Configuring security for message-driven beans that use listener ports

For non-Java™ EE Connector Architecture (JCA) messaging providers, the association between connection factories, destinations, and message-driven beans is provided by listener ports. In this case, you can configure resource security and security permissions for message-driven beans by setting the container-managed alias. The MDB listener's security information is established when the MDB listener's JMS Connection is created.

Before you begin

A listener port allows a deployed message-driven bean associated with the port to retrieve messages from the associated destination. For more information about listener ports, see Message-driven beans - listener port components.

Note: For WebSphere Application Server Version 7 and later, listener ports are stabilized. For more information, read the article about stabilized features. You should plan to migrate your WebSphere MQ message-driven bean deployment configurations from using listener ports to using activation specifications. [AIX Solaris HP-UX Linux Windows][IBM i] For more information about configuring activation specifications for non-ASF mode, see Configuring activation specifications for non-ASF mode. However, you should not begin this migration until you are sure that the application does not need to work on application servers earlier than WebSphere Application Server Version 7. For example, if you have an application server cluster with some members at Version 6.1 and some at a later version, you should not migrate the applications on that cluster to use activation specifications until after you have migrated all the application servers in the cluster to the later version.

About this task

In most respects, the security for an MDB is identical to security for any other enterprise bean. For instance, access to JDBC resources and JCA resources (for example CICS®, IMS™) is handled in the same way as for an entity or session bean. Access to other JMS resources is also handled in the same way as for other enterprise beans.

To secure an MDB which has been deployed on a listener port, you configure authentication and authorization for the server to connect to a JMS provider and a destination so that a message can be retrieved from the destination for processing by the onMessage() method of the MDB.

With some MDBs, the onMessage() method attempts to access additional JMS resources after the initial JMS connection has been made. In this case, security is handled identically to JMS calls made by an entity or session EJB.

The security information for an MDB which has been deployed onto a listener port is required when the initial JMS connection is created. When an MDB is deployed on a listener port, the security information for the MDB is determined by the values specified for the connection factory which the listener port is using. The user ID that the listener port uses to create the JMS connection is determined by the type of authentication alias which has been specified on the queue connection factory:
  1. If a container-managed alias has been defined for the connection factory, the user ID associated with the container-managed alias is used in the connection creation call, for example createQueueConnection(userid,password).
  2. If a component-managed alias has been defined for this connection factory, the user ID associated with the component-managed alias is used for the connection creation call.
  3. If neither alias is specified and the connection factory is defined in bindings mode (that is, TransportType = "BINDINGS"), the server identity is used. [z/OS] The server identity translates more specifically into the servant identity in the servants, and the controller identity in the controller. Therefore, for a listening-in controller, the controller identity is relevant and the servant identity is relevant. For related information about listening-in controllers, see [z/OS] Message listener service on z/OS.
Note: The authentication aliases referred to here are the authentication aliases associated with the connection factory defined by the administrator. No application resource reference is associated with the MDB or the listener port, therefore no authentication alias must be set at that level.

To set the container-managed alias (if you elect that option), use the administrative console to complete the following steps:

Procedure

  1. Display the listener port settings, by clicking Servers > Server Types > WebSphere application servers > application_server > [Communications] Messaging > Message listener service > [Additional properties] Listener ports > listener_port
  2. Get the name of the JMS connection factory, by looking at the connection factory JNDI name property.
  3. Display the JMS connection factory properties. For example, to display the properties of a queue connection factory, click Resources > JMS > Queue connection factories > queue_connection_factory.
  4. Set the "Container-managed authentication alias" property.
  5. Click OK.
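
The alias rules and the lookup chain in the procedure (listener port, then connection factory JNDI name, then the factory's alias properties) can be checked across many ports at once. The following is an added example, not IBM code: it applies the three rules to a constructed inventory and lists the ports that do not connect with a container-managed alias. All port names, JNDI names, alias names and the "CLIENT" transport value are hypothetical sample data.

```python
# Constructed inventory with hypothetical names, as an administrator might
# transcribe it from the listener port and connection factory panels.
LISTENER_PORTS = {            # listener port -> connection factory JNDI name
    "OrdersPort": "jms/OrdersQCF",
    "AuditPort": "jms/AuditQCF",
    "LegacyPort": "jms/LegacyQCF",
    "OpenPort": "jms/OpenQCF",
    "StalePort": "jms/MissingQCF",
}
CONNECTION_FACTORIES = {      # JNDI name -> (container alias, component alias, transport)
    "jms/OrdersQCF": ("cell/ordersMdb", None, "CLIENT"),
    "jms/AuditQCF": (None, "cell/auditUser", "CLIENT"),
    "jms/LegacyQCF": (None, None, "BINDINGS"),
    "jms/OpenQCF": (None, None, "CLIENT"),
}


def resolve_identity(container_alias, component_alias, transport):
    """Apply the three rules in the order the page lists them."""
    if container_alias:
        return "container-managed alias", container_alias
    if component_alias:
        return "component-managed alias", component_alias
    if (transport or "").upper() == "BINDINGS":
        return "server identity", None
    # No alias and not bindings mode: the page does not say what is used.
    return "not stated", None


def audit(ports, factories):
    """Return {port: (identity source, alias)} for every listener port."""
    report = {}
    for port, jndi in ports.items():
        if jndi not in factories:
            report[port] = ("factory not found", None)
        else:
            report[port] = resolve_identity(*factories[jndi])
    return report


def needs_review(report):
    """Ports that do not connect with a container-managed alias."""
    return sorted(p for p, (source, _) in report.items()
                  if source != "container-managed alias")


if __name__ == "__main__":
    result = audit(LISTENER_PORTS, CONNECTION_FACTORIES)
    for port in sorted(result):
        print(port, *result[port])
    print("review:", ", ".join(needs_review(result)))
```

A port reported as "server identity" connects to the JMS provider with the application server's own credentials, which is the case to look at first when applying least privilege to queue access.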

What to do next

Invoking other EJBs

Messages arriving at a listener port have no client credentials associated with them. The messages are anonymous. To call secure enterprise beans from a message-driven bean, the message-driven bean must be configured with a RunAs Identity deployment descriptor. Security depends on the role specified by the RunAs Identity for the message-driven bean as an EJB component.

For more information about EJB security, see Securing enterprise bean applications. For more information about configuring security for your application, see Securing applications during assembly and deployment.





Last updated: July 9, 2016 7:55
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=cord&product=was-nd-mp&topic=tmb_sec00
File name: tmb_sec00.html