activemq-users mailing list archives

From greenapple <ztuff...@gmail.com>
Subject Re: Adding users on the fly ACTIVEMQ
Date Fri, 25 Apr 2008 04:13:27 GMT

Thanks Abdul for your time,

Exactly I am trying to do the following:

Say a new application yyy requested to use JMS. 

My job as a JMS admin is to create the queues needed (on the fly), add users
and groups (on the fly) and grant permissions to certain users and groups to
read/write/both/etc (also on the fly).

By on the fly, I mean: without having to restart ActiveMQ. TIBCO EMS for
example had some user interface to do this.

I am very new to ActiveMQ and have been playing with it for a couple of
days.

It seems to me that this information needs to go somewhere else other than
activemq.xml (as you have mentioned) since activemq.xml is only loaded at
startup (correct?). I have some ideas.

I am thinking to implement the AuthorizationMap in a way similar to
DefaultAuthorizationMap and fill it up with entries through some UI. Then
create an AuthorizationPlugin and install the plugin.

My questions are: can I create an AuthorizationPlugin and install it while
ActiveMQ is running (so that it will be effective on the fly)? Can I install
many AuthorizationPlugins?

As far as adding users on the fly, I was able to do that through adding
users directly to users.properties and groups.properties. Is there a cleaner
way?

Could you please direct me to some JAAS user realm documentation?

I have more ideas but I am going to sleep on them for now :-)

Thanks again,


Abdul Alhazred wrote:
> 
> Right. OK, there are a couple of different issues.
> 
> 1) If ALL you want to do is add users and the permissions of the users
> will be set up entirely in the activemq.sql file, then you would just need
> to create a JAAS auth realm and if you say want to use JDBC then write or
> acquire a JDBC JAAS auth module. I wrote one in an afternoon that worked
> with my user base, it is fairly easy.
> 
> 2) If you want to have DYNAMIC mapping to queues and topics, say you need
> to be able to have a queue for each user that only they can read from,
> then you need to implement an AuthorizationMap (or else put everyone in
> the activemq.xml file entries, which kind of defeats the purpose).
> 
> 3) If you say wanted to use LDAP for either or both of these things, then
> you would use a JAAS LDAP auth module and an LDAP AuthorizationMap (which
> actually I believe exists, see the javadoc). Depending on your schema
> requirements you may need to configure or tweak the code in either of
> those.
> 
> Finally, yes, LDAP requires an LDAP server. LDAP is a pretty useful
> technology, but setting up and running LDAP servers is somewhat of a pain.
> Note however that Active Directory can do your LDAP for you if you are in
> an MS environment, which is a great thing if you have already user
> provisioning etc set up for that. NDS is another commercial product that
> provides LDAP service. Sun also has an LDAP server, and there are a few
> others out there as well. OpenLDAP is your basic OSS implementation. I
> have a feeling there are also OS J2EE components which can provide LDAP
> services. Not familiar with them, but I bet you can find something. 
> 
> Getting your data INTO LDAP and managing it are a whole other kettle of
> fish. There are command line and GUI tools that will do it. Basically
> they're similar to RDBMS tools like the mysql command line tool, except
> they work with LDAP databases.
> 
> 
> greenapple wrote:
>> 
>> Thanks Abdul and Dejan,
>> 
>> Do you need an LDAP server to use LDAP authorization? My knowledge is
>> minimal in LDAP.
>> 
>> I found out through trial and error that you can add users on the fly
>> using JAAS authentication and by editing users.properties and
>> groups.properties
>> 
>> But somehow, doing this does not seem right since I would like to provide
>> a UI for users to 
>> Thanks,
>> 
>> 
>> Abdul Alhazred wrote:
>>> 
>>> 
>>> 
>>> greenapple wrote:
>>>> 
>>>> I have activemq running and a new user asks for an account. Is it
>>>> possible to add users and groups on the fly to the list of users and
>>>> groups in activemq without restarting it?
>>>> 
>>>> If so, how? Can I do it programmatically? 
>>>> 
>>> 
>>> Well, you'd need to have an implementation of an AuthorizationMap that
>>> picks up its data from someplace. I think I saw there is an LDAP one.
>>> The default just gets it from the XML in the config file, which is
>>> obviously no good for your purposes. There doesn't seem to be one that
>>> supports JDBC right now, but I know one of these days soon I'm going to
>>> have to write one because all my JAAS stuff is in there (I did write a
>>> JAAS auth module for JDBC which works). You'll probably need something
>>> like that too in order to authenticate the users from your data store.
>>> As a guess I'd say it might take a couple days to unravel the
>>> AuthorizationMap interface and implement something that works. Have a go
>>> at it! 
>>> 
>> 
>> 
> 
> 

-- 
View this message in context: http://www.nabble.com/Adding-users-on-the-fly-ACTIVEMQ-tp16825211s2354p16887454.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
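
The thread's idea of an authorization map whose entries are filled in at runtime, as an added example that is not code from the thread or from ActiveMQ. It is a plain Java 9+ sketch of the backing store only: `RuntimeAcl`, its methods, and the group and queue names are hypothetical, and the wiring into ActiveMQ's `AuthorizationMap` interface is not shown. It illustrates two properties such a store needs: lookups for unknown destinations deny by default, and each change is published atomically.

```java
import java.util.*;
import java.util.concurrent.atomic.AtomicReference;

// Hypothetical class (not ActiveMQ code): ACLs that can be edited while the broker runs.
public class RuntimeAcl {
    public enum Op { READ, WRITE, ADMIN }
    // destination -> operation -> allowed groups. Each published table is immutable.
    private final AtomicReference<Map<String, Map<Op, Set<String>>>> table =
            new AtomicReference<>(Map.of());

    // Unknown destination or operation yields the empty set, i.e. default deny.
    public Set<String> groupsFor(String destination, Op op) {
        return table.get().getOrDefault(destination, Map.of()).getOrDefault(op, Set.of());
    }

    public boolean isAllowed(Set<String> callerGroups, String destination, Op op) {
        return !Collections.disjoint(callerGroups, groupsFor(destination, op));
    }

    public void grant(String dest, Op op, String group) { update(dest, op, group, true); }
    public void revoke(String dest, Op op, String group) { update(dest, op, group, false); }

    // Copy-on-write: build the new table privately, then publish it in one atomic
    // step so a concurrent permission check never sees a half-applied change.
    private void update(String dest, Op op, String group, boolean add) {
        table.updateAndGet(old -> {
            Map<Op, Set<String>> ops = new EnumMap<>(Op.class);
            ops.putAll(old.getOrDefault(dest, Map.of()));
            Set<String> groups = new HashSet<>(ops.getOrDefault(op, Set.of()));
            if (add) groups.add(group); else groups.remove(group);
            ops.put(op, Set.copyOf(groups));
            Map<String, Map<Op, Set<String>>> next = new HashMap<>(old);
            next.put(dest, Collections.unmodifiableMap(ops));
            return Collections.unmodifiableMap(next);
        });
    }

    public static void main(String[] args) {
        RuntimeAcl acl = new RuntimeAcl();
        Set<String> caller = Set.of("yyy-writers");   // constructed group name
        String queue = "YYY.REQUESTS";                // constructed queue name
        System.out.println("before grant: " + acl.isAllowed(caller, queue, Op.WRITE));
        acl.grant(queue, Op.WRITE, "yyy-writers");
        System.out.println("after grant:  " + acl.isAllowed(caller, queue, Op.WRITE));
        System.out.println("read allowed: " + acl.isAllowed(caller, queue, Op.READ));
        acl.revoke(queue, Op.WRITE, "yyy-writers");
        System.out.println("after revoke: " + acl.isAllowed(caller, queue, Op.WRITE));
    }
}
```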

