Authorization for JMS resources

Former Member
Hi,

consider the following use-case: we define a JMS topic to which certain, and only certain, J2EE apps (probably running in different engines) should be allowed to report messages, but not, for example, a "malicious" standalone client. On the other side, clients should be allowed to browse/read these messages without restrictions. In other words, distinct and selected producers, but a broad audience of consumers.

How could this be achieved best?

In the online help I found a page suggesting that I define a security policy. So I went to Visual Admin -> Security Provider -> Policy Configuration -> service.jms.default.authorization, selected "basic" as authentication method, removed group "Guest" from security role "clients" in "Security Roles", mapped it to a distinct user group (it's a UME user group to be precise, since my engine runs on a UME user store) and tried to publish a message to the topic --- to my surprise it worked! However, it shouldn't, since my client program gives neither user/password for the JNDI lookup nor for the creation of the topic connection.

In fact, it does not matter how the "clients" role is mapped to a user or group; my "malicious" standalone client is always able to post a message.

What am I doing wrong?

Best Regards

Michael

By the way: what exactly is the purpose of the user/password entries for factories and destinations in the JMS connector? The docu says it is for access to the JMS provider, but at least the SAP JMS provider seems not to make any use of them. Is this for access to third-party JMS providers?

Accepted Solutions (1)

Former Member
Hi

Here are the steps you should take in version 6.40:

1. Create your own topic

JMS Provider -> "Runtime" tab -> "JMS Server instances" border ("default") -> "Topics" tab -> "Create" button.

Let's name this topic "MySecureTopic".

2. Create a user which will have the permissions to produce messages to "MySecureTopic".

Security Provider -> "Runtime" tab -> "User Management" tab -> "Create User" button.

Let's name this user "secureproducer" with password "securepasswd". In my test I put this user in the "Authenticated users" group, but maybe he can be in any other group.

3. Now create new Security Role:

Security Provider -> "Components" ("service.jms.default.authorization") -> "Runtime" tab -> "Policy Configuration" tab -> "Security Roles" tab -> "Security Roles" -> "Add" button.

Note: in "service.jms.default.authorization", 'default' is the name of the JMS instance (JMS Provider -> "Runtime" tab -> "JMS Server instances" border). If you use another instance, you should use the respective component ("service.jms.another.authorization", where "another" is that instance's name).

The name of my role is "SecureProdurerRole".

Also add the "secureproducer" user to this role:

Select "SecureProdurerRole" and click on "Mappings" -> "Add" button.

Security Provider -> "Runtime" tab -> "Policy Configuration" tab -> "Security Roles" tab -> "Mappings" border -> "Users" border -> "Add" button

4. Now you should add a security rule that enforces the required behaviour:

Security Provider -> "Runtime" tab -> "Policy Configuration" tab -> "Resources" tab ->

4.1. from "Resources" border choose "topic"

4.2. from "Instances" border choose "MySecureTopic"

4.3. from "Actions" border choose Action "produce"

4.4. in the "Granted" border there should be only "SecureProdurerRole", and in the "Denied" border the "administrators" and "clients" roles.

Now in your Java code you must create your JMS connection with username and password provided:

// this is the producer connection

tc = tcf.createTopicConnection("secureproducer", "securepasswd");

Otherwise using

tc = tcf.createTopicConnection();

this exception will occur:

javax.jms.JMSSecurityException: You do not have permissions: action produce and instance MySecureTopic.

at ...

HTH

Best regards
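As an added example (not code from the original thread), the following Java client shows the two producer paths the answer above describes: an authenticated publish as "secureproducer", which the "produce" grant on "MySecureTopic" allows, and an anonymous publish, which should fail with JMSSecurityException once "clients" is in the Denied list. The JNDI names are assumptions; use whatever names your factory and topic are bound under.

```java
import javax.jms.JMSException;
import javax.jms.JMSSecurityException;
import javax.jms.Session;
import javax.jms.TextMessage;
import javax.jms.Topic;
import javax.jms.TopicConnection;
import javax.jms.TopicConnectionFactory;
import javax.jms.TopicPublisher;
import javax.jms.TopicSession;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

public class SecureTopicProducer {
    // Assumed JNDI names; adjust to your engine's bindings.
    private static final String FACTORY_JNDI = "jmsfactory/default/TopicConnectionFactory";
    private static final String TOPIC_JNDI = "jmstopics/default/MySecureTopic";

    /** Publishes one text message; user == null means an anonymous connection. */
    public static void publish(String text, String user, String password)
            throws NamingException, JMSException {
        Context ctx = new InitialContext();
        TopicConnectionFactory tcf = (TopicConnectionFactory) ctx.lookup(FACTORY_JNDI);
        Topic topic = (Topic) ctx.lookup(TOPIC_JNDI);

        // The identity checked against the "produce" action on the topic is the one
        // given to createTopicConnection, not the one used for the JNDI lookup.
        TopicConnection tc = (user == null)
                ? tcf.createTopicConnection()
                : tcf.createTopicConnection(user, password);
        try {
            TopicSession ts = tc.createTopicSession(false, Session.AUTO_ACKNOWLEDGE);
            TopicPublisher pub = ts.createPublisher(topic);
            TextMessage msg = ts.createTextMessage(text);
            pub.publish(msg);
        } finally {
            tc.close();
        }
    }

    public static void main(String[] args) throws Exception {
        // Authorized producer: the user mapped to the role granted "produce".
        publish("hello from secureproducer", "secureproducer", "securepasswd");

        // Anonymous producer: expected to be denied by the policy from step 4.
        try {
            publish("hello from anonymous", null, null);
            System.out.println("WARNING: anonymous publish succeeded; re-check the Denied list");
        } catch (JMSSecurityException e) {
            System.out.println("Anonymous publish denied as expected: " + e.getMessage());
        }
    }
}
```

The hard-coded password mirrors the thread's test setup only; a deployed producer should read its credentials from a secure store rather than from source.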

Answers (2)

Deleted as the statement did not apply to the version in question.

Former Member
Hi,

The JMS connector uses these properties (user, password) only when it calls the JMS provider's getConnection() method. It does not check security on the server because these settings are common for all JMS provider vendors.

Best Regards Nikola