2.9.3 Storage Security
Data objects are stored, and the storage is protected by the owning component. The system defines discretionary access control lists (DACLs) on each data object so that unauthorized access is not allowed. For queue manager data objects, the owning queue manager authorizes the user that requests access to these objects. For Directory Service data objects, the application and the queue manager are responsible for defining ACLs, and the Directory Service is responsible for authenticating and authorizing the requester according to the defined ACLs.
Adding a message object to a queue object is controlled by the queue manager according to the ACLs specified on the queue object. The message carries the sender identity, which is used by the queue manager to perform access checks. The queue manager authenticates the sender as described in section 2.9.4.1.4. Without the implementation of sender authentication, a malicious user can provide a fake user identity in a message and bypass the access control defined for the queue object.