I examined protected resources (especially JMS, JDBC), and left with some observations and questions.
In theory, for unprotected resources I do the following:
- declare resources in ejb-jar.xml/web.xml with <res-auth>Container</res-auth>
- get resource in the code with
javax.jms.QueueConnection o = factory.createQueueConnection();
java.sql.Conneciton o = oDS.getConnection();
(without username/passwords). That works fine, of course.
Now I protect the resources. For JMS, I create the queues/topics in a service file with optioinal attributes "SecurityManager" and a SecurityConf. Here I can set read/write/create permissions.
The accounts usable for such a JMS object are set in jbossmq-state.xml
JDBC datasources can be protected by DB-related tools.
Now I can declare the resource object with <res-auth>Container</res-auth> or <res-auth>Application</res-auth>.
I have the choice of getting the resources i nthe code without login data or with login data like this:
javax.jms.QueueConnection o = factory.createQueueConnection(user, pwd);
java.sql.Conneciton o = oDS.getConnection(user, pwd);
I think specifying login data are connected with res-auth=Application, and leaving them out is linked to res-auth=Container.
I made the following observatiosn:
1) Regardless of the res-auth setting, if i supply login data (user/pwd) while getting/creating the connection, these settings are ALWAYS used and checked.
2) Regardless of the res-auth settings, if i specify login attributes in the service file for a JDBC resource, these infos are used.
My questions are now:
a) Is 1) correct? Are explicitly given login data really used regardless of the res-auth setting?
b) I thought <res-auth>=Container would allow me to get connections WITHOUT specifying login data in the code. But then, where else can I specify them? In case of JDBC, in the service file are some attributes related to this, but for JMS??
c) Are JDBC login attributes really preferred over the res-auth setting? What role plays the "ByContainer" or "ByApplication" value for "Criteria" attribute?
d) Does jboss use the res-auth value at all??
Thanks very much,