Chapter 20 Working With Routes : Routing and Authorization

Routing and Authorization
User & Password
When a server’s authorization parameter is enabled, other servers that actively connect to it must authenticate themselves by name and password, or by X.509 certificate.
Figure 40 Routing: Authorization
In Figure 40, servers A and B both configure active routes to one another.
ACL
When routing a secure topic or queue, servers consult the ACL specification before forwarding each message. The servers must grant one another appropriate permissions to send, receive, publish or subscribe.
For example, in Figure 40, no ACL is needed for messages to flow from A (where the producer sends) to B (where the consumer receives), because B has authorization turned off and the messages are sent to and consumed from queues. However, if messages were to flow from B to A (the producer connects to B and the consumer connects to A), then server A's ACL should grant user B send permission on the queue Q2.
If this example used topics instead, then for messages to flow from A to B, A would need to grant B the subscribe and durable permissions on the topic (global on both servers). For messages to flow from B to A, you would have to grant B publish permission on the topic.
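The grants described above, written out as configuration-file entries for the two servers in Figure 40. This is an added example, not part of the original documentation; the topic name T1, the host placeholder and the password placeholder are assumptions.

```conf
# --- Server A: tibemsd.conf ---
# A enforces authorization, so B must log in and is subject to A's ACL.
server        = A
authorization = enabled
routing       = enabled

# --- Server A: users.conf ---
# Peer server B authenticates to A under its own server name.
B:<route-password>:"Route peer B"

# --- Server A: topics.conf (T1 is a hypothetical topic name) ---
# ACL checks apply to secure destinations; the topic is global on both servers.
T1 secure,global

# --- Server A: acl.conf ---
# Queue case, messages flowing B -> A: B sends into Q2 on A.
QUEUE=Q2 USER=B PERM=send
# Topic case, messages flowing A -> B: B subscribes on A.
TOPIC=T1 USER=B PERM=subscribe,durable
# Topic case, messages flowing B -> A: B publishes to A.
TOPIC=T1 USER=B PERM=publish

# --- Server B: tibemsd.conf ---
# B has authorization turned off, so no ACL entries for A are needed here.
# The name and password below are what B presents when it connects to A.
server   = B
password = <route-password>
routing  = enabled

# --- Server B: routes.conf ---
[A]
url = tcp://<host-of-A>:7222
```

Grant the route user only the permissions for the direction in which messages actually flow; the three acl.conf lines cover separate cases and are not all required at once.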
See Also
Chapter 8, Authentication and Permissions