• idle-timeout-minutes: the maximum time (in minutes) before idle connections are closed.
Resource Mapping
• In the WEB-INF/jboss-web.xml file
<jboss-web>
  <resource-ref>
    <description>JDBC Connection</description>
    <res-ref-name>jdbc/NorthwindDB</res-ref-name>
    <res-type>javax.sql.DataSource</res-type>
    <jndi-name>java:/NorthwindDS</jndi-name>
  </resource-ref>
</jboss-web>
Maps the application's resource references to the real resources provided by JBoss AS
Security
Securing Applications
Securing JBoss AS
Securing Applications
• Filtering clients by source IP address
• Requiring authentication and authorization
• Data transport integrity and confidentiality (SSL)
Filtering Clients by Source
• Limit access to web applications by client IP or hostname
• Configured through Tomcat valves
 - Different levels: <Engine> (global), <Host> (per virtual host), <Context> (per web application)
To limit access, add the desired <Valve> in <Engine> or <Host> within the \default\deploy\jboss-web.deployer\server.xml file:
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="192.168.* , 127.*" />
<Valve className="org.apache.catalina.valves.RemoteHostValve" allow="smtphost.com" />
Limiting per web application can be done through Tomcat by creating a <Context> file in /deploy/<app.war>/WEB-INF/context.xml:
<Context>
  <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="192.168.* , 127.*" />
</Context>
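How the allow patterns above behave, as an added example that is not part of the original slides or of Tomcat: it assumes the valve treats each comma-separated entry as a regular expression that must match the whole address or host name, as the Tomcat 5.5/6.0 documentation describes, and shows that an unescaped dot is a wildcard. The function names and sample client values are constructed for this illustration.

```python
import re

# Patterns exactly as written on the slide.
PAGE_ADDR_ALLOW = "192.168.* , 127.*"
PAGE_HOST_ALLOW = "smtphost.com"


def split_patterns(attr):
    """Split a valve allow/deny attribute into its comma-separated patterns."""
    return [p.strip() for p in attr.split(",") if p.strip()]


def is_allowed(client, allow_attr):
    """Assumed valve behaviour: allowed if any pattern matches the whole value."""
    return any(re.fullmatch(p, client) for p in split_patterns(allow_attr))


def escape_lone_dots(pattern):
    """Escape every '.' that is not already escaped and not part of '.*', '.+',
    '.?' or '.{n}', so that it matches a literal dot only."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            out.append(pattern[i:i + 2])      # keep existing escapes untouched
            i += 2
            continue
        nxt = pattern[i + 1] if i + 1 < len(pattern) else ""
        if ch == "." and nxt not in ("*", "+", "?", "{"):
            out.append("\\.")
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def lint_allow(attr):
    """Map each pattern that contains a wildcard dot to its stricter form."""
    return {p: escape_lone_dots(p)
            for p in split_patterns(attr) if escape_lone_dots(p) != p}


if __name__ == "__main__":
    # Constructed client values, not taken from any real log.
    for client in ("192.168.10.7", "127.0.0.1", "10.1.2.3"):
        print(client, is_allowed(client, PAGE_ADDR_ALLOW))
    for host in ("smtphost.com", "smtphostxcom"):
        print(host, is_allowed(host, PAGE_HOST_ALLOW),
              is_allowed(host, escape_lone_dots(PAGE_HOST_ALLOW)))
    print(lint_allow(PAGE_ADDR_ALLOW), lint_allow(PAGE_HOST_ALLOW))
```

Running the lint over each allow and deny attribute before deploying server.xml or context.xml catches patterns that accept more than the literal name they appear to spell.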
Filtering Clients by Source (contd.)
• Configured through a servlet filter
 - Servlet filters are J2EE AS independent
Configure a servlet filter in the /WEB-INF/web.xml file:
<filter>
  <filter-name>RemoteHostFilter</filter-name>
  <filter-class>org.jboss.remotehostfilter.RemoteHostFilter</filter-class>
  <init-param>
    <param-name>allow</param-name>
    <param-value>192.168.*</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>RemoteHostFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
Authentication and Authorization
• JAAS: Java Authentication and Authorization Service
• Support for single sign-on
• Role-based access control
• Separate business logic from A&A
• Declarative (XML based), not hard coded
Requiring A&A
Adding a security-constraint in web.xml:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Tell Fortune Servlet</web-resource-name>
    <url-pattern>/tellFortune</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>customer</role-name>
  </auth-constraint>
</security-constraint>
Requiring A&A (contd.)
Adding login configuration:
<web-app ...>
  .....
  <security-constraint>
    ....
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Customers Only</realm-name>
  </login-config>
  ...
</web-app>
In this case we used HTTP BASIC authentication, which sends the password unencrypted and so should be combined with SSL. Other options are DIGEST, FORM, etc.
Requiring A&A (contd.)
Declaring security roles:
<web-app ...>
  .....
  <security-constraint>
    ....
    <auth-constraint>
      <role-name>customer</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>...</login-config>
  <security-role>
    <role-name>customer</role-name>
  </security-role>
</web-app>
Plain-Text login module
• Already enabled by default
• WEB-INF/classes/users.properties
 mike=123
 john=1234
• WEB-INF/classes/roles.properties
 mike=customer
 john=manager
The properties files are loaded during initialization of the context class loader. Placing these files in the deploy/<app>/WEB-INF/classes directory makes them unique to that specific web application.
Security Service
The security domain information is stored in the file \server\default\conf\login-config.xml
as a list of named security domains, each of which specifies a
number of JAAS login modules which are used for authentication purposes in that
domain.
• Eg: jmx-console (since everything is controlled through it, you may need to
secure it). To protect this application we will add a security domain to cover it.
<application-policy name = "jmx-console">
<authentication>
<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
flag="required">
<module-option name="usersProperties">props/jmx-console-users.properties</module-option>
<module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
</login-module>
</authentication>
</application-policy>
Link to Security Domain
• Go to the jmx-console.war/WEB-INF/ directory and edit jboss-web.xml.
• Uncomment the security-domain element in that file, as shown below.
<jboss-web>
<security-domain>java:/jaas/jmx-console</security-domain>
</jboss-web>
This links the security domain to the web application, but it doesn't tell the web application what security policy to enforce.
• To configure this, go to the web.xml file in the same directory and uncomment the security-constraint that is already there.
Adding Security
<!--
A security constraint that restricts access to the HTML JMX console
to users with the role JBossAdmin. Edit the roles to what you want and
uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
secured access to the HTML JMX console.
-->
<security-constraint>
<web-resource-collection>
<web-resource-name>HtmlAdaptor</web-resource-name>
<description>
An example security config that only allows users with the
role JBossAdmin to access the HTML JMX console web application
</description>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>JBossAdmin</role-name>
</auth-constraint>
</security-constraint>
Adding Security
• Where are the usernames, passwords and roles stored?
• The configuration is stored in conf/login-config.xml.
<application-policy name="jmx-console">
<authentication>
<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
<module-option name="usersProperties">
props/jmx-console-users.properties
</module-option>
<module-option name="rolesProperties">
props/jmx-console-roles.properties
</module-option>
</login-module>
</authentication>
</application-policy>
Adding Security
• These files are located in the conf directory.
– i.e. <jboss-home>/server/default/conf/props/<filename>
– The usernames and passwords are stored in jmx-console-users.properties
in that directory and take the form "username=password".
– To assign a user to the JBossAdmin group add
"username=JBossAdmin" to the jmx-console-roles.properties file.
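The chain set up on the preceding slides (jboss-web.xml, then login-config.xml, then the two properties files) can be checked mechanically. The following Python check is an added example, not part of the original slides or of JBoss; the sample file contents, the function names and the password-equals-username rule are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs, modeled on the files named on this page.
JBOSS_WEB = "<jboss-web><security-domain>java:/jaas/jmx-console</security-domain></jboss-web>"
LOGIN_CONFIG = """<policy>
  <application-policy name="jmx-console">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
        <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
        <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>"""
USERS = "alice=alice\nbob=S3parate-Value\n"       # username=password (constructed)
ROLES = "alice=JBossAdmin\ncarol=JBossAdmin\n"    # username=role[,role] (constructed)


def parse_props(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    lines = (l for l in text.splitlines() if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in (l.split("=", 1) for l in lines)}


def check_domain(jboss_web, login_config, users, roles, required_role):
    """Return sorted findings about the security-domain wiring (hypothetical helper)."""
    findings = []
    domain = ET.fromstring(jboss_web).findtext("security-domain", "").strip()
    name = domain.rsplit("/", 1)[-1]              # java:/jaas/<name>
    policies = {p.get("name") for p in ET.fromstring(login_config).findall("application-policy")}
    if name not in policies:
        # Without a matching entry JBoss falls back to the policy named "other".
        findings.append(f"no application-policy named {name!r}")
    users, roles = parse_props(users), parse_props(roles)
    for user in roles.keys() - users.keys():
        findings.append(f"role mapping for unknown user {user!r}")
    for user, password in users.items():
        if password == user:
            findings.append(f"password equals username for {user!r}")
    if not any(required_role in r.split(",") for u, r in roles.items() if u in users):
        findings.append(f"no valid user holds role {required_role!r}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in check_domain(JBOSS_WEB, LOGIN_CONFIG, USERS, ROLES, "JBossAdmin"):
        print(finding)
```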
Securing Passwords
•Configure hashed passwords in conf/login-config.xml
<login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
.....
<module-option name="hashAlgorithm">MD5</module-option>
<module-option name="hashEncoding">hex</module-option>
</login-module>
•Change the user.properties file to contain the encoded password
•To compute MD5
• On LINUX run: echo -n <password> | md5sum
• On WINDOWS run: md5.exe -d<password>
Enabling SSL
• Use the keytool utility shipped with the JDK to generate a keystore file
• keytool -genkey -alias tomcat -keyalg RSA
• Copy the .keystore file to <Jboss-Home>/server/default/conf. Rename it to ssl.keystore
• Uncomment the following from \server\default\deploy\jboss-web.deployer\server.xml
<!-- SSL/TLS Connector configuration using the admin devl guide keystore
<Connector port="8443" address="${jboss.bind.address}"
maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
emptySessionPath="true"
scheme="https" secure="true" clientAuth="false"
keystoreFile="${jboss.server.home.dir}/conf/ssl.keystore"
keystorePass="rmi+ssl" sslProtocol="TLS" />
-->
• Also change the path of the keystore file to the appropriate location
Requiring SSL in Apps
•Add within a <security-constraint> element in the WEB-INF/web.xml file.
<user-data-constraint>
<description>Require SSL</description>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
The element <transport-guarantee> can be
NONE, INTEGRAL or CONFIDENTIAL. The INTEGRAL and CONFIDENTIAL
values indicate that the use of SSL is required.
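An added example, not from the original slides: a Python audit of a web.xml for the settings covered above (security-constraint, security-role, login-config, transport-guarantee). It also flags constraints that list <http-method> elements, because under the Servlet specification such a constraint applies only to the listed methods; the sample web.xml and all function and check names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modeled on the JMX console fragments shown on this page.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""


def text(node, path, default=""):
    """Stripped text of the first match for path, or default."""
    return (node.findtext(path) or default).strip()


def audit_web_xml(xml_text):
    """Return (check_id, detail) findings; the check ids are hypothetical."""
    root = ET.fromstring(xml_text)
    for el in root.iter():                     # tolerate a namespaced web-app
        el.tag = el.tag.rsplit("}", 1)[-1]
    declared = {(r.text or "").strip() for r in root.findall("security-role/role-name")}
    auth = text(root, "login-config/auth-method").upper()
    findings = []
    for sc in root.findall("security-constraint"):
        name = text(sc, "web-resource-collection/web-resource-name", "?")
        methods = [(m.text or "").strip()
                   for m in sc.findall("web-resource-collection/http-method")]
        if methods:  # a constraint that lists methods covers only those methods
            findings.append(("METHOD_GAP", f"{name}: only {','.join(methods)} constrained"))
        roles = [(r.text or "").strip() for r in sc.findall("auth-constraint/role-name")]
        for role in roles:
            if role != "*" and role not in declared:
                findings.append(("UNDECLARED_ROLE", f"{name}: {role}"))
        guarantee = text(sc, "user-data-constraint/transport-guarantee", "NONE")
        if roles and auth in ("BASIC", "FORM") and guarantee == "NONE":
            findings.append(("CLEARTEXT_LOGIN", f"{name}: {auth} without SSL guarantee"))
    return findings


if __name__ == "__main__":
    for check, detail in audit_web_xml(SAMPLE_WEB_XML):
        print(check, detail)
```

On the sample, the audit reports all three findings; removing the <http-method> elements, declaring the role in <security-role> and adding a CONFIDENTIAL transport guarantee clears them.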
Securing JBoss AS
•Running JBoss AS with low privileges
•File system security
•Securing console applications like JMX
•Securing other JBoss AS services
•Running with the Java Security Manager
•Running behind a firewall
JBoss AS system User
• Do not run JBoss AS as root/Administrator
-Deployed applications and services run
with the same privilege as JBoss AS
itself
-Create a low-privileged JBoss system
user
•JBoss, being a Java app, cannot switch its effective user id after
starting
--Running without root privileges forces you to use ports >=1024
on a UNIX/LINUX system
--Front JBoss AS with a web server (like Apache HTTPD) or
set up firewall-based port forwarding for access over the default
HTTP(S) ports: 80, 443.
Performance Tuning
• Tomcat
• jbossweb-tomcat5.sar/server.xml
<Connector port="8080" address="${jboss.bind.address}"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" redirectPort="8443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true"/>
– You should have enough threads (maxThreads) to handle (rule of thumb) 25% more than your maximum expected load (concurrent hits coming in at once)
– You should have minSpareThreads equal just a little more than your normal load
– You should have maxSpareThreads equal just a little more than your peak load
– minSpareThreads means "on start up, always keep at least this many threads waiting idle"
– maxSpareThreads means "if we ever go above minSpareThreads then always keep maxSpareThreads waiting idle"
Performance-Log4J
• Logging has a profound effect on performance. Changing the logging level to TRACE can bring the JBossAS to a crawl. Changing it to ERROR (or WARN) can speed things up dramatically.
• By default, JBoss logs both to the console and server.log and by default it uses level "INFO".
• To turn off console logging:
• Edit server/slim/conf/log4j.xml
• Change the following XML fragment:
<root>
<appender-ref ref="CONSOLE"/>
<appender-ref ref="FILE"/>
</root>
• make it read
<root>
<appender-ref ref="FILE"/>
</root>
• Finally, the most important thing in log4j: make sure you limit the logging
level on your own class hierarchy.
<!-- Limit my.package category to INFO -->
<category name="my.package">
<priority value="INFO"/>
</category>
Slimming
• JavaMail
• Remove the services which are not being used.
• When not using the mail-service (J2EE standard JavaMail client)
• remove server/deploy/mail-service.xml
• remove server/lib/mail* (mail-plugin.jar, mail.jar - JavaMail stuff)
• remove server/lib/activation.jar (Java Activation Framework is used by
JavaMail)
• J2EE Client deployer service
• When not using the J2EE client deployer service
• remove server/deploy/client-deployer-service.xml
Slimming
• HAR Deployer
• When not using the integrated HAR deployer and Hibernate session management services
• remove server/deploy/hibernate-deployer-service.xml (HAR support)
• remove server/lib/jboss-hibernate.jar (HAR support)
• remove server/lib/hibernate2.jar (Hibernate itself)
• remove server/lib/cglib-full-2.0.1.jar (used by Hibernate to create proxies of POJOs)
• remove server/lib/odmg-3.0.jar
• HSQL
• When not using Hypersonic (which you should not in production)
• remove server/deploy/hsqldb-ds.xml
• remove server/lib/hsqldb-plugin.jar
• remove server/lib/hsqldb.jar
• Remember Jboss MQ by default uses HSQL. So sometimes you may need to configure it with some other database.
Slimming
• JBossMQ
• remove the entire server/deploy/jms directory
• remove server/lib/jbossmq.jar
• HTTPInvoker (which lets you tunnel RMI over HTTP)
• remove the entire server/deploy/http-invoker.sar directory
• JMX-Console
• remove server/slim/deploy/jmx-console.war
• If you do not need to make JMX calls over RMI (warning: shutdown.sh DOES do this)
• remove server/deploy/jmx-invoker-adaptor-server.sar
• remove server/deploy/jmx-adaptor-plugin.jar
• or you may want to just secure the JMX invoker-adaptor instead
• EAR Deployer
• If you do not need to be able to deploy EAR files
• open server/conf/jboss-service.xml in the vi editor
• remove/comment the following XML fragment from under the MBean declared with code="org.jboss.management.j2ee.LocalJBossServerDomain":
<attribute name="EARDeployer">jboss.j2ee:service=EARDeployer</attribute>
• and
<!-- EAR deployer, remove if you are not using Web layers -->
<mbean code="org.jboss.deployment.EARDeployer" name="jboss.j2ee:service=EARDeployer">
</mbean>
High Availability and Scaling
Fronting with Apache HTTPD
Load Balancing
Clustering
Requirements
•Fault Tolerance
--Reliability
--Uptime Guarantee
•Stable Throughput – Scalability
--Provide consistent response times in light of increased system load
•Manageability of Servers
-- Server upgrade with no service interruptions
Simple Web Architecture
[Diagram: three clients, the Internet, one JBoss AS, two databases]
This architecture is not scalable. Additional users can only be handled by
improving the performance of the server (e.g. additional CPUs, more memory).
No fault tolerance. If the JBoss AS goes down, the entire service becomes
unavailable.
Clustering Web Architecture
[Diagram: three clients, the Internet, a web server, two JBoss AS nodes, two databases]
Add one or many web servers to balance the load to multiple JBoss AS
nodes, typically running on separate physical servers.
Additional user load can be handled by adding another JBoss AS.
If any one of the JBoss AS nodes fails, the service is still available through
the other JBoss AS.
Fronting with a Web Server
• Scalability and High Availability: Load balancing
and fail over
• Security: Web servers are simpler and easier to
protect
• Stability: More robust
Fronting with Apache HTTPD
[Diagram: Client, Apache HTTPD Server (HTTP/S, ports 80/443), JBoss AS (AJP1.3, port 8009), Database, Legacy System]
Install and set up Apache HTTPD
Install and configure mod_jk on Apache
The AJP connector on JBoss AS is already enabled in jboss-web.deployer/server.xml
Installing mod_jk
• Download latest mod_jk(binary or source) from:
http://tomcat.apache.org/connectors-doc/
• Save it as <apache-dir>/modules/mod_jk.so
• Include its configuration file in
<apache-dir>/conf/httpd.conf:
Include conf/jk.conf
configuring mod_jk
• Define a Jboss AS instance in:
<apache-dir>/conf/workers.properties:
worker.jboss1.type=ajp13
worker.jboss1.host=127.0.0.1
worker.jboss1.port=8009
worker.list=jboss1
Special directive worker.list exports all declared workers for use in the Apache HTTPD
configuring mod_jk cont..
• Create <apache-dir>/conf/jk.conf
LoadModule jk_module modules/mod_jk.so
jkWorkersFile conf/workers.properties
jkLogFile logs/jk.log
jkLogLevel INFO
jkMount /jmx-console/* jboss1
jk.conf is then included in httpd.conf:
Include conf/jk.conf
The worker jboss1 comes from the workers.properties file; it can be used here because it was
exported by the worker.list directive
Simple Load Balancing
• Set up another Jboss Instance
-- Use run.sh -Djboss.bind.address=<ip> to run
instances on different IPs but the same ports
• Define it in workers.properties:
worker.jboss2.type=ajp13
worker.jboss2.host=192.168.1.149
worker.jboss2.port=8009
Define a new load balancing worker:
worker.jboss.type=lb
worker.jboss.balance_workers=jboss1,jboss2
• Export the load balancing worker:
worker.list=jboss
<apache-dir>/conf/workers.properties file
worker.jboss1.type=ajp13
worker.jboss1.host=127.0.0.1
worker.jboss1.port=8009
worker.list=jboss1
worker.jboss2.type=ajp13
worker.jboss2.host=192.168.1.149
worker.jboss2.port=8009
worker.jboss.type=lb
worker.jboss.balance_workers=jboss1,jboss2
worker.list=jboss
Simple Load Balancing
• Deploy fortune.war on both the instances.
• Change conf/jk.conf
jkMount /jmx-console/* jboss
jkMount /fortune/* jboss
• Start both the JBoss instances and Apache HTTPD
• The updated jk.conf looks like:
LoadModule jk_module modules/mod_jk.so
jkWorkersFile conf/workers.properties
jkLogLevel INFO
jkMount /jmx-console/* jboss
jkMount /fortune/* jboss
Note that we are no longer jkMount-ing jboss1 (or jboss2). We can only use the new load
balancer worker called jboss because that is the one exported by worker.list in the
conf/workers.properties file.
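The rule in the note above (a JkMount may only name a worker exported by worker.list) is easy to break when workers are added or renamed. The following Python cross-check of workers.properties against jk.conf is an added example, not part of the original slides or of mod_jk; the sample file contents and function names are constructed, and the sample deliberately mounts /fortune/* on jboss1 to show a finding.

```python
import re

# Constructed sample files, modeled on the page's load-balancing configuration.
WORKERS = """
worker.jboss1.type=ajp13
worker.jboss1.host=127.0.0.1
worker.jboss1.port=8009
worker.jboss2.type=ajp13
worker.jboss2.host=192.168.1.149
worker.jboss2.port=8009
worker.jboss.type=lb
worker.jboss.balance_workers=jboss1,jboss2
worker.list=jboss
"""
JK_CONF = """
JkWorkersFile conf/workers.properties
JkMount /jmx-console/* jboss
JkMount /fortune/* jboss1
"""


def parse_workers(text):
    """Return (exported worker names, {worker: {property: value}})."""
    exported, workers = [], {}
    for line in text.splitlines():
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep or key.startswith("#"):
            continue
        if key == "worker.list":          # may be given more than once; values accumulate
            exported += [w.strip() for w in value.split(",") if w.strip()]
        else:
            _, name, prop = key.split(".", 2)
            workers.setdefault(name, {})[prop] = value
    return exported, workers


def check_mounts(workers_text, jk_conf_text):
    """List balancer members that are undefined and mounts on unexported workers."""
    exported, workers = parse_workers(workers_text)
    problems = []
    for name in exported:
        for member in workers.get(name, {}).get("balance_workers", "").split(","):
            member = member.strip()       # only ajp13 members are used on this page
            if member and workers.get(member, {}).get("type") != "ajp13":
                problems.append(f"{name}: balance member {member} is not a defined ajp13 worker")
    for path, target in re.findall(r"(?im)^\s*JkMount\s+(\S+)\s+(\S+)", jk_conf_text):
        if target not in exported:
            problems.append(f"JkMount {path} -> {target}: worker not exported by worker.list")
    return problems
```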