Defining Security in JMS

 

Security in JMS is related to preventing unauthorized access to the JMS resources. This is essential in many use cases such as banking systems and aviation industry systems where sensitive information must be protected.

More information: Authorization Concept of the AS Java

When a new JMS Virtual Provider is created, it has default security settings; that is, the permissions, actions, and roles give full access to all of its resources. All resources created for that Virtual Provider are assigned to the role “everyone”.

All JMS-related security is specified in the actions.xml deployment descriptor in the META-INF folder of your enterprise application (EAR) project. In this file you define custom permissions, roles, and actions.

Procedure

To assign actions to a JMS role you can use either the SAP NetWeaver Developer Studio, or the SAP NetWeaver Administrator. However, you can create new actions only in the actions.xml in the Developer Studio.

Assigning security roles using the Developer Studio
1. Define JMS security in the jms-resources.xml deployment descriptor

There is a specific property in the jms-resources.xml related to the security in JMS. To provide authorization in JMS you have to specify the customSecurityConfiguration property. Its default value is false.

The following example is an excerpt of the jms-resources.xml with the customSecurityConfiguration property included:

    <jms-resources>
    
    	<application-name>JMSSecurityTestEAR</application-name>
    
    	<destination>
    		<name>JMSSecurityTestQueue</name>
    		<type>javax.jms.Queue</type>
    		<sap-local-destination-type>
    			<virtual-provider>SecurityTestVP</virtual-provider>
    		</sap-local-destination-type>
    	</destination>
    
    	<destination>
    		<name>JMSSecurityTestTopic</name>
    		<type>javax.jms.Topic</type>
    		<sap-local-destination-type>
    			<virtual-provider>SecurityTestVP</virtual-provider>
    		</sap-local-destination-type>
    	</destination>
    
    	<virtual-provider-properties>
    		<name>SecurityTestVP</name> 
    		<property>
    			<description>customSecurityConfiguration</description>
    			<config-property-name>customSecurityConfiguration</config-property-name>
    			<config-property-value>true</config-property-value>
    		</property>
    	</virtual-provider-properties>
    
    </jms-resources>
2. Create actions.xml file in the EAR project
  1. In the context menu of the META-INF folder of the EAR project, choose New > Other.

  2. Expand the XML node and choose XML. Choose Next.

  3. Enter actions.xml in the File name field. Make sure that META-INF is selected for the parent folder of the actions.xml file. Choose Next.

  4. Select the Create XML file from an XML template radio button. Choose Next.

  5. Choose Finish.

3. Create actions related to JMS security in the actions.xml deployment descriptor

You have to create actions in the actions.xml file and assign permissions in these actions. In one action you can have one or more permissions. For each permission, you have to define:

  • permission class

  • name — depends on the permission class you have specified.

  • value — depends on the name and respectively on the permission class you have specified.

There are two JMS-related permission classes:

  • com.sap.jms.server.service.impl.JMSDestinationPermission

  • com.sap.jms.server.service.impl.JMSAdministrationPermission

If you select the com.sap.jms.server.service.impl.JMSDestinationPermission permission class, then you have the following possibilities for the name of the permission and the respective value:

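| Permission Name | Corresponding Value |
|---|---|
| [VP_name.queue] (example: JMSTestVP.queue) | ALL:$:ALL |
| [VP_name.queue] | produce:$:[queue_name] |
| [VP_name.queue] | produce:$:ALL |
| [VP_name.queue] | consumer:$:[queue_name] |
| [VP_name.queue] | consumer:$:ALL |
| [VP_name.queue] | browse:$:[queue_name] |
| [VP_name.queue] | browse:$:ALL |
| [VP_name.temp.queue] | ALL:$:ALL |
| [VP_name.temp.queue] | produce:$:ALL |
| [VP_name.temp.queue] | consumer:$:ALL |
| [VP_name.temp.queue] | browse:$:ALL |
| [VP_name.topic] | ALL:$:ALL |
| [VP_name.topic] | produce:$:[topic_name] |
| [VP_name.topic] | produce:$:ALL |
| [VP_name.topic] | consumer:$:[topic_name] |
| [VP_name.topic] | consumer:$:ALL |
| [VP_name.temp.topic] | ALL:$:ALL |
| [VP_name.temp.topic] | produce:$:ALL |
| [VP_name.temp.topic] | consumer:$:ALL |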

If you select the com.sap.jms.server.service.impl.JMSAdministrationPermission permission class, then you have the following possibilities for the name of the permission and the respective value:

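| Permission Name | Corresponding Value |
|---|---|
| [VP_name.administration] | ALL:$:ALL |
| [VP_name.administration] | create_queue:$:ALL |
| [VP_name.administration] | create_temporary_queue:$:ALL |
| [VP_name.administration] | remove_queue:$:ALL |
| [VP_name.administration] | create_topic:$:ALL |
| [VP_name.administration] | create_temporary_topic:$:ALL |
| [VP_name.administration] | remove_topic:$:ALL |
| [VP_name.administration] | create_subscription:$:ALL |
| [VP_name.administration] | remove_subscription:$:ALL |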

Open the actions.xml file for editing and use the following example to create JMS-related actions and assign the corresponding permissions. In this code excerpt the permission class is com.sap.jms.server.service.impl.JMSDestinationPermission, with JMSTestVP specified as the JMS Virtual Provider, a destination of type queue, and the value ALL:$:ALL, which gives full authorization to create, delete and browse queues.

    <?xml version="1.0" encoding="UTF-8"?>
    <BUSINESSSERVICE NAME="JMSSecurityTestApp">
    	<DESCRIPTION LOCALE="en" VALUE="JMS Service for JMSSecurityTestVP"/>
    
    	<ACTION NAME="JMSSecurityTestAction1">
    	<DESCRIPTION LOCALE="en" VALUE="Autogenerated action for JMSSecurityTest"/>
    		<PERMISSION
    			CLASS="com.sap.jms.server.service.impl.JMSDestinationPermission"
    			NAME="JMSTestVP.queue" VALUE="ALL:$:ALL" />
    	</ACTION>
    
    
    	<ROLE NAME="JMSSecurityTestRole1">
    		<ASSIGNEDACTION NAME="JMSSecurityTestAction1"/>
    	</ROLE>
    
    	<ROLE NAME="Administrator">
    		<ASSIGNEDACTION NAME="JMSSecurityTestAction1"/>
    	</ROLE>
    
    	<ROLE NAME="Everyone">
    		<ASSIGNEDACTION NAME="JMSSecurityTestAction1"/>
    	</ROLE>
    </BUSINESSSERVICE>
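A check for broad grants in an actions.xml like the one above, as an added example that is not part of the original documentation or of SAP's tooling: it parses the descriptor and reports JMS permissions that use ALL for the operation or the destination, or that are assigned to the Everyone role. The function name audit_actions is hypothetical, and the NARROWED descriptor with its action and role names (ProduceToTestQueue, QueueProducer) is constructed for illustration from the queue and Virtual Provider names in the jms-resources.xml excerpt.

```python
import xml.etree.ElementTree as ET

PKG = "com.sap.jms.server.service.impl."
JMS_CLASSES = {PKG + "JMSDestinationPermission", PKG + "JMSAdministrationPermission"}

def audit_actions(xml_text):
    """Return (role, action, permission name, value, reasons) for broad grants."""
    root = ET.fromstring(xml_text)
    # JMS permissions of every action, as (NAME, VALUE) pairs.
    perms = {a.get("NAME"): [(p.get("NAME"), p.get("VALUE", "")) for p in a.iter("PERMISSION")
                             if p.get("CLASS") in JMS_CLASSES]
             for a in root.iter("ACTION")}
    findings = []
    for role in root.iter("ROLE"):
        role_name = role.get("NAME", "")
        for assigned in role.iter("ASSIGNEDACTION"):
            action = assigned.get("NAME")
            for name, value in perms.get(action, []):
                operation, _, target = value.partition(":$:")
                checks = [(role_name.lower() == "everyone", "granted to every user"),
                          (operation == "ALL", "all operations"),
                          (target == "ALL", "all destinations")]
                reasons = [text for hit, text in checks if hit]
                if reasons:
                    findings.append((role_name, action, name, value, reasons))
    return findings

# The page's excerpt, shortened: one ALL:$:ALL action assigned to three roles.
PAGE_EXCERPT = """<BUSINESSSERVICE NAME="JMSSecurityTestApp">
  <ACTION NAME="JMSSecurityTestAction1">
    <PERMISSION CLASS="com.sap.jms.server.service.impl.JMSDestinationPermission"
                NAME="JMSTestVP.queue" VALUE="ALL:$:ALL"/>
  </ACTION>
  <ROLE NAME="JMSSecurityTestRole1"><ASSIGNEDACTION NAME="JMSSecurityTestAction1"/></ROLE>
  <ROLE NAME="Administrator"><ASSIGNEDACTION NAME="JMSSecurityTestAction1"/></ROLE>
  <ROLE NAME="Everyone"><ASSIGNEDACTION NAME="JMSSecurityTestAction1"/></ROLE>
</BUSINESSSERVICE>"""

# Constructed narrower variant; its action and role names are hypothetical.
NARROWED = """<BUSINESSSERVICE NAME="JMSSecurityTestApp">
  <ACTION NAME="ProduceToTestQueue">
    <PERMISSION CLASS="com.sap.jms.server.service.impl.JMSDestinationPermission"
                NAME="SecurityTestVP.queue" VALUE="produce:$:JMSSecurityTestQueue"/>
  </ACTION>
  <ROLE NAME="QueueProducer"><ASSIGNEDACTION NAME="ProduceToTestQueue"/></ROLE>
</BUSINESSSERVICE>"""

if __name__ == "__main__":
    print(*audit_actions(PAGE_EXCERPT), sep="\n")
```

The page's excerpt yields one finding per role, with the Everyone entry carrying all three reasons; the narrowed descriptor yields none.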
Assigning security roles using the SAP NetWeaver Administrator

Using the SAP NetWeaver Administrator you can create, delete and modify users, groups, and roles. You can also assign:

  • roles and groups to users

  • users and roles to groups

  • actions, groups, and users to roles

Note

The security roles defined in the application are displayed as UME actions in the SAP NetWeaver Administrator.

The following procedure describes how to assign JMS actions to predefined roles.

  1. Open the SAP NetWeaver Administrator.

  2. Choose Configuration Management > Security > Identity Management.

  3. Select Role in the Search Criteria field. Choose Go. A list with all available roles appears. Select the role you want to assign an action to.

  4. In the Details of Role Administrator section, choose Modify.

  5. Choose the Assign Actions tab.

  6. Enter *jms* in the Get field and choose Go. A list of the available services or applications that use JMS appears.

  7. Select an action from the Available Actions list and choose Add. This action is now part of the Assigned Actions list of the corresponding security role.

More information: Managing Users, Groups, and Roles