Defining Security in JMS

Use

Security in JMS is related to preventing unauthorized access to the JMS resources. This is essential in many use cases such as banking systems and aviation industry systems where sensitive information must be protected.

More information: Authorization Concept of the AS Java

When a new JMS virtual provider is created, it has default security settings, that is, the permissions, actions, and roles give access to its resources.

All JMS-related security is specified in the actions.xml deployment descriptor in the META-INF folder of your enterprise application (EAR) project. In this file you define custom permissions, roles, and actions.

Procedure

To assign actions to a JMS role you can use either the SAP NetWeaver Developer Studio, or the SAP NetWeaver Administrator. However, you can create new actions only in the actions.xml in the Developer Studio.

Assigning security roles using the Developer Studio

1. Define JMS security in the jms-resources.xml deployment descriptor

There is a specific property in the jms-resources.xml related to the security in JMS. To provide authorization in JMS you have to specify the customSecurityConfiguration property. Its default value is false.

The following example is an excerpt of the jms-resources.xml with the customSecurityConfiguration property included:

<jms-resources>
        <application-name>JMSSecurityTestEAR</application-name>

        <destination>
                <name>JMSSecurityTestQueue</name>
                <type>javax.jms.Queue</type>
                <sap-local-destination-type>
                        <virtual-provider>SecurityTestVP</virtual-provider>
                </sap-local-destination-type>
        </destination>
        
        <destination>
                <name>JMSSecurityTestTopic</name>
                <type>javax.jms.Topic</type>
                <sap-local-destination-type>
                        <virtual-provider>SecurityTestVP</virtual-provider>
                </sap-local-destination-type>
        </destination>
        
        <virtual-provider-properties>
                <name>SecurityTestVP</name> 
                <property>
                        <description>customSecurityConfiguration</description>
                        <config-property-name>customSecurityConfiguration</config-property-name>
                        <config-property-value>true</config-property-value>
                </property>
        </virtual-provider-properties>
        
</jms-resources>
            

2. Create actions.xml file in the EAR project

  1. In the context menu of the META-INF folder of the EAR project, choose New > Other.

  2. Expand the XML node and select XML. Choose Next.

  3. Enter actions.xml in the File name field. Make sure that META-INF is selected for the parent folder of the actions.xml file. Choose Next.

  4. Select the Create XML file from an XML template radio button.

  5. Choose Next, then choose Finish.

3. Create actions related to JMS security in the actions.xml deployment descriptor

You have to create actions in the actions.xml file and assign permissions in these actions. In one action you can have one or more permissions. For each permission, you have to define:

  • permission class

  • name - depends on the permission class you have specified.

  • value - depends on the name and respectively on the permission class you have specified.

There are two JMS-related permission classes:

  • com.sap.jms.server.service.impl.JMSDestinationPermission

  • com.sap.jms.server.service.impl.JMSAdministrationPermission

If you select the com.sap.jms.server.service.impl.JMSDestinationPermission permission class, then you have the following possibilities for the name of the permission and the respective value:

| Permission Name | Corresponding Value |
|---|---|
| [VP_name.queue] (example: JMSTestVP.queue) | ALL:$:ALL, produce:$:[queue_name], produce:$:ALL, consumer:$:[queue_name], consumer:$:ALL, browse:$:[queue_name], browse:$:ALL |
| [VP_name.temp.queue] | ALL:$:ALL, produce:$:ALL, consumer:$:ALL, browse:$:ALL |
| [VP_name.topic] | ALL:$:ALL, produce:$:[topic_name], produce:$:ALL, consumer:$:[topic_name], consumer:$:ALL |
| [VP_name.temp.topic] | ALL:$:ALL, produce:$:ALL, consumer:$:ALL |

If you select the com.sap.jms.server.service.impl.JMSAdministrationPermission permission class, then you have the following possibilities for the name of the permission and the respective value:

| Permission Name | Corresponding Value |
|---|---|
| [VP_name.administration] | ALL:$:ALL, create_queue:$:ALL, create_temporary_queue:$:ALL, remove_queue:$:ALL, create_topic:$:ALL, create_temporary_topic:$:ALL, remove_topic:$:ALL, create_subscription:$:ALL, remove_subscription:$:ALL |

Open the actions.xml file for editing and use the following example to create JMS-related actions and assign the corresponding permissions. In this code excerpt the permission class is com.sap.jms.server.service.impl.JMSDestinationPermission, the JMS virtual provider is JMSTestVP, the destination type is queue, and the value is ALL:$:ALL, which gives full authorization to create, delete and browse queues.

<?xml version="1.0" encoding="UTF-8"?>
<BUSINESSSERVICE NAME="JMSSecurityTestApp">
        <DESCRIPTION LOCALE="en" VALUE="JMS Service for JMSSecurityTestVP"/>

        <ACTION NAME="JMSSecurityTestAction1">
                <DESCRIPTION LOCALE="en" VALUE="Autogenerated action for JMSSecurityTest"/>
                <PERMISSION
                        CLASS="com.sap.jms.server.service.impl.JMSDestinationPermission"
                        NAME="JMSTestVP.queue" VALUE="ALL:$:ALL" />
        </ACTION>


        <ROLE NAME="JMSSecurityTestRole1">
                <ASSIGNEDACTION NAME="JMSSecurityTestAction1"/>
        </ROLE>

        <ROLE NAME="Administrator">
                <ASSIGNEDACTION NAME="JMSSecurityTestAction1"/>
        </ROLE>

        <ROLE NAME="Everyone">
                <ASSIGNEDACTION NAME="JMSSecurityTestAction1"/>
        </ROLE>
</BUSINESSSERVICE>
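
The following Python check is an added example, not part of the SAP documentation: it reads an actions.xml, validates each permission against the two tables above, and reports which roles receive wildcard grants (as Everyone does in the excerpt above). The audit function, the BROAD_ROLES set, and the ProduceOnly, BadTopic and Sender entries in the sample are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

DEST = "com.sap.jms.server.service.impl.JMSDestinationPermission"
ADMIN = "com.sap.jms.server.service.impl.JMSAdministrationPermission"
# Operations allowed per (class, last segment of the permission name), from the tables above.
ALLOWED = {
    (DEST, "queue"): {"ALL", "produce", "consumer", "browse"},
    (DEST, "topic"): {"ALL", "produce", "consumer"},
    (ADMIN, "administration"): {
        "ALL", "create_queue", "create_temporary_queue", "remove_queue",
        "create_topic", "create_temporary_topic", "remove_topic",
        "create_subscription", "remove_subscription"},
}
BROAD_ROLES = {"Everyone"}  # assumption: roles considered too wide for wildcard grants

def audit(xml_text):
    """Return (finding, role or action, permission name, value) tuples."""
    root, findings, wildcard = ET.fromstring(xml_text), [], {}
    for action in root.iter("ACTION"):
        for p in action.iter("PERMISSION"):
            cls, name, value = p.get("CLASS"), p.get("NAME", ""), p.get("VALUE", "")
            op, sep, target = value.partition(":$:")
            named_ok = cls == DEST and ".temp." not in name  # only these accept a destination name
            ops = ALLOWED.get((cls, name.rsplit(".", 1)[-1]), set())
            if not sep or op not in ops or (target != "ALL" and not named_ok):
                findings.append(("invalid", action.get("NAME"), name, value))
            elif op == "ALL" or (named_ok and target == "ALL"):
                wildcard.setdefault(action.get("NAME"), []).append((name, value))
    for role in root.iter("ROLE"):
        kind = "wildcard-to-broad-role" if role.get("NAME") in BROAD_ROLES else "wildcard"
        for assigned in role.iter("ASSIGNEDACTION"):
            for name, value in wildcard.get(assigned.get("NAME"), []):
                findings.append((kind, role.get("NAME"), name, value))
    return findings

# Constructed sample: the first action and two of its roles follow the excerpt above; the rest is made up.
SAMPLE = f"""<BUSINESSSERVICE NAME="JMSSecurityTestApp">
  <ACTION NAME="JMSSecurityTestAction1">
    <PERMISSION CLASS="{DEST}" NAME="JMSTestVP.queue" VALUE="ALL:$:ALL"/></ACTION>
  <ACTION NAME="ProduceOnly">
    <PERMISSION CLASS="{DEST}" NAME="JMSTestVP.queue" VALUE="produce:$:JMSSecurityTestQueue"/></ACTION>
  <ACTION NAME="BadTopic">
    <PERMISSION CLASS="{DEST}" NAME="JMSTestVP.topic" VALUE="browse:$:ALL"/></ACTION>
  <ROLE NAME="JMSSecurityTestRole1"><ASSIGNEDACTION NAME="JMSSecurityTestAction1"/></ROLE>
  <ROLE NAME="Everyone"><ASSIGNEDACTION NAME="JMSSecurityTestAction1"/></ROLE>
  <ROLE NAME="Sender"><ASSIGNEDACTION NAME="ProduceOnly"/></ROLE>
</BUSINESSSERVICE>"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

The ProduceOnly action, scoped to one operation on one named queue, produces no finding; the wildcard action is reported once per role that holds it.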
            

Assigning security roles using the SAP NetWeaver Administrator

Using the SAP NetWeaver Administrator you can create, delete and modify users, groups, and roles. You can also assign:

  • roles and groups to users

  • users and roles to groups

  • actions, groups, and users to roles

Note

The security roles defined in the application are displayed as UME actions in the SAP NetWeaver Administrator.

The following procedure describes how to assign JMS actions to predefined roles.

  1. Open the SAP NetWeaver Administrator.

  2. Choose Configuration > Security > Identity Management.

  3. Select Role in the Search Criteria field. Choose Go. In the list of available roles that appears, select the role you want to assign an action to.

  4. In the Details of Role section, choose Modify.

  5. Choose the Assigned Actions tab.

  6. Enter *jms* in the Get field of the Available Actions area, and choose Go. A list of the available services or applications that use JMS appears.

  7. Select an action from the Available Actions list and choose Add. This action is now part of the Assigned Actions list of the corresponding security role.

More information: Managing Users, Groups, and Roles