Security in JMS is related to preventing unauthorized access to the JMS resources. This is essential in many use cases such as banking systems and aviation industry systems where sensitive information must be protected.
More information: Authorization Concept of the AS Java
When a new JMS virtual provider is created, it has default security settings, that is, default permissions, actions, and roles that give access to its resources.
All JMS-related security is specified in the actions.xml deployment descriptor in the META-INF folder of your enterprise application (EAR) project. In this file you define custom permissions, roles, and actions.
To assign actions to a JMS role you can use either the SAP NetWeaver Developer Studio, or the SAP NetWeaver Administrator. However, you can create new actions only in the actions.xml in the Developer Studio.
Assigning security roles using the Developer Studio
1. Define JMS security in the jms-resources.xml deployment descriptor
There is a specific property in the jms-resources.xml related to the security in JMS. To provide authorization in JMS you have to specify the customSecurityConfiguration property. Its default value is false.
The following example is an excerpt of the jms-resources.xml with the customSecurityConfiguration property included:
<jms-resources>
  <application-name>JMSSecurityTestEAR</application-name>
  <destination>
    <name>JMSSecurityTestQueue</name>
    <type>javax.jms.Queue</type>
    <sap-local-destination-type>
      <virtual-provider>SecurityTestVP</virtual-provider>
    </sap-local-destination-type>
  </destination>
  <destination>
    <name>JMSSecurityTestTopic</name>
    <type>javax.jms.Topic</type>
    <sap-local-destination-type>
      <virtual-provider>SecurityTestVP</virtual-provider>
    </sap-local-destination-type>
  </destination>
  <virtual-provider-properties>
    <name>SecurityTestVP</name>
    <property>
      <description>customSecurityConfiguration</description>
      <config-property-name>customSecurityConfiguration</config-property-name>
      <config-property-value>true</config-property-value>
    </property>
  </virtual-provider-properties>
</jms-resources>
2. Create actions.xml file in the EAR project
In the context menu of the META-INF folder of the EAR project, choose .
Expand the XML node and select XML. Choose Next.
Enter actions.xml in the File name field. Make sure that META-INF is selected as the parent folder of the actions.xml file. Choose Next.
Select the Create XML file from an XML template radio button.
Choose Next, then choose Finish.
3. Create actions related to JMS security in the actions.xml deployment descriptor
You have to create actions in the actions.xml file and assign permissions in these actions. In one action you can have one or more permissions. For each permission, you have to define:
permission class
name - depends on the permission class you have specified.
value - depends on the name and respectively on the permission class you have specified.
There are two JMS-related permission classes:
com.sap.jms.server.service.impl.JMSDestinationPermission
com.sap.jms.server.service.impl.JMSAdministrationPermission
If you select the com.sap.jms.server.service.impl.JMSDestinationPermission permission class, then you have the following possibilities for the name of the permission and the respective value:
Permission Name | Corresponding Value
---|---
[VP_name.queue] (example: JMSTestVP.queue) | ALL:$:ALL
 | produce:$:[queue_name]
 | produce:$:ALL
 | consumer:$:[queue_name]
 | consumer:$:ALL
 | browse:$:[queue_name]
 | browse:$:ALL
[VP_name.temp.queue] | ALL:$:ALL
 | produce:$:ALL
 | consumer:$:ALL
 | browse:$:ALL
[VP_name.topic] | ALL:$:ALL
 | produce:$:[topic_name]
 | produce:$:ALL
 | consumer:$:[topic_name]
 | consumer:$:ALL
[VP_name.temp.topic] | ALL:$:ALL
 | produce:$:ALL
 | consumer:$:ALL
If you select the com.sap.jms.server.service.impl.JMSAdministrationPermission permission class, then you have the following possibilities for the name of the permission and the respective value:
Permission Name | Corresponding Value
---|---
[VP_name.administration] | ALL:$:ALL
 | create_queue:$:ALL
 | create_temporary_queue:$:ALL
 | remove_queue:$:ALL
 | create_topic:$:ALL
 | create_temporary_topic:$:ALL
 | remove_topic:$:ALL
 | create_subscription:$:ALL
 | remove_subscription:$:ALL
Open the actions.xml file for editing and use the following example to create JMS-related actions and assign the corresponding permissions. In this code excerpt the permission class is com.sap.jms.server.service.impl.JMSDestinationPermission, with JMSTestVP specified as the JMS Virtual Provider, a destination of type queue, and the value ALL:$:ALL, which gives full authorization to create, delete and browse queues.
<?xml version="1.0" encoding="UTF-8"?>
<BUSINESSSERVICE NAME="JMSSecurityTestApp">
  <DESCRIPTION LOCALE="en" VALUE="JMS Service for JMSSecurityTestVP"/>
  <ACTION NAME="JMSSecurityTestAction1">
    <DESCRIPTION LOCALE="en" VALUE="Autogenerated action for JMSSecurityTest"/>
    <!-- NAME selects the virtual provider (JMSTestVP) and destination type (queue); VALUE ALL:$:ALL grants every operation on every queue -->
    <PERMISSION CLASS="com.sap.jms.server.service.impl.JMSDestinationPermission" NAME="JMSTestVP.queue" VALUE="ALL:$:ALL"/>
  </ACTION>
  <ROLE NAME="JMSSecurityTestRole1">
    <ASSIGNEDACTION NAME="JMSSecurityTestAction1"/>
  </ROLE>
  <ROLE NAME="Administrator">
    <ASSIGNEDACTION NAME="JMSSecurityTestAction1"/>
  </ROLE>
  <!-- The Everyone role covers all users, so this assignment hands the full-access action to every user -->
  <ROLE NAME="Everyone">
    <ASSIGNEDACTION NAME="JMSSecurityTestAction1"/>
  </ROLE>
</BUSINESSSERVICE>
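The two permission tables and the actions.xml excerpt above describe a small grammar for NAME and VALUE. The following added example (not SAP code or part of the original page) lints an actions.xml against that grammar, flags a typo in a permission value, and reports when an action carrying ALL:$:ALL is assigned to the Everyone role. The treatment of the [queue_name] and [topic_name] placeholders as any text without a colon, and the constructed SAMPLE descriptor, are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

DEST = "com.sap.jms.server.service.impl.JMSDestinationPermission"
ADMIN = "com.sap.jms.server.service.impl.JMSAdministrationPermission"
# Allowed VALUE syntax per NAME suffix, transcribed from the two tables above. The [queue_name] /
# [topic_name] placeholders are taken to be any non-empty text without ':' (assumption of this example).
VALUE_RULES = {
    "queue": r"ALL:\$:ALL|(produce|consumer|browse):\$:[^:]+",
    "temp.queue": r"(ALL|produce|consumer|browse):\$:ALL",
    "topic": r"ALL:\$:ALL|(produce|consumer):\$:[^:]+",
    "temp.topic": r"(ALL|produce|consumer):\$:ALL",
    "administration": r"(ALL|create_queue|create_temporary_queue|remove_queue|create_topic|"
                      r"create_temporary_topic|remove_topic|create_subscription|remove_subscription):\$:ALL",
}
CLASS_SUFFIXES = {DEST: ("queue", "temp.queue", "topic", "temp.topic"), ADMIN: ("administration",)}


def lint_actions_xml(xml_text):
    """Return findings: permissions that violate the tables, plus ALL:$:ALL actions handed to Everyone."""
    root = ET.fromstring(xml_text)
    findings, full_access = [], set()
    for action in root.iter("ACTION"):
        aname = action.get("NAME")
        for perm in action.findall("PERMISSION"):
            cls, name, value = perm.get("CLASS"), perm.get("NAME", ""), perm.get("VALUE", "")
            # Longest suffix first so 'VP.temp.queue' is not misread as VP 'VP.temp' with suffix 'queue'.
            suffix = next((s for s in sorted(CLASS_SUFFIXES.get(cls, ()), key=len, reverse=True)
                           if name.endswith("." + s) and len(name) > len(s) + 1), None)
            if cls not in CLASS_SUFFIXES:
                findings.append(f"{aname}: unknown permission class {cls}")
            elif suffix is None:
                findings.append(f"{aname}: NAME '{name}' is not VP_name.{{{'|'.join(CLASS_SUFFIXES[cls])}}}")
            elif not re.fullmatch(VALUE_RULES[suffix], value):
                findings.append(f"{aname}: VALUE '{value}' is not a listed value for {suffix}")
            elif value == "ALL:$:ALL":
                full_access.add(aname)
    # The built-in Everyone role reaches all users, so a full-access action assigned there is flagged.
    for role in root.iter("ROLE"):
        for a in role.findall("ASSIGNEDACTION"):
            if role.get("NAME") == "Everyone" and a.get("NAME") in full_access:
                findings.append(f"role Everyone is assigned full-access action {a.get('NAME')}")
    return findings

# Constructed sample: the page's action plus a second action whose verb is misspelled ('consume').
SAMPLE = f"""<BUSINESSSERVICE NAME="JMSSecurityTestApp">
  <ACTION NAME="JMSSecurityTestAction1"><PERMISSION CLASS="{DEST}" NAME="JMSTestVP.queue" VALUE="ALL:$:ALL"/></ACTION>
  <ACTION NAME="ReadersOnly"><PERMISSION CLASS="{DEST}" NAME="JMSTestVP.queue" VALUE="consume:$:ALL"/></ACTION>
  <ROLE NAME="Everyone"><ASSIGNEDACTION NAME="JMSSecurityTestAction1"/></ROLE>
</BUSINESSSERVICE>"""
```

Run `lint_actions_xml(SAMPLE)` to see both findings; a descriptor whose values all match the tables and whose full-access actions avoid Everyone returns an empty list.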
Assigning security roles using the SAP NetWeaver Administrator
Using the SAP NetWeaver Administrator you can create, delete and modify users, groups, and roles. You can also assign:
roles and groups to users
users and roles to groups
actions, groups, and users to roles
The security roles defined in the application are displayed as UME actions in the SAP NetWeaver Administrator.
The following procedure describes how to assign JMS actions to predefined roles.
Open the SAP NetWeaver Administrator.
Choose .
Select Role in the Search Criteria field. Choose Go. In the list of available roles that appears, select the role you want to assign an action to.
In the Details of Role section, choose Modify .
Choose the Assigned Actions tab.
Enter *jms* in the Get field of the Available Actions area, and choose Go. A list of the available services or applications that use JMS appears.
Select an action from the Available Actions list and choose Add . This action is now part of the Assigned Actions list of the corresponding security role.
More information: Managing Users, Groups, and Roles