Securing Oracle WebLogic messaging
By default, the Oracle WebLogic JNDI and JMS resources are owned and managed by an “everyone” Group to which anonymous users (Anonymous Roles) are assigned. As a result, anonymous users are, by default, able to access JNDI and JMS resources.
Note: The following information references JMS queues. If you use JMS topics for JMS messaging, follow similar security recommendations.
Note: The sample configuration provided below, using Oracle WebLogic 12.2.1.3, is an example for illustration purposes only. The sample is by no means exhaustive or optimal. There are other approaches to securing message queues, each with its own strengths and weaknesses. Since message queuing software is provided by third-party vendors, we strongly encourage you to discuss your approach to hardening or securing message queues with Oracle WebLogic messaging specialists. Products can evolve; hence, processes for hardening them might change over time. If you have any problems with the processes discussed here, we ask that you work with Oracle directly. Use the following recommendations as a starting point and customize the configuration for your specific operating environment.
To secure access to the WebLogic JMS, do the following:
- Define a user and group that will be given access rights to the JMS
- Add that user to the JMS Roles and Policies
To perform these functions in Oracle WebLogic 12.2.1.3, navigate to your WebLogic Administration Console and perform the following steps:
- Select the tab Users and Groups. Create a group and add users to the group.
- Go to and create a new JMS Server.
- Go to and create a new JMS Module.
- Click on the newly created JMS Module and click on the New button. Create a Connection Factory.
- Repeat the step given above to create a Queue.
- Go to the queue Security tab.
- Add the group you created as a JMS Queue Scoped Role.
- Under Policies, add the user.
This restricts queue access to your defined users and groups.
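One way to check the result of the steps above, as an added example rather than code from the original page or from Oracle: a small JMS client that attempts a send anonymously and then as a member of the permitted group. The server URL, the JNDI names, and the JMS_USER/JMS_PASSWORD environment variables are assumptions, and the WebLogic client library must be on the classpath.

```java
import java.util.Hashtable;
import javax.jms.*;
import javax.naming.Context;
import javax.naming.InitialContext;

// Added example: confirms the queue policy denies anonymous clients and admits a permitted user.
public class JmsQueueAccessCheck {
    // Assumed values: use your server URL and the JNDI names given to the
    // connection factory and queue when they were created in the JMS module.
    static final String URL = "t3://localhost:7001";
    static final String CF_JNDI = "jms/SecuredCF";
    static final String QUEUE_JNDI = "jms/SecuredQueue";

    // Returns true if a message could be sent as the given user (null user = anonymous).
    static boolean canSend(String user, String password) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
        env.put(Context.PROVIDER_URL, URL);
        if (user != null) {
            env.put(Context.SECURITY_PRINCIPAL, user);
            env.put(Context.SECURITY_CREDENTIALS, password);
        }
        InitialContext ctx = null;
        Connection conn = null;
        try {
            ctx = new InitialContext(env);
            ConnectionFactory cf = (ConnectionFactory) ctx.lookup(CF_JNDI);
            Queue queue = (Queue) ctx.lookup(QUEUE_JNDI);
            conn = cf.createConnection();
            Session session = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
            session.createProducer(queue).send(session.createTextMessage("access-check"));
            return true;
        } catch (Exception e) {
            // Connectivity errors also land here; the paired member check in main() exposes them.
            System.out.println("  failed: " + e.getClass().getName() + ": " + e.getMessage());
            return false;
        } finally {
            try { if (conn != null) conn.close(); } catch (Exception ignored) { }
            try { if (ctx != null) ctx.close(); } catch (Exception ignored) { }
        }
    }

    public static void main(String[] args) {
        boolean anon = canSend(null, null);
        boolean member = canSend(System.getenv("JMS_USER"), System.getenv("JMS_PASSWORD"));
        System.out.println("anonymous send allowed: " + anon + " (expected false)");
        System.out.println("group member send allowed: " + member + " (expected true)");
        System.exit(!anon && member ? 0 : 1);
    }
}
```

The successful send leaves one test message on the queue, so point the check at a non-production queue or remove the message afterwards.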
For more details, refer to the WebLogic documentation.