[z/OS]

Configuring security for message-driven beans that use listener ports

Use this task to configure resource security and security permissions for message-driven beans.

About this task

There are two special security considerations when using message-driven beans (MDBs). In other respects, the security considerations for an MDB are identical to those of any other EJB. For instance, access to JDBC and JCA resources (for example, CICS or IMS) is handled in the same way as for an entity or session EJB. Access to other JMS resources is also handled in the same way as for other EJBs.

To understand this last point about JMS access correctly, it is important to recognize that the security considerations for configuring the MDB listener, which can be thought of as part of the application server infrastructure, are unique to MDBs. These MDB-specific considerations apply when configuring the authentication and authorization that the server uses to connect to a JMS provider and a Destination, so that a message can be selected and passed to the MDB's onMessage() method.

The MDB's onMessage() application code might not make any additional JMS calls. If the MDB application code does access additional JMS resources, however, that access is handled identically to JMS calls made by an entity or session EJB.

MDB security considerations:

The MDB listener's security information is established when the MDB listener's JMS Connection is created; this is the typical JMS programming pattern. The properties used to configure the MDB listener's JMS Connection Factory are also used to specify these security parameters, so by configuring the Connection Factory that the Listener Port definition maps to, you control the security parameters used by the MDB listener. The identity used for a given MDB listener's JMS Connection is determined, in the order of precedence below, by the configuration of the JMS Connection Factory used by the Message Listener Service Listener Port onto which that MDB is mapped. For example, if an MDB mdb1 is mapped onto Listener Port mylp1, and mylp1 uses Connection Factory qcf1, you configure qcf1 to control mdb1's MDB listener. The order of precedence is:
  1. If a container-managed alias has been defined for this Connection Factory, the userid associated with the container-managed alias is used in the Connection creation call, for example createQueueConnection(userid, password).
  2. If a component-managed alias has been defined for this Connection Factory, the userid associated with the component-managed alias is used.
  3. If neither alias is specified and the Connection Factory is defined in Bindings mode (that is, TransportType = "BINDINGS"), the server identity is used. The server identity translates more specifically into the servant identity in the servants, and the controller identity in the controller. In the case of a listening-in controller, the controller identity is relevant as well as the servant identity. For related information about listening-in controllers, see Message Listener Service on z/OS.
Note: The authentication aliases referred to here are those associated with the Connection Factory defined by the Administrator. No application resource reference is associated with the MDB listener and so no authentication alias has to be set at that level.
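As an added illustration (example code, not IBM's), the precedence order above expressed as a small resolver plus an audit over a constructed MDB-to-listener-port topology: mdb1 -> mylp1 -> qcf1 follows the text, while the alias names, user ids and the mdb2/mdb3 ports are assumptions made for the sample.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass
class AuthAlias:
    name: str
    userid: str  # password deliberately not modelled; only the identity matters here

@dataclass
class ConnectionFactory:
    jndi_name: str
    transport_type: str  # "BINDINGS" or "CLIENT"
    container_managed_alias: Optional[AuthAlias] = None
    component_managed_alias: Optional[AuthAlias] = None

@dataclass
class ListenerPort:
    name: str
    connection_factory: ConnectionFactory
    listening_in_controller: bool = False

def resolve_listener_identity(lp: ListenerPort) -> Tuple[str, Tuple[str, ...]]:
    """Return (source, identities) used for the JMS Connection of lp's MDB listener."""
    cf = lp.connection_factory
    # 1. container-managed alias wins: its userid goes into createQueueConnection(userid, password)
    if cf.container_managed_alias is not None:
        return "container-managed", (cf.container_managed_alias.userid,)
    # 2. otherwise a component-managed alias supplies the userid
    if cf.component_managed_alias is not None:
        return "component-managed", (cf.component_managed_alias.userid,)
    # 3. no alias and BINDINGS mode: server identity = servant identity, plus the
    #    controller identity when the port listens in the controller
    if cf.transport_type.upper() == "BINDINGS":
        return "server", ("servant", "controller") if lp.listening_in_controller else ("servant",)
    # no alias and not BINDINGS: the precedence rules above supply no identity
    return "none", ()

def audit_mdbs(mapping: Dict[str, ListenerPort]) -> Dict[str, str]:
    """Per MDB, report which identity its port's factory resolves to; 'server' and 'none'
    are flagged for review (a container-managed alias on the factory may be wanted)."""
    report = {}
    for mdb, lp in mapping.items():
        source, ids = resolve_listener_identity(lp)
        flag = "" if source.endswith("-managed") else "  <-- review"
        report[mdb] = f"{lp.name} via {lp.connection_factory.jndi_name}: {source} {list(ids)}{flag}"
    return report

# Constructed sample topology: mdb1 -> mylp1 -> qcf1 as in the text; mdb2/mdb3 are made up.
qcf1 = ConnectionFactory("jms/qcf1", "BINDINGS", container_managed_alias=AuthAlias("qcf1Alias", "MDBUSR1"))
SAMPLE = {"mdb1": ListenerPort("mylp1", qcf1),
          "mdb2": ListenerPort("mylp2", ConnectionFactory("jms/qcf2", "BINDINGS"), listening_in_controller=True),
          "mdb3": ListenerPort("mylp3", ConnectionFactory("jms/qcf3", "CLIENT"))}
```

Running audit_mdbs(SAMPLE) flags mdb2 (falls back to servant and controller identities) and mdb3 (no identity at all), while mdb1 resolves to the container-managed userid.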

To set the container-managed alias (if you elect that option), use the administrative console to complete the following steps:

Procedure

  1. To display the listener port settings, click Servers > application_server > Message Listener Service > Listener Ports > listener_port.
  2. To get the name of the JMS connection factory, look at the Connection factory JNDI name property.
  3. Display the JMS connection factory properties. For example, to display the properties of a queue connection factory provided by the default messaging provider, click Resources > JMS > Queue connection factories > queue_connection_factory.
  4. Set the Container-managed Authentication Alias property.
  5. Click OK.

Results

Considerations for invoking other EJBs:

Messages arriving at a listener port have no client credentials associated with them. The messages are anonymous. To call secure enterprise beans from a message-driven bean, the message-driven bean must be configured with a RunAs Identity deployment descriptor. Security depends on the role specified by the RunAs Identity for the message-driven bean as an EJB component.

For more information about EJB security, see Securing enterprise bean applications. For more information about configuring security for your application, see Securing applications during assembly and deployment.


Last updated: Aug 31, 2013 1:23:07 AM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=pix&product=was-nd-dist&topic=tmb_sec00
File name: tmb_sec00.html