Message Level Authorization in Apache ActiveMQ


While the last post covered Broker Level Authentication, this blog post is about stricter authorization at message level.
I haven't had this fine-grained authorization in real-life projects, but I want to do it myself and give readers a tutorial to widen their knowledge about security in ActiveMQ and ease their start with it.
Sometimes it can be useful to restrict access to brokers and, on top of that, to certain messages. ActiveMQ doesn't come with a plugin for this out of the box; you have to implement it more or less on your own.

Create a Java project with Maven

Start by creating a new Java project based on Maven.
In the next step, I recommend adding the activemq-all Maven dependency to your project, in the same version as your ActiveMQ installation, to be sure you use the correct imports and classes.
A list of all activemq versions and corresponding maven dependency snippets is available here.
After that it's time to add a new Java class to the project you just created. My Message Level Policy class looks like this:

Note: Your class has to implement the MessageAuthorizationPolicy interface, and you have to add the public boolean isAllowedToConsume(...) method to your class as well. Within this method you can implement your logic to decide who is allowed to consume your messages. In my example, only admins are allowed to consume.

Add the Policy to ActiveMQ

Open a console, cd into your project folder and build your Maven application by calling the mvn clean install command.
Now it's time to copy the jar file from the project's target folder to the lib folder of your ActiveMQ installation to make it available to ActiveMQ. In the last configuration step you have to add the following snippet into the broker tag of the activemq.xml:

Hint: Don't forget to change it to your fully qualified class name, not mine ;-)
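A policy class and its registration as described in the two sections above, as an added example that is not the author's original code. The package, class name and hard-coded user name are assumptions, and the activemq.xml fragment is shown in the leading comment.

```java
package com.example.security; // hypothetical package; use your own

import org.apache.activemq.broker.ConnectionContext;
import org.apache.activemq.command.Message;
import org.apache.activemq.security.MessageAuthorizationPolicy;
import org.apache.activemq.security.SecurityContext;

/*
 * Added example: lets only the authenticated user "admin" consume messages.
 *
 * Registered inside the <broker> element of activemq.xml like this
 * (the class attribute must be your own fully qualified class name):
 *
 *   <messageAuthorizationPolicy>
 *     <bean class="com.example.security.AdminOnlyMessagePolicy"
 *           xmlns="http://www.springframework.org/schema/beans"/>
 *   </messageAuthorizationPolicy>
 */
public class AdminOnlyMessagePolicy implements MessageAuthorizationPolicy {

    // Assumed user name; matches the "admin" account used in the test commands.
    private static final String ALLOWED_USER = "admin";

    @Override
    public boolean isAllowedToConsume(ConnectionContext context, Message message) {
        // Fail closed: without a connection context there is no identity to check.
        if (context == null) {
            return false;
        }
        // The security context is populated by the broker's authentication
        // plugin. If it is missing, the connection was never authenticated,
        // so the user name it supplied cannot be trusted.
        SecurityContext security = context.getSecurityContext();
        if (security == null) {
            return false;
        }
        // Compare against the authenticated user name, not a client-set header.
        return ALLOWED_USER.equals(security.getUserName());
    }
}
```

The decision is based on the identity the broker authenticated, so this policy only has an effect when an authentication plugin is configured on the broker; without one every consumer is denied.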

Test the Policy by consuming messages

First you have to start the broker via the following command on your console:
./bin/activemq start
Check if your policy is working by using the activemq script to consume sample messages:
./bin/activemq consumer --user admin --password password
This should work, because the policy class created earlier allows user admin to consume the messages. In addition, it should not be possible to consume messages with any user other than admin. You can test it by using another user:
./bin/activemq consumer --user consumer --password password
This consumer should not consume a single message.

If you have questions, want my source code, a YouTube video or something like that, just leave a comment or get in contact with me via Twitter. Have fun with ActiveMQ!

Bye,
Bennet

