Configuring security for message-driven beans that use activation specifications

Use this task to configure resource security and security permissions for message-driven beans.

About this task

Messages handled by message-driven beans have no client credentials associated with them. The messages are anonymous.

To call secure enterprise beans from a message-driven bean, the message-driven bean needs to be configured with a RunAs Identity deployment descriptor. Security depends on the role specified by the RunAs Identity for the message-driven bean as an EJB component.

For more information about EJB security, see EJB component security. For more information about configuring security for your application, see Assembling secured applications.

Connections used by message-driven beans can benefit from the added security of using JCA container-managed authentication. To enable the use of JCA container authentication aliases and mapping, define an authentication alias on the activation specification that the message-driven bean is configured with. If defined, the message-driven bean uses the authentication alias for its JMSConnection security credentials instead of any application-managed alias.

To set the authentication alias, you can use the administrative console to complete the following steps. This task description assumes that you have already created an activation specification. If you want to create a new activation specification, see the related tasks.

Procedure

  • For a message-driven bean listening on a JMS destination of the default messaging provider, set the authentication alias on an activation specification.
    1. To display a list of existing JMS activation specifications, navigate to the following administrative console collection panel: Resources > JMS->Activation specifications
    2. If you have already created a JMS activation specification, click its name in the list displayed. Otherwise, click New to create a new JMS activation specification.
    3. Set the Authentication alias property.
    4. Click OK
    5. Save your changes to the master configuration.
  • For a message-driven bean listening on a destination (or endpoint) of third-party JCA 1.5-enabled provider, set the authentication alias on an activation specification.
    1. To display the activation specification settings, click Resources > Resource Adapters > J2C activation specifications > activation_specification_name
    2. Set the Authentication alias property.
    3. Click OK
    4. Save your changes to the master configuration.