Consider the following use-case: we define a JMS topic to which certain, and only certain, J2EE apps (probably running in different engines) should be allowed to report messages, but not, for example, a "malicious" standalone client. On the other side, clients should be allowed to browse/read these messages without restrictions. In other words, distinct and selected producers, but a broad audience of consumers.
How could this be achieved best?
In the online help I found a page suggesting defining a security policy. So I went to Visual Admin -> Security Provider -> Policy Configuration -> service.jms.default.authorization, selected "basic" as authentication method, removed group "Guest" from security role "clients" in "Security Roles", mapped it to a distinct user group (it's a UME user group to be precise, since my engine runs on a UME user store) and tried to publish a message to the topic --- to my surprise it worked! However, it shouldn't, since my client program gives neither a user/password for the JNDI lookup nor for the creation of the topic connection.
In fact, it does not matter how the "clients" role is mapped to a user or group; my "malicious" standalone client is always able to post a message.
What am I doing wrong?
By the way: what exactly is the purpose of the user/password entries for factories and destinations in the JMS connector? The documentation says it is for access to the JMS provider, but at least the SAP JMS provider seems not to make any use of them. Is this for access to third-party JMS providers?
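For reference, here is an added example (not from the original post, and not SAP's code) of a standalone JMS 1.1 publisher that supplies credentials at both points the post mentions: the JNDI lookup and the creation of the topic connection. The JNDI names, provider URL and user are hypothetical placeholders; the initial context factory class is assumed to come from a jndi.properties file on the classpath, since it is provider-specific. Which of the two credential points a given provider actually enforces against its security roles is exactly the provider-specific behaviour the question above is about; the code only shows where the credentials go and what a rejected publish looks like from the client side.

```java
import java.util.Properties;
import javax.jms.JMSException;
import javax.jms.JMSSecurityException;
import javax.jms.Session;
import javax.jms.Topic;
import javax.jms.TopicConnection;
import javax.jms.TopicConnectionFactory;
import javax.jms.TopicPublisher;
import javax.jms.TopicSession;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

public class AuthenticatedTopicPublisher {

    // Hypothetical JNDI names; the real names depend on the engine's JMS configuration.
    private static final String FACTORY_JNDI = "jmsfactory/default/ReportTopicConnectionFactory";
    private static final String TOPIC_JNDI = "jmstopics/default/ReportTopic";

    /**
     * Publishes one text message, authenticating both the JNDI context and the
     * JMS connection. Returns true on success; throws JMSSecurityException if the
     * provider rejects the principal for the "clients" role of the topic.
     */
    public static boolean publish(String providerUrl, String user, String password, String text)
            throws NamingException, JMSException {
        Properties env = new Properties();
        env.put(Context.PROVIDER_URL, providerUrl);
        // Credential point 1: the JNDI lookup itself.
        env.put(Context.SECURITY_PRINCIPAL, user);
        env.put(Context.SECURITY_CREDENTIALS, password);
        // Context.INITIAL_CONTEXT_FACTORY is provider-specific and assumed to be set in jndi.properties.

        InitialContext ctx = new InitialContext(env);
        try {
            TopicConnectionFactory factory = (TopicConnectionFactory) ctx.lookup(FACTORY_JNDI);
            Topic topic = (Topic) ctx.lookup(TOPIC_JNDI);

            // Credential point 2: the JMS connection. The no-argument overload
            // createTopicConnection() is what an unauthenticated client would call.
            TopicConnection connection = factory.createTopicConnection(user, password);
            try {
                TopicSession session = connection.createTopicSession(false, Session.AUTO_ACKNOWLEDGE);
                TopicPublisher publisher = session.createPublisher(topic);
                publisher.publish(session.createTextMessage(text));
                return true;
            } finally {
                connection.close();
            }
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) {
        // Placeholder values; in a real run these come from the engine's configuration.
        String providerUrl = "localhost:50004";
        String user = "report_producer";
        String password = System.getenv("JMS_PASSWORD");
        try {
            publish(providerUrl, user, password, "status: ok");
            System.out.println("published");
        } catch (JMSSecurityException e) {
            // This is the outcome a correctly enforced "clients" role produces for
            // a principal that is not mapped to it.
            System.err.println("publish rejected by provider: " + e.getMessage());
        } catch (NamingException | JMSException e) {
            System.err.println("publish failed: " + e);
        }
    }
}
```

A quick way to check whether the role mapping is actually effective is to run the same program twice: once with the mapped user and once with a user that is not in the mapped group (or with the no-argument createTopicConnection()). If both succeed, the policy is not being applied to the path the client uses, which is the symptom described above.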