Security in WebLogic (Roles and Policies)
Many times we come across a situation where we need to figure out exactly which roles and which policies a resource on WebLogic has.
If we have a few thousand roles and policies, it is impractical to compare them against an existing environment, and capturing them from the WebLogic console is a tedious and time-consuming task.
I came up with a utility WLST script that lists the entire set of roles and policies in a WebLogic domain.
listAllPolicies.py

# Only the XACML authorizer MBean type is needed; it is used to pick the authorizer below.
from weblogic.security.providers.xacml.authorization import XACMLAuthorizerMBean

connect("weblogic","weblogic","t3://adminIP:6500")

realm1 = cmo.getSecurityConfiguration().getDefaultRealm()
atns = realm1.getAuthorizers()
# The default realm uses 'XACMLAuthorizer'; if you are using a custom authorizer,
# use the custom authorizer name instead (e.g. 'DefaultAuthorizer').
realm = realm1.lookupAuthorizer('XACMLAuthorizer')
#realm = realm1.lookupAuthorizer('DefaultAuthorizer')
print realm
print realm1
print atns

for i in atns:
    print "______________________"
    print i
    if isinstance(i, XACMLAuthorizerMBean):
        userReader = i
        # Open a cursor over all policies; the argument is the maximum number of entries to return
        cursor = i.listAllPolicies(1000)
        #listpolicy = i.listPoliciesByResourceType('type=<jndi>', 0)
        print 'policies are: '
        print cursor
        #print listpolicy
        # Walk the cursor and print each policy's properties (resource id and expression)
        while userReader.haveCurrent(cursor):
            print userReader.getCurrentProperties(cursor)
            userReader.advance(cursor)
        # Release the cursor; close() takes the cursor as its argument
        userReader.close(cursor)
The output is one line per policy, showing each policy's properties.
The script below lists all the roles in the entire WebLogic domain:

connect("weblogic","weblogic","t3://adminIP:6500")
securityRealm = cmo.getSecurityConfiguration().getDefaultRealm()
# By default the role mapper is XACMLRoleMapper
authorizer = securityRealm.lookupRoleMapper("XACMLRoleMapper")
# For a custom role mapper, use its name instead, e.g.:
#authorizer = securityRealm.lookupRoleMapper("DefaultRoleMapper")
print authorizer.getProviderClassName()
print authorizer.getName()
# Open a cursor over all roles; the argument is the maximum number of entries to return
cursor = authorizer.listAllRoles(1000)
print cursor
userReader = authorizer
# Walk the cursor and print each role's properties
while userReader.haveCurrent(cursor):
    usrrd = userReader.getCurrentProperties(cursor)
    print usrrd
    #print usrrd.get('Expression')
    #print usrrd.get('RoleName')
    userReader.advance(cursor)
userReader.close(cursor)
The output is one line per role, showing each role's properties.
Removing the root-level JNDI policy using WLST:
Connect to the WebLogic domain using WLST:
./<MW_HOME>/wlserver_10.3/common/bin/wlst.sh
connect('username','password','t3://adminip:port')
cd('SecurityConfiguration/<DOM_NAME>/DefaultRealm/myrealm/Authorizers/XACMLAuthorizer')
cmo.removePolicy('type=<jndi>')
Creating the root-level JNDI policy using WLST:
Connect to the WebLogic domain using WLST:
./<MW_HOME>/wlserver_10.3/common/bin/wlst.sh
connect('username','password','t3://adminip:port')
cd('SecurityConfiguration/<DOM_NAME>/DefaultRealm/myrealm/Authorizers/XACMLAuthorizer')
cmo.createPolicy('type=<jndi>','Grp(everyone)')
Updating the root-level JNDI policy with an additional group using WLST:
cmo.setPolicyExpression('type=<jndi>','Grp(everyone)|Grp(Administrators)')
Updating it with additional roles:
cmo.setPolicyExpression('type=<jndi>','Grp(everyone)|Grp(Administrators)|Rol(Admin)|Rol(MY_BIND_ROLE)')
Updating/adding roles on the JNDI resource (this is done on the role mapper, not the authorizer):
cd('SecurityConfiguration/<DOMAIN_NAME>/DefaultRealm/myrealm/RoleMappers/XACMLRoleMapper')
cmo.createRole('type=<jndi>','JMSRole','')
Removing the role:
cmo.removeRole('type=<jndi>','JMSRole')
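As an added example (not part of the original post), a plain Python script that works on captured output rather than inside WLST: it diffs the (resource id, policy expression) pairs of two environments, the comparison the opening paragraphs describe as impractical by hand, and flags policies that grant Grp(everyone), as the root JNDI policy above does. The sample pairs are constructed, and saving them out of listAllPolicies.py is assumed to have been done separately.

```python
import re

# Constructed sample captures, not real domain data: (resource id, policy
# expression) pairs such as listAllPolicies.py could write out per environment.
DEV_POLICIES = [
    ("type=<jndi>", "Grp(everyone)|Grp(Administrators)|Rol(Admin)|Rol(MY_BIND_ROLE)"),
    ("type=<jndi>, path=/ProxyServices, proxy=_HTTP_Proxy, action=invoke", "Rol(My_ROLE)"),
    ("type=<jms>", "Grp(Administrators)"),
]
PROD_POLICIES = [
    ("type=<jndi>", "Grp(Administrators) | Rol(MY_BIND_ROLE)"),
    ("type=<jndi>, path=/ProxyServices, proxy=_HTTP_Proxy, action=invoke", "Rol(My_ROLE)"),
    ("type=<jms>", "Grp(everyone)"),
    ("type=<jms>, application=MyApp, destinationType=queue, resource=OrdersQ, action=send", "Grp(users)"),
]

# Principal references as WebLogic writes them in expressions: Grp(name), Usr(name), Rol(name)
PRINCIPAL_RE = re.compile(r"\b(Grp|Usr|Rol)\(([^)]*)\)")

def normalize(expression):
    """Whitespace-insensitive form of an expression, so 'A | B' equals 'A|B'."""
    return re.sub(r"\s+", "", expression)

def principals(expression):
    """Set of principal references named in an expression, e.g. {'Grp(everyone)', 'Rol(Admin)'}.
    Lexical only: it does not evaluate the &, | or ! structure of the expression."""
    return {"%s(%s)" % m for m in PRINCIPAL_RE.findall(expression)}

def diff_policies(left, right):
    """Compare two captures. Returns (only_in_left, only_in_right, changed), where
    changed maps a resource id to its (left, right) expressions when they differ."""
    l, r = dict(left), dict(right)
    only_left = sorted(set(l) - set(r))
    only_right = sorted(set(r) - set(l))
    changed = {rid: (l[rid], r[rid]) for rid in sorted(set(l) & set(r))
               if normalize(l[rid]) != normalize(r[rid])}
    return only_left, only_right, changed

def open_to_everyone(policies):
    """Resource ids whose expression names Grp(everyone), the group that also contains
    anonymous callers; such grants on root-level resources like <jndi> deserve review."""
    return sorted(rid for rid, expr in policies if "Grp(everyone)" in principals(expr))

if __name__ == "__main__":
    only_dev, only_prod, changed = diff_policies(DEV_POLICIES, PROD_POLICIES)
    for rid in only_dev:
        print("only in DEV : %s" % rid)
    for rid in only_prod:
        print("only in PROD: %s" % rid)
    for rid, (dev, prod) in changed.items():
        print("changed     : %s\n    DEV : %s\n    PROD: %s" % (rid, dev, prod))
    print("open to everyone in PROD: %s" % open_to_everyone(PROD_POLICIES))
```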
Awesome.. I was in trouble. Created a WLST script using your blog. Thanks a lot.. Keep blogging
Hi Pavan, your post is very useful. I have one doubt: if I need to change security inside a proxy, can I use anything like this?
cmo.createPolicy('type=','path=tam/customermanagement/order/establishment/orderestablishmentnet/proxyservice','proxy=OrderEstablishmentNet12V1LCL','Grp(everyone)')
Where Type = alsb-proxy-service
Yeah, you can do that, but before that try to run the listAllPolicies.py script after deploying the proxies and try to find the exact proxy resource id, then execute createPolicy or setPolicyExpression.
Tks Pavan! I ran listAllPolicies successfully and I found the exact proxy. Really I need to change thousands of proxies, but I tried one first. When I ran the command to insert a group, for example like this:
cmo.createPolicy('type=','path=tam/customermanagement/order/establishment/orderestablishmentnet/proxyservice','proxy=OrderEstablishmentNet12V1LCL','Grp(teste)')
I receive the error TypeError: createPolicy(): expected 2 args; got 4
When I try with setPolicyExpression I receive the same error.
Maybe these commands are only used for JNDI? I don't know how to solve this.
tks
Where Type = alsb-proxy-service (Blogspot comments do not accept less-than and greater-than signs)
It works for me:
Connect to WLST
cd to SecurityConfiguration/OSBDomain/DefaultRealm/myrealm/Authorizers/XACMLAuthorizer
First remove the policy:
cmo.removePolicy('type=<alsb-proxy-service>, path=/ProxyServices, proxy=_HTTP_Proxy, action=invoke')
(Make sure you have the right type, path, proxy and action from the listAllPolicies output; even spaces matter, so you need to be very careful.)
Then add the policy:
cmo.createPolicy('type=<alsb-proxy-service>, path=/ProxyServices, proxy=_HTTP_Proxy, action=invoke','Rol(My_ROLE)')
This works if you do the above.
For your case:
cmo.removePolicy('type=<alsb-proxy-service>, path=tam/customermanagement/order/establishment/orderestablishmentnet/proxyservice, proxy=OrderEstablishmentNet12V1LCL, action=invoke')
cmo.createPolicy('type=<alsb-proxy-service>, path=tam/customermanagement/order/establishment/orderestablishmentnet/proxyservice, proxy=OrderEstablishmentNet12V1LCL, action=invoke','Grp(teste)')
Make sure you find the appropriate action for your proxy from your listAllPolicies output.
Let me know how it goes.