From: Carlos Q. <car...@ge...> - 2002-02-08 16:08:43
Hi

Funny, I was going to ask if you wanted to add SSL to the RMI connector :-)

>Hi (Carlos especially),
>
>I'm implementing an RMI over SSL adaptor, and I wanted to share some ideas, since SSL is also used for the HTTP adaptor.
>
>I like very much the idea of having an SSL server socket factory (SSF) as an MBean, given the huge amount of parameters required to set up an SSL SSF.
>Furthermore it will be easy to improve it to support client authentication also, not only server authentication.
>
>Given so, every time I need an HTTP adaptor over SSL, I register an SSL SSF and then register the HTTP adaptor, passing it the object name of the SSL SSF in String form.
>Now it is not like this (no big deal) but instead the SSL SSF is passed as a Java object as an attribute. This of course implies that it is not possible to stop the HTTP adaptor, change the file from where key information is read for SSL (in the SSL SSF MBean), and restart the HTTP adaptor from a management application (such as the HTTP adaptor itself, for example :).

We can add that.

>I would like to do the same for the RMI adaptor or, to be precise, the JRMP adaptor (IIOP still does not support SSL from the Java API).
>So basically I register an SSL SSF with its own parameters, then register the JRMP adaptor, I will pass it the object name of the SSL SSF MBean, and start it.
>
>Any comment on the above schema?

I definitely support it and clearly suggest using a common SSF.

>I find it cleaner than having an RMI adaptor MBean with a *lot* of parameters specifying the port for RMI, the key file and so on; we specify SSL parameters to the SSL MBean and RMI parameters to the RMI MBean, and a pointer to the SSL MBean if we want to have RMI over SSL. Same for the HTTP adaptor.
>It will also be very good when server applications are specified in MLet files, since constructors will take fewer parameters.
>
>If the above is good, then I propose:
>
>1) to move the AdaptorSocketFactory from openjmx.adaptor.http to openjmx.adaptor.
>2) to change its name to AdaptorServerSocketFactory.
>3) to remove setParameters
>4) to change createServerSocket() to createServerSocket(int port, int backlog, String hostName);
>5) to move SSLFactory from openjmx.adaptor.http.ssl to openjmx.adaptor.ssl
>6) to change its name to SSLAdaptorServerSocketFactory
>7) to change its implementation following 3) and 4)
>8) to change accordingly the management interface (now SSLFactoryMBean)
>9) to move DefaultSocketFactory from openjmx.adaptor.http to openjmx.adaptor
>10) to rename it Plain(Default)AdaptorServerSocketFactory
>11) to change its implementation following 3) and 4)
>
>About 3 and 4, I find it easier to have only one method, and it is the schema used in all the other socket factories present in libraries such as jdk and jsse.
>About 10, I prefer Plain, since it is used also in jdk (the implementation class for Socket is PlainSocketImpl).

I agree with all your changes and it is OK if you make the changes. I'm in a big hurry now. Would you make the changes to the HTTPAdaptor too?

>
>I am deeply on it, so I can do all the changes above and commit by the beginning of next week.
>
>Comments are welcome.
>
>Cheers,
>
>Simon
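
The scheme discussed in this thread, as an added Java sketch that is not OpenJMX code and not part of either message: the SSL parameters live in the factory MBean, and the adaptor holds only the factory's object name. The type names and the createServerSocket signature come from the proposal; the attribute names, the AdaptorSide helper, the backlog of 50 and the use of current JSSE APIs are assumptions, and the types are package-private only so the sketch fits in one file.

```java
import java.io.FileInputStream;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.security.KeyStore;
import javax.management.MBeanServer;
import javax.management.ObjectName;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;

// Single-method factory, points 3) and 4) of the proposal.
interface AdaptorServerSocketFactory {
    ServerSocket createServerSocket(int port, int backlog, String hostName) throws Exception;
}
// Management interface; the attribute names are assumptions.
interface SSLAdaptorServerSocketFactoryMBean extends AdaptorServerSocketFactory {
    void setKeyStoreName(String path);
    void setKeyStorePassword(String password);
    void setNeedClientAuth(boolean needed);
}

class SSLAdaptorServerSocketFactory implements SSLAdaptorServerSocketFactoryMBean {
    private String keyStoreName;
    private char[] keyStorePassword = new char[0];
    private boolean needClientAuth;
    public void setKeyStoreName(String path) { keyStoreName = path; }
    public void setKeyStorePassword(String password) { keyStorePassword = password.toCharArray(); }
    public void setNeedClientAuth(boolean needed) { needClientAuth = needed; }
    // Re-reads the key store on each call, so a changed file is picked up on adaptor restart.
    public ServerSocket createServerSocket(int port, int backlog, String hostName) throws Exception {
        KeyStore keys = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(keyStoreName)) { keys.load(in, keyStorePassword); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keys, keyStorePassword);
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(kmf.getKeyManagers(), null, null); // nulls: default trust managers and RNG
        SSLServerSocket socket = (SSLServerSocket) context.getServerSocketFactory()
                .createServerSocket(port, backlog, InetAddress.getByName(hostName));
        socket.setNeedClientAuth(needClientAuth); // require a client certificate when set
        return socket;
    }
}
// Adaptor side (hypothetical helper): holds only the factory's ObjectName and asks the MBeanServer for the socket.
class AdaptorSide {
    static ServerSocket open(MBeanServer server, String factory, int port, String host) throws Exception {
        return (ServerSocket) server.invoke(new ObjectName(factory), "createServerSocket",
                new Object[] { port, 50, host }, new String[] { "int", "int", "java.lang.String" });
    }
}
```

Because the adaptor resolves the factory by name each time it opens its socket, an operator can stop the adaptor, point the factory MBean at a new key store, and start the adaptor again without re-registering either MBean.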