We're deploying an Enterprise Application containing an embedded Application Client that's deployed to the client via Java Web Start.
We have all the common artifacts inside the lib subdirectory of the .ear.
The client calls an injected remote interface of a bean, which has a method like this:
public void importConfiguration(TasksAndResources configuration);
The class TaskAndResources is serializable, and contains JPA 2.0 entities inside, via Set<Task> and Set<Resource> member attributes. These are present both in the client dependencies and in the .ear lib subdirectory.
However, when the client calls the above method, the Glassfish server connects back to the client (random RMI port listening) in order to retrieve the class definitions for Task, Resource, and ResourceRequirement (another entity that relates the former, but that's not directly referenced by the TaskAndResources class that's declared in the interface method).
We've verified these call backs by using Wireshark and dumping the packets. The requests from the server to the client seem to use an operation called "meta".
This seems rather strange. Why would the server need to download those classes, when they're already present in the .ear file, and a dependency (via MANIFEST.MF ClassPath attribute) to the called ejb implementation?
Moreover, this breaks any hope we could have of being able to deploy the appclient when there's any kind of firewall between the client and the server. Since the callback port is random and non-configurable, we can't even create an ad-hoc rule.
I guess there must be some classloader related problem when de-serializing the client request; the Task, Resource and ResourceRequirement classes aren't found in whatever classpath is used for that classloader (even if actually present in the .ear), and then they get requested from the client. The ejb call then succeeds, BTW.
We detected this because the client would fail in client machines with more than one interface, when the random-port RMI server would declare a non-routable IP address for a local private interface.