In a security system without authorization, every successfully authenticated user would have unrestricted access to every queue and every topic in the broker. Using the simple authorization plug-in, on the other hand, you can restrict access to specific destinations based on a user's group membership.
To configure the simple authorization plug-in, add an authorizationPlugin
element to the list of plug-ins in the broker configuration, as shown in Example 4.1.
Example 4.1. Simple Authorization Plug-In Configuration
<beans> <broker ...> ... <plugins> ... <authorizationPlugin> <map> <authorizationMap> <authorizationEntries> <authorizationEntry queue=">" read="admins" write="admins" admin="admins" /> <authorizationEntry queue="USERS.>" read="users" write="users" admin="users" /> <authorizationEntry queue="GUEST.>" read="guests" write="guests,users" admin="guests,users" /> <authorizationEntry topic=">" read="admins" write="admins" admin="admins" /> <authorizationEntry topic="USERS.>" read="users" write="users" admin="users" /> <authorizationEntry topic="GUEST.>" read="guests" write="guests,users" admin="guests,users" /> </authorizationEntries> <tempDestinationAuthorizationEntry> <tempDestinationAuthorizationEntry read="admins" write="admins" admin="admins"/> </tempDestinationAuthorizationEntry> </authorizationMap> </map> </authorizationPlugin> </plugins> ... </broker> </beans>
The simple authorization plug-in contains two different kinds of entry, as follows:
A named destination is just an ordinary JMS queue or topic (these destinations are
named, in contrast to temporary destinations which have no permanent identity).The
authorization entries for ordinary destinations are defined by the
authorizationEntry
element, which supports the following attributes:
queue
ortopic
—you can specify either aqueue
or atopic
attribute, but not both in the same element. To apply authorization settings to a particular queue or topic, simply set the relevant attribute equal to the queue or topic name. The greater-than symbol,>
, acts as a wildcard. For example, an entry with,queue="USERS.>"
, would match any queue name beginning with theUSERS.
string.read
—specifies a comma-separated list of groups that have permission to consume messages from the matching destinations.write
—specifies a comma-separated list of groups that have permission to publish messages to the matching destinations.admin
—specifies a comma-separated list of groups that have permission to create destinations in the destination subtree.
A temporary destination is a special feature of JMS that enables you to create a queue for a particular network connection. The temporary destination exists only as long as the network connection remains open and, as soon as the connection is closed, the temporary destination is deleted on the server side. The original motivation for defining temporary destinations was to facilitate request-reply semantics on a destination, without having to define a dedicated reply destination.
Because temporary destinations have no name, the
tempDestinationAuthorizationEntry
element does not support any
queue
or topic
attributes. The attributes supported by the
tempDestinationAuthorizationEntry
element are as follows:
read
—specifies a comma-separated list of groups that have permission to consume messages from all temporary destinations.write
—specifies a comma-separated list of groups that have permission to publish messages to all temporary destinations.admin
—specifies a comma-separated list of groups that have permission to create temporary destinations.