All,
Once a (communication) user can post messages to XI via the HTTP adapter, the sender can take the identity of any sender ("spoofing"). Simply specifying another Sender in the URL allows one to take someone else's identity.
The question now is: how to prevent an HTTP sender from taking the identity of another sender? Or is there an authorization mechanism (hidden feature) that allows me to link certain accounts to certain sending Parties or Business Systems?
For adapters that use a Sender Agreement, the security of the underlying middleware can be used. Example:
The J2EE JMS adapter reads messages from a queue where only specific users are allowed to put messages on (the JMS broker
Kind regards, Guy Crets
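The check the post is asking for, binding the authenticated account to the sender identity claimed in the URL, as an added illustration (not SAP code and not part of the original post). It assumes a hypothetical allowlist that maps each technical user to the (Party, Service) pairs it may send as, and assumed query parameter names `senderParty` and `senderService`; a request whose claimed sender is not in the caller's allowlist is rejected, which closes the spoofing path described above.

```python
from urllib.parse import parse_qs, urlparse

# Constructed allowlist (hypothetical): authenticated user -> set of
# (sender party, sender service) pairs that account is permitted to send as.
SENDER_ACL = {
    "svc_partner_a": {("PARTNER_A", "ERP_A")},
    "svc_partner_b": {("PARTNER_B", "CRM_B"), ("PARTNER_B", "ERP_B")},
}


def claimed_sender(url):
    """Extract the (party, service) the caller claims in the URL query.
    Parameter names are assumptions for this example."""
    qs = parse_qs(urlparse(url).query)
    party = qs.get("senderParty", [""])[0]
    service = qs.get("senderService", [""])[0]
    return party, service


def authorize_sender(auth_user, url, acl=SENDER_ACL):
    """Return (allowed, reason). The decision is based only on the
    authenticated account, never on what the URL claims by itself."""
    allowed = acl.get(auth_user)
    if not allowed:
        return False, "unknown or unmapped account: %s" % auth_user
    party, service = claimed_sender(url)
    if not party or not service:
        return False, "sender party/service missing from request"
    if (party, service) not in allowed:
        return False, "account %s may not send as %s/%s" % (auth_user, party, service)
    return True, "ok"


if __name__ == "__main__":
    base = "http://xi.example.invalid/adapter?"
    # Legitimate call: account sends as its own party.
    print(authorize_sender("svc_partner_a", base + "senderParty=PARTNER_A&senderService=ERP_A"))
    # Spoofing attempt: same account claims another partner's identity.
    print(authorize_sender("svc_partner_a", base + "senderParty=PARTNER_B&senderService=CRM_B"))
```

The point of the design is that the URL parameters are treated as an untrusted claim and the authorization decision is keyed on the authenticated principal; a "deny by default" result for accounts with no mapping means a newly created user cannot send as anyone until an administrator explicitly links it to a Party and Business System.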