When you create a JMS Resource on WebLogic, it is not secure by default. If anyone knows your jms url, he or she can delete all your messages. You can say, we have firewall in front of it, but you should even secure your assets internally in your organization.
1. Define a JMS server
2. Create JMS module
3. Create Connection Factory then target it to the cluster
4. Create Distributed Queues then target it to the Subdeployment.
I have created “DistributedQueue-01” on my local WebLogic domain. Then connected to my JMS-Resources by using HermesJMS tool.
Here is my connection details:
JMS URL:
t3://localhost:7003,localhost:7004
I have created an Hermes JMS session with above settings. When you finished session creation on Hermes, right click on you session, then select “Discover” option on dropdown menu. After that, Hermes will connect to your JMS Resource successfully, then would list its queues and topics. See the below screen capture.
Secure your JMS Module
The best practice and operational excellence model is, secure your JMS Resource by defining a WebLogic group. Because, when another system wants to integrate its system, just create another user for the new system and assign it to JMS group. Then, automatically the new system must connect with security credentials.
1. Create a new WebLogic group and name it “JMS_Subscribers”
2. Create a new user for your backend system. I’ve named “jms_test_user”
3. Assign “jms_test_user” to “JMS_Subscribers” group
These three steps are basic administration issues, now I’ll give details for JMS Module.
4. Click on “Services > Messagging > JMS Modules > $YourJMSModule (on list) > Security (tab) > Policies (alt tab) > Add Conditions (button) ”
Then choose “Group” predicate, from predicate list combo box. Click on “Next”. On “Group Argument Name” type your WebLogic group name, which is “JMS_Subscriber”, click on “Add” button. Now, you should see your “JMS_Subscriber” group condition on the list. See screen capture below.
Finally, click on “SAVE” button. Without save click, it will not be activated.
That’s it, anymore your JMS-Module is secure. No one, can list your JMS resources without authentication.
When I rediscover my JMS connection on Hermes, it gave error. Because, I haven’t provide security credentials. Here is, the full error log.
javax.naming.NoPermissionException: User <anonymous> does not have permission on weblogic to perform list operation. [Root exception is javax.naming.NoPermissionException: User <anonymous> does not have permission on weblogic to perform list operation.] at weblogic.rjvm.ResponseImpl.unmarshalReturn(ResponseImpl.java:237) at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:348) at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:259) at weblogic.jndi.internal.ServerNamingNode_1036_WLStub.list(Unknown Source) at weblogic.jndi.internal.WLContextImpl.list(WLContextImpl.java:236) at hermes.ext.HermesAdminSupport.discoverDestinationConfigsFromContext(HermesAdminSupport.java:355) at hermes.ext.HermesAdminSupport.discoverDestinationConfigsFromContext(HermesAdminSupport.java:401) at hermes.ext.HermesAdminSupport.discoverDestinationConfigs(HermesAdminSupport.java:443) at hermes.impl.HermesAdminAdapter.discoverDestinationConfigs(HermesAdminAdapter.java:84) at hermes.impl.DefaultHermesImpl.discoverDestinationConfigs(DefaultHermesImpl.java:1358) at hermes.browser.tasks.DiscoverDestinationsTask.invoke(DiscoverDestinationsTask.java:76) at hermes.browser.tasks.TaskSupport.run(TaskSupport.java:175) at hermes.browser.tasks.ThreadPool.run(ThreadPool.java:170) at java.lang.Thread.run(Unknown Source) Caused by: javax.naming.NoPermissionException: User <anonymous> does not have permission on weblogic to perform list operation. at weblogic.jndi.internal.ServerNamingNode.checkPermission(ServerNamingNode.java:443) at weblogic.jndi.internal.ServerNamingNode.checkList(ServerNamingNode.java:419) at weblogic.jndi.internal.ServerNamingNode.listThis(ServerNamingNode.java:168) at weblogic.jndi.internal.BasicNamingNode.list(BasicNamingNode.java:627) at weblogic.jndi.internal.ServerNamingNode_WLSkel.invoke(Unknown Source) at weblogic.rmi.internal.BasicServerRef.invoke(BasicServerRef.java:667) at weblogic.rmi.cluster.ClusterableServerRef.invoke(ClusterableServerRef.java:230) at weblogic.rmi.internal.BasicServerRef$1.run(BasicServerRef.java:522) at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363) at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:146) at weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:518) at weblogic.rmi.internal.wls.WLSExecuteRequest.run(WLSExecuteRequest.java:119) at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256) at weblogic.work.ExecuteThread.run(ExecuteThread.java:221) 2014-04-16 02:33:18,489 [Hermes ThreadPool-0] ERROR hermes.ext.HermesAdminSupport - discoverDestinationConfig binding=weblogic: User <anonymous> does not have permission on weblogic to perform list operation. hermes.HermesException: User <anonymous> does not have permission on weblogic to perform list operation. at hermes.ext.HermesAdminSupport.discoverDestinationConfigsFromContext(HermesAdminSupport.java:431) at hermes.ext.HermesAdminSupport.discoverDestinationConfigsFromContext(HermesAdminSupport.java:401) at hermes.ext.HermesAdminSupport.discoverDestinationConfigs(HermesAdminSupport.java:443) at hermes.impl.HermesAdminAdapter.discoverDestinationConfigs(HermesAdminAdapter.java:84) at hermes.impl.DefaultHermesImpl.discoverDestinationConfigs(DefaultHermesImpl.java:1358) at hermes.browser.tasks.DiscoverDestinationsTask.invoke(DiscoverDestinationsTask.java:76) at hermes.browser.tasks.TaskSupport.run(TaskSupport.java:175) at hermes.browser.tasks.ThreadPool.run(ThreadPool.java:170) at java.lang.Thread.run(Unknown Source) javax.naming.NoPermissionException: User <anonymous> does not have permission on weblogic to perform list operation. [Root exception is javax.naming.NoPermissionException: User <anonymous> does not have permission on weblogic to perform list operation.]
Add Security Credentials For JMS Connectivity
Anymore, we should add below properties for our JMS connections with proper user information.
securityPrincipal=jms_test_user
securityCredentials=welcome1
New connection settings:
After that, I have successfully listed my queue destinations.
If you have any questions about your JMS problems, drop me an email.