apache · cshannon · May 29, 2026 · May 28, 2026
diff --git a/SECURITY.md b/SECURITY.md
@@ -55,6 +55,8 @@ Users are advised to secure their environments
 
 8. Limit inbound and outbound network connectivity to and from an ActiveMQ server.
 
+9. Normal users need permission to create advisory topics but should generally **not** be given permission to read/write to those topics as those messages are meant for admins. A notable exception is for temporary destination advisory topics. For more information see the authorization section [here](https://activemq.apache.org/components/classic/documentation/security#authorization). 
+
 ## ActiveMQ Security Improvement Project
 
 The Apache ActiveMQ team has initiated a security hardening project to move from a default configuration that is geared for developer testing and learning to a secured-by-default stance.

diff --git a/activemq-unit-tests/src/test/resources/org/apache/activemq/security/jaas-broker.xml b/activemq-unit-tests/src/test/resources/org/apache/activemq/security/jaas-broker.xml
@@ -45,8 +45,14 @@
               <authorizationEntry topic=">" read="admins" write="admins" admin="admins" />
               <authorizationEntry topic="USERS.>" read="users" write="users" admin="users" />
               <authorizationEntry topic="GUEST.>" read="guests" write="guests,users" admin="guests,users" />
-
-              <authorizationEntry topic="ActiveMQ.Advisory.>" read="*" write="guests,users" admin="guests,users"/>
+
+              <!-- Grant all users the ability to create/delete advisory destinations
+               but only admins read/write -->
+              <authorizationEntry topic="ActiveMQ.Advisory.>" read="admins" write="admins" admin="guests,users"/>
+
+              <!-- All users need full access to temporary destination advisories -->
+              <authorizationEntry topic="ActiveMQ.Advisory.TempQueue" read="*" write="*" admin="*"/>
+              <authorizationEntry topic="ActiveMQ.Advisory.TempTopic" read="*" write="*" admin="*"/>
             </authorizationEntries>
 
             <!-- let's assign roles to temporary destinations. comment this entry if we don't want any roles assigned to temp destinations  -->

diff --git a/assembly/src/release/conf/activemq.xml b/assembly/src/release/conf/activemq.xml
@@ -73,6 +73,17 @@
                  in bin/env (an empty value blocks ObjectMessage deserialization
                  entirely; specify only packages you explicitly trust).
 
+            NOTE ABOUT ADVISORY TOPICS:
+              1. All users need permission to create ActiveMQ.Advisory destinations,
+                 which is given by the "admin" acl. However, normal users should
+                 generally NOT be given access to read/write for advisories (except temp)
+                 as those messages are meant for admin users.
+              2. A notable exception to number 1 is regular users should be given access to
+                 advisories for temporary destinations because ActiveMQConnection uses those advisories.
+              3. In addition, dynamic network connectors use advisories to determine
+                 consumer demand so the users that will be used to create bridges need access
+                 consumer and virtual destination consumer advisories.
+
             For more information, see:
               https://activemq.apache.org/security
         -->
@@ -86,7 +97,9 @@
                         <authorizationEntries>
                             <authorizationEntry queue=">" read="admins" write="admins" admin="admins" />
                             <authorizationEntry topic=">" read="admins" write="admins" admin="admins" />
-                            <authorizationEntry topic="ActiveMQ.Advisory.>" read="admins,users" write="admins,users" admin="admins,users" />
+                            <authorizationEntry topic="ActiveMQ.Advisory.>" read="admins" write="admins" admin="admins,users" />
+                            <authorizationEntry topic="ActiveMQ.Advisory.TempQueue" read="admins,users" write="admins,users" admin="admins,users"/>
+                            <authorizationEntry topic="ActiveMQ.Advisory.TempTopic" read="admins,users" write="admins,users" admin="admins,users"/>
                         </authorizationEntries>
                     </authorizationMap>
                 </map>