Skip Headers
Oracle® Fusion Middleware Application Security Guide
11g Release 1 (11.1.1)

Part Number E10043-12
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

E Administration with WLST Scripting and MBean Programming

This appendix describes advanced administrative tasks carried out with WLST scripts and MBean programming, in the following sections:

E.1 Configuring OPSS Service Provider Instances with a WLST Script

If your application uses the User and Role API and must access an authenticator user attribute different from the default attribute (which is cn), then using the WebLogic Administration Console, you would configure the authenticator to use the desired user attribute. But for the User and Role API to use an attribute different from the default, the authenticator must be, in addition, properly initialized.

The procedure below explains how to use a WLST script to change the authenticator initialization, so that the User and Role API uses the configured user attribute to access data in the configured authenticator.

For details about WebLogic scripting, see Oracle Fusion Middleware Oracle WebLogic Scripting Tool.

To add or update custom properties of a service instance, proceed as follows:

  1. Create a py script file with the following content:

    import sys
    connect('userName','userPass','t3://localHost:portNumber')
    domainRuntime()
    
    val = None
    key = None
    si = None
    for  i in range(len(sys.argv)):
        if sys.argv[i] == "-si":
            si = sys.argv[i+1]
        if sys.argv[i] == "-key":
            key  = sys.argv[i+1]
        if sys.argv[i] == "-value":
            val = sys.argv[i+1]
     
    on = ObjectName("com.oracle.jps:type=JpsConfig")
    sign = ["java.lang.String","java.lang.String","java.lang.String"]
    params = [si,key,val]
    mbs.invoke(on, "updateServiceInstanceProperty", params, sign)
    mbs.invoke(on, "persist", None, None)
    
  2. In the produced script, replace userName, userPass, localHost, and portNumber by the appropriate strings to connect to the administration server in the domain you are interested. Note that the use of connect requires that the server to which you want to connect be up and running when the script is invoked.

    Let's assume that the script is saved in the file /tmp/updateServiceInstanceProperty.py.

  3. Change to the directory $ORACLE_HOME/common/bin, which should contain the file wlst.sh:

    >cd $ORACLE_HOME/common/bin
    
  4. Run the following command:

    >wlst.sh /tmp/updateServiceInstanceProperty.py -si servInstName -key propKey -value propValue
    

    Where:

    • servInstName is the name of the service instance provider whose properties are to be modified.

    • propKey identifies the name of the property to insert or modify.

    • propValue is the name of the value to add or update.

    Any argument containing a space character must be enclosed with double quotes.

    Each invocation of the above command modifies the domain configuration file $DOMAIN_HOME/config/fmwconfig/jps-config.xml by adding or updating a property to the passed instance provider. If the passed key matches the name of an existing property, then that property is updated with the passed value.

  5. Restart the Oracle WebLogic server: the changes in configuration are not in effect until the server has been restarted.

Example of Use

Assume that the domain configuration file contains an authenticator named idstore.ldap. Then the following invocation:

wlst.sh /tmp/updateServiceInstanceProperty.py -si idstore.ldap -key "myPropName" -value "myValue"

adds (or updates) the specified property of that instance provider as illustrated in the following snippet:

<serviceInstance provider="idstore.ldap.provider" name="idstore.ldap">
   ...
   <property name="myPropName" value="myValue"/>
   ...
</serviceInstance>

When the authenticator is initialized with the above configuration, the User and Role API can use the user attribute mail to access user information in this authenticator.

E.2 Configuring OPSS Services with MBeans

Oracle Platform Security Services provides a set of JMX-compliant Java EE Beans that are used by Oracle Enterprise Manager Fusion Middleware Control and OPSS security scripts to manage, configure, and monitor Oracle Platform Security Services.

The use of MBeans is recommended in Java EE applications only.

Links to OPSS API javadocs, including the OPSS MBeans API javadoc, are available in Section H.1, "OPSS API References."

This section addresses the following topics:

E.2.1 List of Supported OPSS MBeans

Table E-1 lists the supported MBeans, their basic function, and the object name to use in custom WLST scripts or Java SE programs to perform a task:

Table E-1 List of OPSS MBeans

MBean Function MBeanServer Connection Name

Jps Configuration

Manages domain configuration data, that is in the file jps-config.xml. This MBean provides the only way to modify configuration data.

Update or write operations require server restart to effect changes.

com.oracle.jps:type=JpsConfig

Credential Store

Manages credential data, that is, the store service configured in the default context.

Update or write operations do not require server restart to effect changes. All changes are effected immediately. Access is restricted to administrators only.

com.oracle.jps:type=JpsCredentialStore

Global Policy Store

Manages global policies in the policy store configured in the default context.

Update or write operations do not require server restart to effect changes. All changes are effected immediately.

com.oracle.jps:type=JpsGlobalPolicyStore

Application Policy Store

Manages application policies in the policy store configured in the default context.

Update or write operations do not require server restart to effect changes. All changes are effected immediately.

com.oracle.jps:type=JpsApplicationPolicyStore

Administration Policy Store

Validates whether a user logged into the current JMX context belongs to a particular role. It does not facilitate any configuration modifications.

com.oracle.jps:type=JpsAdminPolicyStore


E.2.2 Invoking an OPSS MBean

There are two basic ways to invoke an OPSS MBean:

Note:

An alternative way to invoke an MBean is using the MBean browser in Fusion Middleware Control. This approach, however, allows only a limited number of operations and it involves composite data creation.

To access this browser, login to Fusion Middleware Control and then proceed as follows:

  1. Select the menu item AdminServer > System MBean Browser, in the appropriate domain, to display the page System MBean Browser.

  2. In the pane where the hierarchy is displayed, expand the nodes Application Defined MBeans, com.oracle.jps, and Domain: myDomain (where myDomain stands for the name of your domain); this last one has under it one node per OPSS MBean.

  3. After expanding any of those nodes, select an item, that is an MBean, and user the tabs Attributes, Operations, and Notifications in the right pane to inspect current attribute values or to invoke methods in the selected MBean.

For example, the Jps Configuration MBean is found at the following location in this hierarchy:

Application Defined MBeans/com.oracle.jps/Domain:myDomain/JpsConfig/JpsConfig

For complete details about this browser, see the Fusion Middleware Control online help system.

E.2.3 Programming with OPSS MBeans

The following code sample illustrates how to invoke the Jps Configuration MBean over the WebLogic Server t3 protocol; in this sample, note the following important points:

  • It assumes that the following JAR files are in the class path:

    • $ORACLE_HOME/oracle_common/modules/oracle.jps_11.1.1/jps-api.jar

    • $ORACLE_HOME/oracle_common/modules/oracle.jps_11.1.1/jps-mbeans.jar

    • $ORACLE_HOME/oracle_common/modules/oracle.jmx_11.1.1/jmxframework.jar

    • $ORACLE_HOME/oracle_common/modules/oracle.idm_11.1.1/identitystore.jar

    • $WEBLOGIC_HOME/server/lib/wljmxclient.jar

  • The connection is established by the method init.

  • Any update operation is followed by a call to persist.

import java.io.IOException;
import java.net.MalformedURLException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;

import javax.management.InstanceNotFoundException;
import javax.management.MBeanException;
import javax.management.MBeanServerConnection;
import javax.management.MalformedObjectNameException;
import javax.management.ObjectName;
import javax.management.ReflectionException;
import javax.management.openmbean.CompositeData;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;
import javax.naming.Context;
 
import oracle.security.jps.mas.mgmt.jmx.credstore.PortableCredential;
import oracle.security.jps.mas.mgmt.jmx.credstore.PortablePasswordCredential;
import oracle.security.jps.mas.mgmt.jmx.policy.PortableApplicationRole;
import oracle.security.jps.mas.mgmt.jmx.policy.PortableCodeSource;
import oracle.security.jps.mas.mgmt.jmx.policy.PortableGrant;
import oracle.security.jps.mas.mgmt.jmx.policy.PortableGrantee;
import oracle.security.jps.mas.mgmt.jmx.policy.PortablePermission;
import oracle.security.jps.mas.mgmt.jmx.policy.PortablePrincipal;
import oracle.security.jps.mas.mgmt.jmx.policy.PortableRoleMember;
import oracle.security.jps.mas.mgmt.jmx.util.JpsJmxConstants;
 
public class InvokeJpsMbeans {
    private static JMXConnector connector;
    private static MBeanServerConnection wlsMBeanConn;
    private static ObjectName configName;
    private static ObjectName credName;
    private static ObjectName appPolName;
    private static ObjectName gloPolName;
    private static ObjectName adminPolName;

    private final static String STR_NAME =String.class.getName();

    public static void main(String args[]) {
        // Intialize connection and retrieve connection object
        init();

        //Check registration
        if (isRegistered(configName)) 
            System.out.println("Jps Config MBean is registered");
        if (isRegistered(credName))
            System.out.println("Jps Credential Mbean is registered");
        if (isRegistered(appPolName)) 
            System.out.println("Jps Application policy Mbean is registered");
        if (isRegistered(gloPolName))
            System.out.println("Jps Global policy Mbean is registered");
        if (isRegistered(adminPolName)) 
           System.out.println("Jps Admin Policy Mbean is registered");

        //invoke MBeans
        invokeConfigMBeanMethods();
        invokeCredentialMBeanMethods();
        invokeApplicationPolicyMBeanMethods();
        invokeGlobalPolicyMBeanMethods();
        invokeAdminPolicyMBeanMethhods();
    }
    
    private static void invokeConfigMBeanMethods() {
        String KEY = "myKey";
        String VALUE = "myValue";
        String strVal;
        try {
            strVal = (String) wlsMBeanConn.invoke(configName, "updateProperty",
                     new Object[] { KEY, VALUE }, 
                     new String[] { STR_NAME, STR_NAME });
            wlsMBeanConn.invoke(configName,"persist",null,null);

            strVal = (String) wlsMBeanConn.invoke(configName, "getProperty", 
                     new Object[] { KEY }, new String[] { STR_NAME });
            System.out.println("Updated the property: " + strVal.equals(strVal));

            strVal = (String) wlsMBeanConn.invoke(configName, "removeProperty",
                     new Object[] { KEY }, new String[] { STR_NAME });
            wlsMBeanConn.invoke(configName,"persist",null,null);
        } catch (InstanceNotFoundException e) {
            // auto-generated catch block
            e.printStackTrace();
        } catch (MBeanException e) {
            // auto-generated catch block
            e.printStackTrace();
        } catch (ReflectionException e) {
            // auto-generated catch block
            e.printStackTrace();
        } catch (IOException e) {
            // auto-generated catch block
            e.printStackTrace();
        }
    }
 
private static void  invokeCredentialMBeanMethods() {
        
        String USER = "jdoe";
        String PASSWORD = "welcome1";
        String ALIAS = "mapName";
 String KEY = "keyValue";
         
 PortableCredential cred = new PortablePasswordCredential(USER, PASSWORD.toCharArray());
       
  try {
       //seed a password credential
       wlsMBeanConn.invoke(credName, "setPortableCredential", new Object[] { ALIAS, KEY, cred.toCompositeData(null) }, new String[] { STR_NAME, STR_NAME, CompositeData.class.getName() });
        boolean bContainsMap = (Boolean) wlsMBeanConn.invoke(credName, "containsMap", new Object[] { ALIAS }, new String[] { STR_NAME });
        System.out.println("Credstore contains map: " + ALIAS + " - " +bContainsMap);
 
        boolean bContainsCred = (Boolean) wlsMBeanConn.invoke(credName, "containsCredential", new Object[] { ALIAS, KEY }, new String[] { STR_NAME, STR_NAME });
        System.out.println("Contains Credential; " + bContainsCred);
 
        CompositeData cd = (CompositeData) wlsMBeanConn.invoke(credName, "getPortableCredential", new Object[] { ALIAS, KEY }, new String[] { STR_NAME, STR_NAME });
        cred = PortableCredential.from(cd);
 
        PortablePasswordCredential pc = (PortablePasswordCredential) cred;
 
        System.out.println("User name should be " +  USER + " Retrieved - " + pc.getName());
        System.out.println("Password should be " + PASSWORD + "retrieved - " +  new String(pc.getPassword()));
            
        //delete entire map
        wlsMBeanConn.invoke(credName, "deleteCredentialMap", new Object[] {ALIAS}, new String[] {STR_NAME} );
            
        } catch (InstanceNotFoundException e) {
            // auto-generated catch block
            e.printStackTrace();
        } catch (MBeanException e) {
            // auto-generated catch block
            e.printStackTrace();
        } catch (ReflectionException e) {
            // auto-generated catch block
            e.printStackTrace();
        } catch (IOException e) {
            // auto-generated catch block
            e.printStackTrace();
        }
 
    }

private static void invokeApplicationPolicyMBeanMethods() {
        //add grants to approles
        
        //first create application policy
        String TESTGET_APP_ROLES_MEMBERS = "testgetAppRolesMembers";
        try {
            wlsMBeanConn.invoke(appPolName, "deleteApplicationPolicy", new Object[] { TESTGET_APP_ROLES_MEMBERS }, new String[] { STR_NAME });
        } catch (Exception e ) {
            System.out.println("IGNORE: App " + TESTGET_APP_ROLES_MEMBERS + " might not exist");
        }
        try {
            wlsMBeanConn.invoke(appPolName, "createApplicationPolicy", new Object[] { TESTGET_APP_ROLES_MEMBERS }, new String[] { STR_NAME });
            // add remove members to applicaiton roles
            // Create App Role here
            String APP_ROLE_NAME = "ravenclaw_house";
            wlsMBeanConn.invoke(appPolName, "createApplicationRole", new Object[] { TESTGET_APP_ROLES_MEMBERS, APP_ROLE_NAME, null, null, null }, new String[] { STR_NAME, STR_NAME, STR_NAME, STR_NAME, STR_NAME });
            
            CompositeData cd = (CompositeData) wlsMBeanConn.invoke(appPolName, "getApplicationRole", new Object[] { TESTGET_APP_ROLES_MEMBERS, APP_ROLE_NAME }, new String[] { STR_NAME, STR_NAME });
            PortableApplicationRole appRole = PortableApplicationRole.from(cd);
            
            //Add custom principal here
            PortableRoleMember prm_custom = new PortableRoleMember("My.Custom.Principal","CustomPrincipal",null,null,null);
 
            CompositeData[] arrCompData = { prm_custom.toCompositeData(null) };
            cd = (CompositeData) wlsMBeanConn.invoke(appPolName, "addMembersToApplicationRole", new Object[] { TESTGET_APP_ROLES_MEMBERS, appRole.toCompositeData(null), arrCompData }, new String[] { STR_NAME, CompositeData.class.getName(), CompositeData[].class.getName() });
            
            // Chk if member got added
            CompositeData[] arrCD = (CompositeData[]) wlsMBeanConn.invoke(appPolName, "getMembersForApplicationRole", new Object[] { TESTGET_APP_ROLES_MEMBERS, appRole.toCompositeData(null) }, new String[] { STR_NAME, CompositeData.class.getName() });
            PortableRoleMember[] actRM = getRMArrayFromCDArray(arrCD);
            PortableRoleMember[] expRM = { prm_custom};
            chkRoleMemberArrays(actRM, expRM);
 
            cd = (CompositeData) wlsMBeanConn.invoke(appPolName, "removeMembersFromApplicationRole", new Object[] { TESTGET_APP_ROLES_MEMBERS, appRole.toCompositeData(null), arrCompData }, new String[] { STR_NAME, CompositeData.class.getName(), CompositeData[].class.getName() });
 
            // Chk if member got removed
            arrCD = (CompositeData[]) wlsMBeanConn.invoke(appPolName, "getMembersForApplicationRole", new Object[] { TESTGET_APP_ROLES_MEMBERS, appRole.toCompositeData(null) }, new String[] { STR_NAME, CompositeData.class.getName() });
            System.out.println("length should be zero :" + arrCD.length);
 
            // Remove the App Role
            wlsMBeanConn.invoke(appPolName, "removeApplicationRole", new Object[] { TESTGET_APP_ROLES_MEMBERS, APP_ROLE_NAME }, new String[] { STR_NAME, STR_NAME });
            wlsMBeanConn.invoke(appPolName, "deleteApplicationPolicy", new Object[] { TESTGET_APP_ROLES_MEMBERS }, new String[] { STR_NAME });
 
        } catch (InstanceNotFoundException e) {
            // auto-generated catch block
            e.printStackTrace();
        } catch (MBeanException e) {
            // auto-generated catch block
            e.printStackTrace();
        } catch (ReflectionException e) {
            // auto-generated catch block
            e.printStackTrace();
        } catch (IOException e) {
            // auto-generated catch block
            e.printStackTrace();
        }
    }

    private static PortableRoleMember[] getRMArrayFromCDArray(CompositeData[] arrCD) {
        PortableRoleMember[] actRM = new PortableRoleMember[arrCD.length];
        int idx = 0;
        for (CompositeData cdRM : arrCD) {
            actRM[idx++] = PortableRoleMember.from(cdRM);
        }
        return actRM;
    }

    private static void chkRoleMemberArrays(PortableRoleMember[] arrExpectedRM, PortableRoleMember[] arrActRM) {
 
        List < PortableRoleMember > lstExpRM = new ArrayList < PortableRoleMember >(Arrays.asList(arrExpectedRM));
        List < PortableRoleMember > lstActRM = new ArrayList < PortableRoleMember >(Arrays.asList(arrActRM));
 
        for (PortableRoleMember actRM : lstActRM) {
            for (int idx = 0; idx < lstExpRM.size(); idx++) {
                PortableRoleMember expRM = (PortableRoleMember) lstExpRM.get(idx);
                if (expRM.equals(actRM)) {
                    lstExpRM.remove(idx);
                    break;
                }
            }
        }
        System.out.println("List should be empty - " + lstExpRM.size());
    }

    private static void  invokeAdminPolicyMBeanMethhods() {
        //Connection is established as weblogic user, who by OOTB gets all permissions
        Boolean bool;
        try {
            bool = (Boolean) wlsMBeanConn.invoke(adminPolName,"checkRole",new Object[]{"Admin"}, new String[]{STR_NAME});
            System.out.println("Werblogic has Admin role: " + bool);
            bool = (Boolean) wlsMBeanConn.invoke(adminPolName,"checkRole",new Object[] {"Configurator"}, new String[]{STR_NAME});
            System.out.println("Werblogic has Configurator role: " + bool);
            bool = (Boolean) wlsMBeanConn.invoke(adminPolName,"checkRole", new Object[]{new String[] {"Operator", "Admin", "Configurator"}},
                    new String[]{String[].class.getName()});
            System.out.println("Werblogic has Admin,Operator,Configurator role: " + bool);
        } catch (InstanceNotFoundException e) {
            // auto-generated catch block
            e.printStackTrace();
        } catch (MBeanException e) {
            // auto-generated catch block
            e.printStackTrace();
        } catch (ReflectionException e) {
            // auto-generated catch block
            e.printStackTrace();
        } catch (IOException e) {
            // auto-generated catch block
            e.printStackTrace();
        }
    }

    private static void invokeGlobalPolicyMBeanMethods() {
        // lets create a grant in system policy
        PortablePrincipal CUSTOM_JDOE = new PortablePrincipal("oracle.security.jps.internal.core.principals.CustomXmlUserImpl", "jdoe", PortablePrincipal.PrincipalType.CUSTOM);
        PortablePrincipal CUSTOM_APP_ADMINS = new PortablePrincipal("oracle.security.jps.internal.core.principals.CustomXmlEnterpriseRoleImpl", "oc4j-app-administrators", PortablePrincipal.PrincipalType.CUSTOM);
        PortablePrincipal[] arrPrincs = {CUSTOM_JDOE, CUSTOM_APP_ADMINS};
        //code source URL        
        String URL = "http://www.oracle.com/as/jps-api.jar";
        PortableCodeSource pcs = new PortableCodeSource(URL);
        PortableGrantee pge = new PortableGrantee(arrPrincs, pcs);
        PortablePermission CSF_PERM = new PortablePermission("oracle.security.jps.service.credstore.CredentialAccessPermission", "context=SYSTEM,mapName=MY_MAP,keyName=MY_KEY", "read");
        PortablePermission[] arrPerms = {CSF_PERM};
        PortableGrant grnt = new PortableGrant(pge, arrPerms);
        CompositeData[] arrCompData = { grnt.toCompositeData(null) };
        try {
            System.out.println("Creating System Policy grant");
            wlsMBeanConn.invoke(gloPolName, "grantToSystemPolicy", new Object[] { arrCompData }, new String[] { CompositeData[].class.getName() });
            System.out.println("Deleting the created grant");
            wlsMBeanConn.invoke(gloPolName, "revokeFromSystemPolicy", new Object[] { arrCompData }, new String[] { CompositeData[].class.getName() });
            
        } catch (InstanceNotFoundException e) {
            // auto-generated catch block
            e.printStackTrace();
        } catch (MBeanException e) {
            // auto-generated catch block
            e.printStackTrace();
        } catch (ReflectionException e) {
            // auto-generated catch block
            e.printStackTrace();
        } catch (IOException e) {
            // auto-generated catch block
            e.printStackTrace();
        }
    }

    private static boolean isRegistered(ObjectName name) {
        try {
            return wlsMBeanConn.isRegistered(name);
        } catch (IOException e) {
            // auto-generated catch block
            e.printStackTrace();
        }
        return false;
    }
 
    private static void init() {
        String protocol = "t3";
        String jndi_root = "/jndi/";
        String wlserver = "myWLServer";
        String host =  "myHost.com";
        int port =  7001;
        String adminUsername = "myAdminName";
        String adminPassword = "myAdminPassw";
        JMXServiceURL url;
        try {
            url = new JMXServiceURL(protocol,host,port,jndi_root+wlserver);
            HashMap<String, Object> env = new HashMap<String, Object>();
            env.put(Context.SECURITY_PRINCIPAL, adminUsername);
            env.put(Context.SECURITY_CREDENTIALS, adminPassword);
            env.put(JMXConnectorFactory.PROTOCOL_PROVIDER_PACKAGES,
                    "weblogic.management.remote");
            connector = JMXConnectorFactory.connect(url, env);
            wlsMBeanConn = connector.getMBeanServerConnection();
                        //create object names
        // the next string is set to com.oracle.jps:type=JpsConfig
            configName = new
                 ObjectName(JpsJmxConstants.MBEAN_JPS_CONFIG_FUNCTIONAL);
// the next string is set to com.oracle.jps:type=JpsApplicationPolicyStore
            appPolName = new
                 ObjectName(JpsJmxConstants.MBEAN_JPS_APPLICATION_POLICY_STORE);
// the next string is set to com.oracle.jps:type=JpsGlobalPolicyStore
            gloPolName = new
                 ObjectName(JpsJmxConstants.MBEAN_JPS_GLOBAL_POLICY_STORE);
// the next string is set to com.oracle.jps:type=JpsAdminPolicyStore
            adminPolName = new
                 ObjectName(JpsJmxConstants.MBEAN_JPS_ADMIN_POLICY_STORE);
// the next string is set to com.oracle.jps:type=JpsCredentialStore
            credName = new ObjectName(JpsJmxConstants.MBEAN_JPS_CREDENTIAL_STORE);
        } catch (MalformedURLException e) {
            // take proper action
            e.printStackTrace();
        } catch (IOException e) {
            // take proper action
            e.printStackTrace();
        } catch (MalformedObjectNameException e) {
            // auto-generated catch block
            e.printStackTrace();
        }
    }
}

For further details about programmatic configuration of services, see part Part V, "Developing with Oracle Platform Security Services APIs"

E.3 Access Restrictions

The information in this section is not restricted to OPPS MBeans but applies, more generally, to Oracle Fusion Middleware MBeans.

The security access to MBeans is based on logical roles rather than on security permissions. MBeans are annotated using role-based constraints that are enforced at run time by the JMX Framework.

This section illustrates the use of some annotations, describes what they mean, lists the particular access restrictions, and explains the mapping of logical roles to Oracle WebLogic Server enterprise groups.

E.3.1 Annotation Examples

The following code snippet illustrates the use of some enterprise group annotations (in bold text) in an MBean interface:

@Description(resourceKey = "demo.ScreenCustomizerRuntimeMBean.description",
             resourceBundleBaseName = "demo.runtime.Messages")
@ImmutableInfo("true")
@Since("1.1")
public interface ScreenCustomizerRuntimeMXBean {
  @Description(resourceKey = "demo.ScreenCustomizerRuntimeMBean.Active",
               resourceBundleBaseName = "demo.runtime.Messages") 
  @AttrributeGetterRequiredGlobalSecurityRole(GlobalSecurityRole.Operator)
    public boolean isActive();
  @AttrributeSetterRequiredGlobalSecurityRole(GlobalSecurityRole.Admin)
    public void setActive(boolean val);
 
  @Description(resourceKey =
                     "demo.ScreenCustomizerRuntimeMBean.ActiveVirtualScreenId",
               resourceBundleBaseName = "demo.runtime.Messages") 
  @DefaultValue("0")
  @LegalValues( {"0", "2", "4", "6", "8" })
  @RequireRestart(ConfigUptakePolicy.ApplicationRestart) 
  @OperationRequiredGlobalSecurityRole(GlobalSecurityRole.Admin)
     public void setActiveVirtualScreenId(int id) throws IllegalArgumentException;
  …
}

In the above code sample, the annotation:

  • @AtrributeGetterRequiredGlobalSecurityRole specifies that a user must belong to the role Operator to access the get method isActive.

  • @AtrributeSetterRequiredGlobalSecurityRole specifies that a user must belong to the role Admin to access the set method setActive.

  • @OperationRequiredGlobalSecurityRole specifies that a user must belong to the role Admin to access the MBean method setActiveVirtualScreenId.

Note that all three annotations above apply just to a specific item in the interface.

The following code snippet illustrates the use of another annotation (in bold text) with a different scope:

@Description(resourceKey = "demo.ScreenCustomizerRuntimeMBean.description",
             resourceBundleBaseName = "demo.runtime.Messages")
@ImmutableInfo("true")
@Since("1.1")
@MBeanRequiredGlobalSecurityRole(GlobalSecurityRole.Admin)
public interface ScreenCustomizerRuntimeMXBean { … }

In the above code sample, the annotation @MbeanRequiredGlobalSecurityRole specifies that a user must belong to the role Admin to access any operation or attribute of the MBean, that is, its scope is the entire MBean. Annotations with method or attribute scope override annotations that apply to the entire MBean.

The enumeration GlobalSecurityRole defines the set of global, logical roles that are mapped to actual roles in the environment before performing security checks. This enumeration includes the value NONE to indicate that any user has read and write access to the annotated operation or attribute.

For details, see the oracle.jmx.framework Javadoc documentation.

E.3.2 Mapping of Logical Roles to WebLogic Roles

Table E-2 shows the mapping of logical roles to enterprise groups.

Table E-2 Mapping of Logical Roles to WebLogic Groups

Logical Role Default Privileges WebLogic Group

Admin

Read and write access to all MBeans

Admin

Configurator

Read and write access to configuration MBeans

Admin

Operator

Read access to configuration MBeans; read and write access to all run time MBeans

Operator

Monitor

Read access to all MBeans

Monitor

ApplicationAdmin

Read and write access to all application MBeans

Admin

ApplicationConfigurator

Read and write access to all application MBeans

Admin

ApplicationOperator

Read access to application configuration MBeans; read and write access to application runtime MBeans

Operator

ApplicationMonitor

Read access to all application runtime and configuration MBeans

Monitor


For details about WebLogic roles, see sections Users, Groups, And Security Roles and in Oracle Fusion Middleware Securing Resources Using Roles and Policies for Oracle WebLogic Server.

E.3.3 Particular Access Restrictions

By default, all write and update operations require that the user be a member of the Admin or Configurator roles. In addition, operations annotated with the tag @Impact(value=1) require the user to be a member of the Admin role, and operations annotated with the tag @Impact(value=0) require the user to be a member of the Admin or Operator roles.

Table E-3 describes the roles required to access attributes and operations of Fusion Middleware Control MBeans:

Table E-3 Roles Required per Operation

Operations with impact value MBean type Require any of the roles

INFO or attribute getter

System configuration MBean

Monitor, Operator, Configurator, Admin

INFO or attribute getter

Application configuration MBean

Monitor, Operator, Configurator, Admin, ApplicationMonitor, ApplicationOperator, ApplicationConfigurator, ApplicationAdmin

ACTION, ACTION_INFO, UNKNOWN, or attribute setter

System configuration MBean

Admin, Configurator

ACTION, ACTION_INFO, UNKNOWN, or attribute setter

Application configuration MBean

Admin, Configurator, ApplicationAdmin, ApplicationConfigurator

INFO or attribute getter

System runtime MBean

Monitor, Operator, Configurator, Admin

INFO or attribute getter

Application runtime MBean

Monitor, Operator, Configurator, Admin, ApplicationMonitor, ApplicationOperator, ApplicationAdmin

ACTION, ACTION_INFO, UNKNOWN, or attribute setter

System runtime MBean

Admin, Operator

ACTION, ACTION_INFO, UNKNOWN, or attribute setter

Application runtime MBean

Admin, Operator, ApplicationAdmin, ApplicationOperator