Hi,

I am looking for a way of maintaining the security details of a the
source of a JMS message so that the application components at the
message destination are called in same security context.

The reason for doing this is that we must develop to a highly decoupled
architecture where calls from one application layer to another are to
be made using JMS. The message will be received on the destination
layer by a MDB which will then call the required modules (for example,
an EJB) before sending back the result as another JMS message to source
of the original message (i.e. synchronous over asynchronous).

The problem is that we need to transfer the security context from
sending application layer to the destination layer in order to control
access to those objects that may be accessed in the destination layer?

One option we have considered is setting up dummy JNDI objects for each
component of the destination application layer, applying security rules
to these objects and then validating that the call can be made by
authorizing against these JNDI objects before the JMS message is sent
(this seems a bit of a hack though!).

A better way would be to pass the security information as part of the
JMS message and reconstruct the security context at the destination. Is
this possible?
Your help would be very much appreciated.

Thanks,

Matt.