I have deployed a Java EE application on JBoss-5.1.0. To have extra security, I have fronted JBoss with Apache and enabled SSL. Tomcat talks to the server using AJP 1.3 on port 8001. So my configuration looks like:
tomcat:443 (ssl) ---|--- Jboss:8080 (IpAddress:8080) (http)
This configuration seems to work well for all static and dynamic pages except for the Flex part.
My problems begin when I try to access anything in the Flex part. The AMF channels fail and I can see the following stack trace in the server log:
2012-04-13 16:19:50,940 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/catissuecore].[MessageBrokerServlet]] (ajp-127.0.0.1-8009-4) Servlet.service() for servlet MessageBrokerServlet threw exception
flex.messaging.security.SecurityException: Secure endpoint ‘/messagebroker/amfsecure’ must be contacted via a secure protocol.
at flex.messaging.endpoints.AbstractEndpoint.validateRequestProtocol(AbstractEndpoint.java:862)
at flex.messaging.endpoints.AbstractEndpoint.service(AbstractEndpoint.java:630)
at flex.messaging.endpoints.AMFEndpoint.service(AMFEndpoint.java:99)
at flex.messaging.MessageBrokerServlet.service(MessageBrokerServlet.java:424)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:436)
at org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:384)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Thread.java:662)
I have defined the following channels in remote-config.xml:
<default-channels>
    <channel ref="my-amf"/>
    <channel ref="my-secure-amf"/>
</default-channels>
And my services-config.xml has the following configuration:
<channels>
    <channel-definition id="my-amf" class="mx.messaging.channels.AMFChannel">
        <endpoint uri="http://{server.name}:{server.port}/{context.root}/messagebroker/amf" class="flex.messaging.endpoints.AMFEndpoint"/>
        <properties>
            <polling-enabled>false</polling-enabled>
        </properties>
    </channel-definition>
    <channel-definition id="my-secure-amf" class="mx.messaging.channels.SecureAMFChannel">
        <endpoint uri="https://{server.name}:{server.port}/{context.root}/messagebroker/amfsecure" class="flex.messaging.endpoints.SecureAMFEndpoint"/>
        <properties>
            <!-- HTTPS requests on some browsers do not work when pragma "no-cache" headers are set -->
            <add-no-cache-headers>false</add-no-cache-headers>
        </properties>
    </channel-definition>
</channels>
Has anyone faced this issue?
Any pointers will be of great use.
In my case I allow only HTTPS traffic, and all this HTTPS traffic was allowed to route through the SSL-enabled Apache server. Also, I have a load balancer which talks to Apache, sending HTTP requests instead of HTTPS requests, which was the root cause of the problem. I changed the settings of the load balancer and it works properly.
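An added example, not part of the original posts: the AJP 1.3 Forward Request that the web server sends to the container carries an `is_ssl` byte, and the container's AJP connector marks the request as secure based on it. The parser below reads that flag from a packet, so a capture on the AJP port shows whether the hop in front of Apache was really HTTPS. The sample packets, the host name `example.test` and all function names are constructed for illustration.

```python
import struct

def _ajp_string(text):
    """AJP string: 2-byte big-endian length, the bytes, then a NUL terminator."""
    raw = text.encode()
    return struct.pack(">H", len(raw)) + raw + b"\x00"

def build_forward_request(uri, server_name, server_port, is_ssl):
    """Constructed sample input: a minimal Forward Request as a front end would send it."""
    body = bytes([0x02, 4])  # prefix code 2 = Forward Request, method 4 = POST
    body += _ajp_string("HTTP/1.1") + _ajp_string(uri) + _ajp_string("127.0.0.1")
    body += _ajp_string("") + _ajp_string(server_name)  # remote_host, server_name
    body += struct.pack(">HBH", server_port, 1 if is_ssl else 0, 0)  # port, is_ssl, no headers
    body += b"\xff"  # request terminator
    return b"\x12\x34" + struct.pack(">H", len(body)) + body

def parse_forward_request(packet):
    """Return the URI, server name, server port and is_ssl flag of a Forward Request."""
    if packet[:2] != b"\x12\x34":
        raise ValueError("not a server-to-container AJP13 packet")
    (length,) = struct.unpack(">H", packet[2:4])
    body = packet[4:4 + length]
    if len(body) != length or body[0] != 0x02:
        raise ValueError("truncated packet or not a Forward Request")
    pos, fields = 2, []  # skip prefix code and method byte
    for _ in range(5):   # protocol, req_uri, remote_addr, remote_host, server_name
        (n,) = struct.unpack(">H", body[pos:pos + 2])
        if n == 0xFFFF:  # AJP encoding of a null string: no bytes, no terminator
            fields.append(None)
            pos += 2
            continue
        fields.append(body[pos + 2:pos + 2 + n].decode())
        pos += 2 + n + 1
    port, is_ssl = struct.unpack(">HB", body[pos:pos + 3])
    return {"uri": fields[1], "server_name": fields[4],
            "server_port": port, "is_ssl": bool(is_ssl)}

def secure_endpoint_accepts(packet):
    """Simplified model of the endpoint check: a secure endpoint needs a secure request."""
    return parse_forward_request(packet)["is_ssl"]

if __name__ == "__main__":
    uri = "/catissuecore/messagebroker/amfsecure"
    for label, ssl in (("client -> Apache over HTTPS", True),
                       ("load balancer -> Apache over HTTP", False)):
        pkt = build_forward_request(uri, "example.test", 443 if ssl else 80, ssl)
        print(label, parse_forward_request(pkt), "accepted:", secure_endpoint_accepts(pkt))
```
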
Exception: Secure endpoint ‘/messagebroker/amfsecure’ must be contacted via a secure protocol.
There are two solutions: