This topic describes how user IDs are propagated in messages when
interoperating with WebSphere MQ using a WebSphere MQ server.
Service integration messages contain two user identifiers:
- A system user identifier. In general, the system user identifier is set
to the identity of the user that produced the message, which is specified
when the user connects to the bus. The system user identifier stored in the
message cannot be modified by application code.
- An application user identifier. This corresponds to the 'JMSXUserID'
message property and can be set by application code.
WebSphere MQ can be configured to set the 'user identifier' field of the
WebSphere MQ message descriptor (MQMD) from the system user identifier in
the service integration message. However, the MQMD has only a single field
for a user identifier, so additional processing is required to preserve
the service integration application user identifier when interoperating with
WebSphere MQ using a WebSphere MQ server. If the destination permits the use
of RFH2 headers, the application user identifier present in the message is
placed into the 'sib' folder of the RFH2 header under the key 'jsApiUserId'.
When a message is received from queue points or mediation points localized
on a WebSphere MQ server bus member, one of the following actions is carried
out, depending on whether the associated WebSphere MQ server definition
permits user identifiers to be trusted:
- If the WebSphere MQ server is configured to trust user identifiers, the
system user identifier in the service integration message is copied from
the user identifier present in the WebSphere MQ message's MQMD.
- If the WebSphere MQ server is configured not to trust user identifiers,
the system user identifier in the service integration message is set to the
name of the WebSphere MQ server from which the message was received.
Consider an example where the following objects have been configured:
- A WebSphere MQ server, QM1.
- A WebSphere MQ server bus member with the trustUserIds attribute set to
FALSE.
- A queue-type destination, Q1, assigned to the WebSphere MQ server bus member.
With these objects configured, when a message is received from Q1 the
system user identifier is always set to QM1, and the user identifier that
exists in the message is ignored. This happens because the WebSphere MQ server
bus member does not trust the user identifiers received in inbound messages;
instead, it always uses the name of the WebSphere MQ server from which
the message is received.
Regardless of how the system user identifier of the service integration
message is set, the application user identifier is always set from the 'jsApiUserId'
RFH2 value. If this value is not present, either because the key-value pair is
absent from the 'sib' folder of the RFH2 header or because the message does not
have an RFH2 header, then the application user identifier is not set.
Because system user identifiers are transported in the MQMD message descriptor,
they are limited to 12 characters in length. Longer user identifiers are truncated.
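The following is an added example, not code from IBM or from WebSphere; it models the mapping rules described above (trusted versus untrusted MQMD user identifiers, the RFH2 'sib' folder lookup for 'jsApiUserId', and the 12-character MQMD limit) so the outcomes for each combination can be checked. The MQMessage and SIMessage classes, the folder dictionary layout and the sample user names are constructed for illustration and do not correspond to any real MQ or service integration API.

```python
from dataclasses import dataclass
from typing import Optional

# Assumption for this model: MQMD UserIdentifier is a 12-character field,
# as the text states; longer values are truncated on the way out.
MQMD_USERID_MAX = 12


@dataclass
class MQMessage:
    """Constructed model of an inbound WebSphere MQ message (hypothetical)."""
    user_identifier: str                       # value of the MQMD UserIdentifier field
    rfh2_folders: Optional[dict] = None        # None models "no RFH2 header";
                                               # otherwise {folder_name: {key: value}}


@dataclass
class SIMessage:
    """Constructed model of the resulting service integration message."""
    system_user_id: str
    application_user_id: Optional[str]         # None models "field not set"


def map_inbound(msg: MQMessage, mq_server_name: str, trust_user_ids: bool) -> SIMessage:
    """Derive the two service integration identifiers from an inbound MQ message.

    trust_user_ids models the trustUserIds attribute of the WebSphere MQ server
    bus member; mq_server_name models the name of the WebSphere MQ server
    (for example QM1) from which the message was received.
    """
    # System user identifier: taken from the MQMD only when the server is trusted,
    # otherwise the MQ server name is used and the MQMD value is ignored.
    if trust_user_ids:
        system_user = msg.user_identifier
    else:
        system_user = mq_server_name

    # Application user identifier: set only from sib/jsApiUserId in the RFH2
    # header; stays unset when the header or the key-value pair is absent.
    app_user = None
    if msg.rfh2_folders is not None:
        sib_folder = msg.rfh2_folders.get("sib", {})
        app_user = sib_folder.get("jsApiUserId")

    return SIMessage(system_user_id=system_user, application_user_id=app_user)


def outbound_mqmd_user_id(system_user_id: str) -> str:
    """Model the MQMD UserIdentifier written from the system user identifier,
    applying the 12-character truncation described in the text."""
    return system_user_id[:MQMD_USERID_MAX]


def outbound_rfh2_sib(application_user_id: Optional[str], rfh2_permitted: bool) -> Optional[dict]:
    """Model the RFH2 'sib' folder carrying the application user identifier.
    Returns None when the destination does not permit RFH2 headers or there is
    no application user identifier to carry."""
    if not rfh2_permitted or application_user_id is None:
        return None
    return {"sib": {"jsApiUserId": application_user_id}}


if __name__ == "__main__":
    # Constructed sample: QM1 bus member with trustUserIds=FALSE, message from Q1.
    inbound = MQMessage("alice", {"sib": {"jsApiUserId": "alice-app"}})
    print(map_inbound(inbound, "QM1", trust_user_ids=False))
    print(map_inbound(inbound, "QM1", trust_user_ids=True))
    print(map_inbound(MQMessage("bob", None), "QM1", trust_user_ids=True))
    print(outbound_mqmd_user_id("averylongusername"))
```

Running the script with the constructed sample shows the point the example in the text makes: with trustUserIds set to FALSE the system user identifier becomes QM1 whatever the MQMD carries, while the application user identifier still follows the RFH2 value, and a message without an RFH2 header leaves the application user identifier unset.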