HTML and CSS Reference
In-Depth Information
Application Authorization
After successful authentication, you want to grant access to certain application resources,
while denying access to some others. In this section, we review what you need to do to
grant users and groups access to specific queues and topics.
Listing 7-5 shows a configuration that, when added to the ACTIVEMQ_HOME/conf/
activemq.xml file, restricts deliberate access to the message broker destinations.
The configuration shows how to enable or disable access to the users depending
on the application requirements. Similar to the authentication snippet, the
authorizationPlugin must be surrounded by the <plugins> tag. The order of
authorization and authentication within the plugins tag is not relevant.
Listing 7-5. Restricting Deliberate Access to the Message Broker Destinations
<authorizationEntry queue=">" read="admins"write="admins"
admin="admins" />
<authorizationEntry queue="USERS.>" read="users" write="users"
admin="users" />
<authorizationEntry queue="GUEST.>" read="guests"
write="guests,users" admin="guests,users" />
<authorizationEntry queue="TEST.Q" read="guests" write="guests" />
<authorizationEntry topic=">" read="admins" write="admins"
admin="admins" />
<authorizationEntry topic="USERS.>" read="users" write="users"
admin="users" />
<authorizationEntry topic="GUEST.>" read="guests"
write="guests,users" admin="guests,users" />
<authorizationEntry topic="ActiveMQ.Advisory.>" read="guests,
users" write="guests,users" admin="guests,users"/>
The sample configuration in Listing 7-5 specifies that admins have full access to all
the queues and topics, while guests have access only to queues and topics that have a
GUEST . prefix in their name.
Restart ActiveMQ to pick up the configuration changes. When you reload the sample
demo application in the web browser, be sure to change the default password to the value
of password , then click Connect. The user will be authenticated but will not be able to
send or receive messages, as the topic name doesn't have the right prefix.
Figure 7-6 shows that the user can connect to the system but cannot send to the test
Search WWH ::

Custom Search