For non-Java EE Connector Architecture (JCA) messaging providers, the association between connection factories, destinations, and message-driven beans is provided by listener ports. In this case, you can configure resource security and security permissions for message-driven beans by setting the container-managed alias. The MDB listener's security information is established when the MDB listener's JMS connection is created.
Before you begin
A listener port allows a deployed message-driven bean associated with the port to retrieve messages from the associated destination. For more information about listener ports, see Message-driven beans - listener port components.
Note: For WebSphere Application Server Version 7 and later, listener ports are stabilized. For more information, read the article on stabilized features. You should plan to migrate your WebSphere MQ message-driven bean deployment configurations from using listener ports to using activation specifications. However, you should not begin this migration until you are sure the application does not have to work on application servers earlier than WebSphere Application Server Version 7. For example, if you have an application server cluster with some members at Version 6.1 and some at a later version, you should not migrate applications on that cluster to use activation specifications until after you migrate all the application servers in the cluster to the later version.
About this task
In most respects, the security for an MDB is identical to the security for any other enterprise bean. For instance, access to JDBC resources and JCA resources (for example CICS®, IMS™) is handled in the same way as for an entity or session bean. Access to other JMS resources is also handled in the same way as for other enterprise beans.
To secure an MDB that has been deployed on a listener port, you configure authentication and authorization for the server to connect to a JMS provider and a destination, so that a message can be retrieved from the destination for processing by the onMessage() method of the MDB.
With some MDBs, the onMessage() method attempts to access additional JMS resources after the initial JMS connection has been made. In this case, security is handled identically to JMS calls made by an entity or session EJB.
The security information for an MDB that has been deployed onto a listener port is required when the initial JMS connection is created. When an MDB is deployed on a listener port, the security information for the MDB is determined by the values specified for the connection factory that the listener port is using. The user ID that the listener port uses to create the JMS connection is determined by the type of authentication alias that has been specified on the queue connection factory:
- If a container-managed alias has been defined for the connection factory, the user ID associated with the container-managed alias is used in the connection creation call, for example createQueueConnection(userid, password).
- If a component-managed alias has been defined for this connection factory, the user ID associated with the component-managed alias is used for the connection creation call.
- If neither alias is specified and the connection factory is defined in bindings mode (that is, TransportType = "BINDINGS"), the server identity is used. The server identity translates more specifically into the servant identity in the servants, and the controller identity in the controller. Therefore, for a listening-in controller, both the controller identity and the servant identity are relevant. For related information about listening-in controllers, see Message listener service on z/OS.
Note: The authentication aliases referred to here are the authentication aliases associated with the connection factory defined by the administrator. No application resource reference is associated with the MDB or the listener port, so no authentication alias needs to be set at that level.
To set the container-managed alias (if you elect that option), use the administrative console to complete the following steps:
Procedure
- Display the listener port settings, by clicking
- Get the name of the JMS connection factory, by looking at the connection factory JNDI name property.
- Display the JMS connection factory properties. For example, to display the properties of a queue connection factory, click .
- Set the "Container-managed authentication alias" property.
- Click OK.
What to do next
Invoking other EJBs
Messages arriving at a listener port have no client credentials associated with them; the messages are anonymous. To call secure enterprise beans from a message-driven bean, the message-driven bean must be configured with a RunAs Identity deployment descriptor. Security depends on the role specified by the RunAs Identity for the message-driven bean as an EJB component.
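The following ejb-jar.xml fragment is an added illustration, not part of the original page, of the RunAs Identity configuration described above. The bean names (OrderProcessorMDB, OrderService), the class names and the role name orderprocessor are assumptions chosen for the example; the message-driven bean runs as that role, and the role is the only one permitted to call the session bean it invokes from onMessage().

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Illustrative ejb-jar.xml; all bean and role names are assumed for this example. -->
<ejb-jar xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <enterprise-beans>

    <!-- The MDB bound to the listener port. Incoming messages are anonymous,
         so the container substitutes the run-as role before onMessage() runs. -->
    <message-driven>
      <ejb-name>OrderProcessorMDB</ejb-name>
      <ejb-class>com.example.orders.OrderProcessorMDB</ejb-class>
      <transaction-type>Container</transaction-type>
      <security-identity>
        <run-as>
          <role-name>orderprocessor</role-name>
        </run-as>
      </security-identity>
    </message-driven>

    <!-- The secured session bean that onMessage() calls. -->
    <session>
      <ejb-name>OrderService</ejb-name>
      <ejb-class>com.example.orders.OrderServiceBean</ejb-class>
      <session-type>Stateless</session-type>
    </session>

  </enterprise-beans>

  <assembly-descriptor>
    <security-role>
      <role-name>orderprocessor</role-name>
    </security-role>

    <!-- Only callers in the orderprocessor role may invoke OrderService.
         Without the run-as element above, the MDB's anonymous caller
         identity would be rejected here. -->
    <method-permission>
      <role-name>orderprocessor</role-name>
      <method>
        <ejb-name>OrderService</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
```

The orderprocessor role must still be mapped to a real user or group when the application is deployed; the run-as element only names the role, it does not supply credentials.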
For more information about EJB security, see Securing enterprise bean applications. For more information about configuring security for your application, see Securing applications during assembly and deployment.