This is an automated email from the ASF dual-hosted git repository.
asf-gitbox-commits pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/activemq-website.git
The following commit(s) were added to refs/heads/asf-site by this push:
new b8f48403a Automatic Site Publish by Buildbot
b8f48403a is described below
commit b8f48403a38c5791d02229c76a0cc0aab60466fb
Author: buildbot <[email protected]>
AuthorDate: Thu May 28 22:57:38 2026 +0000
Automatic Site Publish by Buildbot
---
.../classic/documentation/networks-of-brokers.html | 27 ++++++++++++
.../components/classic/documentation/security.html | 49 ++++++++++++++++++++--
2 files changed, 73 insertions(+), 3 deletions(-)
diff --git a/output/components/classic/documentation/networks-of-brokers.html
b/output/components/classic/documentation/networks-of-brokers.html
index 385d14ab4..9bfc0dcb7 100644
--- a/output/components/classic/documentation/networks-of-brokers.html
+++ b/output/components/classic/documentation/networks-of-brokers.html
@@ -388,6 +388,33 @@ sources are networked, in the event of a failure, inflight
messages can be lost.
<p>This is all fine and well in small networks and environments whit small
number of destinations and consumers. But as things starts to grow a default
model (listen to everything, share everything) won’t scale well. That’s why
there are many ways you can use to filter destinations that will be shared
between brokers.</p>
+<h4 id="authorization-for-advisories">Authorization for advisories</h4>
+
+<p>If using the authorization plugin ensure that the user used for the network
connections has permissions to the advisory destinations;</p>
+
+<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre
class="highlight"><code><broker>
+ ..
+ <plugins>
+ ..
+ <authorizationPlugin>
+ <map>
+ <authorizationMap>
+ <authorizationEntries>
+ ...
+ <!-- Grant users that will be used to create a network of
brokers permission for consumer and virtual destination consumer advisories
-->
+ <authorizationEntry topic="ActiveMQ.Advisory.Consumer.>"
read="bridge-user,admin" write="bridge-user,admin"
admin="bridge-user,admin"/>
+ <authorizationEntry
topic="ActiveMQ.Advisory.VirtualDestination.Consumer.>"
read="bridge-user,admin" write="bridge-user" admin="bridge-user,admin"/>
+ ...
+ </authorizationEntries>
+ </authorizationMap>
+ </map>
+ </authorizationPlugin>
+ ..
+ </plugins>
+ ..
+</broker>
+</code></pre></div></div>
+
<h4 id="dynamic-networks">Dynamic networks</h4>
<p>Let’s start with dynamically configured networks. This means that we only
want to send messages to the remote broker when there’s a consumer there. If we
want to limit this behavior only on certain destinations we will use <code
class="language-plaintext
highlighter-rouge">dynamicallyIncludedDestinations</code>, like</p>
diff --git a/output/components/classic/documentation/security.html
b/output/components/classic/documentation/security.html
index d650fb42f..f92d4ef63 100644
--- a/output/components/classic/documentation/security.html
+++ b/output/components/classic/documentation/security.html
@@ -178,8 +178,47 @@
<h4 id="authorization-example">Authorization Example</h4>
-<p>The following <a
href="http://svn.apache.org/repos/asf/activemq/trunk/activemq-unit-tests/src/test/resources/org/apache/activemq/security/jaas-broker.xml">example</a>
shows these 2 plugins in operation. Though note its very easy to write your
own plugin. <strong>Note</strong> that full access rights should generally be
given to the ActiveMQ.Advisory destinations because by default an
ActiveMQConnection uses destination advisories to get early knowledge of temp
destination creation and [...]
-If necessary, the use of advisories in this manner can be disabled via the
<em>watchTopicAdvisories</em> boolean attribute of ActiveMQConnectionFactory
and for a networkConnector, via the network connector
<em>staticBridge</em>(5.6) boolean attribute.</p>
+<p>The following <a
href="https://github.com/apache/activemq/blob/main/activemq-unit-tests/src/test/resources/org/apache/activemq/security/jaas-broker.xml">example</a>
shows these 2 plugins in operation. Though note its very easy to write your
own plugin.</p>
+
+<p><strong>Note:</strong> All users need permission to create
ActiveMQ.Advisory destinations, which is given by the “admin” acl. This is to
allow the creation of advisory destinations generated as a side effect of user
operations. For example, sending a message for the first time may trigger
producer advisory destination creation.
+However, normal users should generally <strong>not</strong> be given access to
read/write all Advisories because those are messages meant for admin users.</p>
+
+<p>The following advisory permissions are required for proper operations:</p>
+<ul>
+ <li>All users should be given access to advisories for temporary
destinations because ActiveMQConnection uses those advisories to get early
knowledge of temp destination creation and deletion.</li>
+ <li>In addition, dynamic network connectors use advisories to determine
consumer demand so the users that will be used to create bridges need access to
those advisories.</li>
+</ul>
+
+<p>If necessary, the use of advisories in this manner can be disabled via the
<em>watchTopicAdvisories</em> boolean attribute of ActiveMQConnectionFactory
and for a networkConnector, via the network connector
<em>staticBridge</em>(5.6) boolean attribute.</p>
+
+<p><strong>Example configuration:</strong></p>
+<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre
class="highlight"><code><broker>
+ ..
+ <plugins>
+ ..
+ <authorizationPlugin>
+ <map>
+ <authorizationMap>
+ <authorizationEntries>
+ <!-- Some destination a user may access -->
+ <authorizationEntry queue="TEST.Q" read="users" write="users"
admin="users" />
+ <!-- Grant all users permission to create advisory topics,
but only admins to read/write -->
+ <authorizationEntry topic="ActiveMQ.Advisory.>"
read="admin" write="admin" admin="*"/>
+ <!-- Grant all users permission to read/write advisories for
temporary destinations -->
+ <authorizationEntry topic="ActiveMQ.Advisory.TempQueue"
read="*" write="*" admin="*"/>
+ <authorizationEntry topic="ActiveMQ.Advisory.TempTopic"
read="*" write="*" admin="*"/>
+ <!-- Grant users that will be used to create a network of
brokers permission for consumer advisories -->
+ <authorizationEntry topic="ActiveMQ.Advisory.Consumer.>"
read="bridge-user,admin" write="bridge-user,admin"
admin="bridge-user,admin"/>
+ <authorizationEntry
topic="ActiveMQ.Advisory.VirtualDestination.Consumer.>"
read="bridge-user,admin" write="bridge-user" admin="bridge-user,admin"/>
+ </authorizationEntries>
+ </authorizationMap>
+ </map>
+ </authorizationPlugin>
+ ..
+ </plugins>
+ ..
+</broker>
+</code></pre></div></div>
<h3 id="broker-to-broker-authentication-and-authorization">Broker-to-Broker
Authentication and Authorization</h3>
@@ -216,7 +255,11 @@ If necessary, the use of advisories in this manner can be
disabled via the <em>w
<authorizationMap>
<authorizationEntries>
<authorizationEntry queue="TEST.Q" read="users" write="users"
admin="users" />
- <authorizationEntry topic="ActiveMQ.Advisory.>" read="*"
write="*" admin="*"/>
+ <authorizationEntry topic="ActiveMQ.Advisory.>"
read="admin" write="admin" admin="*"/>
+ <authorizationEntry topic="ActiveMQ.Advisory.TempQueue"
read="*" write="*" admin="*"/>
+ <authorizationEntry topic="ActiveMQ.Advisory.TempTopic"
read="*" write="*" admin="*"/>
+ <authorizationEntry topic="ActiveMQ.Advisory.Consumer.>"
read="bridge-user,admin" write="bridge-user,admin"
admin="bridge-user,admin"/>
+ <authorizationEntry
topic="ActiveMQ.Advisory.VirtualDestination.Consumer.>"
read="bridge-user,admin" write="bridge-user" admin="bridge-user,admin"/>
</authorizationEntries>
<tempDestinationAuthorizationEntry>
<tempDestinationAuthorizationEntry read="admin" write="admin"
admin="admin"/>
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
For further information, visit: https://activemq.apache.org/contact