Full access rights should always be given to the 'ActiveMQ.Advisory' destinations, else your clients will receive the exception you got below. See the 'Authorization Example' in the security page.
http://activemq.apache.org/security.html Regarding your last question, the only thought I have is to predefine the destinations, via the broker xml file. Then you shouldn't have to grant 'admin' rights to the clients for the destinations, because they will have already been created. However, in your case, you are using dynamic destinations which you can't really predefine. Joe Get a free ActiveMQ user guide @ http://www.ttmsolutions.com Sandro Tosi wrote: > > Perfect Joe, that works as a charm!! > > But I still got some question to ask :) > > I even need to add the authentication for 'topic=">"' together with > 'queue=">"' because otherwise no "dynamic" queue creation was able (here I > mean when Mule connects to ActiveMQ to read from a non-existing queue, > that queue is "automatically" registered); not a big deal but still... > > Another problem with that "dynamic queue creation": it seems I need to > have an admin user to be able to create that queue: if I use > "user/password" to log in from Mule I receive: > > WARN Service - Failed to remove connection > ConnectionInfo {commandId = 1, responseRequired = true, connectionId = > ID:de_tosisa-3398-1221496082109-0:0, clientId = > ID:de_tosisa-3398-1221496082109-1:0, userName = user, password = password, > brokerPath = null, brokerMasterConnector = false, manageable = true, > clientMaster = true} > java.lang.SecurityException: User user is not authorized to create: > topic://ActiveMQ.Advisory.Connection > > while using system/manager I got no problem. Is there a way to avoid > granting admin rights to normal users or not? > > TIA, > Sandro > > > Joe Fernandez wrote: >> >> You have both the <jaasAuthenticationPlugin> and >> <simpleAuthenticationPlugin> elements defined, and the >> <simpleAuthenticationPlugin> is outside the <broker> element. You can't >> have both elements defined. I believe you were trying to use the >> <simpleAuthenticationPlugin>. Here's an example. >> >> >> <plugins> >> <simpleAuthenticationPlugin> >> <users> >> <authenticationUser username="system" password="manager" >> groups="users,admins"/> >> <authenticationUser username="user" password="password" >> groups="users"/> >> <authenticationUser username="guest" password="password" >> groups="guests"/> >> </users> >> </simpleAuthenticationPlugin> >> >> <!-- lets configure a destination based authorization mechanism >> --> >> <authorizationPlugin> >> <map> >> <authorizationMap> >> <authorizationEntries> >> <authorizationEntry queue=">" read="users,admins" >> write="users,admins" admin="admins" /> >> </authorizationEntries> >> </authorizationMap> >> </map> >> </authorizationPlugin> >> >> </plugins> >> >> If you're not using Camel, comment out or remove the <camelContext> >> element if it exists in your config file. If you are using Camel, then >> consult the Camel site for info on how to configure Camel. >> >> http://activemq.apache.org/camel/configuring-camel.html >> >> Joe >> > > -- View this message in context: http://www.nabble.com/Protect-queues-access-with-password-tp19453220p19497324.html Sent from the ActiveMQ - User mailing list archive at Nabble.com.
