How to secure WebLogic JMS Resources?

When you create a JMS resource on WebLogic, it is not secured by default. Anyone who knows your JMS URL can browse and delete all your messages. You may say that there is a firewall in front of it, but you should secure your assets internally within your organization as well.

1. Define a JMS server

2. Create a JMS module

3. Create a Connection Factory and target it to the cluster

4. Create Distributed Queues and target them to the Subdeployment.

I have created “DistributedQueue-01” on my local WebLogic domain, then connected to my JMS resources using the HermesJMS tool.

Here are my connection details:

JMS URL:

t3://localhost:7003,localhost:7004
JMS Connection Details Without Security Policy

I have created a Hermes JMS session with the above settings. When you have finished creating the session in Hermes, right-click on your session and select the “Discover” option from the dropdown menu. Hermes will then connect to your JMS resource successfully and list its queues and topics. See the screen capture below.

Without security credentials, you can connect and list every JMS resource.
Secure your JMS Module

The best practice and operational excellence model is to secure your JMS resource by defining a WebLogic group. When another system wants to integrate, you just create another user for the new system and assign it to the JMS group. The new system is then automatically required to connect with security credentials.

1. Create a new WebLogic group and name it “JMS_Subscribers”

2. Create a new user for your backend system. I’ve named it “jms_test_user”

3. Assign “jms_test_user” to “JMS_Subscribers” group

These three steps are basic administration tasks; now I’ll give the details for the JMS Module.

4. Click on “Services > Messaging > JMS Modules > $YourJMSModule (on list) > Security (tab) > Policies (alt tab) > Add Conditions (button)”

Then choose the “Group” predicate from the predicate list combo box and click “Next”. Under “Group Argument Name” type your WebLogic group name, which is “JMS_Subscribers”, and click the “Add” button. Now you should see your “JMS_Subscribers” group condition in the list. See the screen capture below.

Add Policy Condition for your JMS Modules

Finally, click the “SAVE” button. Without clicking save, the policy will not be activated.

That’s it; from now on your JMS module is secured. No one can list your JMS resources without authentication.

When I rediscover my JMS connection in Hermes, it gives an error because I haven’t provided security credentials. Here is the full error log.

javax.naming.NoPermissionException: User <anonymous> does not have permission on weblogic to perform list operation. [Root exception is javax.naming.NoPermissionException: User <anonymous> does not have permission on weblogic to perform list operation.]
at weblogic.rjvm.ResponseImpl.unmarshalReturn(ResponseImpl.java:237)
at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:348)
at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:259)
at weblogic.jndi.internal.ServerNamingNode_1036_WLStub.list(Unknown Source)
at weblogic.jndi.internal.WLContextImpl.list(WLContextImpl.java:236)
at hermes.ext.HermesAdminSupport.discoverDestinationConfigsFromContext(HermesAdminSupport.java:355)
at hermes.ext.HermesAdminSupport.discoverDestinationConfigsFromContext(HermesAdminSupport.java:401)
at hermes.ext.HermesAdminSupport.discoverDestinationConfigs(HermesAdminSupport.java:443)
at hermes.impl.HermesAdminAdapter.discoverDestinationConfigs(HermesAdminAdapter.java:84)
at hermes.impl.DefaultHermesImpl.discoverDestinationConfigs(DefaultHermesImpl.java:1358)
at hermes.browser.tasks.DiscoverDestinationsTask.invoke(DiscoverDestinationsTask.java:76)
at hermes.browser.tasks.TaskSupport.run(TaskSupport.java:175)
at hermes.browser.tasks.ThreadPool.run(ThreadPool.java:170)
at java.lang.Thread.run(Unknown Source)
Caused by: javax.naming.NoPermissionException: User <anonymous> does not have permission on weblogic to perform list operation.
at weblogic.jndi.internal.ServerNamingNode.checkPermission(ServerNamingNode.java:443)
at weblogic.jndi.internal.ServerNamingNode.checkList(ServerNamingNode.java:419)
at weblogic.jndi.internal.ServerNamingNode.listThis(ServerNamingNode.java:168)
at weblogic.jndi.internal.BasicNamingNode.list(BasicNamingNode.java:627)
at weblogic.jndi.internal.ServerNamingNode_WLSkel.invoke(Unknown Source)
at weblogic.rmi.internal.BasicServerRef.invoke(BasicServerRef.java:667)
at weblogic.rmi.cluster.ClusterableServerRef.invoke(ClusterableServerRef.java:230)
at weblogic.rmi.internal.BasicServerRef$1.run(BasicServerRef.java:522)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:146)
at weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:518)
at weblogic.rmi.internal.wls.WLSExecuteRequest.run(WLSExecuteRequest.java:119)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
2014-04-16 02:33:18,489 [Hermes ThreadPool-0] ERROR hermes.ext.HermesAdminSupport - discoverDestinationConfig binding=weblogic: User <anonymous> does not have permission on weblogic to perform list operation.
hermes.HermesException: User <anonymous> does not have permission on weblogic to perform list operation.
at hermes.ext.HermesAdminSupport.discoverDestinationConfigsFromContext(HermesAdminSupport.java:431)
at hermes.ext.HermesAdminSupport.discoverDestinationConfigsFromContext(HermesAdminSupport.java:401)
at hermes.ext.HermesAdminSupport.discoverDestinationConfigs(HermesAdminSupport.java:443)
at hermes.impl.HermesAdminAdapter.discoverDestinationConfigs(HermesAdminAdapter.java:84)
at hermes.impl.DefaultHermesImpl.discoverDestinationConfigs(DefaultHermesImpl.java:1358)
at hermes.browser.tasks.DiscoverDestinationsTask.invoke(DiscoverDestinationsTask.java:76)
at hermes.browser.tasks.TaskSupport.run(TaskSupport.java:175)
at hermes.browser.tasks.ThreadPool.run(ThreadPool.java:170)
at java.lang.Thread.run(Unknown Source)
javax.naming.NoPermissionException: User <anonymous> does not have permission on weblogic to perform list operation. [Root exception is javax.naming.NoPermissionException: User <anonymous> does not have permission on weblogic to perform list operation.]


Add Security Credentials For JMS Connectivity

From now on, we must add the properties below to our JMS connections, with the proper user information.

securityPrincipal=jms_test_user
securityCredentials=welcome1
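The same two settings map directly onto the standard JNDI environment keys, so a plain Java client behaves exactly like Hermes: an anonymous bind is rejected once the group policy is active, while a member of JMS_Subscribers can list and connect. This is an added example, not code from the original post; it assumes the WebLogic client jar is on the classpath and uses a hypothetical JNDI name for the connection factory.

```java
import java.util.Hashtable;
import javax.jms.Connection;
import javax.jms.ConnectionFactory;
import javax.jms.JMSException;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NameClassPair;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.NoPermissionException;

public class SecuredJmsClient {
    static final String PROVIDER_URL = "t3://localhost:7003,localhost:7004"; // cluster URL from the post
    static final String CF_JNDI_NAME = "jms/TestConnectionFactory";          // hypothetical JNDI name
    /** Builds the JNDI environment; a null principal means an anonymous bind. */
    static Hashtable<String, String> env(String principal, String credentials) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        if (principal != null) {
            // The same pair HermesJMS exposes as securityPrincipal / securityCredentials.
            env.put(Context.SECURITY_PRINCIPAL, principal);
            env.put(Context.SECURITY_CREDENTIALS, credentials);
        }
        return env;
    }
    /** Lists the JNDI root (what Hermes "Discover" does), then opens a JMS connection. */
    static void discoverAndConnect(String principal, String credentials) throws NamingException, JMSException {
        Context ctx = new InitialContext(env(principal, credentials));
        try {
            NamingEnumeration<NameClassPair> names = ctx.list("");
            while (names.hasMore()) {
                System.out.println("bound: " + names.next().getName());
            }
            ConnectionFactory cf = (ConnectionFactory) ctx.lookup(CF_JNDI_NAME);
            Connection conn = cf.createConnection(); // runs as the subject established by the JNDI bind
            conn.close();
        } finally {
            ctx.close();
        }
    }
    public static void main(String[] args) throws Exception {
        try {
            discoverAndConnect(null, null); // anonymous: rejected once the JMS_Subscribers policy is active
        } catch (NoPermissionException e) {
            System.out.println("anonymous bind rejected: " + e.getMessage());
        }
        discoverAndConnect("jms_test_user", "welcome1"); // user assigned to JMS_Subscribers
    }
}
```

The anonymous call fails with the same "User <anonymous> does not have permission on weblogic to perform list operation" message shown in the log above, which is a useful regression check to keep in an integration test so that a policy silently removed from the module is caught.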

New connection settings:

JMS Connection With Credentials
After that, I have successfully listed my queue destinations.

Successfully connected and discovered my JMS queues.
If you have any questions about your JMS problems, drop me an email.
