setmqaut syntax
>>-setmqaut--- -m QMgrName--- -n ObjectName--- -t ObjectType---->

                                 .--------------------------.
                                 V                          |
>-----+----------------------+-------+- -p PrincipalName-+--+--->
      '- -s ServiceComponent-'       '- -g GroupName-----'

      .------------------------------------------.
      V                                          |
>---------+-| MQI authorizations |------------+--+-------------><
          +-| Context authorizations |--------+
          +-| Administration authorizations |-+
          '-| Generic authorizations |--------'

MQI authorizations

    .-----------------------.
    V                       |
|---------+- +get -----+----+-----------------------------------|
          +- -get -----+
          +- +browse --+
          +- -browse --+
          +- +put -----+
          +- -put -----+
          +- +inq -----+
          +- -inq -----+
          +- +set -----+
          +- -set -----+
          +- +connect -+
          +- -connect -+
          +- +altusr --+
          '- -altusr --'

Context authorizations

    .-----------------------.
    V                       |
|---------+- +passid --+----+-----------------------------------|
          +- -passid --+
          +- +passall -+
          +- -passall -+
          +- +setid ---+
          +- -setid ---+
          +- +setall --+
          '- -setall --'

Administration authorizations

   .-------------------.
   V                   |
|--------+- +crt -+----+----------------------------------------|
         +- -crt -+
         +- +dlt -+
         +- -dlt -+
         +- +chg -+
         +- -chg -+
         +- +dsp -+
         +- -dsp -+
         +- +clr -+
         '- -clr -'

Generic authorizations

    .----------------------.
    V                      |
|---------+- +allmqi -+----+------------------------------------|
          +- -allmqi -+
          +- +alladm -+
          +- -alladm -+
          +- +all ----+
          '- -all ----'

setmqaut example
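setmqaut -m "topsecurity.queue.manager.name" -t queue -n topsecurity.queue.name -g topsecuritygroup +all
This should give all rights to the queue "topsecurity.queue.name" defined on the queue manager "topsecurity.queue.manager.name", where topsecuritygroup is the ID of the group to be given the authorizations. Note that +all covers the administration authorizations (for example +dlt and +chg) as well as the MQI ones; a group whose members only send messages can instead be given a narrower set chosen from the MQI authorizations above, such as +put.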
TopsecurityMQClient.java
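package dk.topsecurity;

import javax.jms.*;
import javax.naming.*;
import javax.naming.directory.*;
import java.util.*;

/**
 * JMS client that looks up an MQ queue connection factory and queue in a
 * file-based JNDI directory and prepares a sender for that queue.
 */
public class TopsecurityMQClient implements ExceptionListener {

    /**
     * User name the client reports; read by classes in com.ibm.mqjms.jar.
     * The default is an administrative account name. Prefer a dedicated
     * account whose group holds only the setmqaut authorizations it needs.
     */
    public String mq_username = "Administrator";

    /** JNDI name of the queue connection factory (QCF). */
    public String mq_qcf = "TOPSECURITY_QCF";

    /** JNDI name of the queue, as defined in the MQ setup. */
    public String mq_qname = "TOPSECURITY.QUEUE";

    /** URL of the file-based, external JNDI provider. */
    public String mq_url = "file:/C:/jms-jndi-directory";

    /** Context factory to use with the external JNDI provider. */
    public String mq_jndi = "com.sun.jndi.fscontext.RefFSContextFactory";

    // ... (members omitted in the original listing; presumably they include the
    //      connection, session, ioQueue and queueSender fields assigned below)

    /**
     * Looks up the connection factory and queue through JNDI, opens a
     * non-transacted AUTO_ACKNOWLEDGE session and creates the queue sender.
     *
     * @throws Exception if the JNDI lookups or any JMS call fails
     */
    private void setupQueueConnection() throws Exception {
        /* authentication related part - completely remove when running MQ and
         * J2EE client on same machine under same user - or different machines
         * and identical user names. Otherwise enter the username used for the
         * MQ installation. Failure to do so, will cause the program to exit with
         * authentication exception.
         *
         * NOTE(security): overwriting user.name only changes the identity this
         * client reports. It is an assertion made by the client, not
         * authentication, so any process allowed to run this code can claim the
         * same name. What the connection may do should be decided on the queue
         * manager side (for example channel authentication rules, a fixed
         * MCAUSER on the server-connection channel, TLS), not by this value.
         */
        System.out.println("Initial user.name=" + System.getProperty("user.name"));
        System.setProperty("user.name", mq_username);
        System.out.println("Authrorisation required user.name=" + System.getProperty("user.name"));
        /*end of authentication related part*/

        // Raw Hashtable kept as in the original listing; it is the type the JNDI
        // environment API takes.
        Hashtable env = new Hashtable();
        env.put(Context.INITIAL_CONTEXT_FACTORY, mq_jndi);
        env.put(Context.PROVIDER_URL, mq_url);
        InitialDirContext ctx = new InitialDirContext(env);
        try {
            com.ibm.mq.jms.MQQueueConnectionFactory factory =
                    (com.ibm.mq.jms.MQQueueConnectionFactory) ctx.lookup(mq_qcf);
            System.out.println("Factory = " + factory);

            /* Create a QueueConnection, QueueSession
             * When a connection is made, use the createQueueSession method on the
             * QueueConnection to obtain a session. Parameters:
             * boolean= determines whether the session is transacted or non-transacted.
             * int = that determines the acknowledge mode.
             * Simplest case is that of the non-transacted session with AUTO_ACKNOWLEDGE
             * - p319 in the IBM redbook.
             */
            connection = factory.createQueueConnection();
            // Register the listener before start() so a failure reported while the
            // connection is starting is not missed.
            connection.setExceptionListener(this);
            session = connection.createQueueSession(false, Session.AUTO_ACKNOWLEDGE);
            ioQueue = (Queue) ctx.lookup(mq_qname);
            connection.start();
            queueSender = session.createSender(ioQueue);
        } finally {
            // The context is only needed for the two lookups; release it even when
            // a lookup or a JMS call throws.
            ctx.close();
        }
    }

    // ... (remaining members omitted in the original listing)
}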
MQSecurity.policy
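// Policy for running the MQ client under a Java security manager.

// Read-only access to the file-based JNDI directory and the entries the client
// looks up. NOTE(review): "file:*" presumably matches all code loaded from the
// current directory, so every such class/JAR receives these reads - confirm.
grant codebase "file:*" {
    permission java.io.FilePermission "c:/jms-jndi-directory", "read";
    permission java.io.FilePermission "c:/jms-jndi-directory/.bindings", "read";
    permission java.io.FilePermission "c:/jms-jndi-directory/TOPSECURITY_QCF", "read";
    permission java.io.FilePermission "c:/jms-jndi-directory/TOPSECURITY.QUEUE", "read";
};

// The client JAR reads and overwrites user.name. The "write" grant is what
// allows it to change the identity it reports; drop it if the client no longer
// sets user.name.
grant codebase "file:TopsecurityMQ_client.jar" {
    permission java.util.PropertyPermission "user.name", "read";
    permission java.util.PropertyPermission "user.name", "write";
};

// NOTE(security): both grants below are broad. "*","connect" allows outbound
// connections to any host and port, and "loadLibrary.*" allows loading any
// native library. Where the deployment permits, narrow them to the queue
// manager's address (<qmgr-host>:<port>, placeholder) and to the specific
// library names the MQ classes load.
grant codeBase "file:com.ibm.mq.jar" {
    permission java.net.SocketPermission "*","connect";
    permission java.lang.RuntimePermission "loadLibrary.*";
};

// System properties the MQ JMS classes are allowed to read.
grant codeBase "file:com.ibm.mqjms.jar" {
    permission java.util.PropertyPermission "MQJMS_LOG_DIR","read";
    permission java.util.PropertyPermission "MQJMS_TRACE_LEVEL","read";
    permission java.util.PropertyPermission "MQJMS_TRACE_DIR","read";
    permission java.util.PropertyPermission "MQ_JAVA_INSTALL_PATH","read";
    permission java.util.PropertyPermission "file.separator","read";
    permission java.util.PropertyPermission "os.name","read";
    permission java.util.PropertyPermission "user.name","read";
    permission java.util.PropertyPermission "com.ibm.mq.jms.cleanup","read";
    permission java.util.PropertyPermission "com.ibm.mq.localaddress","read";
};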
sendMQsecurity.cmd
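rem Starts TopsecurityMQClient under a Java security manager using MQSecurity.policy.
set BEA_HOME=C:\bea
set WL_HOME=C:\bea\weblogic81

rem The classpath entries and the policy file are resolved relative to the
rem current directory, so run this from a directory only trusted users can write to.
rem A single "=" adds MQSecurity.policy to the JRE's default policy; "==" would
rem make it the only policy in effect.
rem The Security Manager is deprecated for removal since Java 17 (JEP 411), so
rem this launch line applies to older runtimes.
java -classpath .;.\weblogic.jar;.\com.ibm.mq.jar;.\com.ibm.mqjms.jar;.\fscontext.jar;.\providerutil.jar;.\dbhcore.jar;TopsecurityMQ_client.jar -Djava.security.manager -Djava.security.policy=MQSecurity.policy dk/topsecurity/TopsecurityMQClient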