Sun GlassFish Message Queue 4.4 Administration Guide

Access Control File Syntax

Each broker has its own access control file, created automatically when the broker is started. The file is named and is located at a path of the form


(See Appendix A, Distribution-Specific Locations of Message Queue Data for the exact location, depending on your platform.)

The file is formatted as a Java properties file. It starts with a version property defining the version of the file:


This is followed by three sections specifying the access control for three categories of operations:

Each of these sections consists of a sequence of authorization rules specifying which users or groups are authorized to perform which specific operations. These rules have the following syntax:


Table 9–5 describes the various elements.

Table 9–5 Authorization Rule Elements




Type of resource to which the rule applies:  

    connection: Connections

    queue: Queue destinations

    topic: Topic destinations


Specific resource (connection service type or destination) to which the rule applies 

An asterisk (*) may be used as a wild-card character to denote all resources of a given type: for example, a rule beginning with queue.* applies to all queue destinations.


Operation to which the rule applies 

This syntax element is not used for resourceType=connection.


Level of access authorized:  

    allow: Authorize user to perform operation

    deny: Prohibit user from performing operation


Type of principal (user or group) to which the rule applies:  

    user: Individual user

    group: User group


List of principals (users or groups) to whom the rule applies, separated by commas 

An asterisk (*) may be used as a wild-card character to denote all users or all groups: for example, a rule ending with user=* applies to all users.

Example 9–3 Example 1

Rule: queue.q1.consume.allow.user=*

Description: allows all users to consume messages from the queue destination q1.

Example 9–4 Example 2

Rule: queue.*.consume.allow.user=Snoopy

Description: allows user Snoopy to consume messages from all queue destinations.

Example 9–5 Example 3

Rule: topic.t1.produce.deny.user=Snoopy

Description: prevents Snoopy from producing messages to the topic destination t1.

Note –

You can use Unicode escape (\uXXXX) notation to specify non-ASCII user, group, or destination names. If you have edited and saved the access control file with these names in a non-ASCII encoding, you can use the Java native2ascii tool to convert the file to ASCII. See the Java Internationalization FAQ at

for more information.
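
As an added illustration (not part of this guide or of the Message Queue distribution), the Python sketch below parses rules of the form shown in Examples 9–3 to 9–5, decodes \uXXXX escapes in names, and lists every allow rule that relies on a wildcard, which is a natural first item to review when tightening a broker's access control file. It assumes one rule per line with `=` as the separator; the names `parse_rule`, `audit` and `SAMPLE`, and the `NORMAL` connection service type used in the sample, are assumptions of this example.

```python
import re
from collections import namedtuple

RESOURCE_TYPES = {"connection", "queue", "topic"}
ACCESS_LEVELS = {"allow", "deny"}
PRINCIPAL_TYPES = {"user", "group"}
# operation is None for connection rules, which do not use that element
Rule = namedtuple("Rule", "resource_type resource operation access principal_type principals")

def unescape(s):  # decode \uXXXX escapes used for non-ASCII names
    return re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)

def parse_rule(line):
    """Return a Rule, or None for blank lines, comments and non-rule properties."""
    key, sep, value = line.strip().partition("=")
    parts = key.strip().split(".")
    if not sep or parts[0] not in RESOURCE_TYPES:
        return None  # also skips the version property and '#' comments
    tail = 2 if parts[0] == "connection" else 3  # elements after the resource name
    principals = tuple(unescape(p.strip()) for p in value.split(",") if p.strip())
    if (len(parts) < tail + 2 or parts[-2] not in ACCESS_LEVELS
            or parts[-1] not in PRINCIPAL_TYPES or not principals):
        raise ValueError(f"malformed rule: {line.strip()!r}")
    operation = None if tail == 2 else parts[-3]
    resource = unescape(".".join(parts[1:-tail]))
    return Rule(parts[0], resource, operation, parts[-2], parts[-1], principals)

def audit(text):
    """List (line_no, rule, notes) for every allow rule that uses a wildcard."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        rule = parse_rule(line)
        if rule and rule.access == "allow":
            notes = [f"every {kind}" for kind, hit in (
                (rule.resource_type, rule.resource == "*"),
                (rule.principal_type, "*" in rule.principals)) if hit]
            if notes:
                findings.append((no, rule, notes))
    return findings

# Constructed sample: lines 1-3 are the page's examples, lines 4-5 are invented
# (NORMAL is an assumed connection service type name).
SAMPLE = r"""queue.q1.consume.allow.user=*
queue.*.consume.allow.user=Snoopy
topic.t1.produce.deny.user=Snoopy
topic.*.produce.allow.group=*
connection.NORMAL.allow.user=Snoopy,\u00c9milie
"""

for no, rule, notes in audit(SAMPLE):
    print(f"line {no}: allow covers {', '.join(notes)}: {rule}")
```

The audit only reports where wildcards appear in allow rules; it does not model how the broker resolves overlapping allow and deny rules, which this section does not describe.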