Configuring AQ Destination Security Access to JNDI Advertised Destinations and Connection Factories

Interoperating with Oracle AQ JMS 7-11

7.4 Advanced Topics

The following sections provide information on advanced interoperability topics when WebLogic Server applications interoperate with AQ JMS.
■ Section 7.4.1, Security Considerations
■ Section 7.4.2, WebLogic Messaging Bridge
■ Section 7.4.3, Stand-alone WebLogic AQ JMS Clients

7.4.1 Security Considerations

Stand-alone clients and server-side applications have different security semantics and configuration. If security is a concern, read this section carefully and also consult the WebLogic lock-down document for general information on how to secure a WebLogic Server or cluster; see Securing a Production Environment for Oracle WebLogic Server. The following sections outline security considerations for this release:
■ Section 7.4.1.1, Configuring AQ Destination Security
■ Section 7.4.1.2, Access to JNDI Advertised Destinations and Connection Factories
■ Section 7.4.1.3, Controlling Access to Destinations that are Looked Up using the JMS API

7.4.1.1 Configuring AQ Destination Security

ENQUEUE and/or DEQUEUE permission must be configured for the database user in AQ to allow destination lookups as well as enqueues and dequeues. The following usernames must be given enqueue and/or dequeue permission:
■ For stand-alone clients:
– The configured JMS Foreign Server username, as specified using the java.naming.security.principal property.
– For Java code that passes a username to the JMS ConnectionFactory API createConnection method, that username also requires permission.
■ For server-side applications:
– The Database User Name configured on the WebLogic Data Source.
– Do not give permission to a username that JDBC Data Source clients pass to the JMS ConnectionFactory API createConnection method: this username is a WebLogic username, not a database username.
To understand which JDBC connection credentials and permissions are used for AQ lookups, enqueues, and dequeues, see Queue Security and Access Control in Oracle Streams Advanced Queuing User's Guide.
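The grants the section above calls for, as an added example that is not part of the Oracle documentation: it uses the real DBMS_AQADM.GRANT_QUEUE_PRIVILEGE procedure, but the queue owner AQADM, the queue WL_ORDERS_Q and the database user WLJMS_USER are placeholder names, and the verification query assumes queue grants are recorded as object privileges in DBA_TAB_PRIVS.

```sql
-- Placeholders (assumed, not from the documentation):
--   AQADM.WL_ORDERS_Q  the AQ queue that the JMS Foreign Server destination maps to
--   WLJMS_USER         the DATABASE user WebLogic connects with, i.e. either the
--                      Foreign Server's java.naming.security.principal (stand-alone
--                      clients) or the Data Source's Database User Name (server-side).
-- Run as the queue owner or a user with AQ administrator privileges.
BEGIN
  -- Consumers only need DEQUEUE: lookup and receive succeed, send is refused.
  DBMS_AQADM.GRANT_QUEUE_PRIVILEGE(
    privilege    => 'DEQUEUE',
    queue_name   => 'AQADM.WL_ORDERS_Q',
    grantee      => 'WLJMS_USER',
    grant_option => FALSE);

  -- Producers additionally need ENQUEUE ('ALL' grants both at once).
  DBMS_AQADM.GRANT_QUEUE_PRIVILEGE(
    privilege    => 'ENQUEUE',
    queue_name   => 'AQADM.WL_ORDERS_Q',
    grantee      => 'WLJMS_USER',
    grant_option => FALSE);
END;
/

-- Do NOT add a grant here for a WebLogic username that a server-side
-- application passes to createConnection(): it is not a database user, and
-- AQ only ever sees the Data Source's database user.

-- Check what the database user can do before testing the lookup from WebLogic;
-- without a row here the JNDI lookup fails with a name-not-found exception.
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'AQADM'
   AND table_name = 'WL_ORDERS_Q'
 ORDER BY grantee, privilege;
```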

7.4.1.2 Access to JNDI Advertised Destinations and Connection Factories

As described earlier, local JNDI names for connection factories and destinations must be configured as part of the JMS Foreign Server configuration task. You can optionally configure security policies on these JNDI names, so that access checks occur during JNDI lookup based on the current WebLogic credentials. The current WebLogic credentials depend on the client type.

Once an application's WebLogic JNDI lookup security policy credential check passes for a destination, a JMS Foreign Server destination automatically looks up the destination resources in Oracle AQ using a JDBC connection. For stand-alone clients, the credential used for this second part of the destination lookup process is based on the username and password configured on the JMS Foreign Server. For server-side application JDBC Data Source clients, the credential used for this second destination lookup is based on the database username and password configured as part of the data source. Note that the credential used to gain access to this data source is the current WebLogic credential. It is possible to configure WebLogic security policies on the data source. The WebLogic data source Identity Based Connection Pooling feature is not supported for this purpose. As previously mentioned, the database credential must have AQ JMS enqueue or dequeue permission on a destination in order to successfully look up the destination. See Section 7.4.1.1, Configuring AQ Destination Security.

Note: A permission failure while looking up a destination will manifest as a name not found exception thrown back to the application caller, not a security exception.

7.4.1.3 Controlling Access to Destinations that are Looked Up using the JMS API