users@jms-spec.java.net

[jms-spec users] Security alignment of JMS

From: <pangalz_at_gmail.com>
Date: Sat, 16 May 2015 20:46:33 +0000 (UTC)

In JavaEE 7 we have some security problems with MDB JMS listeners.

JMS doesn't have a simple way to propagate the security
context, so in the MDB listener the user principal is "anonymous".

Currently we can append security credentials with the message and login
again, but it's a big security hole.

Although we can work around these issues with interceptors and vendor
specific security managers, it's a common use case for JavaEE
applications and an important requirement for cloud/SaaS applications.

I've created an open-source library to work around these problems in
JBoss/WildFly.
It's called "JBoss Security Extended" and is available on Maven Central
with GAV "com.github.panga:jboss-security-extended:1.0.0".

Library source and docs:
https://github.com/panga/jboss-security-extended

What do you guys think?

Best Regards,
Leonardo Zanivan
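The example below illustrates the distinction the post draws between shipping credentials with a message and propagating an identity: the producer attaches a short-lived, HMAC-signed assertion of who acted, and an EJB interceptor verifies it before the MDB's onMessage runs. It is added here for the thread and is not code from the original post or from the jboss-security-extended library. It assumes the Java EE 7 APIs (javax.jms, javax.ejb, javax.interceptor) and a shared HMAC key reachable by both sides; the property names, the key lookup through an environment variable, the queue JNDI name and the OrderListener class are all hypothetical.

```java
// Added example, not from the original post or the jboss-security-extended library.
// Assumes Java EE 7 APIs and a shared HMAC key; property names, key lookup and the
// listener are hypothetical. One public class per file: save as OrderListener.java.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.ejb.ActivationConfigProperty;
import javax.ejb.MessageDriven;
import javax.interceptor.AroundInvoke;
import javax.interceptor.Interceptors;
import javax.interceptor.InvocationContext;
import javax.jms.JMSException;
import javax.jms.Message;
import javax.jms.MessageListener;

/** Signs and verifies a short-lived identity assertion carried as JMS message properties. */
final class IdentityAssertion {
    // JMS property names must be valid Java identifiers (no hyphens); these names are hypothetical.
    static final String USER = "AUTH_USER";
    static final String EXPIRES = "AUTH_EXPIRES";
    static final String SIG = "AUTH_SIG";
    private static final String ALG = "HmacSHA256";

    /** Hypothetical key source; a real deployment would read a container-managed secret. */
    static byte[] sharedKey() {
        String k = System.getenv("JMS_IDENTITY_HMAC_KEY");
        if (k == null || k.isEmpty()) throw new IllegalStateException("identity HMAC key not configured");
        return k.getBytes(StandardCharsets.UTF_8);
    }

    static String sign(String user, long expiresMillis, byte[] key) throws Exception {
        Mac mac = Mac.getInstance(ALG);
        mac.init(new SecretKeySpec(key, ALG));
        byte[] tag = mac.doFinal((user + "|" + expiresMillis).getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(tag);
    }

    /** Producer side: attach an assertion of who acted, never the user's password. */
    static void attach(Message msg, String user, long ttlMillis) throws Exception {
        long expires = System.currentTimeMillis() + ttlMillis;
        msg.setStringProperty(USER, user);
        msg.setLongProperty(EXPIRES, expires);
        msg.setStringProperty(SIG, sign(user, expires, sharedKey()));
    }

    /** Consumer side: true only if the assertion is present, unexpired and correctly signed. */
    static boolean verify(Message msg) throws Exception {
        if (!msg.propertyExists(USER) || !msg.propertyExists(EXPIRES) || !msg.propertyExists(SIG)) {
            return false;
        }
        String user = msg.getStringProperty(USER);
        long expires = msg.getLongProperty(EXPIRES);
        if (System.currentTimeMillis() > expires) return false;
        byte[] expected = Base64.getDecoder().decode(sign(user, expires, sharedKey()));
        byte[] actual = Base64.getDecoder().decode(msg.getStringProperty(SIG));
        return MessageDigest.isEqual(expected, actual); // constant-time comparison
    }
}

/** EJB interceptor: rejects the message before onMessage runs if the assertion fails. */
class PropagatedIdentityInterceptor {
    @AroundInvoke
    public Object checkIdentity(InvocationContext ctx) throws Exception {
        Object[] params = ctx.getParameters();
        if (params.length == 1 && params[0] instanceof Message) {
            Message msg = (Message) params[0];
            if (!IdentityAssertion.verify(msg)) {
                // Throwing keeps the business method from running; redelivery/DLQ
                // handling then follows the container's normal rules.
                throw new SecurityException("message " + msg.getJMSMessageID()
                        + " carries no valid identity assertion");
            }
        }
        return ctx.proceed();
    }
}

/** Hypothetical listener; when onMessage runs, AUTH_USER has already been verified. */
@MessageDriven(activationConfig = {
        @ActivationConfigProperty(propertyName = "destinationLookup",
                                  propertyValue = "java:/jms/queue/EXAMPLE_QUEUE")})
@Interceptors(PropagatedIdentityInterceptor.class)
public class OrderListener implements MessageListener {
    @Override
    public void onMessage(Message msg) {
        try {
            String actingUser = msg.getStringProperty(IdentityAssertion.USER);
            // ... do the work on behalf of actingUser ...
        } catch (JMSException e) {
            throw new RuntimeException(e);
        }
    }
}
```

Two caveats match the post's own point. First, this only lets the listener trust an asserted user name; it does not re-establish the container's caller principal, so MessageDrivenContext.getCallerPrincipal() still reports the unauthenticated identity, which is exactly why the post falls back to vendor-specific security managers. Second, the expiry window bounds but does not eliminate replay of a captured message; a consumer that must reject duplicates needs to remember seen JMSMessageIDs for the lifetime of the window.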