Sun Java System Message Queue 4.1 Administration Guide

Access Control File Syntax

Each broker has its own access control file, created automatically when the broker is started. The file is named accesscontrol.properties and is located at a path of the form

   …/instances/brokerInstanceName/etc/accesscontrol.properties

(See Appendix A, Platform-Specific Locations of Message Queue Data for the exact location, depending on your platform.)

The file is formatted as a Java properties file. It starts with a version property defining the version of the file:

   version=JMQFileAccessControlModel/100

This is followed by three sections specifying the access control for three categories of operations:

Each of these sections consists of a sequence of authorization rules specifying which users or groups are authorized to perform which specific operations. These rules have the following syntax:

   resourceType.resourceVariant.operation.access.principalType=principals

Table 9–5 describes the various elements.

Table 9–5 Authorization Rule Elements

   Element           Description
   ----------------  ------------------------------------------------------------
   resourceType      Type of resource to which the rule applies:
                       connection: Connections
                       queue: Queue destinations
                       topic: Topic destinations
   resourceVariant   Specific resource (connection service type or destination)
                     to which the rule applies. An asterisk (*) may be used as a
                     wild-card character to denote all resources of a given type:
                     for example, a rule beginning with queue.* applies to all
                     queue destinations.
   operation         Operation to which the rule applies; see the pertinent
                     sections below for possible values.
   access            Level of access authorized:
                       allow: Authorize user to perform operation
                       deny: Prohibit user from performing operation
   principalType     Type of principal (user or group) to which the rule applies:
                       user: Individual user
                       group: User group
   principals        List of principals (users or groups) to whom the rule
                     applies, separated by commas. An asterisk (*) may be used
                     as a wild-card character to denote all users or all groups:
                     for example, a rule ending with user=* applies to all users.

For example, the authorization rule

   queue.q1.consume.allow.user=*

allows all users to consume messages from the queue destination q1. The rule

   queue.*.consume.allow.user=Snoopy

allows user Snoopy to consume messages from all queue destinations. The rule

   topic.t1.produce.deny.user=Snoopy

prevents Snoopy from producing messages to the topic destination t1.
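The rule syntax above can be parsed and matched mechanically, which is useful when auditing an accesscontrol.properties file. The following Python example is added here and is not part of the guide or of Message Queue itself: it parses rules in the Table 9–5 form, applies the wild-card behaviour described there, and uses an assumed decision policy (permitted only when some matching rule allows and no matching rule denies), since this section does not say how conflicting rules are resolved. The sample file contents and the user name Woodstock are constructed.

```python
import re

# Element vocabulary taken from Table 9-5; resourceVariant and operation are free-form.
RESOURCE_TYPES = {"connection", "queue", "topic"}
ACCESS_LEVELS = {"allow", "deny"}
PRINCIPAL_TYPES = {"user", "group"}
RULE_RE = re.compile(r"^(\w+)\.([^.]+)\.(\w+)\.(\w+)\.(\w+)=(.*)$")

def parse_rules(text):
    """Parse accesscontrol.properties text into rule dicts; skip version/comment lines."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#!" or line.startswith("version="):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not an authorization rule: {line}")
        rtype, rvar, op, access, ptype, principals = m.groups()
        if rtype not in RESOURCE_TYPES or access not in ACCESS_LEVELS or ptype not in PRINCIPAL_TYPES:
            raise ValueError(f"line {lineno}: unknown element in: {line}")
        rules.append({"rtype": rtype, "rvar": rvar, "op": op, "access": access, "ptype": ptype,
                      "principals": {p.strip() for p in principals.split(",") if p.strip()}})
    return rules

def matching_rules(rules, rtype, rvar, op, user, groups=()):
    """Return the access level of every rule matching the request; '*' is the wildcard."""
    hits = []
    for r in rules:
        if r["rtype"] != rtype or r["op"] != op or r["rvar"] not in ("*", rvar):
            continue
        # user rules are checked against the user name, group rules against the user's groups
        names = {user} if r["ptype"] == "user" else set(groups)
        if names and ("*" in r["principals"] or names & r["principals"]):
            hits.append(r["access"])
    return hits

def is_permitted(rules, rtype, rvar, op, user, groups=()):
    """Assumed decision policy (the guide does not state one in this section):
    permitted only when some matching rule allows and no matching rule denies."""
    hits = matching_rules(rules, rtype, rvar, op, user, groups)
    return "allow" in hits and "deny" not in hits

# Constructed sample: the three rules quoted in the guide plus one group rule.
SAMPLE = """version=JMQFileAccessControlModel/100
queue.q1.consume.allow.user=*
queue.*.consume.allow.user=Snoopy
topic.t1.produce.deny.user=Snoopy
topic.t1.produce.allow.group=*
"""
```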


Note –

You can use Unicode escape (\uXXXX) notation to specify non-ASCII user, group, or destination names. If you have edited and saved the access control file with these names in a non-ASCII encoding, you can use the Java native2ascii tool to convert the file to ASCII. See the Java Internationalization FAQ at

   http://java.sun.com/j2se/1.4/docs/guide/intl/faq.html

for more information.