Hi, I did that for several users, and I think I blogged about that. Let me find it out.

Regards
JB

On Wed, Jun 25, 2025 at 4:16 PM Soosai Nayagam, Alban S. (TR Technology) <alban.soosainaya...@thomsonreuters.com.invalid> wrote:
>
> Hi All,
> We are relatively new to ActiveMQ classic and are trying to implement role based authentication and authorization using the default Jetty based web console.
> The following SimpleAuthenticationPlugin and authorizationPlugin have been added to the activemq.xml config file:
>
> <plugins>
>   <!-- Simple Authentication Plugin -->
>   <simpleAuthenticationPlugin>
>     <users>
>       <authenticationUser username="admin" password="admin123" groups="admins"/>
>       <authenticationUser username="developer" password="dev123" groups="developers"/>
>       <authenticationUser username="user" password="user123" groups="users"/>
>       <authenticationUser username="readonly" password="readonly123" groups="users,guests"/>
>     </users>
>   </simpleAuthenticationPlugin>
>
>   <authorizationPlugin>
>     <map>
>       <authorizationMap>
>         <authorizationEntries>
>           <!-- Admin Group - Full Access to Everything -->
>           <authorizationEntry admin="admins" read="admins" write="admins" topic=">" />
>           <authorizationEntry admin="admins" read="admins" write="admins" queue=">" />
>           <authorizationEntry admin="admins" read="admins" write="admins" topic="ActiveMQ.Advisory.>" />
>
>           <!-- Developer Group - Development environment access -->
>           <authorizationEntry read="developers" write="developers" topic="DEV.>" />
>           <authorizationEntry read="developers" write="developers" queue="DEV.>" />
>           <authorizationEntry read="developers" write="developers" topic="TEST.>" />
>           <authorizationEntry read="developers" write="developers" queue="TEST.>" />
>
>           <!-- Public resources for all authenticated users -->
>           <authorizationEntry read="users,developers,managers,admins" topic="PUBLIC.>" />
>           <authorizationEntry read="users,developers,managers,admins" queue="PUBLIC.>" />
>         </authorizationEntries>
>       </authorizationMap>
>     </map>
>   </authorizationPlugin>
> </plugins>
>
> Also updated the jetty-realm.properties as below:
>
> # Admin users
> admin: admin123, admins
> # Developer users
> developer: dev123, developers
> tester: test123, developers
> user: user123, users
>
> At jetty.xml, the following securityConstraints have been defined:
>
> <bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint">
>   <property name="name" value="BASIC" />
>   <property name="roles" value="users,admins" />
>   <!-- set authenticate=false to disable login -->
>   <property name="authenticate" value="true" />
> </bean>
> <bean id="adminSecurityConstraint" class="org.eclipse.jetty.util.security.Constraint">
>   <property name="name" value="BASIC" />
>   <property name="roles" value="admins" />
>   <!-- set authenticate=false to disable login -->
>   <property name="authenticate" value="true" />
> </bean>
> <bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
>   <property name="constraint" ref="securityConstraint" />
>   <property name="pathSpec" value="/,/api/*,*.jsp,*.html,*.js,*.css,*.png,*.gif,*.ico" />
> </bean>
> <bean id="adminSecurityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
>   <property name="constraint" ref="adminSecurityConstraint" />
>   <property name="pathSpec" value="*.action" />
> </bean>
>
> With this setup, the broker is only allowing the admin user to write to the queues and topics through the web console. A normal user is not able to write to the queues and topics.
> But when we change the above security constraints as below, it allows the normal user to write to all the queues and topics without regard to the authorization rules defined.
>
> <bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
>   <property name="constraint" ref="securityConstraint" />
>   <property name="pathSpec" value="/,/api/*,*.jsp,*.html,*.js,*.css,*.png,*.gif,*.ico, /admin/sendMessage/" />
> </bean>
> <bean id="adminSecurityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
>   <property name="constraint" ref="adminSecurityConstraint" />
>   <property name="pathSpec" value="*.action" />
> </bean>
>
> Can anyone please let me know how to achieve specific role based access through the Jetty web console? Is it the usual practice to use the Jetty web console for role based access, or do we need to use other web consoles such as hawtio or Tomcat for such use cases?
>
> Thanks & Regards,
>
> Alban Soosai Nayagam
> Senior Middleware Engineer – MIDDLEWARE-TR
> Thomson Reuters
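The quoted <authorizationMap> can be checked without going through the web console at all. What follows is an added example, written for this page and not code from the thread or from ActiveMQ: a small Python model of how the broker resolves read, write and admin for the quoted users and entries, using ActiveMQ's destination wildcard rules (`.` separates name segments, `*` matches exactly one segment, `>` matches the remaining segments; the ACLs of every matching entry are unioned, and an empty union means nobody is allowed). The names `USERS`, `ENTRIES`, `pattern_matches`, `allowed_groups`, `is_allowed` and `access_matrix` are the example's own, the destination names in the demo are constructed, and one edge is an assumption to verify against your broker: the model treats `DEV.>` as not matching the bare name `DEV`.

```python
"""Model of the quoted ActiveMQ <authorizationMap>, so read/write/admin
outcomes can be checked per user without going through the web console.
Added example: not ActiveMQ code and not from the mailing-list thread."""

from collections import defaultdict

# User -> groups, copied from the quoted <simpleAuthenticationPlugin>.
USERS = {
    "admin": {"admins"},
    "developer": {"developers"},
    "user": {"users"},
    "readonly": {"users", "guests"},
}

# (destination kind, wildcard pattern, {operation: groups}), copied from
# the quoted <authorizationEntries>.
ADMINS = {"admins"}
DEVS = {"developers"}
READERS = {"users", "developers", "managers", "admins"}
ENTRIES = [
    ("topic", ">", {"admin": ADMINS, "read": ADMINS, "write": ADMINS}),
    ("queue", ">", {"admin": ADMINS, "read": ADMINS, "write": ADMINS}),
    ("topic", "ActiveMQ.Advisory.>", {"admin": ADMINS, "read": ADMINS, "write": ADMINS}),
    ("topic", "DEV.>", {"read": DEVS, "write": DEVS}),
    ("queue", "DEV.>", {"read": DEVS, "write": DEVS}),
    ("topic", "TEST.>", {"read": DEVS, "write": DEVS}),
    ("queue", "TEST.>", {"read": DEVS, "write": DEVS}),
    ("topic", "PUBLIC.>", {"read": READERS}),
    ("queue", "PUBLIC.>", {"read": READERS}),
]


def pattern_matches(pattern: str, name: str) -> bool:
    """ActiveMQ destination wildcards: '.' separates segments, '*' matches
    exactly one segment, '>' matches the remaining segments.  Assumption
    made here: '>' needs at least one remaining segment, so 'DEV.>' does
    not match the bare name 'DEV'; verify that edge against your broker."""
    pat, segs = pattern.split("."), name.split(".")
    for i, p in enumerate(pat):
        if p == ">":
            return len(segs) > i
        if i >= len(segs) or (p != "*" and p != segs[i]):
            return False
    return len(segs) == len(pat)


def allowed_groups(kind: str, name: str, op: str) -> set:
    """Union of the groups granted `op` by every entry matching the
    destination (the broker unions the ACLs of all matching entries)."""
    groups = set()
    for entry_kind, pattern, acl in ENTRIES:
        if entry_kind == kind and pattern_matches(pattern, name):
            groups |= acl.get(op, set())
    return groups


def is_allowed(user: str, op: str, kind: str, name: str) -> bool:
    """The operation passes only if one of the user's groups is in the
    union; an empty union means nobody may do it (SecurityException)."""
    return bool(USERS.get(user, set()) & allowed_groups(kind, name, op))


def access_matrix(names, kind="queue"):
    """{destination: {user: flags}} with flags drawn from 'r', 'w', 'a'
    (read, write, admin) or '-' when the user may do nothing."""
    table = defaultdict(dict)
    for name in names:
        for user in USERS:
            flags = "".join(op[0] for op in ("read", "write", "admin")
                            if is_allowed(user, op, kind, name))
            table[name][user] = flags or "-"
    return dict(table)


if __name__ == "__main__":
    # Constructed destination names, one per pattern family in the map.
    demo = ["DEV.orders", "TEST.orders", "PUBLIC.news", "PROD.orders"]
    for dest, row in access_matrix(demo).items():
        print(f"queue://{dest}")
        for user, flags in row.items():
            print(f"  {user:10} {flags}")
```

Two things the matrix makes visible. First, developers get read and write but not admin on DEV.> and TEST.>, and the broker requires admin permission to create a destination, so the first send to a DEV queue that does not yet exist is refused unless an admin has created it or the entry also grants admin="developers". Second, the outcome depends only on the identity presented to the broker. The ActiveMQ Classic web console talks to the broker through its own JMS connection, whose credentials are set in the console's configuration (for example the webconsole.jms.user and webconsole.jms.password properties) rather than taken from the Jetty login; on that assumption, a Jetty constraint decides which roles can reach /admin/sendMessage.action, while the broker authorizes the send as the console's shared identity, whatever the Jetty user's role. To check the map for a specific user, connect as that user with a JMS or STOMP client and attempt the operation, rather than judging it from the console.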