MQSeries.net
QALAIS / QLOCAL Security
Mr Butcher
Posted: Tue Aug 08, 2006 4:33 am    Post subject: QALAIS / QLOCAL Security

Padawan

Joined: 23 May 2005
Posts: 1716

I am on z/OS; I have a third-party program that connects via a SVRCONN channel. I put in an MCA user ID that is allowed to put to a QALIAS, but the user ID is not allowed to access the BASEQ (which is a QLOCAL).

When the application is running, I get a security error on the QLOCAL, although I am sure the application only knows about the QALIAS (by parameter).
Quote:
ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )


So there must be something within the code that opens the QALIAS, gets the BASEQ name and then opens the BASEQ too (but why a READ security check instead of UPDATE? The application wants to put).

I am no JMS guy, so I am posting some of the code the vendor supplied me with.

Is this normal behaviour of JMS, so that I have to adapt my security settings, or is there anything in the code that forces this behaviour? If so, how should the code look to open / put to the QALIAS only?

Code:
import java.util.Properties;
import javax.jms.Queue;
import javax.jms.QueueConnection;
import javax.jms.QueueSender;
import javax.jms.QueueSession;
import javax.jms.Session;
import javax.jms.TextMessage;
import com.ibm.mq.jms.JMSC;
import com.ibm.mq.jms.MQQueueConnectionFactory;

// class and method wrapper added so the vendor snippet compiles as posted
public class VendorSender {

    private MQQueueConnectionFactory qcf = null;
    private QueueConnection queueCon = null;
    private QueueSession queueSession = null;
    private Queue queueSend = null;
    private QueueSender queueSender = null;

    public void send(Properties prop, String content) throws Exception {
        //initialize Queue Connection Factory (MQ provider class, not provider-neutral)
        qcf = new MQQueueConnectionFactory();
        qcf.setHostName(prop.getProperty("HostName"));
        qcf.setPort(Integer.parseInt(prop.getProperty("Port")));
        qcf.setQueueManager(prop.getProperty("QManagerName"));
        qcf.setChannel(prop.getProperty("Channel"));
        qcf.setTransportType(JMSC.MQJMS_TP_CLIENT_MQ_TCPIP);

        // Create a connection (no user id passed; the MCA user of the SVRCONN channel applies)
        queueCon = qcf.createQueueConnection();
        try {
            //Create queue session
            queueSession = queueCon.createQueueSession(false, Session.AUTO_ACKNOWLEDGE);

            //Create queue from the configured name (the QALIAS)
            queueSend = queueSession.createQueue(prop.getProperty("QName"));

            //Create queue sender bound to that queue
            queueSender = queueSession.createSender(queueSend);

            //start connection
            queueCon.start();

            //send message
            TextMessage tMsg = queueSession.createTextMessage();
            tMsg.setText(content);
            queueSender.send(tMsg);

            //stop connection
            queueCon.stop();
        } finally {
            //close the connection so the channel and queue handles are released
            queueCon.close();
        }
    }
}

_________________
Regards, Butcher
fjb_saper
Posted: Tue Aug 08, 2006 2:14 pm    Post subject: Re: QALAIS / QLOCAL Security

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY

Mr Butcher wrote:

I am no JMS guy, so I am posting some of the code the vendor supplied me with.

Is this normal behaviour of JMS, so that I have to adapt my security settings, or is there anything in the code that forces this behaviour? If so, how should the code look to open / put to the QALIAS only?

Code:
private MQQueueConnectionFactory qcf = null;
private QueueConnection queueCon = null;
private QueueSession queueSession = null;
private Queue queueSend = null;
private QueueSender queueSender = null;

//initialize Queue Connection Factory
qcf = new MQQueueConnectionFactory();
qcf.setHostName(prop.getProperty("HostName"));
qcf.setPort(Integer.parseInt(prop.getProperty("Port")));
qcf.setQueueManager(prop.getProperty("QManagerName"));
qcf.setChannel(prop.getProperty("Channel"));
qcf.setTransportType(JMSC.MQJMS_TP_CLIENT_MQ_TCPIP);

// Create a connection
queueCon = qcf.createQueueConnection();

//Create queue session
queueSession = queueCon.createQueueSession(false, Session.AUTO_ACKNOWLEDGE);

//Create queue
queueSend = queueSession.createQueue(prop.getProperty("QName"));

//Create queue sender
queueSender = queueSession.createSender(queueSend);

//start connection
queueCon.start();

//send message
TextMessage tMsg;

tMsg = queueSession.createTextMessage();
tMsg.setText(content);
queueSender.send(tMsg);

//stop connection
queueCon.stop();


Well, let's have a look at this code:
Code:
//initialize Queue Connection Factory
qcf = new MQQueueConnectionFactory();
qcf.setHostName(prop.getProperty("HostName"));
qcf.setPort(Integer.parseInt(prop.getProperty("Port")));
qcf.setQueueManager(prop.getProperty("QManagerName"));
qcf.setChannel(prop.getProperty("Channel"));
qcf.setTransportType(JMSC.MQJMS_TP_CLIENT_MQ_TCPIP);

This is not at all typical of JMS and is not portable, as it references the provider classes (MQQueueConnectionFactory).
In the Using Java manual there are nice snippets of code that show how to retrieve the qcf from the context, which would make it provider-neutral...

Code:
//Create queue
queueSend = queueSession.createQueue(prop.getProperty("QName"));

Now I don't know what he has in the properties, but it should really be in URI format:
Quote:
"queue://qmgr/qname?att1=val1&attn=valn"


On the other hand, I would expect the queue object to be supplied by the context... (makes it more provider-neutral)

The other trick that could be used is not to use a defined sender (session.createSender(q)) but an anonymous one (session.createSender(null)). In the case of an anonymous sender, the destination information must be passed to the send method.

Now let's have a look at the permissions.
I would expect to have at least open, inq and put on the ALIAS queue to allow the user to put there. And please remember the authentication alias that he could be using. Typically JMS will provide you with that in the QCF setup for the JNDI. He is not using any of this here and is not passing any of this information when opening the connection (qcf.createQueueConnection(username, passwd), the pwd being unimportant here).
So your guess is as good as mine as to the username being passed (for a client connection using Java, probably none), and he might get blocked that way.

Enjoy
[edit] enq changed to inq[/edit]
_________________
MQ & Broker admin


Last edited by fjb_saper on Tue Aug 08, 2006 2:42 pm; edited 1 time in total
jefflowrey
Posted: Tue Aug 08, 2006 2:35 pm

Grand Poobah

Joined: 16 Oct 2002
Posts: 19981

I think you meant "+inq", not "enq".
_________________
I am *not* the model of the modern major general.
fjb_saper
Posted: Tue Aug 08, 2006 2:41 pm

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY

jefflowrey wrote:
I think you meant "+inq", not "enq".
Indeed, thanks for picking that up.
_________________
MQ & Broker admin
Mr Butcher
Posted: Tue Aug 08, 2006 10:26 pm

Padawan

Joined: 23 May 2005
Posts: 1716

Thanks for your answers.

Just to make sure you understood my security problem: I do not have a problem with the user ID passed, because I use the MCA user of the SVRCONN channel for security. My problem is: why is the application touching the QLOCAL although I only passed a QALIAS queue in the parameter?
_________________
Regards, Butcher
fjb_saper
Posted: Wed Aug 09, 2006 12:24 pm

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY

Mr Butcher wrote:
Thanks for your answers.

Just to make sure you understood my security problem: I do not have a problem with the user ID passed, because I use the MCA user of the SVRCONN channel for security. My problem is: why is the application touching the QLOCAL although I only passed a QALIAS queue in the parameter?

My guess is you are missing the inq authorization. I believe JMS requires this one as a rule.
Anyway, any of the authorizations on the alias queue is moot if it has been revoked from the target queue. The alias queue can only be used to restrict authorizations, not to grant more than what has been granted to the original (target) queue.

Usually the group is granted no authorization at all on the target queue. (This is different from being refused authorizations: in an authorization dump the group should not even be associated in any manner with the target queue.) The authorizations are then granted to the alias queue.
However, remember that the alias queue is in reality just a pointer to the real queue, an alias that behaves a little bit differently. So once you have obtained the handle, you could have a handle to the real object, though you can only execute the operations on the handle as permitted by the alias queue.

Hope this helps some
_________________
MQ & Broker admin
jefflowrey
Posted: Wed Aug 09, 2006 12:47 pm

Grand Poobah

Joined: 16 Oct 2002
Posts: 19981

JMS needs information from the queue definition that is not available from the alias queue, like backout queue names.
_________________
I am *not* the model of the modern major general.