Entering content frame

This graphic is explained in the accompanying text Security on JMS Service  Locate the document in its SAP Library structure

Security Aspects

The J2EE Engine JMS Provider implements the following security aspects:

·        Authentication

The TopicConnectionFactoryis always obtained via JNDI. This is why the SAP J2EE Engine forces authentication for JNDI clients. Only the clients that are authenticated against the JNDI login context can obtain a connection factory and create a JMS Connection. This user authentication is performed in one of the first steps you must follow to create a JMS Connection. The JMS API provides the following two variants to make the authentication. You can:

¡        Provide a user name and password:

The Security Provider Service of the session container forces authentication against the configured policy configuration for JMS basic password authentication

¡        Choose not to provide any credentials:

You must initialize the connection using SSL. The Security Provider Service of the session container then forces authentication against the policy configuration that is configured for JMS X.509 certificate authentication. Otherwise, the anonymous user is configured for SAP J2EE Engine

·        Authorization

SAP J2EE Engine authorization of the JMS Connection enables you to apply restrictions over:

¡        JMS Clients actions. You can prevent the client from:

§         Creating a Producer to a destination

§         Creating a Consumer to a destination

§         Creating a Browser to a destination

§         Connecting to a durable subscription on a destination

§         Creating a durable subscription on a destination

§         Creating destination with createQueue/createTopic

§         Creating a temporary destination

¡        JMS administrator actions

All administration tasks are checked against a predefined security role JMSAdministrators in the policy configuration of the Security Provider Service.

Policy configurations

The policy configurations for the JMS Provider are created using the Security Provider Service interfaces. The following configurations are created:

Configuration

Description

jms.<jms-instance-name>. authentication.basic

 

Contains the authentication configuration for login using username-password. When it is created, it is set up from the policy configuration basic

 

jms.<jms-instance-name>. authentication.cert

 

Contains the authentication configuration for login using X.509 certificate. When it is created, it is set up from the policy configuration client-cert

 

jms.<jms-instance-name>. authorization

 

Contains restrictions for administrative tasks such as creating a destination as well as default client action restrictions. The JMS Provider has two security roles named JMSAdministrators, which reference the preconfigured security role administrators of the policy configuration SAP-J2EE-Engine, and JMSClients, which references the preconfigured security role guests of policy configuration SAP-J2EE-Engine. JMSAdministrators is granted to all administrative rights and JMSClients to all client actions. Additional security roles can be defined by an administrator

 

This graphic is explained in the accompanying text

These policy configurations are configured by the SAP J2EE Engine Security Service and are changed according to changes in the active user store.

For more information about managing the user stores on the server, see Managing User Stores in the Administration Manual.

JMS.Authorization

jms.authorization defines the following resources:

Resource

Actions

Description

queue

·        consume

·        produce

·        browse

The resource for all queues. It has instances for each queue in the JMS Provider

topic

·        consume

·        produce

·        create-durable-subscription

·        connect-durable-subscription

The resource for all topics. It has instances for each topic in the provider. For hierarchical topics the instances are grouped

subscription

·        change-topic

·        change-selector

·        close

The resource for all durable subscriptions

connection

·        create-destination

·        create-temporary-destination

The resource for client tasks that do not have to deal with a specific destination

administration

·        create-topic

·        create-queue

·        create-subscription

·        remove-topic

·        remove-queue

·        remove-subscription if an instance is used, it specifies the target of the task

The resource for administrative tasks

Restrictions for message selectors

You can apply restrictions for the message selectors as follows:

For the instance of a destination, a number of message selection boundaries can be defined as grouped instances. When a consumer with a selector is created, the Security Service will go through all these boundaries to check if the consumer and selector combination passes all of them.

Example

For a queue named stockswith two boundaries: a group of users authorized are allowed to view the messages on all stocks and another group called not_authorized is limited to stocks with IDs greater than 1000.

Define two security roles then:

·        authorized with the authorized users.

·        not_authorized with the others users.

 We define the following instances of resource queue:

·        queue
     stocks
     “stock-id <= 1000” – authorized
      “”                - authorized, not_authorized

 

 

Leaving content frame