activemq-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From jgunz <>
Subject Authorization/Security Question
Date Thu, 30 Aug 2007 13:52:01 GMT

I'm having trouble getting my head around some of ActiveMQs authorization
settings. I have a relatively specific use case I'm trying to meet, but
can't quite figure out what the appropriate permission settings are. The
read and write permissions I understand. The admin and temporary destination
permissions I do not.

I securely handle communication from a client side process to the server
side ActiveMQ broker. All communication on the client is considered
potentially malicious. I have two main groups of ActiveMQ users, server
processes, and client processes. An admin group can be used for overall

Inbound traffic is pretty straight forward. The server processes can have
read+write on all inbound.> topics as well as admin permissions. The client
processes can have write access only to inbound.dirty.> topics. There's no
real need for clients to create or remove any topics for inbound
communication because the server processes.

Outbound traffic is where I get lost. I want to be able to create client
specific topics (that is, topics intended for 1 authorized client that will
have a customized message stream supplied by the server). I was envisioning
having the client create temporary topics, so that they were the only ones
who could consume them, and then sending these to the server to write to.
These channels would live under outbound.private.> topics.

In order to do this though, do I have to give clients admin privileges on
outbound.private.>? This seems funny to me because ultimately I don't want
clients to be able to see each other's private outbound channels and I
certainly don't want them to be able to remove them. So how should I
appropriately permission the outbound topic hierarchy to only allow client
reads, and further restrict certain topics to specific connections?

Any suggestions or comments would be greatly appreciated. Thanks.

View this message in context:
Sent from the ActiveMQ - User mailing list archive at

View raw message