By nitkal on Jan 31, 2011
This post describes how one could make secure calls to an EJB (3.x) from a web application using SSL or MUTUAL_SSL, even when the web-app and the EJB are running on GlassFish instances in different host machines.
Wth the following <ior-security-config> in the EJB (glassfish-ejb-jar.xml), SSL is forced by the EJB.
With the following annotation in the servlet:
private SecureEjbRemote secureRemote;
and the following element in glassfish-web.xml, the client (servlet) is forced to contact the Ejb securely (using the MUTUAL_SSL ORB port 3820)
<jndi-name>corbaname:iiop:<host in which EJB is deployed>:3820#SecureEjbBean</jndi-name>
With the following jvm-option added to the domain.xml of the host in which the web-app is deployed,
secure communication happens between the servlet and the EJB for the name service lookup (before the EJB create call)