From afa6937f280bd588a0f9b15e3d7a3f0e293227eb Mon Sep 17 00:00:00 2001 From: "Christopher L. Shannon" Date: Thu, 28 May 2026 19:07:37 -0400 Subject: [PATCH] Update docs and default configs for advisory topics --- SECURITY.md | 2 ++ .../org/apache/activemq/security/jaas-broker.xml | 10 ++++++++-- assembly/src/release/conf/activemq.xml | 15 ++++++++++++++- 3 files changed, 24 insertions(+), 3 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 7f82baf2787..bd1f5784565 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -55,6 +55,8 @@ Users are advised to secure their environments 8. Limit inbound and outbound network connectivity to and from an ActiveMQ server. +9. Normal users need permission to create advisory topics but should generally **not** be given permission to read/write to those topics as those messages are meant for admins. A notable exception is for temporary destination advisory topics. For more information see the authorization section [here](https://activemq.apache.org/components/classic/documentation/security#authorization). + ## ActiveMQ Security Improvement Project The Apache ActiveMQ team has initiated a security hardening project to move from a default configuration that is geared for developer testing and learning to a secured-by-default stance. diff --git a/activemq-unit-tests/src/test/resources/org/apache/activemq/security/jaas-broker.xml b/activemq-unit-tests/src/test/resources/org/apache/activemq/security/jaas-broker.xml index c36fec53e6f..246921584fd 100644 --- a/activemq-unit-tests/src/test/resources/org/apache/activemq/security/jaas-broker.xml +++ b/activemq-unit-tests/src/test/resources/org/apache/activemq/security/jaas-broker.xml @@ -45,8 +45,14 @@ - - + + + + + + + diff --git a/assembly/src/release/conf/activemq.xml b/assembly/src/release/conf/activemq.xml index d5658cd7f49..db176d44850 100644 --- a/assembly/src/release/conf/activemq.xml +++ b/assembly/src/release/conf/activemq.xml 
@@ -73,6 +73,17 @@ in bin/env (an empty value blocks ObjectMessage deserialization entirely; specify only packages you explicitly trust). + NOTE ABOUT ADVISORY TOPICS: + 1. All users need permission to create ActiveMQ.Advisory destinations, + which is given by the "admin" acl. However, normal users should + generally NOT be given access to read/write for advisories (except temp) + as those messages are meant for admin users. + 2. A notable exception to number 1 is regular users should be given access to + advisories for temporary destinations because ActiveMQConnection uses those advisories. + 3. In addition, dynamic network connectors use advisories to determine + consumer demand so the users that will be used to create bridges need access + consumer and virtual destination consumer advisories. + For more information, see: https://activemq.apache.org/security --> @@ -86,7 +97,9 @@ - + + +
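Review bot: in the SECURITY.md hunk, new item 9 says normal users "need permission to create advisory topics" but does not say which permission that is, while the activemq.xml comment in the same patch says it is the `admin` acl; naming it here too ("need the admin permission on the ActiveMQ.Advisory destinations") would keep the two documents consistent. The same hunk lists temporary-destination advisories as the only exception, whereas the activemq.xml note adds a second one (users that create network-connector bridges need consumer and virtual destination consumer advisories); either mention both exceptions in SECURITY.md or point the reader to the activemq.xml note so the guidance does not disagree between the two files.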
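Review bot: the jaas-broker.xml hunk (@@ -45,8 +45,14 @@) replaces two lines with seven, but the XML element text is not rendered in this view, so the authorization entries it introduces cannot be checked against the policy described in the rest of the patch; please confirm in the PR description that the test broker's entries match the NOTE ABOUT ADVISORY TOPICS exactly (create via the admin permission for all users, read/write limited to temporary-destination advisories, plus consumer and virtual destination consumer advisories for the bridge users), since the unit tests are what will catch drift between the documented policy and the shipped default.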
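Review bot: item 3 of the NOTE ABOUT ADVISORY TOPICS in the activemq.xml hunk is missing a word: "need access consumer and virtual destination consumer advisories" should read "need access to consumer and virtual destination consumer advisories". Item 1's phrase "given by the "admin" acl" is ambiguous between the admin permission and an admin group; suggest "granted by the admin attribute of the authorizationEntry" so operators editing the file know which attribute to set. The closing pointer "For more information, see: https://activemq.apache.org/security" also differs from the authorization link used in the SECURITY.md hunk (the documentation security page's authorization section); using the same URL in both places would avoid sending readers to two different pages for the same rule.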