Asynchronous messaging - security considerations
Security for messaging operates as a part of global security, and is enabled only when global security is enabled.
JMS connections made to the JMS provider are authenticated, and access to JMS resources owned by the JMS provider is controlled by access authorizations. Also, all requests to create new connections to the JMS provider must provide a user ID and password for authentication. The user ID and password do not need to be provided by the application. If authentication is successful, the JMS connection is created; if authentication fails, the connection request is ended.
Standard J2C authentication is used for a request to create a new connection to the JMS provider. One can specify a Component-managed Authentication Alias and a Container-managed Authentication Alias for each JMS connection factory. The use of the associated J2C authentication data entries depends on the resource authentication (res-auth) setting, as follows:
- If your resource authentication (res-auth) is set to Application, set the alias in the Component-managed Authentication Alias. If the application that tries to create a connection to the JMS provider specifies a user ID and password, those values are used to authenticate the creation request. If the application does not specify a user ID and password, the values defined by the Component-managed Authentication Alias are used. If the connection factory is not configured with a Component-managed Authentication Alias, then you receive a runtime JMS exception when an attempt is made to connect to the JMS provider.
- If your res-auth is set to Container, set the Container-managed Authentication Alias. The values defined by the Container-managed Authentication Alias are used to authenticate the creation request. If you do not specify an alias, then you receive a runtime JMS exception when an attempt is made to connect to the JMS provider.
User IDs longer than 12 characters cannot be used for authentication with the embedded WebSphere JMS provider. For example, the default Windows NT user ID, Administrator, is not valid for use with embedded WebSphere messaging, because it contains 13 characters.
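The alias selection rules and the 12-character limit above, modelled as a small audit over connection factory references. This is an added example, not IBM code: the reference names, alias names and data layout are constructed, and the missing-alias exception under Application is read as applying when the application supplies no credentials.

```python
# Added example: models the res-auth rules above. Data and names are constructed.
MAX_EMBEDDED_USER_ID = 12  # limit stated for the embedded WebSphere JMS provider


class JMSConnectError(Exception):
    """Stands in for the runtime JMS exception raised at connect time."""


def resolve_user(ref, aliases, app_user=None):
    """Return (user_id, source) used to authenticate a new JMS connection."""
    if ref["res_auth"] == "Application":
        if app_user is not None:          # application passed its own credentials
            return app_user, "application"
        kind, alias = "Component-managed", ref.get("component_alias")
    elif ref["res_auth"] == "Container":  # the container alias values are used
        kind, alias = "Container-managed", ref.get("container_alias")
    else:
        raise ValueError("res-auth must be Application or Container")
    if alias not in aliases:  # unset; a dangling alias is treated the same (assumption)
        raise JMSConnectError("no usable %s Authentication Alias" % kind)
    return aliases[alias], "%s alias %s" % (kind, alias)


def audit(refs, aliases):
    """Map each resource reference name to a list of findings (empty = clean)."""
    report = {}
    for ref in refs:
        findings = []
        try:
            user, _ = resolve_user(ref, aliases)
            if len(user) > MAX_EMBEDDED_USER_ID:
                findings.append("user ID %r is longer than 12 characters" % user)
        except JMSConnectError as exc:
            findings.append("connect would fail: %s" % exc)
        report[ref["name"]] = findings
    return report


# Constructed sample: alias name -> user ID held in the J2C authentication data entry
ALIASES = {"node1/jmsApp": "jmsapp", "node1/admin": "Administrator"}
REFS = [
    {"name": "jms/OrdersCF", "res_auth": "Container", "container_alias": "node1/jmsApp"},
    {"name": "jms/AuditCF", "res_auth": "Application", "component_alias": "node1/admin"},
    {"name": "jms/BillingCF", "res_auth": "Container", "component_alias": "node1/jmsApp"},
]

if __name__ == "__main__":
    for name, findings in audit(REFS, ALIASES).items():
        print(name, findings or "ok")
```

The third constructed reference shows the common misconfiguration: res-auth is Container but only the component-managed alias is set, so the connection attempt would fail at run time.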
Authorization to access JMS resources owned by the embedded WebSphere JMS provider is controlled by authorization data in config/integral-jms-authorisations.xml