To change the level of security, you must change the value of the class attribute in the SessionContext node of the WebSphere MQ adapter configuration.
Before the WebController executes a request, it determines the credentials that the request must run under. The class specified in the class attribute does this, using the CommandProperty object to determine the credentials of the request.
There are two levels of security available:
- Level 1: Limited security.
- Level 2: User ID and password required for every request.
You can also create your own customized security class. The only restriction is that it must implement the ProgramAdapterSessionContext interface.
Security Level 1: Limited security
This level of security is enabled by default at installation. It assumes that all requests are to be processed by a default user ID unless otherwise specified. If the request is to be processed by another user ID, this user ID is specified in the request. The password of the specified user ID is not required and the request is processed by WebSphere Commerce using the credentials of the specified user.
The class that implements this security level is messaging.programadapter.security.DefaultCredentialsProgramAdapterSessionContextImpl.
Security Level 2: Logon and Password for every request
This level of security requires that a request sent to WebSphere Commerce contains a user ID and password. If the password does not match the specified user ID, a security exception is thrown and the request is rejected. If the user ID and password are not specified in the request, the request is processed as a guest user. This means that commands that need authorization before executing must have the credentials specified in the request.
The class that implements this security level is messaging.programadapter.security.CredentialsSpecifiedProgramAdapterSessionContextImpl.
Credentials are validated with the same technique that is used when customers interact with WebSphere Commerce through a browser. This takes into consideration whether user registration is handled by WebSphere Commerce or by third-party software.
All of the WebSphere Commerce supported XML integration messages support this level of security, although credential specification is not mandatory.
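Because the security level depends entirely on the class attribute of the SessionContext node, a configuration review can read that attribute and report which level each adapter runs at. The following script is an added example, not part of the product or its documentation; the sample XML is constructed, and the wrapper elements around SessionContext, the adapter names, and the custom class name are assumptions.

```python
import xml.etree.ElementTree as ET

# Simple class names as given on this page; matching on the simple name
# means any package prefix in the real file does not matter.
LEVELS = {
    "DefaultCredentialsProgramAdapterSessionContextImpl":
        (1, "request may name any user ID, no password checked"),
    "CredentialsSpecifiedProgramAdapterSessionContextImpl":
        (2, "user ID and password validated, otherwise guest"),
}

def audit_session_contexts(xml_text):
    """Return (class_name, level, note) for every SessionContext node.

    level is 1 or 2 for the two classes the page names, and None for a
    custom or missing class, which needs manual review.
    """
    findings = []
    for node in ET.fromstring(xml_text).iter("SessionContext"):
        cls = (node.get("class") or "").strip()
        if not cls:
            findings.append(("", None, "class attribute missing"))
            continue
        simple = cls.rsplit(".", 1)[-1]
        level, note = LEVELS.get(
            simple, (None, "custom ProgramAdapterSessionContext class, review it"))
        findings.append((cls, level, note))
    return findings

# Constructed sample. Only the SessionContext node and its class attribute
# come from the page; the wrapper elements and names are assumptions.
SAMPLE_CONFIG = """
<Adapters>
  <Adapter name="constructed-a">
    <SessionContext class="messaging.programadapter.security.DefaultCredentialsProgramAdapterSessionContextImpl"/>
  </Adapter>
  <Adapter name="constructed-b">
    <SessionContext class="messaging.programadapter.security.CredentialsSpecifiedProgramAdapterSessionContextImpl"/>
  </Adapter>
  <Adapter name="constructed-c">
    <SessionContext class="example.hypothetical.MySessionContext"/>
  </Adapter>
  <Adapter name="constructed-d"><SessionContext/></Adapter>
</Adapters>
"""

if __name__ == "__main__":
    for cls, level, note in audit_session_contexts(SAMPLE_CONFIG):
        status = "OK" if level == 2 else "REVIEW"
        print(f"{status:6} level={level} {cls or '(none)'}: {note}")
```

Anything reported at level 1 accepts a user ID without its password, and a class the script does not recognize is a customized security class whose credential handling has to be read directly.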