This is an automated email from the ASF dual-hosted git repository.

cshannon pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/activemq.git


The following commit(s) were added to refs/heads/main by this push:
     new ba73f37574 Update docs and default configs for advisory topics (#2055)
ba73f37574 is described below

commit ba73f37574dc6949ac8171cbc907979f1ebdb4e8
Author: Christopher L. Shannon <[email protected]>
AuthorDate: Fri May 29 09:32:40 2026 -0400

    Update docs and default configs for advisory topics (#2055)
---
 SECURITY.md                                               |  2 ++
 .../org/apache/activemq/security/jaas-broker.xml          | 10 ++++++++--
 assembly/src/release/conf/activemq.xml                    | 15 ++++++++++++++-
 3 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/SECURITY.md b/SECURITY.md
index 7f82baf278..bd1f578456 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -55,6 +55,8 @@ Users are advised to secure their environments
 
 8. Limit inbound and outbound network connectivity to and from an ActiveMQ 
server.
 
+9. Normal users need permission to create advisory topics but should generally 
**not** be given permission to read/write to those topics as those messages are 
meant for admins. A notable exception is for temporary destination advisory 
topics. For more information see the authorization section 
[here](https://activemq.apache.org/components/classic/documentation/security#authorization).
 
+
 ## ActiveMQ Security Improvement Project
 
 The Apache ActiveMQ team has initiated a security hardening project to move 
from a default configuration that is geared for developer testing and learning 
to a secured-by-default stance.
diff --git 
a/activemq-unit-tests/src/test/resources/org/apache/activemq/security/jaas-broker.xml
 
b/activemq-unit-tests/src/test/resources/org/apache/activemq/security/jaas-broker.xml
index c36fec53e6..246921584f 100644
--- 
a/activemq-unit-tests/src/test/resources/org/apache/activemq/security/jaas-broker.xml
+++ 
b/activemq-unit-tests/src/test/resources/org/apache/activemq/security/jaas-broker.xml
@@ -45,8 +45,14 @@
               <authorizationEntry topic=">" read="admins" write="admins" 
admin="admins" />
               <authorizationEntry topic="USERS.>" read="users" write="users" 
admin="users" />
               <authorizationEntry topic="GUEST.>" read="guests" 
write="guests,users" admin="guests,users" />
-              
-              <authorizationEntry topic="ActiveMQ.Advisory.>" read="*" 
write="guests,users" admin="guests,users"/>
+
+              <!-- Grant all users the ability to create/delete advisory 
destinations
+               but only admins read/write -->
+              <authorizationEntry topic="ActiveMQ.Advisory.>" read="admins" 
write="admins" admin="guests,users"/>
+
+              <!-- All users need full access to temporary destination 
advisories -->
+              <authorizationEntry topic="ActiveMQ.Advisory.TempQueue" read="*" 
write="*" admin="*"/>
+              <authorizationEntry topic="ActiveMQ.Advisory.TempTopic" read="*" 
write="*" admin="*"/>
             </authorizationEntries>
             
             <!-- let's assign roles to temporary destinations. comment this 
entry if we don't want any roles assigned to temp destinations  -->
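Review bot: The comment on the new `ActiveMQ.Advisory.>` entry says all users may create/delete advisory destinations, but its `admin` attribute lists only `guests,users`; the `admins` role only keeps create/delete because the matching `topic=">"` entry above is merged into the result, which a reader of this entry alone cannot see. The shipped default in assembly/src/release/conf/activemq.xml spells the role out as `admin="admins,users"`, so this fixture would be clearer and consistent with `admin="admins,guests,users"`, or with the comment extended to `(admins keep it via the topic=">" entry)`. The two temp-destination entries grant `read="*" write="*" admin="*"` while the assembly config limits them to `admins,users`; if the wider grant is intentional for the test fixture, a short comment saying so would save the next reader the comparison.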
diff --git a/assembly/src/release/conf/activemq.xml 
b/assembly/src/release/conf/activemq.xml
index d5658cd7f4..db176d4485 100644
--- a/assembly/src/release/conf/activemq.xml
+++ b/assembly/src/release/conf/activemq.xml
@@ -73,6 +73,17 @@
                  in bin/env (an empty value blocks ObjectMessage 
deserialization
                  entirely; specify only packages you explicitly trust).
 
+            NOTE ABOUT ADVISORY TOPICS:
+              1. All users need permission to create ActiveMQ.Advisory 
destinations,
+                 which is given by the "admin" acl. However, normal users 
should
+                 generally NOT be given access to read/write for advisories 
(except temp)
+                 as those messages are meant for admin users.
+              2. A notable exception to number 1 is regular users should be 
given access to
+                 advisories for temporary destinations because 
ActiveMQConnection uses those advisories.
+              3. In addition, dynamic network connectors use advisories to 
determine
+                 consumer demand so the users that will be used to create 
bridges need access
+                 consumer and virtual destination consumer advisories.
+
             For more information, see:
               https://activemq.apache.org/security
         -->
@@ -86,7 +97,9 @@
                         <authorizationEntries>
                             <authorizationEntry queue=">" read="admins" 
write="admins" admin="admins" />
                             <authorizationEntry topic=">" read="admins" 
write="admins" admin="admins" />
-                            <authorizationEntry topic="ActiveMQ.Advisory.>" 
read="admins,users" write="admins,users" admin="admins,users" />
+                            <authorizationEntry topic="ActiveMQ.Advisory.>" 
read="admins" write="admins" admin="admins,users" />
+                            <authorizationEntry 
topic="ActiveMQ.Advisory.TempQueue" read="admins,users" write="admins,users" 
admin="admins,users"/>
+                            <authorizationEntry 
topic="ActiveMQ.Advisory.TempTopic" read="admins,users" write="admins,users" 
admin="admins,users"/>
                         </authorizationEntries>
                     </authorizationMap>
                 </map>
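Review bot: Item 3 of the new NOTE ABOUT ADVISORY TOPICS says accounts used for dynamic network bridges need consumer and virtual-destination consumer advisories, but the new `authorizationEntries` grant `users` only the two temp-destination advisories, so a bridge authenticated with a non-admin account would presumably be denied those subscriptions under the tightened `ActiveMQ.Advisory.>` entry. A commented-out example beside the temp entries, e.g. `<!-- <authorizationEntry topic="ActiveMQ.Advisory.Consumer.>" read="admins,BRIDGE_ROLE" write="admins" admin="admins,BRIDGE_ROLE"/> -->` with the role left as a placeholder, would make the note actionable rather than advisory-only. The note text in the first hunk also reads `bridges need access consumer and virtual destination consumer advisories`; it should say `need access to consumer and virtual destination consumer advisories`.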

