JMS Security Authorization: Your AS Java is not broken, fix your JMS application
Did you recently notice an exception in the default trace? Or in the JMS application logs? I mean this kind of exception:
#2.0#2015 05 25 12:20:51:590#+0300#Error#com.sap.jms.server.sc.UMESecurityProvider#
#BC-JAS-JMS#jms#C0000A37426704CE00000000000072BC#9677150000000004#sap.com/JMSTestProject#com.sap.jms.server.sc.UMESecurityProvider#<USER>#0##4D6D5E5E006011E5CB4400000093A95E#4d6d5e5e006011e5cb4400000093a95e##0#Thread[HTTPWorker [@1110872576],5,Dedicated_Application_Thread]#Plain##
User: <USER> has not enough permissions. For more details see the exception.
[EXCEPTION]
javax.jms.JMSSecurityException: User: <USER> has not permission: vpName: myVP, type: queue, action: produce, destination: MyQueue
at com.sap.jms.server.sc.UMESecurityProvider.checkPermission(UMESecurityProvider.java:218)
at com.sap.jms.server.sc.UMESecurityProvider.checkDestinationProducePermission(UMESecurityProvider.java:113)
at com.sap.jms.server.JMSVirtualProviderProcessor.producerCreate(JMSVirtualProviderProcessor.java:546)
at com.sap.jms.client.session.JMSSession.createProducer(JMSSession.java:607)
at com.sap.jms.client.session.JMSQueueSession.createSender(JMSQueueSession.java:56)
at com.sap.jms.test.TestServlet.sendAndReceiveMessage(TestServlet.java:73)
at com.sap.jms.test.TestServlet.doGet(TestServlet.java:47)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:734)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
at com.sap.engine.services.servlets_jsp.server.Invokable.invoke(Invokable.java:152)
...
at com.sap.engine.services.httpserver.server.rcm.RequestProcessorThread.run(RequestProcessorThread.java:56)
at com.sap.engine.core.thread.execution.Executable.run(Executable.java:122)
at com.sap.engine.core.thread.execution.Executable.run(Executable.java:101)
at com.sap.engine.core.thread.execution.CentralExecutor$SingleThread.run(CentralExecutor.java:328)
If you have already found this exception, don’t worry. There is nothing wrong with your AS Java. Here is what happens, and what you can do about it.
Note: There is no problem during build time, the issues appears only at runtime.
What you can do to adjust your application?
There are a couple of things you can choose from:
- Setting the necessary authorizations in the actions.xml file. You can do this by adding the following code:
<BUSINESSSERVICE NAME="MyVirtualProvider">
<ACTION NAME="my_all_action">
<PERMISSION NAME="myVP.queue" VALUE="ALL:$:MyQueue"
CLASS="com.sap.jms.server.service.impl.JMSDestinationPermission"/>
</ACTION>
<ACTION NAME="my_produce_action">
<PERMISSION NAME="myVP.queue" VALUE="produce:$:MyQueue"
CLASS="com.sap.jms.server.service.impl.JMSDestinationPermission"/>
</ACTION>
<ROLE NAME="MyASJavaRole">
<ASSIGNEDACTION NAME="my_produce_action"/>
</ROLE>
</BUSINESSSERVICE>Or you can manually assign Action to the Role in the SAP NetWeaver Administrator → Identity Management.
Anyway, make sure the relevant Role (for example, MyASJavaRole) is assigned to the Users who are accessing JMS. However, make sure the relevant permissions are granted only to users who are expected to have these permissions.
- Using the runAs mechanism. Here you have two options: using Subject.doAs() in the source code of the JMS application, or adding the necessary information in the Java EE deployment descriptors, such as web.xml, ejb-jar.xml.
- Using Java EE deployment descriptors.
-
-
- If you use JMS in a Servlet, or a JSP you have to adjust the web.xml and the web-j2ee-engine.xml files.
-
web.xml
<web-app>
<servlet>
<servlet-name>...</servlet-name>
...
<run-as>
<role-name>MyServletRole</role-name>
</run-as>
</servlet>
<security-role>
<role-name>MyServletRole</role-name>
</security-role>
</web-app>web-j2ee-engine.xml
<web-j2ee-engine>
<security-role-map>
<role-name>MyServletRole</role-name>
<server-role-name>MyASJavaRole</server-role-name>
</security-role-map>
</web-j2ee-engine>-
-
- If you use JMS in EJBs, you need to change the ejb-jar.xml and the ejb-j2ee-engine.xml files.
-
ejb-jar.xml
<ejb-jar>
<assembly-descriptor>
<security-role>
<role-name>MyEJBRole</role-name>
</security-role>
</assembly-descriptor>
</ejb-jar>ejb-j2ee-engine.xml
<ejb-j2ee-engine>
<security-permission>
<security-role-map>
<role-name>MyEJBRole</role-name>
<server-role-name>MyASJavaRole</server-role-name>
</security-role-map>
</security-permission>
</ejb-j2ee-engine>
-
- Using Subject.doAs() method. Here is an example:
PrivilegedExceptionAction codeToBeExecutedWithGivenUser = new PrivilegedExceptionAction() {
public Object run() throws Exception {
//code to be executed with given user
return null;
}
};
IUser doAsUser = UMFactory.getUserFactory().getUserByLogonID("RUN_AS_USER");
// create new Subject
final Subject runAsSubject = new Subject();
runAsSubject.getPrincipals().add(doAsUser);
try {
Object result = Subject.doAs(runAsSubject, codeToBeExecutedWithGivenUser);
} catch (PrivilegedActionException pae) {
...
}- Using the JMSConnectionFactory.createConnection(user, password) method in the source code of your JMS application. Here is an example:
InitialContext context = new InitialContext();
Connection con = null;
try {
Queue queue = (Queue) context.lookup("jmsqueues/myVP/MyQueue");
QueueConnectionFactory queueConnectionFactory = (QueueConnectionFactory)context.lookup("jmsfactory/myVP/QueueConnectionFactory");
con= queueConnectionFactory.createConnection(“User”, “Password”);
Session session = con.createSession(false, Session.AUTO_ACKNOWLEDGE);
QueueSender sender = (QueueSender) session.createProducer(queue);
…JMS destinations created manually in SAP NetWeaver Administrator (JMS Server Configuration plug-in)
When you create a new JMS destination, UME actions are also created.
If you want particular Users to be able to work with this JMS destination, you have to assign this action to a particular Role (which is assigned to the target Users):
In the end
This JMS Security Mechanism helps you to protect your JMS application by defining JMS actions for some API methods (such as createProducer(), createConsumer(), and so on) and giving the possibility to assign these actions to different user roles. If you still have any concerns, list them in the comments section below.
Hi,
thanks for this article. Unortunately our application that was running fine on NW 7.4 stopped working regarding JMS and MBean services in NW 7.5. We get the JMS error above and additionally for MBeans:
com.sap.engine.services.jmx.exception.JmxSecurityException: Caller Guest not authorized, required permission missing ("javax.management.MBeanPermission" "-#Host[:SAP_J2EECluster="",j2eeType=SAP_J2EEInstance,name=local]" "getAttribute")
Although we use the approach with runAs mappings in ejb-jar.xml and ejb-j2ee-engine.xml to administrators group (reflected in the META-INF\sda-dd.xml as well). This was all working fine in NW 7.4, so were there any changes regarding this mechanism in NW 7.5?
Thanks,
Lars
Hi Lars,
Thanks for looking into the article. However please notice the mentioned com.sap.engine.services.jmx.exception.JmxSecurityException is outside the scope of the current JMS article. I would suggest that you open an incident under BC-JAS-ADM-ADM so that you can get this exception solved.
When talking about the JMS issue - a detailed investigation probably would be needed and a deeper look into your scenario. So please don't hesitate to directly use BC-JAS-JMS component.
Best regards,
Ivaylo
Hi Ivaylo,
thanks for your reply, as mentioned the JmxSecurityException is only an exception additional to the exception mentioned in this article (I guess both errors have the same reason).
So any hints on what has changed for JMX/JMS security and run-as Users from NW7.0/NW 7.4 to NW7.5 would help us sort out hat problem. I have searched for any info but couldnt find a SAP note about it.
Support redirected us here, because they said it is not maintenance (although I tjhink it is). If you say we should open an incident and refer to this article and your comment we would try that again.
Best,
Lars
Hi Lars,
Yes, please report and refer to the discussion we had here.
Best regards,
Ivaylo
Hello,
thanks a lot for this helpful article. I am still having trouble understanding the full picture. Maybe somebody can help.
The exception used in this example was:
So the user “Guest” has no permission to send a message to the queue “MDBTestQUEUE”.
One way to solve this problem is to create an actions.xml to define permissions and assign them to roles.
I do not understand how the permissions defined there are “linked” to the queue given in the exception?
Is it done by the permission name “myVP.queue” ? But then again “myVP.queue” seems to relate to a virtual provider called “myVP” but “MDBTestQUEUE” uses the provider “default”.
I would be extremely grateful if somebody could shed some light on this. All SAP docs I found never have a consistent example
Thanks and best regards,
Tanja
Hi Tanja,
Apologies for the late reply. The example was customized so it might become clearer.
Thank you for the feedback. Please let me know in case of further questions.
Best regards,
Ivaylo