Service integration messages contain two user IDs - a system user ID
and an application user ID. WebSphere® MQ can set the user identifier
field of the WebSphere MQ message descriptor (MQMD) from the system
user ID used in the service integration message. Additional processing
is required to preserve the service integration application user ID
when interoperating with WebSphere MQ by using a WebSphere MQ server.
Service integration messages contain two user IDs:
- a system user ID: In general, the system user ID is set to the
identity of the user that produced the message, which is specified
when the user connects to the bus. The system user ID stored in the
message cannot be modified by application code.
- an application user ID: This corresponds to the JMSXUserID message
property and can be set by application code.
WebSphere MQ can be configured to set the user identifier field of the
WebSphere MQ message descriptor (MQMD) from the system user ID used in
the service integration message. However, there is only one field for
user IDs in the MQMD. If the destination permits the use of MQRFH2
headers, the application user ID present in the message is placed into
the <sib> folder of the RFH2 header using a key of jsApiUserId.
When a message is received from queue points or mediation points
localized on a WebSphere MQ server bus member, one of the following
actions is completed, depending on whether the associated WebSphere MQ
server definition permits the user IDs to be trusted:
- If the WebSphere MQ server is configured to trust
user IDs, the system user ID in the service integration message is
copied from the user ID in the MQMD.
- If the WebSphere MQ server is not configured to
trust user IDs, the system user ID in the service integration message
is set to the name of the WebSphere MQ server from which
the message has been received.
Consider an example where the following objects have been configured:
- A WebSphere MQ server, QM1
- A WebSphere MQ server bus member with the trustUserIds attribute
set to FALSE.
- A queue-type destination, Q1 assigned to the WebSphere MQ
server bus member.
If you configured these objects, when a message is received from Q1,
the system user ID is always set to QM1 (ignoring the user ID that
exists in the message). This happens because the WebSphere MQ server
bus member does not trust the user IDs received in inbound messages.
Instead, it always uses the name of the WebSphere MQ server that the
message is received from.
Regardless of how the system user ID of the service integration
message is set, the application user ID is always set from the
jsApiUserId RFH2 value. If this value is not present, either because
the value pair is not present in the <sib> folder of the RFH2 header,
or because the message does not have an RFH2 header, then the
application user ID is not set.
As security user IDs are transported in the MQMD message descriptor,
they are limited to 12 characters in length. Longer user IDs are truncated.
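The mapping rules above, modelled as an added example (not IBM code and not a WebSphere API). The function names, the XML-like string used for the <sib> folder, and the sample user IDs are assumptions constructed for illustration; only trustUserIds, jsApiUserId, QM1 and the 12-character limit come from this page.

```python
import xml.etree.ElementTree as ET
from typing import NamedTuple, Optional

MQMD_USERID_LEN = 12  # MQMD user ID limit stated on this page


class MQMessage(NamedTuple):
    mqmd_user_id: str
    rfh2_sib_folder: Optional[str]  # None models a message with no RFH2 header


def to_mq(system_uid, app_uid, rfh2_permitted):
    """Outbound: map service integration user IDs onto the MQ message."""
    folder = None
    if rfh2_permitted and app_uid is not None:
        sib = ET.Element("sib")
        ET.SubElement(sib, "jsApiUserId").text = app_uid
        folder = ET.tostring(sib, encoding="unicode")
    # The single MQMD field carries the system user ID, truncated to 12 chars.
    return MQMessage(system_uid[:MQMD_USERID_LEN], folder)


def from_mq(msg, server_name, trust_user_ids):
    """Inbound: return (system_uid, app_uid) as the bus would set them."""
    # Untrusted server: the system user ID becomes the WebSphere MQ server name.
    system_uid = msg.mqmd_user_id if trust_user_ids else server_name
    app_uid = None
    if msg.rfh2_sib_folder is not None:
        # Taken from jsApiUserId whatever the trust setting; None if absent.
        app_uid = ET.fromstring(msg.rfh2_sib_folder).findtext("jsApiUserId")
    return system_uid, app_uid


def truncation_collisions(user_ids):
    """Group IDs that become indistinguishable after MQMD truncation."""
    groups = {}
    for uid in user_ids:
        groups.setdefault(uid[:MQMD_USERID_LEN], []).append(uid)
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    # Constructed sample identities.
    msg = to_mq("svc-payments-prod", "alice", rfh2_permitted=True)
    print(from_mq(msg, "QM1", trust_user_ids=False))
    print(from_mq(msg, "QM1", trust_user_ids=True))
    print(truncation_collisions(["svc-payments-prod", "svc-payments-test", "bob"]))
```

Running truncation_collisions over the identities that connect to the bus shows which ones collapse to the same MQMD value. The application user ID passes through unchanged in both trust modes because it is set by application code.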