Security of lookups with component managed authentication

External Java clients (standalone clients or servers from other cells) with JNDI access can look up a J2C resource such as a data source or JMS queue. However, they are not permitted to use the component managed authentication alias defined on the resource. This alias is a default value that is used when a user and password are not supplied on the getConnection call. Therefore, an external client that needs a connection must take responsibility for the authentication data itself. It can either pass the user and password on the getConnection call, or it can use the no-argument getConnection() call and define the alias, with the corresponding user and password, in a file on each system on which the client is expected to run.
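
The first option above (passing the user and password on the getConnection call) as an added example; this is not code from the product documentation. The bootstrap address, the JNDI name jdbc/SampleDS and the DB_USER / DB_PASSWORD environment variables are assumptions, and the WebSphere client runtime is assumed to be on the classpath.

```java
import java.sql.Connection;
import java.sql.SQLException;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;

public class ExternalClientLookup {

    // Hypothetical values: replace with the bootstrap address and JNDI name used in your cell.
    static final String PROVIDER_URL = "corbaloc:iiop:appserver.example.com:2809";
    static final String JNDI_NAME = "jdbc/SampleDS";

    /** Reads a required setting from the environment and fails closed if it is absent. */
    static String requireEnv(String name) {
        String value = System.getenv(name);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException(name + " is not set; refusing to connect without credentials");
        }
        return value;
    }

    static Connection connect() throws NamingException, SQLException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.ibm.websphere.naming.WsnInitialContextFactory");
        env.put(Context.PROVIDER_URL, PROVIDER_URL);

        Context ctx = new InitialContext(env);
        try {
            DataSource ds = (DataSource) ctx.lookup(JNDI_NAME);
            // The component managed alias on the resource is not applied for an external
            // client, so the credentials are supplied explicitly and never hardcoded.
            return ds.getConnection(requireEnv("DB_USER"), requireEnv("DB_PASSWORD"));
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) throws Exception {
        try (Connection c = connect()) {
            System.out.println("Connected as " + c.getMetaData().getUserName());
        }
    }
}
```

Failing when a credential is missing keeps the client from silently falling back to the no-argument getConnection() call, which for an external client depends on an alias file being present on that system.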

Any client running in the WebSphere Application Server (WAS) process (such as a servlet or an enterprise bean) within the same cell that can look up a resource in the JNDI namespace can obtain connections without providing authentication data. It is important to note that a J2C authentication alias is defined per cell. An enterprise bean or servlet in one application server cannot look up a resource in another server process that is in a different cell, because the alias would not be resolved.