javagals (Apprentice; Joined: 13 Aug 2008; Posts: 34)
Posted: Wed Aug 13, 2008 4:34 am    Post subject: Add userID in Message Descriptor using receive Exit
Hello,
I have managed to create a receive exit which displays the content of the message descriptor and message contents. I am trying to update the message descriptor field UserIdentifier with the authorized id. I am getting the authorized id from the security exit but I am not able to update the UserIdentifier field using the receive exit.
Could you please kindly let me know (with some sample code) how to update the UserIdentifier field on each message using a receive exit.
Regards,
Sridhar Javagal
javagals (Apprentice; Joined: 13 Aug 2008; Posts: 34)
Posted: Wed Aug 13, 2008 4:55 am
I am using the following approach to implement this task (not successful yet):
1. Copy the agent buffer to a local buffer.
2. Get a pointer to the MQMD2 structure in the local buffer.
3. Get the UserIdentifier field from the channel definition.
4. Copy this field to the MQMD2 structure of the local buffer.
5. Point the exit buffer to this local buffer.
6. Update the exit buffer length & data length.
7. Update ExitResponse2 to use the exit buffer.
With this I get the error message "Data length is longer than the buffer". I have allocated a buffer of 1024 bytes and the data length is only 160 bytes. I don't know how to resolve this?
Regards,
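The steps above rewrite fields in an MQMD2 image and then re-size the exit buffer. As an added example (not code from the post, from IBM, or from any MQ exit), this Python patches the three fields this thread ends up setting (UserIdentifier, Format, ApplIdentityData) at their documented MQMD offsets on a constructed MQMD2 image, and refuses the copy when the data length exceeds the exit buffer length, which is the condition behind the error message quoted in the post. It assumes the caller has already located the MQMD inside the exit's transmission buffer, a little-endian Version field, and constructed values (the user id `client01` and the documentation address `192.0.2.10`).

```python
import struct

# Offsets and lengths of the MQMD fields the thread wants to set, from the
# documented MQMD layout (StrucId at 0, Version at 4, ... ApplOriginData at 320).
MQMD_STRUCID = b"MD  "
MQMD_LENGTH_2 = 364                 # length of a version-2 MQMD
FIELDS = {                          # name: (offset, length); blank-padded text
    "Format":           (32, 8),
    "UserIdentifier":   (196, 12),
    "ApplIdentityData": (240, 32),
}

def read_field(md, name):
    """Return one character field of an MQMD image with trailing blanks removed."""
    off, ln = FIELDS[name]
    return md[off:off + ln].decode("ascii").rstrip()

def set_identity_fields(md, exit_buffer_len, user_id, fmt, client_ip):
    """Return a patched copy of the MQMD2 image `md` destined for an exit buffer
    of `exit_buffer_len` bytes. Raises ValueError for the condition behind the
    post's "data length is longer than the buffer" error, for a bad StrucId, a
    pre-v2 MQMD, or a value that does not fit its field."""
    if md[:4] != MQMD_STRUCID:
        raise ValueError("not an MQMD: bad StrucId")
    version = struct.unpack("<i", md[4:8])[0]       # assumes little-endian host
    if version < 2 or len(md) < MQMD_LENGTH_2:
        raise ValueError("MQMD version 2 image required")
    if len(md) > exit_buffer_len:
        raise ValueError("data length %d is longer than the exit buffer (%d)"
                         % (len(md), exit_buffer_len))
    out = bytearray(md)
    for name, value in (("UserIdentifier", user_id), ("Format", fmt),
                        ("ApplIdentityData", client_ip)):
        off, ln = FIELDS[name]
        raw = value.encode("ascii")
        if len(raw) > ln:
            raise ValueError("%s exceeds %d bytes" % (name, ln))
        out[off:off + ln] = raw.ljust(ln, b" ")     # MQ pads text fields with blanks
    return bytes(out)

def sample_mqmd2():
    """Constructed MQMD2 image: valid StrucId/Version, string format, and the
    UserIdentifier an MCAUSER-stamped message would carry; other fields zero."""
    md = bytearray(MQMD_LENGTH_2)
    md[0:4] = MQMD_STRUCID
    md[4:8] = struct.pack("<i", 2)
    md[32:40] = b"MQSTR   "
    md[196:208] = b"mqm".ljust(12, b" ")
    return bytes(md)
```

Note that whatever an exit writes here is only the identity context as carried on the wire; as later replies in this thread point out, the queue manager re-stamps UserIdentifier from the channel's effective user id unless the putter holds set-context authority.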
David.Partridge (Master; Joined: 28 Jun 2001; Posts: 249)
Posted: Wed Aug 13, 2008 6:05 am
If you want a svrconn channel to run with a particular ID, just set MCAUSER.
If this isn't a SVRCONN channel, and a channel exit is an appropriate solution, then I suggest you use a message exit.
However I'd like to understand what your (business) problem is and why you have felt impelled to attack it using a channel exit. Some problems do end up needing attack at this level, but in my experience not that many.
_________________
Cheers,
David C. Partridge
javagals (Apprentice; Joined: 13 Aug 2008; Posts: 34)
Posted: Wed Aug 13, 2008 6:15 am
Business scenario :
Different clients connect to MQ Server with respective id and put message on a queue. A service consumes all these messages and it needs to know the CLIENTID (to begin with) for further processing.
Problem:
Client ID or UserIdentification is always overwritten by MCAUSER. I need to update it with the supplied client ID.
Approach to solve this problem:
I have written a receiver exit program which extracts the user ID from the channel definition. I am not able to set it in the message descriptor.
Please let me know if there is a better solution, or if you think this is a good approach please let me know how to set the userID on the message descriptor.
Thank you,
Sridhar Javagal
David.Partridge (Master; Joined: 28 Jun 2001; Posts: 249)
Posted: Wed Aug 13, 2008 6:30 am
See my reply on your other thread.
_________________
Cheers,
David C. Partridge
javagals (Apprentice; Joined: 13 Aug 2008; Posts: 34)
Posted: Wed Aug 13, 2008 6:51 am
Thanks David.
I got the userId bit working. I can pass userId from client to server.
The second requirement I have is to check if the userId passed is the same as the userId used to connect to the channel.
I have managed to write a security exit program which accepts a username/password from the client and checks it with the central LDAP server. Once authenticated, the channel connection is initiated.
I use MQEnvironment.userId and MQEnvironment.password to supply the username and password to the channel connection.
I use sendMsg.userId to send "userId" and I need to be sure that this id is the same as the id used to authenticate.
Could you please kindly let me know how to check or update the message userId field with the channel definition UserIdentifier field.
Regards,
Sridhar Javagal
David.Partridge (Master; Joined: 28 Jun 2001; Posts: 249)
Posted: Wed Aug 13, 2008 11:21 pm
>Second requirement I have is to check if the userId passed is same as the userId used to connect to channel
If you don't give the client user set all context authority, then the messages they put *will* have their userid (or the MCAUSER) in the MQMD regardless of how they pre-populate the identity context fields of the MQMD.
>security exit program which accepts username/password
The userid and password set in MQEnvironment are passed as clear text. No security there I fear.
As the client would appear to be a Java application then they can assert any userid they wish if they are connecting to an svrconn channel with blank MCAUSER. If MCAUSER is blank and the client doesn't assert a specific userid, then they effectively connect as mqm.
A C client can do the same with a small amount of effort.
Consider using SSL for authentication with each client having their own certificate and connecting to a unique svrconn channel with MCAUSER hard coded. Alternatively use SSL with all clients connecting to same svrconn channel and use (e.g.) BlockIP2 to set the MCAUSER of the channel instance based upon their DN as they connect to the QM.
Remember that on Unix servers, MQ permissions should be managed using groups (setmqaut -g groupname) not users because if you grant to a user (principal) then you will actually grant to that user's primary group which may well have "unintended" consequences.
Like I said in an earlier post, look to exits as the *last* resort; generally there's an easier/cleaner way to do what you want, even if it does involve reading the friendly manuals.
_________________
Cheers,
David C. Partridge
javagals (Apprentice; Joined: 13 Aug 2008; Posts: 34)
Posted: Thu Aug 14, 2008 5:01 am
In your view, what is the best way forward for the following?
1. Authenticate the client. The client supplies a userId and password. The server authenticates against an LDAP server.
2. Add the authenticated userId in the UserIdentifier field for every incoming msg.
3. Add a custom Format in the Format field for every incoming msg.
4. Add the remote IP address of the client in the ApplIdentityData field for every incoming msg.
Please note that the solution design should make sure the client has very little burden. Something like supplying userId/password while connecting and nothing while sending messages.
According to the MQ documentation and my own experience, writing a security exit and receiver exit does the job. Please let me know if you think there is some other way of implementing this.
David.Partridge (Master; Joined: 28 Jun 2001; Posts: 249)
Posted: Thu Aug 14, 2008 11:56 pm
Authentication using the technique you propose is totally insecure.
Use the technique I suggested in my previous post for authentication. Once they are connected all their activity on the QM will take place with the authority of the user you've either hard coded on the channel defn, or with the userid you've set using (e.g. BlockIP2).
Unless you give them set context authority, all the messages they put WILL have the userid on the active instance of the channel in the MQMD - problem solved.
Dave
_________________
Cheers,
David C. Partridge
RogerLacroix (Jedi Knight; Joined: 15 May 2001; Posts: 3264; Location: London, ON Canada)
Posted: Sat Aug 16, 2008 2:40 pm    Post subject: Re: Add userID in Message Descriptor using receive Exit
javagals wrote:
> I have managed to create a receive exit which displays the content of the message descriptor and message contents. I am trying to update the message descriptor field UserIdentifier with the authorized id. I am getting the authorized id from the security exit but I am not able to update the UserIdentifier field using the receive exit.
This is the wrong approach. You need to look up "Alternate UserId" as that is what it is designed for.
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
javagals (Apprentice; Joined: 13 Aug 2008; Posts: 34)
Posted: Wed Sep 03, 2008 6:29 am
Hello Guys,
Thanks for your help. I have managed to create a receiver exit which successfully updates the format, userid and remote client IP in the message header.
Thank you
_________________
Sridhar Javagal
Solution design and delivery