One way is to define a login module in server/xxx/conf/login-config.xml, and then reference that login module in server/xxx/deploy/messaging-jboss-beans.xml using the SecurityDomain property of the SecurityStore bean. Then for each of you destinations include as SecurityConfig attribute that identifies the roles that have read, write and create roles. The docs/examples/jms/example-destinations.xml file shows examples of setting the SecurityConfig roles.
Surprisingly, the docs are silent on this; at least, I could not find a specific section on securing destinations. Of course, if you are familiar with general access control on JBoss AS, then the access control for emssaging is very simple since it follows the same patterns.
I do have another resource that describes securing destinations in detail, but it is not free. I would be happy to provide the URL if you like.
Would you please provide that URL? Also, if the server is configured to use an LDAP login module, is there any way to use those credentials on the client that is sending/receiving from those jms destinations? I would imagine that it would be simpler to create a separate login module just for the messaging security that uses roles from a properties file.
How might this be done when you are using JMS through JBoss ESB? Would this be specified in jbm-queue-service.xml?
Chapter 8 of JBoss in Action ()http://www.manning.com/jamae) describes the steps needed to secure messaing. The example in that chapter sets up a database for login purposes, but you can use you LDAP login module. No matter what type of login module you use (LDAP, database, properties file), the messaging configuration is the same.