Securing the ActiveMQ installation
- Last Updated: Feb 18, 2025
By default, the ActiveMQ broker has no authentication enabled.

For information on securing your ActiveMQ connection, see Apache ActiveMQ Security.
Simple authentication for ActiveMQ
The Service Bus connection item in AVEVA™ Production Management has username, password and URI properties that are used to establish a connection to an ActiveMQ server.
In AVEVA Production Management, the username and password properties are mandatory. However, ActiveMQ does not have any authentication enabled out of the box. So although AVEVA Production Management requires a username and password, a user can enter anything in these fields and the connection to ActiveMQ still succeeds.
ActiveMQ provides pluggable security through a number of different providers. For more information, visit http://activemq.apache.org/security.html.
The simple authentication plug-in provides the quickest way to enable authentication in a broker. With this approach, all of the user data is embedded in the broker configuration file. It is useful for testing purposes and for small-scale systems with relatively few users, but it does not scale well for large systems.
Broker configuration for simple authentication
Simple authentication can be configured by adding a simpleAuthenticationPlugin element to the list of plug-ins in the broker configuration.
<beans>
  <broker ...>
    ...
    <plugins>
      <simpleAuthenticationPlugin>
        <users>
          <authenticationUser username="system" password="manager" groups="users,admins"/>
          <authenticationUser username="user" password="password" groups="users"/>
          <authenticationUser username="guest" password="password" groups="guests"/>
        </users>
      </simpleAuthenticationPlugin>
    </plugins>
    ...
  </broker>
</beans>
For each user, add an authenticationUser element as shown, setting the username, password, and groups attributes. In order to authenticate a user successfully, the username/password credentials received from a client must match the corresponding attributes in one of the authenticationUser elements.
The groups attribute assigns a user to one or more groups (formatted as a comma-separated list). If authorization is enabled, the assigned groups are used to check whether a user has permission to invoke certain operations. If authorization is not enabled, the groups are ignored.
Authorization plug-in
In a security system without authorization, every successfully authenticated user would have unrestricted access to every queue and every topic in the broker. Using the authorization plug-in, on the other hand, you can restrict access to specific destinations based on a user's group membership.
Configuring the authorization plug-in
Add an authorizationPlugin element to the list of plug-ins in the broker configuration.
The authorization plug-in contains two different kinds of entry, as follows:
- Authorization entries for named destinations.
- Authorization entries for temporary destinations.
<beans>
  <broker ...>
    ...
    <plugins>
      ...
      <authorizationPlugin>
        <map>
          <authorizationMap>
            <authorizationEntries>
              <authorizationEntry queue=">"
                                  read="admins"
                                  write="admins"
                                  admin="admins" />
              <authorizationEntry queue="USERS.>"
                                  read="users"
                                  write="users"
                                  admin="users" />
              <authorizationEntry queue="GUEST.>"
                                  read="guests"
                                  write="guests,users"
                                  admin="guests,users" />
              <authorizationEntry topic=">"
                                  read="admins"
                                  write="admins"
                                  admin="admins" />
              <authorizationEntry topic="USERS.>"
                                  read="users"
                                  write="users"
                                  admin="users" />
              <authorizationEntry topic="GUEST.>"
                                  read="guests"
                                  write="guests,users"
                                  admin="guests,users" />
            </authorizationEntries>
            <tempDestinationAuthorizationEntry>
              <tempDestinationAuthorizationEntry
                                  read="admins"
                                  write="admins"
                                  admin="admins"/>
            </tempDestinationAuthorizationEntry>
          </authorizationMap>
        </map>
      </authorizationPlugin>
    </plugins>
  </broker>
</beans>
Authorization entries for named destinations
A named destination is an ordinary JMS queue or topic. These destinations are named, in contrast to temporary destinations which have no permanent identity. The authorization entries for ordinary destinations are defined by the authorizationEntry element, which supports the following attributes:
- queue or topic—You can specify either a queue or a topic attribute, but not both in the same element. To apply authorization settings to a particular queue or topic, set the relevant attribute equal to the queue or topic name. The greater-than symbol, >, acts as a wildcard. For example, an entry with queue="USERS.>" would match any queue name beginning with the string USERS.
- read—Specifies a comma-separated list of groups that have permission to consume messages from the matching destinations.
- write—Specifies a comma-separated list of groups that have permission to publish messages to the matching destinations.
- admin—Specifies a comma-separated list of groups that have permission to create destinations in the destination subtree.
Authorization entries for temporary destinations
A temporary destination is a special feature of JMS that enables you to create a queue for a particular network connection. The temporary destination exists only as long as the network connection remains open and, as soon as the connection is closed, the temporary destination is deleted on the server side. The original motivation for defining temporary destinations was to facilitate request-reply semantics on a destination, without having to define a dedicated reply destination.
Because temporary destinations have no name, the tempDestinationAuthorizationEntry element does not support any queue or topic attributes. The attributes supported by the tempDestinationAuthorizationEntry element are as follows:
- read—Specifies a comma-separated list of groups that have permission to consume messages from all temporary destinations.
- write—Specifies a comma-separated list of groups that have permission to publish messages to all temporary destinations.
- admin—Specifies a comma-separated list of groups that have permission to create temporary destinations.