	| Passing data to security exit |  
  	| 
		
		
		  | Author | Message |  
		  | fgoergen | 
			  
				|  Posted: Thu Oct 25, 2001 8:47 am    Post subject: |   |  |  
		  | Newbie
 
 
 Joined: 24 Oct 2001
 Posts: 3
 Location: IBM/SSD
 
 | 
			  
				| I need to pass application data from an MQSeries call like mqput() to a security exit (for additional authentication). I do not see that MQSeries provides any means for this. Is there any (any optional data, buffer pointers, etc.)? |  |  
		  | bduncan | 
			  
				|  Posted: Thu Oct 25, 2001 10:17 am    Post subject: |   |  |  
		  | Padawan
 
 
 Joined: 11 Apr 2001
 Posts: 1554
 Location: Silicon Valley
 
 | 
			  
				| As far as I know, the exit only has access to the data contained in the message that was sent using MQPUT. In other words, you'll need to add any information the exit needs within the message itself (probably in the header). The exit has access to these structures. You might want to take a look at the channel encryption exit in the code repository, as this is both a security exit and a channel exit. You can look at how the security exit causes the sending and receiving channel to handshake in order to authenticate. I'm not sure if it makes use of any data in the messages themselves, but it's probably worth a look as there isn't much sample code on exits, at least as far as I've seen... 
 
 _________________
 Brandon Duncan
 IBM Certified MQSeries Specialist
 MQSeries.net forum moderator
 |  |  
		  | kolban | 
			  
				|  Posted: Thu Oct 25, 2001 8:01 pm    Post subject: |   |  |  
		  |  Grand Master
 
 
 Joined: 22 May 2001
 Posts: 1072
 Location: Fort Worth, TX, USA
 
 | 
			  
				| I won't swear to this but I think it is guaranteed that the security exit will run in the same address space as your own application and hence can obtain your userid/groupid etc from process context.  Since it runs in the same address space, it should be able to access a piece of process data that could be identified in shared memory or some other inter-thread communications block... not the best answer. 
 Can you elaborate on what exactly it is you are trying to achieve?
 |  |  
		  | fgoergen | 
			  
				|  Posted: Fri Oct 26, 2001 1:23 am    Post subject: |   |  |  
		  | Newbie
 
 
 Joined: 24 Oct 2001
 Posts: 3
 Location: IBM/SSD
 
 | 
			  
				| 
   
	| Quote: |  
	| On 2001-10-25 11:17, bduncan wrote:
 As far as I know, the exit only has access to the data contained in the message that was sent using MQPUT. (...)You might want to take a look at the channel encryption exit in the code repository, as this is both a security exit and a channel exit.(...)
 
 |  Thanks for your answer. I looked at this sample already, but I found out that I have access to the message data itself *only at the send exit*, but I do not see any chance to get it in the security exit. The second problem is, the send exit gets called *after* security channel negotiation is complete. No chance!?
 |  |  
		  | fgoergen | 
			  
				|  Posted: Fri Oct 26, 2001 7:19 am    Post subject: |   |  |  
		  | Newbie
 
 
 Joined: 24 Oct 2001
 Posts: 3
 Location: IBM/SSD
 
 | 
			  
				| 
   
	| Quote: |  
	| On 2001-10-25 21:01, kolban wrote:
 I won't swear to this but I think it is guaranteed that the security exit will run in the same address space as your own application and hence can obtain your userid/groupid etc from process context.  Since it runs in the same address space, it should be able to access a piece of process data that could be identified in shared memory or some other inter-thread communications block... not the best answer.
 
 Can you elaborate on what exactly it is you are trying to achieve?
 
 |  What I want to do: The kind of security (don't say you would not call this a security problem) I have to provide is based on information *in the message*, meaning solely information about the user/process/application is not enough. This is why I need to pass data from the client's put call to the MQSeries server process on the remote machine. The way you suggest is indeed the only possibility I see, too; it is the one I will go with, although (as your remark says) it does not look elegant. Thanks for your answer!
 
 [ This Message was edited by: fgoergen on 2001-10-26 08:20 ]
 |  |  
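The in-process handoff discussed in this thread, written out in C as an added example (not code from any poster or from MQSeries): the application posts its data into a mutex-protected slot, and the exit, assumed to run in the same process, takes it once and frames it for the security flow, where the receiving side checks the frame before trusting its length. All names here (`handoff_post`, `handoff_take_framed`, `flow_parse`, the `APTK` tag, the 256-byte limit) are hypothetical, and the MQ exit entry point that would call these helpers is not shown.

```c
#include <pthread.h>
#include <stddef.h>
#include <string.h>

#define HANDOFF_MAX 256               /* assumed upper bound for the token */
#define FLOW_MAGIC  "APTK"            /* constructed 4-byte tag, not an MQ value */

static pthread_mutex_t g_lock = PTHREAD_MUTEX_INITIALIZER;
static unsigned char   g_tok[HANDOFF_MAX];
static size_t          g_len;         /* 0 means nothing is posted */

/* Application side: post the token before connecting. Returns 0 on success. */
int handoff_post(const void *tok, size_t len)
{
    if (tok == NULL || len == 0 || len > HANDOFF_MAX) return -1;
    pthread_mutex_lock(&g_lock);
    memcpy(g_tok, tok, len);
    g_len = len;
    pthread_mutex_unlock(&g_lock);
    return 0;
}

/* Exit side: take the token once and frame it as tag | len (2 bytes, big endian) | token.
   Returns bytes written, or -1 if nothing is posted or out is too small
   (in which case the token stays posted). */
long handoff_take_framed(unsigned char *out, size_t cap)
{
    long n = -1;
    pthread_mutex_lock(&g_lock);
    if (g_len != 0 && cap >= 6 + g_len) {
        memcpy(out, FLOW_MAGIC, 4);
        out[4] = (unsigned char)(g_len >> 8);
        out[5] = (unsigned char)(g_len & 0xff);
        memcpy(out + 6, g_tok, g_len);
        n = (long)(6 + g_len);
        memset(g_tok, 0, sizeof g_tok);   /* one-shot: clear the slot after use */
        g_len = 0;
    }
    pthread_mutex_unlock(&g_lock);
    return n;
}

/* Receiving side: validate the frame before using any length taken from it.
   Returns the token length and sets *tok, or -1 on a malformed frame. */
long flow_parse(const unsigned char *in, size_t inlen, const unsigned char **tok)
{
    if (in == NULL || inlen < 6 || memcmp(in, FLOW_MAGIC, 4) != 0) return -1;
    size_t len = ((size_t)in[4] << 8) | in[5];
    if (len == 0 || len > HANDOFF_MAX || len != inlen - 6) return -1;
    *tok = in + 6;
    return (long)len;
}
```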