Set security for EJB 2.1 message-driven beans

Use this task to configure resource security and security permissions for EJB Version 2.1 message-driven beans.

The association between connection factories, destinations, and message-driven beans is provided by listener ports. A listener port allows a deployed message-driven bean associated with the port to retrieve messages from the associated destination. You create listener ports by specifying their admin name, the connection factory JNDI name, and the destination name (other optional properties are also configurable). Listener ports provide simplified administration of the associations between connection factories, destinations and message-driven beans, and are managed by a listener manager. The listener manager is provided by the message listener service to control and monitor the JMS listeners that are monitoring JMS destinations on behalf of deployed message-driven beans.

See about listener ports, see Message-driven beans - listener port components.

Messages handled by message-driven beans have no client credentials associated with them. The messages are anonymous.

To call secure enterprise beans from a message-driven bean, the message-driven bean needs to be configured with a RunAs Identity deployment descriptor. Security depends on the role specified by the RunAs Identity for the message-driven bean as an EJB component.

See about EJB security, see EJB component security.

See about configuring security for the application, see Assembling secured applications.

Connections used by message-driven beans can benefit from the added security of using J2C container-managed authentication. To enable the use of J2C container authentication aliases and mapping, define an authentication alias on the J2C activation specification that the message-driven bean is configured with. If defined, the message-driven bean uses the authentication alias for its JMSConnection security credentials instead of any application-managed alias.

To set the authentication alias, we can use the admin console to complete the following steps. This task description assumes that we have already created an activation specification. To create a new activation specification, see the related tasks.

 

• For a message-driven bean listening on a JMS destination of the default messaging provider, set the authentication alias on a JMS activation specification.

  1. To display a list of existing JMS activation specifications, navigate to the following admin console collection panel: Resources > JMS > Activation specifications

  2. If we have already created a JMS activation specification, click its name in the list displayed. Otherwise, click New to create a new JMS activation specification.

  3. Set the Authentication alias property.

  4. Click OK

  5. Save the changes to the master configuration.

• For a message-driven bean listening on a destination (or endpoint) of another Java EE Connector Architecture (JCA) provider, set the authentication alias on a J2C activation specification.

  1. To display the J2C activation specification settings, click Resources > Resource Adapters > J2C activation specifications > activation_specification_name

  2. Set the Authentication alias property.

  3. Click OK

  4. Save the changes to the master configuration.

 

Related tasks

Secure messaging
Set an activation spec for the default messaging provider