WebSphere Message Brokers
File: aq18560_
Writer: Terry Cowling

Concept topic

This build: July 31, 2007 21:35:39

Stream authority

In WebSphere MQ Publish/Subscribe, all publish and subscribe authority checks are performed against the stream queue. Publishing applications need authority to put messages to the stream queue. The WebSphere MQ Publish/Subscribe broker also checks the authority of subscribing applications, which require browse authority on the stream queue. A subscribing application also needs put authority for the queue that it nominates to receive its publications.

A similar check is made by WebSphere Message Broker brokers, but there is no check for subscribe (browse) authority on the stream queue. Instead, WebSphere Message Broker uses Access Control Lists (ACLs), which you can create using the workbench, to provide the required authorities for individual topics. For more information about ACLs, see Authorization to access runtime resources.

Before you migrate a WebSphere MQ Publish/Subscribe broker to WebSphere Message Broker, or migrate your WebSphere MQ Publish/Subscribe applications to run on a WebSphere Message Broker, you must consider the following security implications:

Stream authorities

The figure (not reproduced here) shows the stream authorities that are required. This example assumes that you have updated the default ACL on the topic root for principal PublicGroup so that publish, subscribe, and persistent delivery are all set to deny.

Using this example, assume that the following groups are defined:
You must grant and deny authorities by setting up ACLs as follows:
  1. PDefault must be granted publish authority on the root, and SDefault must be granted subscribe authority on the root.
  2. PDefault must be denied publish authority on $SYS/STREAM/, and SDefault must be denied subscribe authority on $SYS/STREAM/.

    These settings ensure that publishers and subscribers on the default stream are unable to publish on, or subscribe to, other streams without an explicit ACL that overrides the relevant setting.

  3. PStreamX must be granted publish authority on $SYS/STREAM/StreamX/, and SStreamX must be granted subscribe authority on $SYS/STREAM/StreamX/.

    These settings override any setting on parent topics and limit publish and subscribe activity to users within these specific groups.

  4. PStreamY must be granted publish authority on $SYS/STREAM/StreamY/, and SStreamY must be granted subscribe authority on $SYS/STREAM/StreamY/.

    These settings override any setting on parent topics and limit publish and subscribe activity to users within these specific groups.

If you want to set up exceptions to this arrangement, you can do so by introducing an ACL at the appropriate point in the topic hierarchy. For example, if you wanted to grant authority to publishers on the default stream, PDefault, to publish on StreamX, you would create an explicit ACL at point (3) to grant that authority; this overrides the denial of authority at point (2). In this scenario, users in PDefault would still be unable to publish on StreamY.
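The following model is an added example, not IBM's code and not the broker's actual ACL engine. It encodes the four ACL settings above, plus the deny-all default for PublicGroup on the topic root, and resolves a request by walking from the requested topic up to the root and stopping at the first level that has an entry for one of the principal's groups ("the most specific ACL wins", as steps 2 to 4 describe). Two details are assumptions of the model: an explicit group entry at a level takes precedence over the PublicGroup entry at that same level, and if a principal is in several groups with conflicting entries at one level, deny wins. The group and topic names are the ones used on this page.

```python
"""Model of hierarchical topic ACL resolution for the stream-authority example.

Topics are strings such as "$SYS/STREAM/StreamX/Prices"; stream StreamX is
mapped to the topic prefix "$SYS/STREAM/StreamX/" as the page describes.
"""
from dataclasses import dataclass, field

ROOT = ""                    # the topic root in this model (assumption)
STREAMS = "$SYS/STREAM/"     # prefix under which named streams appear as topics
PUBLIC = "PublicGroup"       # implicit group that every principal belongs to


@dataclass
class TopicAcl:
    # entries: topic prefix -> group -> {"publish": bool, "subscribe": bool}
    entries: dict = field(default_factory=dict)

    def set(self, topic, group, **perms):
        """Record an ACL entry, e.g. acl.set(STREAMS, "PDefault", publish=False)."""
        self.entries.setdefault(topic, {}).setdefault(group, {}).update(perms)

    @staticmethod
    def _ancestors(topic):
        # Yield the topic itself and each parent prefix, most specific first,
        # ending with the root.
        parts = [p for p in topic.split("/") if p]
        for i in range(len(parts), 0, -1):
            yield "/".join(parts[:i]) + "/"
        yield ROOT

    def check(self, groups, topic, action):
        """Return True if a principal in `groups` may perform `action` on `topic`.

        The first level (from the topic upwards) that carries an entry for one of
        the principal's explicit groups decides; failing that, the PublicGroup
        entry at that level decides; failing that, move to the parent topic.
        No entry anywhere means deny (assumption).
        """
        for prefix in self._ancestors(topic):
            level = self.entries.get(prefix, {})
            explicit = [level[g][action] for g in groups
                        if g in level and action in level[g]]
            if explicit:
                return all(explicit)          # deny wins on conflict (assumption)
            if PUBLIC in level and action in level[PUBLIC]:
                return level[PUBLIC][action]
        return False


def build_example_acl():
    """The ACL set described in steps 1 to 4 of the page."""
    acl = TopicAcl()
    # Updated default ACL on the root: PublicGroup denied everything.
    acl.set(ROOT, PUBLIC, publish=False, subscribe=False)
    # Step 1: default-stream groups granted on the root.
    acl.set(ROOT, "PDefault", publish=True)
    acl.set(ROOT, "SDefault", subscribe=True)
    # Step 2: ... but denied on the stream hierarchy as a whole.
    acl.set(STREAMS, "PDefault", publish=False)
    acl.set(STREAMS, "SDefault", subscribe=False)
    # Steps 3 and 4: per-stream groups granted on their own stream only.
    for stream in ("StreamX", "StreamY"):
        acl.set(STREAMS + stream + "/", "P" + stream, publish=True)
        acl.set(STREAMS + stream + "/", "S" + stream, subscribe=True)
    return acl


def exception_scenario():
    """The exception in the last paragraph: PDefault allowed on StreamX only."""
    acl = build_example_acl()
    acl.set(STREAMS + "StreamX/", "PDefault", publish=True)   # explicit ACL at point (3)
    return (acl.check(["PDefault"], STREAMS + "StreamX/Prices", "publish"),
            acl.check(["PDefault"], STREAMS + "StreamY/Prices", "publish"))


if __name__ == "__main__":
    acl = build_example_acl()
    for groups, topic, action in [(["PDefault"], "Sport/Results", "publish"),
                                  ([], "Sport/Results", "publish"),
                                  (["PDefault"], STREAMS + "StreamX/Prices", "publish"),
                                  (["PStreamX"], STREAMS + "StreamX/Prices", "publish"),
                                  (["SDefault"], STREAMS + "StreamX/Prices", "subscribe")]:
        print(groups, action, topic, "->", "allow" if acl.check(groups, topic, action) else "deny")
    print("exception scenario (StreamX, StreamY):", exception_scenario())
```

Running the script prints the decision for each constructed request; the checks worth noting are that a PDefault member can publish on a default-stream topic but not on StreamX, that a principal in no explicit group is denied by the PublicGroup root entry, and that the exception ACL opens StreamX to PDefault while StreamY stays denied.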

Related concepts
Authorization to access runtime resources
Related tasks
Subscribing
Related reference
MQRFH2 header

Copyright IBM Corporation 1999, 2007. All Rights Reserved.