sijtom0703
Posted: Wed Feb 08, 2017 8:10 am    Post subject: Restrict MQ client app from doing destructive get operation
Voyager | Joined: 28 May 2011 | Posts: 84 | Location: USA
I have a client app which would like to do a non-destructive read of messages from a queue and write them to a DB or file using a Java program. To ensure that the client app is doing a browse of messages, it uses MQOO_BROWSE in the MQ Get message options. Everything is fine till now. From an MQ administrator perspective I would like to ensure that there is an additional layer of protection, and I have removed Get access from the permissions for the MCA user group which the client channel uses to access the queue. I have only added the Browse permission. But then the client is receiving MQRC_NOT_AUTHORIZED on the client side when trying to access the queue.
So my question is: is there a way I can set permissions on the queue such that the client app cannot do a destructive read on the queue but can browse messages and copy them to a file or DB? Appreciate your guidance here.
PaulClarke
Posted: Wed Feb 08, 2017 8:59 am    Post subject:
Grand Master | Joined: 17 Nov 2005 | Posts: 1002 | Location: New Zealand
I would say that restricting the permissions sounds like the right way to go to me. Are you sure the Java application isn't trying to access the queue for input access as well? Remember that it is the queue open which matters from a security point of view, not the MQGET call. Check that you are not using MQC.MQOO_INPUT_SHARED on the open.
Cheers,
Paul.
_________________
Paul Clarke
MQGem Software
www.mqgem.com
sijtom0703
Posted: Wed Feb 08, 2017 9:21 am    Post subject:
Voyager | Joined: 28 May 2011 | Posts: 84 | Location: USA
Thanks for the response!
The following are the open options used in the client code.
Code:
    int openOptions = CMQC.MQOO_FAIL_IF_QUIESCING + CMQC.MQOO_INPUT_AS_Q_DEF +
                      CMQC.MQOO_INQUIRE + CMQC.MQOO_OUTPUT;
PaulClarke
Posted: Wed Feb 08, 2017 9:26 am    Post subject:
Grand Master | Joined: 17 Nov 2005 | Posts: 1002 | Location: New Zealand
Well, what happens if you change it to...
Code:
    MQC.MQOO_FAIL_IF_QUIESCING + MQC.MQOO_BROWSE;
Since I assume you don't want to inquire or write to the queue either.
Cheers,
Paul.
_________________
Paul Clarke
MQGem Software
www.mqgem.com
RogerLacroix
Posted: Wed Feb 08, 2017 11:19 am    Post subject:
Jedi Knight | Joined: 15 May 2001 | Posts: 3264 | Location: London, ON Canada
For a Java application to browse the queue, the Open Options should be:
Code:
    int openOptions = CMQC.MQOO_INQUIRE + CMQC.MQOO_BROWSE + CMQC.MQOO_FAIL_IF_QUIESCING;
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
fjb_saper
Posted: Wed Feb 08, 2017 12:22 pm    Post subject:
Grand High Poobah | Joined: 18 Nov 2003 | Posts: 20756 | Location: LI,NY
RogerLacroix wrote:
    For a Java application to browse the queue, the Open Options should be:
    Code:
        int openOptions = CMQC.MQOO_INQUIRE + CMQC.MQOO_BROWSE + CMQC.MQOO_FAIL_IF_QUIESCING;
    Regards,
    Roger Lacroix
    Capitalware Inc.
Don't know if you need the Inquire with Java base... I do know that it should always be part of the permissions when using JMS...
Anyway, adding/keeping Inquire should be a breeze.
I am always careful when creating the options and favor the | for the bit-wise OR operator. More secure when you do it twice and you're not risking an overflow...
_________________
MQ & Broker admin
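As an added example, not code from any of the posters, here is a browse-only Java reader built on the open options Roger and Paul describe, combined with the bitwise OR fjb_saper recommends; the host, channel, queue manager and queue names are placeholders. Because the authority check happens at MQOPEN against these options, the MCA user needs only +browse and +inq on the queue, and a destructive get is impossible even if the code were changed by mistake.

```java
import com.ibm.mq.MQEnvironment;
import com.ibm.mq.MQException;
import com.ibm.mq.MQGetMessageOptions;
import com.ibm.mq.MQMessage;
import com.ibm.mq.MQQueue;
import com.ibm.mq.MQQueueManager;
import com.ibm.mq.constants.CMQC;

/** Browse-only reader: copies messages off a queue without ever removing them. */
public class BrowseOnlyReader {

    public static void main(String[] args) throws Exception {
        // Placeholder connection details (assumptions, not from the thread).
        MQEnvironment.hostname = "mqhost.example.com";
        MQEnvironment.port = 1414;
        MQEnvironment.channel = "APP.BROWSE.SVRCONN";
        MQQueueManager qMgr = new MQQueueManager("QM1");

        // Authorization is checked here, at open time, against these options.
        // No MQOO_INPUT_* flag, so +get is never needed and cannot be used.
        // Bitwise OR rather than +: a flag repeated by mistake stays harmless.
        // A 2035 (MQRC_NOT_AUTHORIZED) on this call means +browse/+inq is missing.
        int openOptions = CMQC.MQOO_BROWSE | CMQC.MQOO_INQUIRE | CMQC.MQOO_FAIL_IF_QUIESCING;
        MQQueue queue = qMgr.accessQueue("APP.AUDIT.QUEUE", openOptions);

        MQGetMessageOptions gmo = new MQGetMessageOptions();
        gmo.options = CMQC.MQGMO_BROWSE_FIRST | CMQC.MQGMO_NO_WAIT | CMQC.MQGMO_FAIL_IF_QUIESCING;
        int browsed = 0;
        try {
            while (true) {
                MQMessage msg = new MQMessage();
                queue.get(msg, gmo);   // moves the browse cursor; the message stays on the queue
                String body = msg.readStringOfByteLength(msg.getMessageLength());
                System.out.println("browsed message " + (++browsed) + ": " + body); // write to DB/file here
                gmo.options = CMQC.MQGMO_BROWSE_NEXT | CMQC.MQGMO_NO_WAIT | CMQC.MQGMO_FAIL_IF_QUIESCING;
            }
        } catch (MQException e) {
            // 2033 (MQRC_NO_MSG_AVAILABLE) only means the browse cursor reached the end.
            if (e.reasonCode != CMQC.MQRC_NO_MSG_AVAILABLE) {
                throw e;
            }
        } finally {
            queue.close();
            qMgr.disconnect();
        }
        System.out.println("done: " + browsed + " messages browsed, none removed");
    }
}
```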
sijtom0703
Posted: Thu Feb 09, 2017 6:47 am    Post subject:
Voyager | Joined: 28 May 2011 | Posts: 84 | Location: USA
Thanks All!
If I remove CMQC.MQOO_INPUT_* from the open options then I can remove get permissions from the queue, which will ensure the application cannot do a destructive get even by mistake.
mqjeff
Posted: Thu Feb 09, 2017 6:50 am    Post subject:
Grand Master | Joined: 25 Jun 2008 | Posts: 17447
You should be careful of having applications that can only browse queues.
That is, you need to make sure that something else will clean the queue at some point.
If you are trying to write something that logs messages, you will need to be careful that the application that processes the message doesn't get a message before the browse/logger... which honestly you can't really prevent.
_________________
chmod -R ugo-wx /
sijtom0703
Posted: Thu Feb 09, 2017 7:28 am    Post subject:
Voyager | Joined: 28 May 2011 | Posts: 84 | Location: USA
Thanks for the input! The queues which we are dealing with here are not application write queues, and we also have a separate application process taking care of cleaning up the queue.