Thursday, March 6, 2014

Security in weblogic (print Roles and Policies)

Many times we come across a situation where we need to figure out exactly which roles and policies a given resource on WebLogic has.

If we have a few thousand Roles and Policies, it is impossible to compare them against an existing environment by hand; capturing them from the WebLogic console is a tedious and time-consuming task.

I came up with a utility WLST script which lists/displays all the Roles and Policies in that WebLogic domain.



listAllPolicies.py




from weblogic.management.security.authentication import UserReaderMBean
from weblogic.management.security.authentication import GroupReaderMBean
from weblogic.management.security.authentication import MemberGroupListerMBean
from weblogic.security.providers.authentication import DefaultAuthenticatorMBean
from weblogic.management.security.authentication import AuthenticationProviderMBean
from weblogic.management.security.authentication import GroupEditorMBean
from weblogic.management.utils import NameListerMBean
from weblogic.management.security.authorization import RoleMapperMBean
from weblogic.management.utils import PropertiesListerMBean
from weblogic.management.security.authorization import RoleReaderMBean
from weblogic.security.providers.xacml.authorization import XACMLRoleMapperMBean
from weblogic.security.providers.xacml.authorization import XACMLAuthorizerMBean

# connect to the admin server; replace the credentials and adminIP:port with your own
connect("weblogic","weblogic","t3://adminIP:6500")
realm1=cmo.getSecurityConfiguration().getDefaultRealm()
atns = realm1.getAuthorizers()
realm=cmo.getSecurityConfiguration().getDefaultRealm().lookupAuthorizer('XACMLAuthorizer')
## if you are using a custom Authorizer, use the custom authorizer's name ####
#realm=cmo.getSecurityConfiguration().getDefaultRealm().lookupAuthorizer('DefaultAuthorizer')
print realm
print realm1
print atns
for i in atns:
    print "______________________"
    print i
    # only the XACML authorizer exposes the policy lister used below
    if isinstance(i,XACMLAuthorizerMBean):
        userReader = i
        # open a cursor over every policy in the realm, at most 1000 per batch
        cursor = i.listAllPolicies(1000)
        #listpolicy= i.listPoliciesByResourceType('type=<jndi>',0)
        print 'policies are: '
        print cursor
        #print listpolicy
        # each entry is a java.util.Properties holding ResourceId and Expression
        while userReader.haveCurrent(cursor):
            print userReader.getCurrentProperties(cursor)
            userReader.advance(cursor)
        # release the cursor once the listing is exhausted
        userReader.close(cursor)


Output (something like below):





The script below lists/displays all the Roles in the entire WebLogic domain.



listAllRoles.py



import weblogic.security.service.URLResource
# connect to the admin server; replace the credentials and adminIP:port with your own
connect("weblogic","weblogic","t3://adminIP:6500")
securityRealm=cmo.getSecurityConfiguration().getDefaultRealm()
## By default the role mapper is XACMLRoleMapper ###################
authorizer=securityRealm.lookupRoleMapper("XACMLRoleMapper")
## For a custom (user-created) role mapper, use its name instead ####
#authorizer=securityRealm.lookupRoleMapper("DefaultRoleMapper")
print authorizer.getProviderClassName()
print authorizer.getName()
# open a cursor over every role in the realm, at most 1000 per batch
cursor = authorizer.listAllRoles(1000)
print cursor
userReader = authorizer
# each entry is a java.util.Properties holding ResourceId, RoleName and Expression
while userReader.haveCurrent(cursor):
    usrrd = userReader.getCurrentProperties(cursor)
    print usrrd
    #print usrrd.get('Expression')
    #print usrrd.get('RoleName')
    userReader.advance(cursor)
# release the cursor once the listing is exhausted
userReader.close(cursor)

Output (something like below):





Removing Root level JNDI policy using WLST:

Connect to the weblogic domain using WLST
<MW_HOME>/wlserver_10.3/common/bin/wlst.sh
connect('username','password','t3://adminip:port')

cd('SecurityConfiguration/<DOM_NAME>/DefaultRealm/myrealm/Authorizers/XACMLAuthorizer')
cmo.removePolicy('type=<jndi>')






Creating Root level JNDI policy using WLST:

Connect to the weblogic domain using WLST
<MW_HOME>/wlserver_10.3/common/bin/wlst.sh
connect('username','password','t3://adminip:port')
cd('SecurityConfiguration/<DOM_NAME>/DefaultRealm/myrealm/Authorizers/XACMLAuthorizer')
cmo.createPolicy('type=<jndi>','Grp(everyone)')

Updating additional Root level JNDI policy using WLST:

cmo.setPolicyExpression('type=<jndi>','Grp(everyone)|Grp(Administrators)')









Updating with additional Roles
cmo.setPolicyExpression('type=<jndi>','Grp(everyone)|Grp(Administrators)|Rol(Admin)|Rol(MY_BIND_ROLE)')





Updating/Adding Roles in JNDI
cd('SecurityConfiguration/<DOMAIN_NAME>/DefaultRealm/myrealm/RoleMappers/XACMLRoleMapper')
cmo.createRole('type=<jndi>','JMSRole','')

 



Removing the Role
cmo.removeRole('type=<jndi>','JMSRole')
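As an added example, not part of the original post: a plain Python 3 script (run outside WLST) that post-processes the policy listings printed by listAllPolicies.py above, so that thousands of entries captured from two environments can be compared and reviewed without the console. It assumes each dumped line is the java.util.Properties form {key=value, ...} with the ResourceId/RoleName/Expression keys, diffs two captured dumps by ResourceId, and, because `|` in a policy expression is OR so that Grp(everyone)|Grp(Administrators) still admits every caller, flags any root-level resource such as type=<jndi> whose expression contains Grp(everyone) or Grp(users). The sample dump lines are constructed.

```python
import re

# Constructed sample dumps in the shape `print userReader.getCurrentProperties(cursor)`
# prints for each policy (assumed java.util.Properties form; key order is not fixed).
DEV_DUMP = """\
{Expression=Grp(Administrators), ResourceId=type=<jndi>}
{Expression=Grp(Deployers), ResourceId=type=<jndi>, application=orders, path={weblogic}}
{ResourceId=type=<jms>, Expression=Grp(everyone)}
"""
PROD_DUMP = """\
{Expression=Grp(everyone)|Grp(Administrators), ResourceId=type=<jndi>}
{Expression=Grp(Deployers), ResourceId=type=<jndi>, application=orders, path={weblogic}}
"""

# Split only on these keys: a ResourceId may itself contain ", application=..."
KEY_RE = re.compile(r"(?:^|, )(ResourceId|RoleName|Expression)=")
ROOT_RE = re.compile(r"^type=<[^>]+>$")           # bare root-level resource id
BROAD_RE = re.compile(r"Grp\((everyone|users)\)")  # grants every (authenticated) caller

def parse_dump(text):
    """Parse dumped lines into {ResourceId: {key: value}}; other lines are skipped."""
    entries = {}
    for line in text.splitlines():
        body = line.strip()
        if not (body.startswith("{") and body.endswith("}")):
            continue
        body = body[1:-1]
        hits = list(KEY_RE.finditer(body))
        props = {}
        for i, m in enumerate(hits):
            end = hits[i + 1].start() if i + 1 < len(hits) else len(body)
            props[m.group(1)] = body[m.end():end]
        if "ResourceId" in props:
            entries[props["ResourceId"]] = props
    return entries

def diff_policies(a, b):
    """Return (only_in_a, only_in_b, {ResourceId: (expr_a, expr_b)} for changed ones)."""
    only_a = sorted(set(a) - set(b))
    only_b = sorted(set(b) - set(a))
    changed = {r: (a[r].get("Expression"), b[r].get("Expression"))
               for r in set(a) & set(b)
               if a[r].get("Expression") != b[r].get("Expression")}
    return only_a, only_b, changed

def find_broad_root_grants(entries):
    """Root-level resources (bare type=<...>) whose policy grants everyone/users."""
    return sorted(r for r, p in entries.items()
                  if ROOT_RE.match(r) and BROAD_RE.search(p.get("Expression", "")))
```

Feed it the saved output of listAllPolicies.py from each environment; the same parser handles listAllRoles.py output, since those entries carry the same keys plus RoleName.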