Authorization rules in the access control file are applied according to the following principles:
Any operation not explicitly authorized through an authorization rule is implicitly prohibited. For example, if the access control file contains no authorization rules, all users are denied access to all operations.
Authorization rules for specific users override those applying generically to all users. For example, the rules
    queue.q1.produce.allow.user=*
    queue.q1.produce.deny.user=Snoopy
authorize all users except Snoopy to send messages to queue destination q1.
Authorization rules for a specific user override those for any group to which the user belongs. For example, if user Snoopy is a member of group user, the rules
    queue.q1.consume.allow.group=user
    queue.q1.consume.deny.user=Snoopy
authorize all members of user except Snoopy to receive messages from queue destination q1.
Authorization rules applying generically to all users override those applying to all groups. For example, the rules
    topic.t1.produce.deny.group=*
    topic.t1.produce.allow.user=*
authorize all users to publish messages to topic destination t1, overriding the rule denying such access to all groups.
Authorization rules for specific resources override those applying generically to all resources of a given type. For example, the rules
    topic.*.consume.allow.user=Snoopy
    topic.t1.consume.deny.user=Snoopy
authorize Snoopy to subscribe to all topic destinations except t1.
Authorization rules authorizing and denying access to the same resource and operation for the same user or group cancel each other out, resulting in authorization being denied. For example, the rules
    queue.q1.browse.deny.user=Snoopy
    queue.q1.browse.allow.user=Snoopy
prevent Snoopy from browsing queue q1. The rules
    topic.t1.consume.deny.group=user
    topic.t1.consume.allow.group=user
prevent all members of group user from subscribing to topic t1.
When multiple authorization rules are specified for the same resource, operation, and principal type, only the last rule applies. The rules
    queue.q1.browse.allow.user=Snoopy,Linus
    queue.q1.browse.allow.user=Snoopy
authorize user Snoopy, but not Linus, to browse queue destination q1.
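To see the precedence principles working together, the following Python evaluator is an added example (not code from the product or this page): it parses rules in the syntax shown above and decides a request according to the principles listed, using a constructed access control file that reproduces the examples. The rank of a rule naming a specific group relative to a user=* rule is an assumption, since the text does not order those two cases.

```python
import re

# Rule syntax used above: <queue|topic>.<resource>.<operation>.<allow|deny>.<user|group>=<principals>
RULE_RE = re.compile(r"^(queue|topic)\.([^.]+)\.(produce|consume|browse)\.(allow|deny)\.(user|group)=(.*)$")


def parse_rules(text):
    # Map (type, resource, op, verb, ptype) -> set of principals; a repeated key replaces the earlier one,
    # so only the last rule for the same resource, operation, verb and principal type applies.
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised rule: {line}")
        rtype, res, op, verb, ptype, principals = m.groups()
        rules[(rtype, res, op, verb, ptype)] = {p.strip() for p in principals.split(",") if p.strip()}
    return rules


def is_authorized(rules, user, groups, rtype, resource, op):
    """True only if an allow rule matches and no deny rule of equal or higher precedence matches."""
    # Precedence, highest first: the specific resource before "*"; within a resource, rules naming the
    # user, then the user's groups, then user=*, then group=*.  Ranking specific groups above user=*
    # is an assumption; the text only orders user > group and user=* > group=*.
    for res in (resource, "*"):
        for ptype, principals in (("user", [user]), ("group", groups), ("user", ["*"]), ("group", ["*"])):
            deny = rules.get((rtype, res, op, "deny", ptype), set())
            allow = rules.get((rtype, res, op, "allow", ptype), set())
            if any(p in deny for p in principals):  # deny wins, so allow+deny for one principal = deny
                return False
            if any(p in allow for p in principals):
                return True
    return False  # nothing explicitly authorized the operation: implicit deny


# Constructed access control file reproducing the examples in the text (q2 shows the cancel-out case).
SAMPLE = """
queue.q1.produce.allow.user=*
queue.q1.produce.deny.user=Snoopy
queue.q1.consume.allow.group=user
queue.q1.consume.deny.user=Snoopy
topic.t1.produce.deny.group=*
topic.t1.produce.allow.user=*
topic.*.consume.allow.user=Snoopy
topic.t1.consume.deny.user=Snoopy
queue.q2.browse.deny.user=Snoopy
queue.q2.browse.allow.user=Snoopy
queue.q1.browse.allow.user=Snoopy,Linus
queue.q1.browse.allow.user=Snoopy
"""
RULES = parse_rules(SAMPLE)
```

Calling is_authorized(RULES, "Snoopy", ["user"], "queue", "q1", "produce") returns False while the same call for "Linus" returns True, matching the first example; a user with no matching rule at all, such as browsing a queue no rule mentions, is denied.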