This chapter describes how to develop, assemble, and deploy Java clients in the following sections:
The Application Client Container (ACC) includes a set of Java classes, libraries, and other files that are required for and distributed with Java client programs that execute in their own Java Virtual Machine (JVM). The ACC manages the execution of Java EE application client components (application clients), which are used to access a variety of Java EE services (such as JMS resources, EJB components, web services, security, and so on.) from a JVM outside the Sun GlassFish Communications Server.
The ACC communicates with the Communications Server using RMI-IIOP protocol and manages the details of RMI-IIOP communication using the client ORB that is bundled with it. Compared to other Java EE containers, the ACC is lightweight.
For information about debugging application clients, see Application Client Debugging.
Interoperability between application clients and Communications Servers running under different major versions is not supported.
The ACC determines when authentication is needed. This typically occurs when the client refers to an EJB component or when annotations in the client's main class trigger injection which, in turn, requires contact with the Communications Server's naming service. To authenticate the end user, the ACC prompts for any required information, such as a username and password. The ACC itself provides a very simple dialog box to prompt for and read these values.
The ACC integrates with the Communications Server’s authentication system. It also supports SSL (Secure Socket Layer)/IIOP if configured and when necessary; see Using RMI/IIOP Over SSL.
You can provide an alternate implementation to gather authentication information, tailored to the needs of the application client. To do so, include the class to perform these duties in the application client and identify the fully-qualified name of this class in the callback-handler element of the application-client.xml descriptor for the client. The ACC uses this class instead of its default class for asking for and reading the authentication information. The class must implement the javax.security.auth.callback.CallbackHandler interface. See the Java EE specification, section 9.2, Application Clients: Security, for more details.
Application clients can use Programmatic Login.
For more information about security for application clients, see the Java EE 5 Specification, Section EE.9.7, “Java EE Application Client XML Schema.”
The client container enables the application clients to use the Java Naming and Directory Interface (JNDI) to look up Java EE services (such as JMS resources, EJB components, web services, security, and so on.) and to reference configurable parameters set at the time of deployment.
Annotation is supported for application clients. For more information, see section 9.4 of the Java EE 5 Specification and Java EE Standard Annotation in Sun GlassFish Communications Server 1.5 Application Deployment Guide.
Java Web Start allows your application client to be easily launched and automatically downloaded and updated. It is enabled for all application clients by default. For more information, see Using Java Web Start.
This section describes the procedure to develop, assemble, and deploy client applications using the ACC. This section describes the following topics:
 To Access an EJB Component From an Application
Client
To Access an EJB Component From an Application
ClientIn your client code, reference the EJB component by using an @EJB annotation or by looking up the JNDI name as defined in the ejb-jar.xml file.
For more information about annotations in application clients, see section 9.4 of the Java EE 5 Specification.
For more information about naming and lookups, see Accessing the Naming Context.
If load balancing is enabled as in Step 7 and the EJB components being accessed are in a different cluster, the endpoint list must be included in the lookup, as follows:
corbaname:host1:port1,host2:port2,.../NameService#ejb/jndi-name
Define the @EJB annotations or the ejb-ref elements in the application-client.xml file. Define the corresponding ejb-ref elements in the sun-application-client.xml file.
For more information on the application-client.xml file, see the Java EE 5 Specification, Section EE.9.7, “Java EE Application Client XML Schema.”
For more information on the sun-application-client.xml file, see The sun-application-client.xml file in Sun GlassFish Communications Server 1.5 Application Deployment Guide. For a general explanation of how to map JNDI names using reference elements, see Mapping References.
Deploy the application client and EJB component together in an application.
For more information on deployment, see the Sun GlassFish Communications Server 1.5 Application Deployment Guide. To get the client JAR file, use the --retrieve option of the asadmin deploy command.
To retrieve the stubs and ties whether or not you requested their generation during deployment, use the asadmin get-client-stubs command. For details, see the Sun GlassFish Communications Server 1.5 Reference Manual.
Ensure that the client JAR file includes the following files:
A Java class to access the bean.
application-client.xml - (optional) Java EE application client deployment descriptor. For information on the application-client.xml file, see the Java EE 5 Specification, Section EE.9.7, “Java EE Application Client XML Schema.”
sun-application-client.xml - (optional) Communications Server specific client deployment descriptor. For information on the sun-application-client.xml file, see The sun-application-client.xml file in Sun GlassFish Communications Server 1.5 Application Deployment Guide.
The MANIFEST.MF file. This file contains a reference to the main class, which states the complete package prefix and class name of the Java client.
Prepare the client machine. This step is not needed for Java Web Start.
If you are using the appclient script, either package the application client to run on a remote client system using the package-appclient script, or copy the following JAR files to the client machine manually and include them in the classpath on the client side:
appserv-rt.jar - available at as-install/lib
javaee.jar - available at as-install/lib
The client JAR file
For more information, see Using the package-appclient Script.
To access EJB components that are residing in a remote system, make the following changes to the sun-acc.xml file. This step is not needed for Java Web Start.
Define the target-server element’s address attribute to reference the remote server machine. See target-server in Sun GlassFish Communications Server 1.5 Application Deployment Guide.
Define the target-server element’s port attribute to reference the ORB port on the remote server.
This information can be obtained from the domain.xml file on the remote system. For more information on domain.xml file, see the Sun GlassFish Communications Server 1.5 Administration Reference.
To set up load balancing and failover of remote EJB references, define at least two target-server elements in the sun-acc.xml file. This step is not needed for Java Web Start.
Some topics in the documentation pertain to features that are available only in domains that are configured to support clusters. Examples of domains that support clusters are domains that are created with the cluster profile. For information about profiles, see Usage Profiles in Sun GlassFish Communications Server 1.5 Administration Guide.
If the Communications Server instance on which the application client is deployed participates in a cluster, the ACC finds all currently active IIOP endpoints in the cluster automatically. However, a client should have at least two endpoints specified for bootstrapping purposes, in case one of the endpoints has failed.
The target-server elements specify one or more IIOP endpoints used for load balancing. The address attribute is an IPv4 address or host name, and the port attribute specifies the port number. See client-container in Sun GlassFish Communications Server 1.5 Application Deployment Guide.
Run the application client.
See Using Java Web Start or Running an Application Client Using the appclient Script.
 To Access a JMS Resource From an Application
Client
To Access a JMS Resource From an Application
ClientCreate a JMS client.
For detailed instructions on developing a JMS client, see “Chapter 33: The Java Message Service API” in the Java EE 5 Tutorial.
Next, configure a JMS resource on the Communications Server.
For information on configuring JMS resources, see Creating JMS Resources: Destinations and Connection Factories.
Define the @Resource or @Resources annotations or the resource-ref elements in the application-client.xml file. Define the corresponding resource-ref elements in the sun-application-client.xml file.
For more information on the application-client.xml file, see the Java EE 5 Specification, Section EE.9.7, “Java EE Application Client XML Schema.”
For more information on the sun-application-client.xml file, see The sun-application-client.xml file in Sun GlassFish Communications Server 1.5 Application Deployment Guide. For a general explanation of how to map JNDI names using reference elements, see Mapping References.
Ensure that the client JAR file includes the following files:
A Java class to access the resource.
application-client.xml - (optional) Java EE application client deployment descriptor. For information on the application-client.xml file, see the Java EE 5 Specification, Section EE.9.7, “Java EE Application Client XML Schema.”
sun-application-client.xml - (optional) Communications Server specific client deployment descriptor. For information on the sun-application-client.xml file, see The sun-application-client.xml file in Sun GlassFish Communications Server 1.5 Application Deployment Guide.
The MANIFEST.MF file. This file contains a reference to the main class, which states the complete package prefix and class name of the Java client.
Prepare the client machine. This step is not needed for Java Web Start.
If you are using the appclient script, either package the application client to run on a remote client system using the package-appclient script, or copy the following JAR files to the client machine manually and include them in the classpath on the client side:
appserv-rt.jar - available at as-install/lib
javaee.jar - available at as-install/lib
imqjmsra.jar - available at as-install/lib/install/aplications/jmsra
The client JAR file
For more information, see Using the package-appclient Script.
Run the application client.
See Using Java Web Start or Running an Application Client Using the appclient Script.
Java Web Start allows your application client to be easily launched and automatically downloaded and updated. General information about Java Web Start is available at http://java.sun.com/products/javawebstart/reference/api/index.html.
Java Web Start is discussed in the following topics:
Java Web Start is enabled for all application clients by default.
The application developer or deployer can specify that Java Web Start is always disabled for an application client by setting the value of the eligible element to false in the sun-application-client.xml file. See the Sun GlassFish Communications Server 1.5 Application Deployment Guide.
The Communications Server administrator can disable Java Web Start for a previously deployed eligible application client using the asadmin set command.
To disable Java Web Start for all eligible application clients in an application, use the following command:
| asadmin set --user adminuser domain1.applications.j2ee-application.app-name.java-web-start-enabled="false" | 
To disable Java Web Start for a stand-alone eligible application client, use the following command:
| asadmin set --user adminuser domain1.applications.appclient-module.module-name.java-web-start-enabled="false" | 
Setting java-web-start-enabled="true" re-enables Java Web Start for an eligible application client. For more information about the asadmin set command, see the Sun GlassFish Communications Server 1.5 Reference Manual.
If Java Web Start is enabled for your deployed application client, you can launch it for testing. Simply click on the Launch button next to the application client or application's listing on the App Client Modules page in the Admin Console.
On other machines, you can download and launch the application client using Java Web Start in the following ways:
Using a web browser, directly enter the URL for the application client. See The Application Client URL.
Click on a link to the application client from a web page.
Use the Java Web Start command javaws, specifying the URL of the application client as a command line argument.
If the application has previously been downloaded using Java Web Start, you have additional alternatives.
Use the desktop icon that Java Web Start created for the application client. When Java Web Start downloads an application client for the first time it asks you if such an icon should be created.
Use the Java Web Start control panel to launch the application client.
When you launch an application client, Java Web Start contacts the server to see if a newer client version is available. This means you can redeploy an application client without having to worry about whether client machines have the latest version.
The default URL for an application or module generally is as follows:
| http://host:port/context-root | 
The default URL for a stand-alone application client module is as follows:
| http://host:port/appclient-module-id | 
The default URL for an application client module embedded within an application is as follows. Note that the relative path to the application client JAR file is included.
| http://host:port/application-id/appclient-path | 
If the context-root, appclient-module-id, or application-id is not specified during deployment, the name of the JAR or EAR file without the extension is used. If the application client module or application is not in JAR or EAR file format, an appclient-module-id or application-id is generated.
Regardless of how the context-root or id is determined, it is written to the server log. For details about naming, see Naming Standards in Sun GlassFish Communications Server 1.5 Application Deployment Guide.
To set a different URL for an application client, use the context-root subelement of the java-web-start-access element in the sun-application-client.xml file. This overrides the appclient-module-id or application-id. See Sun GlassFish Communications Server 1.5 Application Deployment Guide.
You can also pass arguments to the ACC or to the application client's main method as query parameters in the URL. If multiple application client arguments are specified, they are passed in the order specified.
A question mark separates the context root from the arguments. Ampersands (&) separate the arguments and their values. Each argument and each value must begin with arg=. Here is an example URL with a -color argument for a stand-alone application client. The -color argument is passed to the application client's main method.
| http://localhost:8080/testClient?arg=-color&arg=red | 
If you are using the javaws URL command to launch Java Web Start with a URL that contains arguments, enclose the URL in double quotes (") to avoid breaking the URL at the ampersand (&) symbol.
Ideally, you should build your production application clients with user-friendly interfaces that collect information which might otherwise be gathered as command-line arguments. This minimizes the degree to which users must customize the URLs that launch application clients using Java Web Start. Command-line argument support is useful in a development environment and for existing application clients that depend on it.
Java Web Start enforces a security sandbox. By default it grants any application, including application clients, only minimal privileges. Because Java Web Start applications can be so easily downloaded, Java Web Start provides protection from potentially harmful programs that might be accessible over the network. If an application requires a higher privilege level than the sandbox permits, the code that needs privileges must be in a JAR file that was signed. When Java Web Start downloads such a signed JAR file, it displays information about the certificate that was used to sign the JAR, and it asks you whether you want to trust that signed code. If you agree, the code receives elevated permissions and runs. If you reject the signed code, Java Web Start does not start the downloaded application.
The Communications Server serves two types of signed JAR files in response to Java Web Start requests. One type is a JAR file installed as part of the Communications Server, which starts an application client during a Java Web Start launch: as-install/lib/appserv-jwsacc.jar.
The other type is a generated application client JAR file. As part of deployment, the Communications Server generates a new application client JAR file that contains classes, resources, and descriptors needed to run the application client on end-user systems. When you deploy an application with the asadmin deploy command's --retrieve option, use the asadmin get-client-stubs command, or select the Generate RMIStubs option from the EJB Modules deployment page in the Admin Console, this is the JAR file retrieved to your system. Because application clients need access beyond the minimal sandbox permissions to work in the Java Web Start environment, the generated application client JAR file must be signed before it can be downloaded to and executed on an end-user system.
A JAR file can be signed automatically or manually. The following sections describe the ways of signing JAR files.
The Communications Server automatically creates a signed version of the required JAR file if none exists. When a Java Web Start request for the appserv-jwsacc.jar file arrives, the Communications Server looks for domain-dir/java-web-start/appserv-jwsacc.jar. When a request for an application's generated application client JAR file arrives, the Communications Server looks in the directory domain-dir/java-web-start/app-name for a file with the same name as the generated JAR file created during deployment.
In either case, if the requested signed JAR file is absent or older than its unsigned counterpart, the Communications Server creates a signed version of the JAR file automatically and deposits it in the relevant directory. Whether the Communications Server just signed the JAR file or not, it serves the file from the domain-dir/java-web-start directory tree in response to the Java Web Start request.
To sign these JAR files, the Communications Server uses its self-signed certificate. When you create a new domain, either by installing the Communications Server or by using the asadmin create-domain command, the Communications Server creates a self-signed certificate and adds it to the domain's key store.
A self-signed certificate is generally untrustworthy because no certification authority vouches for its authenticity. The automatic signing feature uses the same certificate to create all required signed JAR files. To sign different JAR files with different certificates, do the signing manually.
You can sign the appserv-jwsacc.jar file manually any time after you have installed the Communications Server. Copy the unsigned file from as-install/lib to a different working directory and use the jarsigner command provided with the JDK to create a signed version of exactly the same name using your certificate. Then manually copy the signed file into domain-dir/java-web-start. From then on, the Communications Server serves the JAR file signed with your certificate whenever a Java Web Start request asks that domain for the appserv-jwsacc.jar file. Note that you can sign each domain's appserv-jwsacc.jar file differently.
Remember that if you create a new domain and do not sign appserv-jwsacc.jar manually for that domain, the Communications Server creates an auto-signed version of it for use by the new domain. Also, if you create a domain-specific signed appserv-jwsacc.jar, delete the domain, and then create a new domain with the same name as the just-deleted domain, the Communications Server does not remember the earlier signed appserv-jwsacc.jar. You must recreate the manually signed version.
You can sign the generated application client JAR file for an application any time after you have deployed the application. As you deploy the application, you can specify the asadmin deploy command's --retrieve option or select the Generate RMIStubs option on the EJB Modules deployment page in the Admin Console. Doing either of these tasks returns a copy of the generated application client JAR file to a directory you specify. Or, after you have deployed an application, you can download the generated application client JAR file using the asadmin get-client-stubs command.
Once you have a copy of the generated application client JAR file, you can sign it using the jarsigner tool and your certificate. Then place the signed JAR file in the domain-dir/java-web-start/app-name directory. You do not need to restart the server to start using the new signed JAR file.
When an application client is launched using Java Web Start, any error that the application client logic does not catch and handle is written to System.err and displayed in a dialog box. This display appears if an error occurs even before the application client logic receives control. It also appears if the application client code does not catch and handle errors itself.
To specify a vendor-specific icon, splash screen, text string, or a combination of these for Java Web Start download and launch screens, use the vendor element in the sun-application-client.xml file. The complete format of this element's data is as follows:
<vendor>icon-image-URI::splash-screen-image-URI::vendor-text</vendor>
The following example vendor element contains an icon, a splash screen, and a text string:
<vendor>images/icon.jpg::otherDir/splash.jpg::MyCorp, Inc.</vendor>
The following example vendor element contains an icon and a text string:
<vendor>images/icon.jpg::MyCorp, Inc.</vendor>
The following example vendor element contains a splash screen and a text string; note the initial double colon:
<vendor>::otherDir/splash.jpg::MyCorp, Inc.</vendor>
The following example vendor element contains only a text string:
<vendor>MyCorp, Inc.</vendor>
The default value is the text string Application Client.
For more information about the sun-application-client.xml file, see the Sun GlassFish Communications Server 1.5 Application Deployment Guide.
To run an application client that does not have Java Web Start enabled, you can launch the ACC using the appclient script. This is optional. This script is located in the as-install/bin directory. For details, see the Sun GlassFish Communications Server 1.5 Reference Manual.
You can package an application client that does not have Java Web Start enabled into a single appclient.jar file using the package-appclient script. This is optional. This script is located in the as-install/bin directory. For details, see the Sun GlassFish Communications Server 1.5 Reference Manual.
The client.policy file is the J2SE policy file used by the application client. Each application client has a client.policy file. The default policy file limits the permissions of Java EE deployed application clients to the minimal set of permissions required for these applications to operate correctly. If an application client requires more than this default set of permissions, edit the client.policy file to add the custom permissions that your application client needs. Use the J2SE standard policy tool or any text editor to edit this file.
For more information on using the J2SE policy tool, see http://java.sun.com/docs/books/tutorial/security1.2/tour2/index.html.
For more information about the permissions you can set in the client.policy file, see http://java.sun.com/javase/6/docs/technotes/guides/security/permissions.html.
You can configure RMI/IIOP over SSL in two ways: using a username and password, or using a client certificate.
To use a username and password, configure the ior-security-config element in the sun-ejb-jar.xml file. The following configuration establishes SSL between an application client and an EJB component using a username and password. The user has to login to the ACC using either the sun-acc.xml mechanism or the Programmatic Login mechanism.
<ior-security-config>
  <transport-config>
    <integrity>required</integrity>
    <confidentiality>required</confidentiality>
    <establish-trust-in-target>supported</establish-trust-in-target>
    <establish-trust-in-client>none</establish-trust-in-client>
  </transport-config>
  <as-context>
    <auth-method>username_password</auth-method>
    <realm>default</realm>
    <required>true</required>
  </as-context>
 <sas-context>
    <caller-propagation>none</caller-propagation>
 </sas-context>
</ior-security-config>
For more information about the sun-ejb-jar.xml and sun-acc.xml files, see the Sun GlassFish Communications Server 1.5 Application Deployment Guide.
To use a client certificate, configure the ior-security-config element in the sun-ejb-jar.xml file. The following configuration establishes SSL between an application client and an EJB component using a client certificate.
<ior-security-config>
  <transport-config>
    <integrity>required</integrity>
    <confidentiality>required</confidentiality>
    <establish-trust-in-target>supported</establish-trust-in-target>
    <establish-trust-in-client>required</establish-trust-in-client>
  </transport-config>
  <as-context>
    <auth-method>none</auth-method>
    <realm>default</realm>
    <required>false</required>
  </as-context>
  <sas-context>
    <caller-propagation>none</caller-propagation>
  </sas-context>
</ior-security-config>
To use a client certificate, you must also specify the system properties for the keystore and truststore to be used in establishing SSL. To use SSL with the Application Client Container (ACC), you need to set VMARGS environment variable in one of the following ways:
Set the environment variable VMARGS in the shell. For example, in the ksh or bash shell, the command to set this environment variable would be as follows:
export VMARGS="-Djavax.net.ssl.keyStore=${keystore.db.file} 
-Djavax.net.ssl.trustStore=${truststore.db.file} 
-Djavax.net.ssl.keyStorePass word=${ssl.password} 
-Djavax.net.ssl.trustStorePassword=${ssl.password}"
Set the env element in the asant script (see Chapter 3, The asant Utility). For example:
<target name="runclient">
  <exec executable="${S1AS_HOME}/bin/appclient">
    <env key="VMARGS" value=" -Djavax.net.ssl.keyStore=${keystore.db.file} 
      -Djavax.net.ssl.trustStore=${truststore.db.file} 
      -Djavax.net.ssl.keyStorePasword=${ssl.password} 
      -Djavax.net.ssl.trustStorePassword=${ssl.password}"/>
    <arg value="-client"/>
    <arg value="${appClient.jar}"/>
  </exec>
</target>
To deploy and run an application client that connects to an EJB module on a Communications Server instance that is behind a firewall, you must set ORB Virtual Address Agent Implementation (ORBVAA) options. Use the asadmin create-jvm-options command as follows:
| asadmin create-jvm-options --user adminuser -Dcom.sun.corba.ee.ORBVAAHost=public-IP-adress asadmin create-jvm-options --user adminuser -Dcom.sun.corba.ee.ORBVAAPort=public-port asadmin create-jvm-options --user adminuser -Dcom.sun.corba.ee.ORBUserConfigurators.com.sun.corba.ee.impl.plugin.hwlb.VirtualAddressAgentImpl=x | 
Set the ORBVAAHost and ORBVAAPort options to the host and port of the public address. The ORBUserConfigurators option tells the ORB to create an instance of the VirtualAddressAgentImpl class and invoke the configure method on the resulting object, which must implement the com.sun.corba.ee.spi.orb.ORBConfigurator interface. The ORBUserConfigurators value doesn't matter. Together, these options create an ORB that in turn creates Object references (the underlying implementation of remote EJB references) containing the public address, while the ORB listens on the private address specified for the IIOP port in the Communications Server configuration.