Hi All,
We are relatively new to ActiveMQ classic and are trying to implement role 
based authentication and authorization using the default Jetty based web 
console.
The following SimpleAuthenticationPlugin and authorizationPlugin have been 
added to the activemq.xml config file:

<plugins>
    <!-- Simple Authentication Plugin -->
    <simpleAuthenticationPlugin>
        <users>
            <authenticationUser username="admin" password="admin123" groups="admins"/>
            <authenticationUser username="developer" password="dev123" groups="developers"/>
            <authenticationUser username="user" password="user123" groups="users"/>
            <authenticationUser username="readonly" password="readonly123" groups="users,guests"/>
        </users>
    </simpleAuthenticationPlugin>

    <authorizationPlugin>
        <map>
            <authorizationMap>
                <authorizationEntries>
                    <!-- Admin Group - Full Access to Everything -->
                    <authorizationEntry admin="admins" read="admins" write="admins" topic=">" />
                    <authorizationEntry admin="admins" read="admins" write="admins" queue=">" />
                    <authorizationEntry admin="admins" read="admins" write="admins" topic="ActiveMQ.Advisory.>" />

                    <!-- Developer Group - Development environment access -->
                    <authorizationEntry read="developers" write="developers" topic="DEV.>" />
                    <authorizationEntry read="developers" write="developers" queue="DEV.>" />
                    <authorizationEntry read="developers" write="developers" topic="TEST.>" />
                    <authorizationEntry read="developers" write="developers" queue="TEST.>" />

                    <!-- Public resources for all authenticated users -->
                    <authorizationEntry read="users,developers,managers,admins" topic="PUBLIC.>" />
                    <authorizationEntry read="users,developers,managers,admins" queue="PUBLIC.>" />
                </authorizationEntries>
            </authorizationMap>
        </map>
    </authorizationPlugin>
</plugins>

We also updated the jetty-realm.properties as below:

# Admin users
admin: admin123, admins
# Developer users
developer: dev123, developers
tester: test123, developers
user: user123, users

In jetty.xml, the following securityConstraints have been defined:

<bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint">
    <property name="name" value="BASIC" />
    <property name="roles" value="users,admins" />
    <!-- set authenticate=false to disable login -->
    <property name="authenticate" value="true" />
</bean>
<bean id="adminSecurityConstraint" class="org.eclipse.jetty.util.security.Constraint">
    <property name="name" value="BASIC" />
    <property name="roles" value="admins" />
    <!-- set authenticate=false to disable login -->
    <property name="authenticate" value="true" />
</bean>
<bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
    <property name="constraint" ref="securityConstraint" />
    <property name="pathSpec" value="/,/api/*,*.jsp,*.html,*.js,*.css,*.png,*.gif,*.ico" />
</bean>
<bean id="adminSecurityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
    <property name="constraint" ref="adminSecurityConstraint" />
    <property name="pathSpec" value="*.action" />
</bean>

With this setup, the broker is only allowing the admin user to write to the 
queues and topics through the web console. A normal user is not able to write to 
the queues and topics.
But when we change the above security constraints as below, it allows the 
normal user to write to all the queues and topics without regard to the 
authorization rules defined.

<bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
    <property name="constraint" ref="securityConstraint" />
    <property name="pathSpec" value="/,/api/*,*.jsp,*.html,*.js,*.css,*.png,*.gif,*.ico, /admin/sendMessage/" />
</bean>
<bean id="adminSecurityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
    <property name="constraint" ref="adminSecurityConstraint" />
    <property name="pathSpec" value="*.action" />
</bean>

Can anyone please let me know how to achieve specific role-based access through 
the Jetty web console? Is it the usual practice to use the Jetty web console for 
role-based access, or do we need to use other web consoles such as hawtio or 
Tomcat for such use cases?


Thanks & Regards,


Alban Soosai Nayagam

Senior Middleware Engineer – MIDDLEWARE-TR

Thomson Reuters
C 1-437-241-6539




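Added example, not part of the post above and not ActiveMQ project code: a small offline evaluator for the `<authorizationMap>` quoted in the post. It is useful for separating the two layers involved here. The Jetty constraints only decide which console URLs a web login may reach; destination-level read/write/admin rights are decided by the broker's authorizationMap, and the broker applies that map to the user of the JMS connection it sees, so the first thing to check is which credentials the console's own JMS connection to the broker uses, as opposed to the Jetty login. The script encodes ActiveMQ's destination wildcard rules as documented (`.` separates segments, `*` matches one segment, `>` matches the remaining segments) and unions the groups from every matching entry, which is how the broker combines overlapping entries. One assumption, marked in the code: `>` is treated as requiring at least one trailing segment, so the sample destinations are chosen to avoid that edge case. Running it over the post's rules shows, for instance, that the `users` group is granted `read` on `PUBLIC.>` only and has no `write` grant anywhere.

```python
"""Offline evaluator for an ActiveMQ classic <authorizationMap>.

Added example, not from the mailing-list post or the ActiveMQ project.
Answers "may a user in groups G perform op on destination D?" using the
documented destination wildcard rules: '.' separates path segments,
'*' matches exactly one segment, '>' matches the remaining segments.
The groups of all matching entries are unioned; an empty result denies.
"""
import xml.etree.ElementTree as ET

# The <authorizationMap> from the post, copied as constructed sample input.
AUTHORIZATION_MAP_XML = """
<authorizationMap>
  <authorizationEntries>
    <authorizationEntry admin="admins" read="admins" write="admins" topic=">" />
    <authorizationEntry admin="admins" read="admins" write="admins" queue=">" />
    <authorizationEntry admin="admins" read="admins" write="admins" topic="ActiveMQ.Advisory.>" />
    <authorizationEntry read="developers" write="developers" topic="DEV.>" />
    <authorizationEntry read="developers" write="developers" queue="DEV.>" />
    <authorizationEntry read="developers" write="developers" topic="TEST.>" />
    <authorizationEntry read="developers" write="developers" queue="TEST.>" />
    <authorizationEntry read="users,developers,managers,admins" topic="PUBLIC.>" />
    <authorizationEntry read="users,developers,managers,admins" queue="PUBLIC.>" />
  </authorizationEntries>
</authorizationMap>
"""

OPS = ("read", "write", "admin")


def parse_entries(xml_text):
    """Return a list of (dest_type, pattern, {op: set(groups)}) tuples."""
    root = ET.fromstring(xml_text)
    entries = []
    for entry in root.iter("authorizationEntry"):
        for dest_type in ("queue", "topic"):
            pattern = entry.get(dest_type)
            if pattern is None:
                continue
            # Group lists are comma separated; a missing attribute grants nobody.
            acls = {op: {g.strip() for g in entry.get(op, "").split(",") if g.strip()}
                    for op in OPS}
            entries.append((dest_type, pattern, acls))
    return entries


def wildcard_match(pattern, name):
    """ActiveMQ destination wildcard matching on '.'-separated paths."""
    pat = pattern.split(".")
    path = name.split(".")
    for i, seg in enumerate(pat):
        if seg == ">":
            # Assumption: '>' needs at least one remaining segment.
            return len(path) > i
        if i >= len(path):
            return False
        if seg != "*" and seg != path[i]:
            return False
    return len(path) == len(pat)


def allowed_groups(entries, op, dest_type, name):
    """Union of the groups permitted to perform op on the destination."""
    groups = set()
    for entry_type, pattern, acls in entries:
        if entry_type == dest_type and wildcard_match(pattern, name):
            groups |= acls[op]
    return groups


def is_allowed(entries, user_groups, op, dest_type, name):
    """True if any of the user's groups is in the allowed set; empty set denies."""
    return bool(allowed_groups(entries, op, dest_type, name) & set(user_groups))


if __name__ == "__main__":
    rules = parse_entries(AUTHORIZATION_MAP_XML)
    checks = [
        (["users"], "read", "queue", "PUBLIC.news"),
        (["users"], "write", "queue", "PUBLIC.news"),
        (["users"], "write", "queue", "DEV.orders"),
        (["developers"], "write", "queue", "DEV.orders"),
        (["admins"], "admin", "topic", "ActiveMQ.Advisory.Connection"),
    ]
    for groups, op, dtype, dest in checks:
        verdict = "ALLOW" if is_allowed(rules, groups, op, dtype, dest) else "DENY"
        print(f"{verdict:5} {groups} {op} {dtype}://{dest} "
              f"(allowed groups: {sorted(allowed_groups(rules, op, dtype, dest))})")
```

To audit a different broker configuration, replace the sample XML with the `<authorizationMap>` element from that activemq.xml and add the (group, operation, destination) combinations you expect to be denied; a send that succeeds in the console while this evaluator says DENY for the logged-in user's groups points at the console connection running under different credentials.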