Java Client to NT Server

msiegert
Posted: Mon Aug 06, 2001 1:55 am

Hi there!

A colleague gets through on my NT server MQSeries queues with the ID MUSR_MQADMIN without the need of setting this ID.
How does the connection between a Java client and an NT server work? Where and when is this admin ID set?
Can anyone tell me how to avoid this because it looks like a huge security hole?

Thanks for help.
Marc
kolban
Posted: Mon Aug 06, 2001 5:11 am

In Java, if a user claims to be any MQSeries userid, that userid is sent from the Java application to the queue manager and the queue manager will believe that the authorizations in effect are truly those of the claimed userid.

Personally, I always felt this to be an exposure. In discussions, I have been told that the solution is to ALWAYS utilize security exits associated with Java applications.

This whole "thing" I believe comes from the notion that a Java application has no portable way to determine what operating system user it is running as. This is always 100% true of an applet if not an application.
msiegert
Posted: Mon Aug 06, 2001 6:45 am

OK, I've decided to 'block' the MUSR_MQADMIN user on the NT machine and to let the Java developers set a different ID to connect to the QMGR.
For this ID I will configure only the required access to relating objects on the server machine.
Thanks for help, hope this works.
Marc

Marc Siegert
MQSeries Specialist
eBusiness Solution Advisor
kolban
Posted: Mon Aug 06, 2001 7:10 am

On the MQSeries queue manager, you can specify a hard-coded userid that all incoming connections will use, overriding ANY that an application may select. This is specified in the MCA_USER field. This is set in the SVRCONN channel definition.
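
A defender-side check for the exposure discussed in this thread, as an added example that is not part of the original posts: it parses the text printed by the MQSC command `DISPLAY CHANNEL(*) ALL` and flags SVRCONN channels whose MCAUSER attribute (the "MCA_USER field" above) is blank or set to an administrative ID. The sample output is constructed, and the function names and the channel names APP1.SVRCONN and ADMIN.SVRCONN are assumptions.

```python
import re

# Constructed sample, modelled on runmqsc output for DISPLAY CHANNEL(*) ALL
# (attributes trimmed; APP1.SVRCONN, ADMIN.SVRCONN and app1usr are made up).
SAMPLE = """\
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   MCAUSER( )                              TRPTYPE(TCP)
AMQ8414: Display Channel details.
   CHANNEL(APP1.SVRCONN)                   CHLTYPE(SVRCONN)
   MCAUSER(app1usr)                        TRPTYPE(TCP)
AMQ8414: Display Channel details.
   CHANNEL(ADMIN.SVRCONN)                  CHLTYPE(SVRCONN)
   MCAUSER(MUSR_MQADMIN)
AMQ8414: Display Channel details.
   CHANNEL(TO.QM2)                         CHLTYPE(SDR)
   MCAUSER( )                              XMITQ(QM2)
"""

# Only the three attributes needed for the check are extracted.
ATTR = re.compile(r"\b(CHANNEL|CHLTYPE|MCAUSER)\(([^)]*)\)")

def parse_channels(text):
    """Return one dict (CHANNEL, CHLTYPE, MCAUSER) per displayed channel."""
    channels = []
    for line in text.splitlines():
        for name, value in ATTR.findall(line):
            if name == "CHANNEL":  # a CHANNEL(...) attribute starts a new record
                channels.append({"CHANNEL": value.strip(), "CHLTYPE": "", "MCAUSER": ""})
            elif channels:
                channels[-1][name] = value.strip()
    return channels

def audit_svrconn(text, admin_ids=("MUSR_MQADMIN",)):
    """Return (channel, finding) pairs for SVRCONN channels that need review."""
    admin = {a.upper() for a in admin_ids}
    findings = []
    for ch in parse_channels(text):
        if ch["CHLTYPE"] != "SVRCONN":
            continue  # only client connection endpoints are in scope
        if not ch["MCAUSER"]:
            # Without MCAUSER (or a security exit) the client-claimed userid is used.
            findings.append((ch["CHANNEL"], "blank MCAUSER: userid claimed by the client is used"))
        elif ch["MCAUSER"].upper() in admin:
            findings.append((ch["CHANNEL"], "MCAUSER is an administrative ID"))
    return findings

if __name__ == "__main__":
    for channel, finding in audit_svrconn(SAMPLE):
        print(f"{channel}: {finding}")
```
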
msiegert
Posted: Tue Aug 07, 2001 1:42 am

On one hand this seems good, on the other hand in my case lots of users use this client/server connection and therefore I would have to give them all the same access rights.