Author |
Message
|
javagals |
Posted: Wed Aug 13, 2008 5:21 am Post subject: UserId from Client is over written by MCAUSER in Server. |
|
|
Apprentice
Joined: 13 Aug 2008 Posts: 34
|
Hello,
I would like to know WHAT MQ Connect Options or MQ Open Options or MQ Put Message Options to set to make sure "UserId" from MQ Client is not overwritten by MCAUSER from MQ Server.
I have tried using the following options.
Connection:
Default connect options.
Access put queue options.
MQC.MQOO_OUTPUT | MQC.MQOO_PASS_ALL_CONTEXT
Put message options.
Default.
Could you please kindly let me know what combination of options I should use to make sure client details on a message from Sender are passed to receiver without getting overwritten by MCAUSER.
Regards,
Sridhar Javagal |
|
David.Partridge |
Posted: Wed Aug 13, 2008 5:54 am Post subject: |
|
|
 Master
Joined: 28 Jun 2001 Posts: 249
|
You have it the wrong way round.
MCAUSER set on a channel will override anything you do at the client, and intentionally so.
If you can subvert this, then you should open a security/integrity APAR with IBM as fast as you can.
_________________
Cheers,
David C. Partridge |
|
javagals |
Posted: Wed Aug 13, 2008 5:59 am Post subject: |
|
|
Apprentice
Joined: 13 Aug 2008 Posts: 34
|
Thanks David.
You mean to say there is no way I can add or update the UserIdentifier field? Even if I do, it will always be overwritten by MCAUSER?
Can I make use of receiver exit in this case?
Regards,
Sridhar Javagal |
|
David.Partridge |
Posted: Wed Aug 13, 2008 6:20 am Post subject: |
|
|
 Master
Joined: 28 Jun 2001 Posts: 249
|
If (and only if) the userid set in MCAUSER has "set all context" authority, then if you have opened the queue for output using MQOO_SET_IDENTITY_CONTEXT, or MQOO_SET_ALL_CONTEXT, then you should be able to populate the MQMD.UserIdentifier field and use MQPMO_SET_IDENTITY_CONTEXT.
MQOO_PASS_ALL_CONTEXT and MQPMO_PASS_ALL_CONTEXT are used to pass information from one MD (that of a message you've gotten from an input queue) to an output message, and in this case you need to populate the MQPMO.Context field with the object handle of the input queue from which you've just gotten the input message. MQ will deal with populating the output MD in this case from the input MD.
_________________
Cheers,
David C. Partridge |
|
PeterPotkay |
Posted: Wed Aug 13, 2008 6:53 am Post subject: |
|
|
 Poobah
Joined: 15 May 2001 Posts: 7722
|
Hackers can get by it if the version of MQ is 6.0.2.1 or earlier.
Security Exits can override it as well.
_________________
Peter Potkay
Keep Calm and MQ On |
|
David.Partridge |
Posted: Wed Aug 13, 2008 6:53 am Post subject: |
|
|
 Master
Joined: 28 Jun 2001 Posts: 249
|
Further to this, based on your posts in the user exits forum.
As you are getting messages from the clients and then putting a new message, you should be using the PASS_ALL_CONTEXT technique.
In this case you must also specify when you open the input queue that you wish to save context by opening it with MQOO_SAVE_ALL_CONTEXT.
From the programming guide:
Passing identity context
In general, programs should pass identity context information from message to message around an application until the data reaches its final destination. Programs should change the origin context information each time that they change the data. However, applications that want to change or set any context information must have the appropriate level of authority. The queue manager checks this authority when the applications open the queues; they must have authority to use the appropriate context options for the MQOPEN call.
If your application gets a message, processes the data from the message, then puts the changed data into another message (possibly for processing by another application), the application must pass the identity context information from the original message to the new message. You can allow the queue manager to create the origin context information.
To save the context information from the original message, use the MQOO_SAVE_ALL_CONTEXT option when you open the queue for getting the message. This is in addition to any other options you use with the MQOPEN call. Note, however, that you cannot save context information if you only browse the message.
When you create the second message:
Open the queue using the MQOO_PASS_IDENTITY_CONTEXT option (in addition to the MQOO_OUTPUT option).
In the Context field of the put-message options structure, give the handle of the queue from which you saved the context information.
In the Options field of the put-message options structure, specify the MQPMO_PASS_IDENTITY_CONTEXT option.
_________________
Cheers,
David C. Partridge |
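
The get-then-put sequence quoted from the programming guide in the post above, written out with the MQ classes for Java that the original poster is using. This is an added example, not code from the thread or from IBM's documentation; the queue manager name QM1, the queue names APP.IN and APP.OUT, and the default connection settings are assumptions.

```java
import com.ibm.mq.*;
import java.io.IOException;

public class PassIdentityContext {
    public static void main(String[] args) throws MQException, IOException {
        // Assumed object names: QM1, APP.IN and APP.OUT are placeholders.
        MQQueueManager qmgr = new MQQueueManager("QM1");
        MQQueue in = null, out = null;
        try {
            // Input queue: MQOO_SAVE_ALL_CONTEXT keeps the context of the message
            // that is got on this handle (a browse-only open cannot save context).
            in = qmgr.accessQueue("APP.IN",
                    MQC.MQOO_INPUT_AS_Q_DEF | MQC.MQOO_SAVE_ALL_CONTEXT);
            // Output queue: the authority to pass identity context is checked
            // here, at open time, against the user ID the application runs under.
            out = qmgr.accessQueue("APP.OUT",
                    MQC.MQOO_OUTPUT | MQC.MQOO_PASS_IDENTITY_CONTEXT);

            MQMessage request = new MQMessage();
            MQGetMessageOptions gmo = new MQGetMessageOptions();
            gmo.options = MQC.MQGMO_WAIT;
            gmo.waitInterval = 5000; // milliseconds
            in.get(request, gmo);

            // Build the new message from the processed data of the original.
            MQMessage forward = new MQMessage();
            forward.format = request.format;
            byte[] body = new byte[request.getDataLength()];
            request.readFully(body);
            forward.write(body);

            // Context reference = handle of the queue the context was saved from.
            MQPutMessageOptions pmo = new MQPutMessageOptions();
            pmo.options = MQC.MQPMO_PASS_IDENTITY_CONTEXT;
            pmo.contextReference = in;
            out.put(forward, pmo);
            System.out.println("Identity passed on: UserIdentifier=" + request.userId);
        } catch (MQException e) {
            // Reason 2035 is MQRC_NOT_AUTHORIZED: a context authority is missing.
            if (e.reasonCode == 2035) System.err.println("Not authorized for context option");
            throw e;
        } finally {
            if (out != null) out.close();
            if (in != null) in.close();
            qmgr.disconnect();
        }
    }
}
```

The UserIdentifier that is passed on is whatever the queue manager stamped on the incoming message, so for messages arriving over a channel with MCAUSER set it is the MCAUSER value.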
|
David.Partridge |
Posted: Wed Aug 13, 2008 6:54 am Post subject: |
|
|
 Master
Joined: 28 Jun 2001 Posts: 249
|
And of course the userid in MCAUSER must be authorised to pass context!
_________________
Cheers,
David C. Partridge |
|
David.Partridge |
Posted: Wed Aug 13, 2008 7:00 am Post subject: |
|
|
 Master
Joined: 28 Jun 2001 Posts: 249
|
True Peter, but I'm sure the OP would prefer we solve the problem without resorting to exploitation of product vulnerabilities or using exits (even though he/she was trying to do this using a receive exit).
_________________
Cheers,
David C. Partridge |
|