Hi Jean,

Have you had an opportunity to look into this?

Thanks & Regards,
Basavaraj G Dodawad
Sr. Middleware Engineer | MIDDLEWARE-TR
email: basavaraj.doda...@thomsonreuters.com
cell: +919148194944

-----Original Message-----
From: Dodawad, Basavaraj (TR Technology)
Sent: 01 July 2025 07:38
To: users@activemq.apache.org
Subject: RE: [EXT] Re: ActiveMQ Classic Simple Authentication for Role Based Access to Web Console

Thank you, Jean, for your prompt response. Your assistance greatly helps us achieve our goal.

Thanks & Regards,
Basavaraj G Dodawad
Sr. Middleware Engineer | MIDDLEWARE-TR

-----Original Message-----
From: Jean-Baptiste Onofré <j...@nanthrax.net>
Sent: 01 July 2025 06:32
To: users@activemq.apache.org
Subject: [EXT] Re: ActiveMQ Classic Simple Authentication for Role Based Access to Web Console

Hi

I did that for several users, and I think I blogged about that. Let me find it out.

Regards
JB

On Wed, Jun 25, 2025 at 4:16 PM Soosai Nayagam, Alban S. (TR Technology) <alban.soosainaya...@thomsonreuters.com.invalid> wrote:
>
> Hi All,
> We are relatively new to ActiveMQ Classic and are trying to implement role
> based authentication and authorization using the default Jetty based web
> console.
> The following SimpleAuthenticationPlugin and authorizationPlugin have been
> added to the activemq.xml config file:
>
> <plugins>
>     <!-- Simple Authentication Plugin -->
>     <simpleAuthenticationPlugin>
>         <users>
>             <authenticationUser username="admin" password="admin123" groups="admins"/>
>             <authenticationUser username="developer" password="dev123" groups="developers"/>
>             <authenticationUser username="user" password="user123" groups="users"/>
>             <authenticationUser username="readonly" password="readonly123" groups="users,guests"/>
>         </users>
>     </simpleAuthenticationPlugin>
>
>     <authorizationPlugin>
>         <map>
>             <authorizationMap>
>                 <authorizationEntries>
>                     <!-- Admin Group - Full Access to Everything -->
>                     <authorizationEntry admin="admins" read="admins" write="admins" topic=">" />
>                     <authorizationEntry admin="admins" read="admins" write="admins" queue=">" />
>                     <authorizationEntry admin="admins" read="admins" write="admins" topic="ActiveMQ.Advisory.>" />
>
>                     <!-- Developer Group - Development environment access -->
>                     <authorizationEntry read="developers" write="developers" topic="DEV.>" />
>                     <authorizationEntry read="developers" write="developers" queue="DEV.>" />
>                     <authorizationEntry read="developers" write="developers" topic="TEST.>" />
>                     <authorizationEntry read="developers" write="developers" queue="TEST.>" />
>
>                     <!-- Public resources for all authenticated users -->
>                     <authorizationEntry read="users,developers,managers,admins" topic="PUBLIC.>" />
>                     <authorizationEntry read="users,developers,managers,admins" queue="PUBLIC.>" />
>                 </authorizationEntries>
>             </authorizationMap>
>         </map>
>     </authorizationPlugin>
> </plugins>
>
> Also updated the jetty-realm.properties as below:
>
> # Admin users
> admin: admin123, admins
> # Developer users
> developer: dev123, developers
> tester: test123, developers
> user: user123, users
>
> At jetty.xml, the following securityConstraints have been defined:
>
> <bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint">
>     <property name="name" value="BASIC" />
>     <property name="roles" value="users,admins" />
>     <!-- set authenticate=false to disable login -->
>     <property name="authenticate" value="true" />
> </bean>
> <bean id="adminSecurityConstraint" class="org.eclipse.jetty.util.security.Constraint">
>     <property name="name" value="BASIC" />
>     <property name="roles" value="admins" />
>     <!-- set authenticate=false to disable login -->
>     <property name="authenticate" value="true" />
> </bean>
> <bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
>     <property name="constraint" ref="securityConstraint" />
>     <property name="pathSpec" value="/,/api/*,*.jsp,*.html,*.js,*.css,*.png,*.gif,*.ico" />
> </bean>
> <bean id="adminSecurityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
>     <property name="constraint" ref="adminSecurityConstraint" />
>     <property name="pathSpec" value="*.action" />
> </bean>
>
> With this setup, the broker is only allowing the admin user to write to the
> queues and topics through the web console. A normal user is not able to write to
> the queues and topics.
> But when we change the above security constraints as below, it allows the
> normal user to write to all the queues and topics without regard to the
> authorization rules defined.
>
> <bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
>     <property name="constraint" ref="securityConstraint" />
>     <property name="pathSpec" value="/,/api/*,*.jsp,*.html,*.js,*.css,*.png,*.gif,*.ico,/admin/sendMessage/" />
> </bean>
> <bean id="adminSecurityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
>     <property name="constraint" ref="adminSecurityConstraint" />
>     <property name="pathSpec" value="*.action" />
> </bean>
>
> Can anyone please let me know how to achieve specific role based access
> through the Jetty web console? Is it the usual practice to use the Jetty web
> console for role based access, or do we need to use other web consoles such as
> hawtio or Tomcat for such use cases?
>
> Thanks & Regards,
>
> Alban Soosai Nayagam
> Senior Middleware Engineer – MIDDLEWARE-TR
> Thomson Reuters
> C 1-437-241-6539

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@activemq.apache.org
For additional commands, e-mail: users-h...@activemq.apache.org
For further information, visit: https://activemq.apache.org/contact
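A way to check a jetty.xml like the one in the thread without guessing, as an added example that is not code from this thread or from the ActiveMQ project: the Python script below reads the `Constraint` and `ConstraintMapping` beans, then resolves each request path with the Servlet specification's URL-pattern precedence (exact pattern, then longest path prefix, then extension, then the default `/`), which is how a servlet container chooses the governing security constraint. It runs offline on constructed jetty.xml fragments built from the poster's two `pathSpec` lists plus a third, constructed variant with a `/admin/*` catch-all; the request paths `/admin/index.jsp`, `/admin/queues.jsp` and `/api/jolokia/version` are constructed, and `/admin/sendMessage.action` is assumed to be the URL the `*.action` mapping is meant to protect. It does not talk to a broker, so confirm its answer with a real request as each realm user. Two caveats a practitioner will want: a prefix pattern such as `/admin/*` outranks the extension pattern `*.action`, so a non-admin mapping carrying that prefix silently hands the write actions to every role it lists; and Jetty constraints only gate URLs, while the stock admin webapp talks to the broker with the console's own configured JMS credentials (the `webconsole.jms.user` / `webconsole.jms.password` settings, assumed here), not the logged-in realm user's, so the `authorizationEntry` rules in activemq.xml are evaluated for that console identity rather than per console user.

```python
"""Which Jetty realm roles reach which ActiveMQ Classic web console URLs?

Added example, not code from this thread or from the ActiveMQ project.  It reads
the Constraint/ConstraintMapping beans from a jetty.xml and resolves each request
path the way the Servlet specification picks the governing security constraint:
exact pattern, then longest path-prefix pattern, then extension pattern, then the
default pattern "/".  Runs offline on constructed jetty.xml fragments.
"""
import xml.etree.ElementTree as ET

# Constructed fragment: the two constraints and two mappings from the post, with
# the non-admin pathSpec left as a placeholder so several variants can be compared.
JETTY_XML_TEMPLATE = """<beans>
  <bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint">
    <property name="name" value="BASIC"/>
    <property name="roles" value="users,admins"/>
    <property name="authenticate" value="true"/>
  </bean>
  <bean id="adminSecurityConstraint" class="org.eclipse.jetty.util.security.Constraint">
    <property name="name" value="BASIC"/>
    <property name="roles" value="admins"/>
    <property name="authenticate" value="true"/>
  </bean>
  <bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
    <property name="constraint" ref="securityConstraint"/>
    <property name="pathSpec" value="{user_specs}"/>
  </bean>
  <bean id="adminSecurityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
    <property name="constraint" ref="adminSecurityConstraint"/>
    <property name="pathSpec" value="*.action"/>
  </bean>
</beans>"""
VARIANTS = {
    "first": "/,/api/*,*.jsp,*.html,*.js,*.css,*.png,*.gif,*.ico",                      # poster's first config
    "second": "/,/api/*,*.jsp,*.html,*.js,*.css,*.png,*.gif,*.ico,/admin/sendMessage/",  # poster's second config
    "prefix": "/api/*,/admin/*,*.jsp",                                                   # constructed: catch-all prefix
}
# Constructed request paths; sendMessage.action is assumed to be the write endpoint
# that the post's *.action mapping is meant to protect.
CONSOLE_PATHS = ["/admin/index.jsp", "/admin/queues.jsp", "/admin/sendMessage.action",
                 "/admin/sendMessage/", "/api/jolokia/version"]


def load_mappings(xml_text):
    """Return [(mapping_id, [path specs], roles)] from the jetty.xml beans.
    roles is {"*"} when the constraint has authenticate=false (anyone may pass)."""
    root = ET.fromstring(xml_text)
    constraints, mappings = {}, []
    for bean in root.iter("bean"):
        cls = bean.get("class", "")
        props = {p.get("name"): p for p in bean.findall("property")}
        if cls.endswith(".Constraint"):
            auth = props.get("authenticate")
            if auth is not None and auth.get("value") == "false":
                roles = {"*"}
            else:
                roles = {r.strip() for r in props["roles"].get("value", "").split(",") if r.strip()}
            constraints[bean.get("id")] = roles
        elif cls.endswith(".ConstraintMapping"):
            specs = [s.strip() for s in props["pathSpec"].get("value", "").split(",") if s.strip()]
            mappings.append((bean.get("id"), specs, props["constraint"].get("ref")))
    return [(mid, specs, constraints[ref]) for mid, specs, ref in mappings]


def match_rank(spec, path):
    """Rank of a Servlet URL-pattern match of `path` against `spec`, or None if no match.
    Tuples compare so that exact > longest prefix > extension > default."""
    if spec == "/":                                           # default pattern: matches everything
        return (0, 0)
    if spec.startswith("*."):                                 # extension pattern on the last segment
        return (1, 0) if path.rsplit("/", 1)[-1].endswith(spec[1:]) else None
    if spec.endswith("/*"):                                   # path-prefix pattern
        base = spec[:-2]
        return (2, len(base)) if path == base or path.startswith(base + "/") else None
    return (3, 0) if path == spec else None                   # exact pattern


def roles_for(mappings, path):
    """(winning spec, roles admitted at path).  Roles of every mapping whose spec is
    the best match are unioned, as the Servlet spec combines constraints that share
    the winning pattern.  roles is empty when no constraint covers the path at all."""
    matches = []
    for _, specs, roles in mappings:
        for spec in specs:
            rank = match_rank(spec, path)
            if rank is not None:
                matches.append((rank, spec, roles))
    if not matches:
        return None, set()
    best = max(rank for rank, _, _ in matches)
    winners = [(spec, roles) for rank, spec, roles in matches if rank == best]
    return winners[0][0], set().union(*(roles for _, roles in winners))


def audit(xml_text, paths, write_roles=frozenset({"admins"})):
    """Return ({path: (winning spec, roles)}, [write endpoints (*.action) that an
    unconstrained request or a role outside write_roles can reach])."""
    mappings = load_mappings(xml_text)
    report = {path: roles_for(mappings, path) for path in paths}
    findings = [path for path, (_, roles) in report.items()
                if path.rsplit("/", 1)[-1].endswith(".action")
                and (not roles or roles - set(write_roles))]
    return report, findings


def main():
    for name, specs in VARIANTS.items():
        report, findings = audit(JETTY_XML_TEMPLATE.format(user_specs=specs), CONSOLE_PATHS)
        print(f"== non-admin pathSpec variant '{name}' ==")
        for path, (spec, roles) in report.items():
            print(f"  {path:<28} governed by {spec!s:<22} roles={sorted(roles)}")
        print("  write endpoints reachable outside admins:", findings or "none")


if __name__ == "__main__":
    main()
```

For the poster's two variants the script reports `*.action` as the governing pattern for `/admin/sendMessage.action` with `admins` only, because both the default `/` and the exact `/admin/sendMessage/` rank below the extension pattern for that URL; the constructed `/admin/*` variant is the one it flags, since a prefix pattern outranks `*.action`. Whatever the script says, the authoritative check is a BASIC-auth request as each realm user against the running console.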