JMinor Application Framework

As simple as possible but not simpler


Introduction

  • Firewall friendly; uses one-way communication without callbacks and can be configured to serve on a single fixed port
  • Client/server communication is SSL encrypted by default
  • Multithreading is provided by the RMI framework
  • Integrated web server for serving Web Start applications and files, based on Jetty
  • All user authentication is left to the database
  • Comprehensive administration and monitoring facilities
  • Moderate memory and CPU usage

Configuration

Requirements

For a quick introduction to Java RMI see: Java remote method invocation.

A JMinor server requires access to at most four configurable ports: one for the RMI Registry (1099 by default), one for serving clients and one for the server administration interface (a single port can be shared for this purpose). Finally, the server needs access to the DBMS.

SSL setup

By default, the communication channel between client and server is secured using the Secure Sockets Layer (SSL)/Transport Layer Security (TLS) protocols. For how to set up the required SSL keystores and truststores, see Java.net/The New RMI.

Firewall setup

Example iptables entries

#rmi registry
-A INPUT -p tcp --dport 1099 -j ACCEPT
#jminor server port
-A INPUT -p tcp --dport 2222 -j ACCEPT
#jminor server admin port
-A INPUT -p tcp --dport 2223 -j ACCEPT

Demo configuration files

File: resources/server/config/h2_embedded.config

jminor.db.embedded=true
jminor.db.host=./h2db/h2
jminor.db.useOptimisticLocking=true
jminor.db.type=h2
jminor.server.admin.user=scott:tiger
jminor.server.clientLoggingEnabled=true
jminor.server.domain.classes=org.jminor.framework.demos.empdept.domain.EmpDept,\
  org.jminor.framework.demos.petstore.domain.Petstore,\
  org.jminor.framework.demos.chinook.domain.Chinook,\
  org.jminor.framework.demos.world.domain.World
jminor.server.loginProxyClasses=org.jminor.framework.demos.empdept.server.EmpDeptLoginProxy
jminor.server.pooling.initial=scott:tiger
jminor.server.port=2222
jminor.server.admin.port=4444
jminor.server.registryPort=1099
jminor.server.web.documentRoot=.
jminor.server.web.port=8080
java.rmi.server.hostname=localhost
java.rmi.server.randomIDs=true
java.rmi.server.useCodebaseOnly=true
javax.net.ssl.keyStore=config/JMinorServerKeystore
javax.net.ssl.keyStorePassword=crappypass
#when running the shutdown command, we need to be able to connect to the server
javax.net.ssl.trustStore=config/JMinorServerMonitorTruststore
# uncomment when using the notsoserial library, add -javaagent:lib/notsoserial-1.0-SNAPSHOT.jar to launch command
#notsoserial.whitelist=config/notsoserial-whitelist.txt
#notsoserial.useDefaultBlacklist=false

File: resources/server/config/mysql.config

jminor.db.host=localhost
jminor.db.port=3306
jminor.db.sid=mysql
jminor.db.useOptimisticLocking=true
jminor.db.type=mysql
jminor.server.admin.user=scott:tiger
jminor.server.clientLoggingEnabled=true
jminor.server.domain.classes=org.jminor.framework.demos.empdept.domain.EmpDept,\
  org.jminor.framework.demos.petstore.domain.Petstore,\
  org.jminor.framework.demos.chinook.domain.Chinook,\
  org.jminor.framework.demos.world.domain.World
jminor.server.loginProxyClasses=org.jminor.framework.demos.empdept.server.EmpDeptLoginProxy
jminor.server.pooling.initial=scott:tiger
jminor.server.port=2222
jminor.server.admin.port=4444
jminor.server.registryPort=1099
#jminor.server.web.documentRoot=/var/www
java.rmi.server.hostname=localhost
java.rmi.server.randomIDs=true
java.rmi.server.useCodebaseOnly=true
javax.net.ssl.keyStore=config/JMinorServerKeystore
javax.net.ssl.keyStorePassword=crappypass
#when running the shutdown command, we need to be able to connect to the server
javax.net.ssl.trustStore=config/JMinorServerMonitorTruststore
# uncomment when using the notsoserial library, add -javaagent:lib/notsoserial-1.0-SNAPSHOT.jar to launch command
#notsoserial.whitelist=config/notsoserial-whitelist.txt
#notsoserial.useDefaultBlacklist=false

File: resources/server/config/oracle.config

jminor.db.host=localhost
jminor.db.port=1521
jminor.db.sid=xe
jminor.db.useOptimisticLocking=true
jminor.db.type=oracle
jminor.server.admin.user=scott:tiger
jminor.server.clientLoggingEnabled=true
jminor.server.domain.classes=org.jminor.framework.demos.empdept.domain.EmpDept,\
  org.jminor.framework.demos.petstore.domain.Petstore,\
  org.jminor.framework.demos.chinook.domain.Chinook,\
  org.jminor.framework.demos.world.domain.World
jminor.server.loginProxyClasses=org.jminor.framework.demos.empdept.server.EmpDeptLoginProxy
jminor.server.pooling.initial=scott:tiger
jminor.server.port=2222
jminor.server.admin.port=4444
jminor.server.registryPort=1099
#jminor.server.web.documentRoot=/var/www
java.rmi.server.hostname=localhost
java.rmi.server.randomIDs=true
java.rmi.server.useCodebaseOnly=true
javax.net.ssl.keyStore=config/JMinorServerKeystore
javax.net.ssl.keyStorePassword=crappypass
#when running the shutdown command, we need to be able to connect to the server
javax.net.ssl.trustStore=config/JMinorServerMonitorTruststore
# uncomment when using the notsoserial library, add -javaagent:lib/notsoserial-1.0-SNAPSHOT.jar to launch command
#notsoserial.whitelist=config/notsoserial-whitelist.txt
#notsoserial.useDefaultBlacklist=false
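
An added example (not part of the JMinor distribution): a small Python audit for config files like the three above. It flags the demo credentials published on this page, RMI hardening flags that are not set to true, and a keystore that sits under the web document root. `SAMPLE` is a constructed, trimmed copy of h2_embedded.config, and the path check assumes relative paths resolve against the server working directory.

```python
import posixpath

# Constructed sample: a trimmed copy of the demo h2_embedded.config shown above.
SAMPLE = """\
jminor.server.admin.user=scott:tiger
jminor.server.domain.classes=org.jminor.framework.demos.empdept.domain.EmpDept,\\
  org.jminor.framework.demos.petstore.domain.Petstore
jminor.server.pooling.initial=scott:tiger
jminor.server.web.documentRoot=.
java.rmi.server.randomIDs=true
java.rmi.server.useCodebaseOnly=true
javax.net.ssl.keyStore=config/JMinorServerKeystore
javax.net.ssl.keyStorePassword=crappypass
#notsoserial.whitelist=config/notsoserial-whitelist.txt
"""

DEMO_SECRETS = {"scott:tiger", "crappypass", "jminor"}  # values published on this page
CREDENTIAL_KEYS = ("jminor.server.admin.user", "jminor.server.pooling.initial",
                   "javax.net.ssl.keyStorePassword")
MUST_BE_TRUE = ("java.rmi.server.randomIDs", "java.rmi.server.useCodebaseOnly")

def parse_properties(text):
    """Parse key=value lines, honouring '#' comments and trailing-backslash continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        key, _, value = (pending + line).partition("=")
        props[key.strip()], pending = value.strip(), ""
    return props

def audit(text):
    props, findings = parse_properties(text), []
    findings += [f"{k}: demo credential left in place" for k in CREDENTIAL_KEYS
                 if DEMO_SECRETS & {v.strip() for v in props.get(k, "").split(",")}]
    findings += [f"{k}: not set to true" for k in MUST_BE_TRUE
                 if props.get(k, "").lower() != "true"]
    root = props.get("jminor.server.web.documentRoot")
    store = props.get("javax.net.ssl.keyStore")
    if root is not None and store and not posixpath.isabs(store):
        # Assumption: both relative paths resolve against the server working directory.
        rel = posixpath.relpath(posixpath.normpath(store), posixpath.normpath(root))
        if not rel.startswith(".."):
            findings.append(f"keystore {store} lies under web document root {root!r}")
    return findings
```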

Server MySQL example

Configuration arguments for running an SSL-secured JMinor RMI server on port 2222, serving clients data from a MySQL database:

  • java.rmi.server.hostname=server.domain.org, the name of the host on which the server is running
  • java.security.policy=jminor_server.policy, the security policy file, see below
  • jminor.server.connection.sslEnabled=true, enables SSL encryption of client connections
  • javax.net.ssl.keyStore=JMinorServerKeystore, the server keystore file for securing client connections
  • javax.net.ssl.keyStorePassword=jminor, the keystore password
  • jminor.server.clientLoggingEnabled=true, if enabled the server keeps a circular log of the most recent client method calls
  • jminor.server.port=2222, the port used for the client connections
  • jminor.server.registryPort=1099, the port for the RMI registry
  • jminor.db.type=mysql, the database type
  • jminor.db.host=database.domain.org, the database host name
  • jminor.db.port=3306, the port on which the database is accepting connections
  • jminor.db.sid=mysql, the database system identifier
  • jminor.server.pooling.initial=scott:tiger, a comma-separated list of username:password combinations for which connection pools should be established on server startup
  • jminor.server.domain.classes=org.jminor.framework.demos.empdept.domain.EmpDept, a comma-separated list of domain model classes that should be loaded on server startup

Security policy

For general information on the Java security model see: Java security

File: resources/security/jminor_server.policy

grant {
  permission java.io.FilePermission "${user.dir}/logs", "read";
  permission java.io.FilePermission "${user.dir}/logs/-", "read,write,delete";
  permission java.io.FilePermission "${user.dir}/-", "read,write,delete";
  permission java.io.FilePermission "./-", "read,write,delete";
  //Web Start Server document root
  //permission java.io.FilePermission "/home/webstart/-", "read";
 
  //Web Start server port
  permission java.net.SocketPermission "*:8080", "listen";
  permission java.net.SocketPermission "*:8080-", "connect,listen,resolve";
  //Database port
  permission java.net.SocketPermission "*:3306", "connect";
  //Client service port
  permission java.net.SocketPermission "*:2222", "connect,listen";
  //Server admin port
  permission java.net.SocketPermission "*:4444", "connect,listen";
  //RMI Registry
  permission java.net.SocketPermission "*:1099", "connect,listen";
 
  permission java.net.SocketPermission "*", "accept";
  permission java.util.PropertyPermission "*", "read, write";
 
  permission java.lang.RuntimePermission "shutdownHooks";
  //for shutting down ExecutorService instances
  permission java.lang.RuntimePermission "modifyThread";
  //for JasperReports report generation and domain class loading
  permission java.lang.RuntimePermission "createClassLoader";
  permission java.lang.RuntimePermission "getProtectionDomain";
  permission java.lang.RuntimePermission "accessClassInPackage.sun.reflect";
  //for logback
  permission java.lang.RuntimePermission "accessClassInPackage.sun.rmi.transport.proxy";
  permission java.lang.RuntimePermission "accessClassInPackage.sun.rmi.registry";
  permission java.lang.RuntimePermission "accessClassInPackage.sun.rmi.server";
  permission java.lang.RuntimePermission "accessClassInPackage.sun.rmi.transport.tcp";
  permission java.lang.RuntimePermission "accessClassInPackage.sun.net.www.protocol.http";
  permission java.lang.RuntimePermission "accessClassInPackage.sun.net.www.http";
 
  //for jetty, --incomplete, use all_permissions.policy when using the rest server plugin--
  permission java.util.PropertyPermission "*", "read,write";
  permission java.io.FilePermission "${user.dir}${/}-", "read";
  permission java.io.FilePermission "${user.dir}${/}logs${/}*", "read,write,delete";
  permission java.io.FilePermission "${java.io.tmpdir}${/}-", "read,write,delete";
  permission java.security.SecurityPermission "putProviderProperty.SunJSSE";
  permission java.security.SecurityPermission "insertProvider.SunJSSE";
  permission java.lang.RuntimePermission "setSecurityManager";
  permission java.lang.RuntimePermission "createClassLoader";
  permission java.lang.RuntimePermission "setContextClassLoader";
  permission java.lang.RuntimePermission "accessClassInPackage.sun.tools.*";
  permission java.lang.RuntimePermission "getClassLoader";
  permission java.lang.RuntimePermission "accessClassInPackage.sun.tools.*";
  permission java.security.SecurityPermission "getPolicy";
  permission java.lang.RuntimePermission "setIO";
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};
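
An added example (not JMinor code): a Python check over a policy file such as the one above. It reports duplicate entries and grants that the JDK permission documentation describes as able to bypass or disable the sandbox. `SAMPLE` is a constructed excerpt of the file, and the finding texts are this example's own wording.

```python
import re
from collections import Counter

# Constructed sample: a few entries copied from jminor_server.policy above.
SAMPLE = '''
grant {
  permission java.io.FilePermission "${user.dir}/-", "read,write,delete";
  //permission java.io.FilePermission "/home/webstart/-", "read";
  permission java.net.SocketPermission "*:3306", "connect";
  permission java.util.PropertyPermission "*", "read, write";
  permission java.lang.RuntimePermission "createClassLoader";
  permission java.lang.RuntimePermission "setSecurityManager";
  permission java.lang.RuntimePermission "createClassLoader";
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};
'''

ENTRY = re.compile(r'^\s*permission\s+([\w.]+)\s+"([^"]*)"(?:\s*,\s*"([^"]*)")?\s*;', re.M)

# Targets the JDK permission documentation marks as able to defeat the sandbox.
ESCAPES = {
    ("java.lang.RuntimePermission", "setSecurityManager"): "can replace the security manager",
    ("java.lang.RuntimePermission", "createClassLoader"): "can define classes with any permissions",
    ("java.lang.reflect.ReflectPermission", "suppressAccessChecks"): "can reach private members",
}

def parse_policy(text):
    """Return (class, target, frozenset(actions)) for each uncommented permission entry."""
    return [(cls, target, frozenset(a.strip() for a in (actions or "").split(",") if a.strip()))
            for cls, target, actions in ENTRY.findall(text)]

def audit(text):
    entries, findings = parse_policy(text), []
    if re.search(r"^\s*grant\s*\{", text, re.M):
        findings.append("grant without codeBase/signedBy applies to all code")
    for (cls, target, actions), count in Counter(entries).items():
        short = cls.rsplit(".", 1)[-1]
        if count > 1:
            findings.append(f"{short} {target}: listed {count} times")
        if (cls, target) in ESCAPES:
            findings.append(f"{short} {target}: {ESCAPES[(cls, target)]}")
        elif short == "FilePermission" and target.endswith("-") and "write" in actions:
            findings.append(f"{short} {target}: recursive write access")
        elif short == "PropertyPermission" and target == "*" and "write" in actions:
            findings.append(f"{short} {target}: any system property can be changed")
    return findings
```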

Monitoring

documentation/technical/server.txt · Last modified: 2015/08/12 21:02 by darri