386 Patterns: Implementing Self-Service in an SOA Environment
4. Check the boxes to the left of the queue Destinations and the ThreadUsage.
Figure 11-13 Monitoring mediation counters
11.6.3 Security considerations
The JMS specification does not specify any features for controlling message
integrity or authentication. It is expected that the JMS provider will provide these
services. Security is considered to be a JMS provider-specific feature that is
configured by an administrator, rather than controlled with the JMS API by
clients.
Message-driven bean security
Messages arriving at a destination serviced by a message-driven bean carry no
client credentials; as far as the container is concerned they are anonymous.
Any security check on work the bean performs (for example, calling a protected
session bean) therefore depends on the role supplied by the RunAs identity
configured for the message-driven bean as an EJB component.
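The following is an added example (not code from the Redbook or from IBM) showing why the RunAs identity matters. The bean names, the role name OrderProcessor and the JNDI name jms/OrderQueue are assumptions made for this illustration; it uses EJB 3.x annotations, where EJB 2.1 assemblies express the same thing with the security-identity/run-as element in ejb-jar.xml.

```java
// File: OrderServiceBean.java
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;

// Protected business bean: only callers in the OrderProcessor role may call it.
// (OrderProcessor is a hypothetical role chosen for this example.)
@Stateless
public class OrderServiceBean {
    @RolesAllowed("OrderProcessor")
    public void placeOrder(String orderXml) {
        // ... business logic ...
    }
}

// File: OrderListenerMDB.java
import javax.annotation.security.RunAs;
import javax.ejb.ActivationConfigProperty;
import javax.ejb.EJB;
import javax.ejb.EJBAccessException;
import javax.ejb.MessageDriven;
import javax.jms.JMSException;
import javax.jms.Message;
import javax.jms.MessageListener;
import javax.jms.TextMessage;

// onMessage() runs with no caller principal: the message is anonymous.
// Without @RunAs the call to placeOrder() below is rejected by the container
// with javax.ejb.EJBAccessException. @RunAs makes the container perform the
// bean's outbound EJB calls under the named role, which the deployer must map
// to a real user in the WebSphere bindings (RunAs role to user mapping).
@MessageDriven(activationConfig = {
    @ActivationConfigProperty(propertyName = "destinationType",
                              propertyValue = "javax.jms.Queue"),
    @ActivationConfigProperty(propertyName = "destination",
                              propertyValue = "jms/OrderQueue")   // assumed JNDI name
})
@RunAs("OrderProcessor")
public class OrderListenerMDB implements MessageListener {

    @EJB
    private OrderServiceBean orderService;

    public void onMessage(Message message) {
        if (!(message instanceof TextMessage)) {
            // Not an order: drop it rather than have it redelivered forever.
            return;
        }
        try {
            String body = ((TextMessage) message).getText();
            // Executed as OrderProcessor because of @RunAs, not as the (absent)
            // identity of whoever produced the message.
            orderService.placeOrder(body);
        } catch (EJBAccessException e) {
            // RunAs role not mapped to a user, or the mapped user is not in
            // the role: fail the delivery so the destination's redelivery or
            // exception-destination policy applies, and surface it in the logs.
            throw e;
        } catch (JMSException e) {
            throw new RuntimeException("Cannot read order message", e);
        }
    }
}
```

Note that the annotation only names a role; the identity actually used is the user the deployer binds to that role, so a RunAs role left unmapped fails closed with EJBAccessException rather than falling back to anonymous access.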
Security considerations for the default messaging provider
You can enable bus security so that access to the bus itself and to all
destinations on the bus must be authorized. For bus security to be enabled,
WebSphere global security must also be enabled.
Chapter 11. JMS scenario 387
When a bus is created, an initial set of authorization permissions is created.
These permissions grant all authenticated users access to the bus and to all
local destinations. Review and tighten these defaults before relying on bus
security: until you do, any user the cell can authenticate can connect to the
bus and reach every local destination.
When bus security is enabled, you must set the Inter-engine authentication alias
property to control the authentication of messaging engines joining the bus and
for secure communication between messaging engines. Similarly, the Mediations
authentication alias property is used for mediations that access the bus.
You can use secure transport connections (SSL or HTTPS) to ensure
confidentiality and integrity of messages in transit between application clients
and messaging engines and between messaging engines. This is achieved by
defining transport chains and then referencing the transport chain name as
follows:
- For application client connections: from the connection factory administered
  objects
- For connections to foreign buses: from the Target inbound transport chain
  property of the service integration bus link
- For connections to WebSphere MQ: from the Transport chain property of the
  WebSphere MQ link
- For connections between messaging engines: from the Inter-engine transport
  chain property of the bus
In the routing definitions for connections to foreign buses, the user ID applied to
messages entering or leaving the foreign bus can be replaced by values
specified by the Inbound user ID and Outbound user ID properties.
The Authentication alias property of the service integration bus link is used for
authentication of access to a foreign bus.
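Client-side view of the configuration above, as an added example that is not part of the Redbook. The JNDI names jms/SecureOrderCF and jms/OrderQueue are assumptions; the transport chain (for example the default secure chain InboundSecureMessaging rather than InboundBasicMessaging) is set by the administrator on the connection factory and never chosen in code. Standard JMS 1.1 API only.

```java
import javax.jms.Connection;
import javax.jms.ConnectionFactory;
import javax.jms.JMSException;
import javax.jms.JMSSecurityException;
import javax.jms.MessageProducer;
import javax.jms.Queue;
import javax.jms.Session;
import javax.jms.TextMessage;
import javax.naming.InitialContext;
import javax.naming.NamingException;

public class SecureBusClient {

    // Assumed JNDI names. The administrator defines both objects; on the
    // connection factory the target transport chain decides whether the
    // client talks to the messaging engine over SSL or in the clear.
    private static final String CF_JNDI = "jms/SecureOrderCF";
    private static final String QUEUE_JNDI = "jms/OrderQueue";

    public static void send(String user, String password, String body)
            throws NamingException, JMSException {
        InitialContext ctx = new InitialContext();
        ConnectionFactory cf = (ConnectionFactory) ctx.lookup(CF_JNDI);
        Queue queue = (Queue) ctx.lookup(QUEUE_JNDI);

        Connection conn = null;
        try {
            // With bus security enabled the messaging engine authenticates
            // these credentials; the resulting identity is what the bus and
            // destination authorizations are checked against and what the
            // bus associates with each message this client sends.
            // createConnection() with no arguments sends no credentials and
            // only succeeds if the connection factory itself carries an
            // authentication alias.
            conn = cf.createConnection(user, password);

            Session session = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
            // Authorization to send to this destination (the Sender role on
            // the bus) is checked here and on send(), not only at connect time.
            MessageProducer producer = session.createProducer(queue);
            TextMessage msg = session.createTextMessage(body);
            producer.send(msg);
        } catch (JMSSecurityException e) {
            // Authentication rejected, or the user lacks the required role on
            // the bus or destination. Do not retry in a loop: it will not
            // succeed until an administrator changes the authorizations.
            throw e;
        } finally {
            if (conn != null) {
                conn.close();
            }
        }
    }
}
```

The useful check here is the distinction between JMSSecurityException and other JMSException subclasses: the former means a policy decision (wrong credentials or missing role) and should be surfaced to an operator, while transport-level failures are the ones worth retrying.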
Mediations security considerations
When an application sends a message to the bus, the identity of the sending
application is associated with the message. When bus security is enabled, any
new message sent by a mediation carries the mediation's identity rather than
the original sender's identity, so the mediation identity must itself be
authorized to access the target destination. By default, a mediation inherits
its identity from the messaging engine. You can change the identity for a
mediation handler by specifying a RunAs role using the assembly tools.