cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Christian Schneider (JIRA)" <>
Subject [jira] Commented: (CXF-2055) jms transport: Support passing username of producer to SecurityContext
Date Sat, 21 Feb 2009 08:48:02 GMT


Christian Schneider commented on CXF-2055:

Weblogic seems to support JMSXUserID as from version 9.0. See

> jms transport: Support passing username of producer to SecurityContext
> ----------------------------------------------------------------------
>                 Key: CXF-2055
>                 URL:
>             Project: CXF
>          Issue Type: New Feature
>          Components: Transports
>    Affects Versions: 2.1.4
>            Reporter: Christian Schneider
>            Priority: Minor
>             Fix For: 2.2
> The HTTP transport sets a SecurityContext object in the message. This allows the server
implementor to retrieve the user principal and its roles from the message. For JAX-WS the
principal and roles are then also available in the WebServiceContext.
> JMS vendors support retrieving the username of the prodcuer that sent a message. In the
JMSDestination this information could be added to the message in a new SecurityContext object.
> Unfortunately there is no common standard for this. So we need to figure out how each
vendor does this:
> In Tibco you have to add the following line to queues.conf: > sender_name_enforced.
This means that tibco should add the authenticated user name in the jms property JMS_TIBCO_SENDER
to every message in every queue. 
> In ActiveMq I have found from the documentation that you can use the option populateJMSXUserID.
Then ActiveMQ sets the property JMSXUserID.
> Perhaps we can find the necessary settings for other jms servers too like IBM MQ.
> I would propose to simply check the possible locations where the usename could be set
in the different providers. It is important though that we make sure the producer canĀ“t simply
set the property we use by himself as this would defy any security.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

View raw message