thanks for your information.
Plugin is a good way to go. But normally, third party developers have their own framework. It is not easy to integrate openfire and their framework through plugins.
Anyway, i already got solution to solve my own problem - to add constrains on MUC creation.
In our case, only some specific users are allowed to create room. The logic of whether a user is allowed to create a room or not is runing in our own framework, which itself is a big system.
There are two ways to solve the problem.
First, as you said, add plugin for MUC creation, this plugin will check with our framework before create the MUC room.
Second, external system will check whether the user is allowed to create a room, and then it connect to the openfire and create a room, modify the owner, configure the room (like persistent room, max users etc) by XEP-0045 protocol.
I already tested that the second way, it works.