This topic describes how user IDs are propagated in messages when interoperating with WebSphere® MQ using a WebSphere MQ server.

Service integration messages contain two user identifiers:

- A system user identifier. In general, the system user identifier is set to the identity of the user that produced the message, which is specified when the user connects to the bus. The system user identifier stored in the message cannot be modified by application code.
- An application user identifier. This corresponds to the 'JMSXUserID' message property and can be set by application code.
WebSphere MQ can be configured to set the 'user identifier' field of the WebSphere MQ message descriptor (MQMD) from the system user identifier used in the service integration message. However, the MQMD has only a single field for user identifiers, so additional processing is required to preserve the service integration application user identifier when interoperating with WebSphere MQ using a WebSphere MQ server. If the destination permits the use of RFH2 headers, the application user identifier present in the message is placed into the 'sib' folder of the RFH2 header using a key of 'jsApiUserId'.
When a message is received from queue points or mediation points localized on a WebSphere MQ server bus member, one of the following actions is carried out, depending on whether the associated WebSphere MQ server definition permits user identifiers to be trusted:

- If the WebSphere MQ server is configured to trust user identifiers, the system user identifier in the service integration message is copied from the user identifier present in the WebSphere MQ message's MQMD.
- If the WebSphere MQ server is configured not to trust user identifiers, the system user identifier in the service integration message is set to the name of the WebSphere MQ server from which the message was received.
Consider an example where the following objects have been configured:

- A WebSphere MQ server, QM1
- A WebSphere MQ server bus member with the trustUserIds attribute set to FALSE
- A queue-type destination, Q1, assigned to the WebSphere MQ server bus member

With these objects configured, when a message is received from Q1 the system user identifier is always set to QM1, ignoring the user identifier that exists in the message. This happens because the WebSphere MQ server bus member does not trust the user identifiers received in inbound messages; instead it always uses the name of the WebSphere MQ server that the message is received from.
Regardless of how the system user identifier of the service integration message is set, the application user identifier is always set from the 'jsApiUserId' RFH2 value. If this is not present, either because the name-value pair is not present in the 'sib' folder of the RFH2 header or because the message does not have an RFH2 header, then this field is not set.
Because user identifiers used for security are transported in the MQMD message descriptor, they are limited to 12 characters in length. Longer user identifiers are truncated.
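The following added example (not WebSphere code) models the outbound and inbound user identifier mappings described above, including the trustUserIds decision, the 'jsApiUserId' lookup in the RFH2 'sib' folder and the 12-character MQMD truncation. The XML-like layout of the 'sib' folder and the function names are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# The MQMD UserIdentifier field is a fixed 12-character field.
MQMD_USER_ID_LENGTH = 12


@dataclass
class SibMessage:
    """User identifiers carried by a service integration message."""
    system_user_id: str              # set by the bus, not by application code
    application_user_id: Optional[str]  # JMSXUserID, settable by application code


def outbound_user_ids(system_user_id: str, application_user_id: Optional[str],
                      rfh2_allowed: bool) -> Tuple[str, Optional[str]]:
    """Map a service integration message's user ids onto an MQ message.

    Returns (MQMD UserIdentifier, RFH2 'sib' folder or None).  The MQMD has a
    single user field, so the system id goes there (truncated to 12 chars)
    and the application id survives only if the destination allows RFH2.
    """
    mqmd_user = system_user_id[:MQMD_USER_ID_LENGTH]
    sib_folder = None
    if rfh2_allowed and application_user_id is not None:
        # Assumed folder layout: <sib><jsApiUserId>value</jsApiUserId></sib>
        sib_folder = f"<sib><jsApiUserId>{application_user_id}</jsApiUserId></sib>"
    return mqmd_user, sib_folder


def inbound_user_ids(mqmd_user_identifier: str, rfh2_sib_folder: Optional[str],
                     trust_user_ids: bool, mq_server_name: str) -> SibMessage:
    """Build the service integration user ids for a message received from a
    WebSphere MQ server bus member.

    The system id is the MQMD value only when the server definition trusts
    user ids; otherwise it is the MQ server name.  The application id is taken
    from 'jsApiUserId' in the 'sib' folder when present, else left unset.
    Only the system id is suitable for authorization decisions: the
    application id can be set by any producing application.
    """
    if trust_user_ids:
        system_user = mqmd_user_identifier.rstrip()  # MQMD pads with blanks
    else:
        system_user = mq_server_name
    app_user = None
    if rfh2_sib_folder is not None:
        match = re.search(r"<jsApiUserId>([^<]*)</jsApiUserId>", rfh2_sib_folder)
        if match:
            app_user = match.group(1)
    return SibMessage(system_user_id=system_user, application_user_id=app_user)
```

The inbound call with trust_user_ids=False and mq_server_name="QM1" reproduces the Q1/QM1 example above: the MQMD user identifier is ignored and the system user identifier becomes "QM1".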