C Managing Advanced Policies with WLST

The WebLogic Scripting Tool (WLST) is a command-line scripting interface that system administrators and operators use to monitor and manage WebLogic Server instances and domains. This Appendix documents the commands to manage advanced policies with Oracle Entitlements Server using the WLST. It contains the following sections.

C.1 Using the WebLogic Scripting Tool with Oracle Entitlements Server

The WLST scripting environment is based on Jython, the Java scripting interpreter. By following the Jython language syntax, Oracle Entitlements Server extends the scripting language to allow for management of advanced policies. The new scripts are supported on the WebLogic Application Server, the WebSphere Application Server and the JBoss Application Server in both offline and online modes. The following links offer more information on the WLST and related subjects.

The following sections in this book document the general process for creating a simple policy and adding advanced elements to it.

C.2 Using the WLST Commands

This section describes the WLST commands in online mode. Offline mode is not supported.

C.2.1 createApplicationPolicy

Create an Application (also referred to as an Application Policy) using the specified name.

Interactive Mode

createApplicationPolicy(appStripe="<appStripeName>")

Script Mode

./wlst.sh createAdvancedPolicy.py -appStripe <appStripeName>

Arguments

  • appStripeName – name of the Application Policy to be created.

C.2.2 updateResourceType

Update the specified Resource Type with the new properties.

Interactive Mode

updateResourceType(appStripe="<appStripeName>", 
  resourceTypeName="<resourceTypeName>",
  displayName="<displayName>", description="<description>",
  allowedActions="<actions>", delimiter="<delimiter>", 
  attributes="<attributes>", provider="<resTypeProvider>",
  matcher="<matcherClass>", hierarchicalResource="<hierarchicalResource>", 
  resourceNameDelimiter="<resourceNameDelimiter>")

Script Mode

./wlst.sh updateResourceType.py -appStripe <appStripeName> 
 -resourceTypeName <resourceTypeName> [-displayName <displayName>] 
 [-description <description>] [-allowedActions <actions>]
 [-delimiter <delimiter>]
 [-attributes <attributes>] [-provider <resTypeProvider>] 
 [-matcher <matcherClass>]
 [-hierarchicalResource <hierarchicalResource>] 
 [-resourceNameDelimiter <resourceNameDelimiter>]

Arguments

  • appStripeName – The Application (also referred to as an Application Policy) name. Required.

  • resourceTypeName – Name of the Resource Type to be updated. Required.

  • displayName – Display name for the Resource Type. Optional.

  • description – Short description of the Resource Type. Optional.

  • actions - A comma-separated list of the allowed action(s) to be added or removed from the Resource Type. Actions prefixed with a dash (-) will be removed from the list; those without the prefix will be added to the list. Optional.

  • delimiter – The delimiter used in the actions list. If unspecified, a comma is the default (,). Optional.

  • attributes – A comma-separated list of attribute name(s) to be added or removed from the attribute set of the Resource Type. Attribute names prefixed with a dash (-) will be removed from the list; those without the prefix will be added to the list. Optional. Can be null.

  • resTypeProvider – Provider class name for this Resource Type. Optional. Can be null.

  • matcherClass – Matcher class name for this Resource Type. If unspecified, the default matcher class used is oracle.security.jps.ResourcePermission. Optional. Can be null.

  • hierarchicalResource - Flag showing whether the Resource Type supports hierarchical resources. It is an optional parameter with a default value of false. Can be null.

  • resourceNameDelimiter - Character to be used as a delimiter in names of hierarchical resources of this Resource Type. It is an optional parameter with a default value of a forward slash (/). A value should not be provided if the hierarchicalResource parameter is not given a value of true.

C.2.3 updateResource

Update the specified Resource with the new properties.

Interactive Mode

updateResource (appStripe="<appStripeName>", resourceName="<resourceName>",
 type="<resourceType>", displayName="<displayName>", description="<description>",
 attributes="<attributes>")

Script Mode

./wlst.sh updateResource.py -appStripe <appStripeName> 
 -resourceName <resourceName> -type <resourceType> [-displayName <displayName>]
 [-description <description>] [-attributes <attributes>]

Arguments

  • appStripeName – The Application (also referred to as an Application Policy) name. Required.

  • resourceName – Name of Resource to be updated. Required.

  • type – Name of the Resource Type associated with the Resource. Required.

  • displayName – Display name for the Resource Type. Optional.

  • description – Short description of the Resource Type. Optional.

  • attributes – A semicolon-separated list of attribute(s) to be added to or removed from the Resource's attribute set. Optional. The following rules govern how to write an attribute value.

    1. To add a single-valued attribute, the format is <attribute name>:<value>

    2. To add a multi-valued attribute, the format is <attribute name>:<value 1>,<value 2>,...,<value n>

    3. To remove an attribute, the format is -<attribute name>
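As an added example (not code from the Oracle documentation), the following Python applies the delta-list format of the updateResourceType allowedActions and attributes arguments (C.2.2) and the semicolon-separated attributes format of updateResource (C.2.3) to current values, so the effect of a command can be previewed before it is run against the policy store. The left-to-right ordering of add and remove entries is an assumption, and the sample values are constructed.

```python
"""Preview what an updateResourceType delta list (C.2.2) and an updateResource
attributes string (C.2.3) would do to the current values.  Added example, not
Oracle's code; entries are assumed to apply left to right."""


def apply_delta(current, spec, delimiter=","):
    """Apply an updateResourceType-style list such as "act3,-act1" to a set.

    Entries prefixed with '-' are removed, all others are added; entries are
    separated by `delimiter` (the command's -delimiter, a comma by default).
    Returns a sorted list and leaves `current` untouched.
    """
    result = set(current)
    for raw in spec.split(delimiter):
        entry = raw.strip()
        if not entry:
            continue
        if entry.startswith("-"):
            result.discard(entry[1:].strip())
        else:
            result.add(entry)
    return sorted(result)


def parse_attribute_spec(spec):
    """Parse the semicolon-separated updateResource attributes string into
    ("add", name, [values]) and ("remove", name, None) operations.

      name:value          single-valued attribute
      name:v1,v2,...,vn   multi-valued attribute
      -name               remove the attribute

    A malformed entry raises ValueError rather than being silently skipped.
    """
    ops = []
    for raw in spec.split(";"):
        entry = raw.strip()
        if not entry:
            continue
        if entry.startswith("-"):
            name = entry[1:].strip()
            if not name or ":" in name:
                raise ValueError("bad removal entry: %r" % entry)
            ops.append(("remove", name, None))
            continue
        name, sep, values = entry.partition(":")
        name = name.strip()
        if not sep or not name or not values.strip():
            raise ValueError("expected name:value in %r" % entry)
        ops.append(("add", name, [v.strip() for v in values.split(",")]))
    return ops


def apply_attribute_spec(current, spec):
    """Return the attribute map that would result after updateResource."""
    result = dict(current)
    for op, name, values in parse_attribute_spec(spec):
        if op == "remove":
            result.pop(name, None)
        else:
            result[name] = values
    return result


if __name__ == "__main__":
    # Constructed sample values; not taken from a real policy store.
    print(apply_delta(["action1", "action2"], "action3,-action1"))
    print(apply_attribute_spec({"owner": ["alice"], "tier": ["gold"]},
                               "region:emea,apac;-tier;env:prod"))
```

Running the preview before the real command is a cheap guard against a typo that silently adds an action to a Resource Type instead of removing it: a missing leading dash turns a revocation into a grant.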

C.2.4 createPolicy

Create a new Policy within the specified Application.

Interactive Mode

createPolicy (appStripe="<appStripeName>", policyName="<policyName>", 
 [displayName="<displayName>"], [description="<description>"], 
 ruleExpression="<ruleExpression>", {entitlements="<entitlements>"|
 resourceActions="<resActions>"}, 
 {principals="<principals>"|codeSource="<codeSource>"}, 
 [obligations="<obligations>"], [semantic="<semantic>"])

Script Mode

./wlst.sh createPolicy.py -appStripe <appStripeName> 
 -policyName <policyName> [-displayName <displayName>] 
 [-description <description>] -ruleExpression <ruleExpression> 
 {-entitlements <entitlements>|-resourceActions <resActions>} 
 {-principals <principals>|-codeSource <codeSource>} 
 [-obligations <obligations>] [-semantic <semantic>] 

Arguments

  • appStripeName – The Application (also referred to as an Application Policy) name. Required.

  • policyName – Name of policy to be created. Required.

  • displayName – Display name for the Policy. Optional.

  • description – Short description of the Policy. Optional.

  • ruleExpression – A rule expression is evaluated for the policy decision. Required. The following rules govern how to write an expression.

    1. The ruleExpression begins with a name. The name is followed by a colon (:) which is then followed by an effect (GRANT/DENY). The effect is followed by a second colon (:) and an expression. The expression is comprised of functions and attributes. If there is no Condition to be evaluated for the ruleExpression, the second colon (:) and the expression following it are not required.

    2. All functions, including built-in ones, are specified as a valid function name followed by a list of parameters enclosed within parentheses [()].

    3. Attributes and function names must be valid Java identifiers.

    4. Integer literal parameters begin with a digit between 1-9 followed by digits between 0-9. They can optionally be prefixed by a dash (-) for negative integers.

    5. String literals are enclosed within double quotes ("").

    6. Date and Time literals are specified as GMT strings followed by the letter d and t, respectively. Case-insensitive.

    7. Standard DataTypes supported are string, int, boolean, date and time.

    8. Supported Operators: && and || are used to combine two boolean expressions. ! is used on a boolean expression. == is used to check equality between two strings, integers, dates or times. >, <, >= and <= are used to compare two integers, dates or times.

    9. Only the operators &&, || and ! accept boolean expressions as operands; all other operators and functions take only values and attributes as parameters.

  • entitlements – A comma-separated list of Permission Set entry name(s). Should be present only if resActions (Resource actions) is absent.

  • resActions – A comma-separated list of Resource action(s). Should be present only if entitlements is absent. Resource actions are specified as an existing Resource Type followed by a colon (:). This is then followed by an existing Resource name, followed by a comma-separated list (within parentheses) of valid actions for the Resource. For example:

    resType1:res1(act1, act2),resType2:res2(act1),resType2:res3(act2)
    
  • principals – A comma-separated list of Principals. Should be present only if codeSource is absent. Principals are specified as a name followed by a colon (:) and a fully-qualified class-name. For example:

    admin:com.example.myPrincipal, manager:com.example.myPrincipal
    
  • codeSource – Code-source as a string. It should be present only if Principals are absent. Optional.

  • obligations – A comma-separated list of Obligations. Optional. Obligations are specified as an Obligation name followed by a comma-separated list of Obligation attribute assignments within parentheses. If the assignment is a literal, it must be prefixed by a name followed by a colon (:). When assignment is an attribute, the name is optional. For example:

    ob1(attr1,str1:"a String"),ob2(a2:attr2)
    
  • semantic – Either "and" or "or" can be chosen as the policy semantic. Optional.
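As an added example (not Oracle's code), the following Python parses the resourceActions, principals and obligations strings in the formats documented for createPolicy above (updatePolicy in C.2.5 takes the same formats) and checks each requested action against the allowedActions of its Resource Type before the command is run. The leading dash on a resource action, treated here as a removal, follows the updatePolicy usage in Example C-1; all sample values are constructed.

```python
"""Parse createPolicy/updatePolicy resourceActions, principals and obligations
strings and validate actions against allowedActions.  Added example, not
Oracle's code; a leading '-' on a resource action is treated as a removal."""

import re

JAVA_IDENT = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*$")
RES_ACTION = re.compile(r"^(-?)([^:()]+):([^:()]+)\(([^()]*)\)$")


def split_top_level(text, sep=","):
    """Split on `sep` only where it is outside parentheses and double quotes."""
    parts, buf, depth, in_str = [], [], 0, False
    for ch in text:
        if ch == '"':
            in_str = not in_str
        elif not in_str and ch == "(":
            depth += 1
        elif not in_str and ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced ')' in %r" % text)
        elif not in_str and ch == sep and depth == 0:
            parts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    if depth or in_str:
        raise ValueError("unbalanced parentheses or quotes in %r" % text)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def parse_resource_actions(spec):
    """resType:res(act1, act2),... -> [(remove, type, name, [actions])]."""
    out = []
    for entry in split_top_level(spec):
        m = RES_ACTION.match(entry)
        if not m:
            raise ValueError("malformed resource action: %r" % entry)
        minus, rtype, rname, acts = m.groups()
        actions = [a.strip() for a in acts.split(",") if a.strip()]
        if not actions:
            raise ValueError("no actions listed for %s:%s" % (rtype, rname))
        out.append((minus == "-", rtype.strip(), rname.strip(), actions))
    return out


def check_resource_actions(parsed, allowed_actions):
    """Return (type, name, action) triples not covered by allowedActions."""
    bad = []
    for _remove, rtype, rname, actions in parsed:
        permitted = allowed_actions.get(rtype, ())
        bad.extend((rtype, rname, a) for a in actions if a not in permitted)
    return bad


def parse_principals(spec):
    """name:fully.qualified.Class,... -> [(name, class)]."""
    out = []
    for entry in split_top_level(spec):
        name, sep, cls = entry.partition(":")
        name, cls = name.strip(), cls.strip()
        if not sep or not name or not all(JAVA_IDENT.match(p) for p in cls.split(".")):
            raise ValueError("malformed principal: %r" % entry)
        out.append((name, cls))
    return out


def parse_obligations(spec):
    """ob(attr, n:"lit", n2:attr2),... -> {ob: [(name or None, value)]}.

    A literal must carry a name; a bare entry must be an attribute name.
    """
    out = {}
    for entry in split_top_level(spec):
        m = re.match(r"^([^()]+)\((.*)\)$", entry)
        if not m:
            raise ValueError("malformed obligation: %r" % entry)
        assigns = []
        for a in split_top_level(m.group(2)):
            name, sep, value = a.partition(":")
            name, value = name.strip(), value.strip()
            if not sep and JAVA_IDENT.match(name):
                assigns.append((None, name))        # bare attribute, name optional
            elif sep and JAVA_IDENT.match(name) and value:
                assigns.append((name, value))       # named literal or attribute
            else:
                raise ValueError("bad obligation assignment: %r" % a)
        out[m.group(1).strip()] = assigns
    return out


if __name__ == "__main__":
    # Constructed sample: resType2 only allows act1, so res3(act2) is flagged.
    allowed = {"resType1": {"act1", "act2"}, "resType2": {"act1"}}
    parsed = parse_resource_actions("resType1:res1(act1, act2),resType2:res3(act2)")
    print(check_resource_actions(parsed, allowed))
```

Splitting only on top-level commas matters because obligation literals may contain commas and parentheses; a naive split would silently truncate an obligation value or attach part of one entry to the next.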

C.2.5 updatePolicy

Update an existing Policy in the specified application.

Interactive Mode

updatePolicy (appStripe="<appStripeName>", policyName="<policyName>", 
 [displayName="<displayName>"], [description="<description>"], 
 [ruleExpression="<ruleExpression>"], [obligations="<obligations>"], 
 [entitlements="<entitlements>"|resourceActions="<resActions>"], 
 [principals="<principals>"|codeSource="<codeSource>"])

Script Mode

./wlst.sh updatePolicy.py -appStripe <appStripeName> 
 -policyName <policyName> [-displayName <displayName>] 
 [-description <description>] [-ruleExpression <ruleExpression>] 
 [-obligations <obligations>] 
 [-entitlements <entitlements>|-resourceActions <resActions>] 
 [-principals <principals>|-codeSource <codeSource>] 

Arguments

  • appStripeName – The Application (also referred to as an Application Policy) name. Required.

  • policyName – Name of policy to be updated. Required.

  • displayName – Display name for the Policy. Optional.

  • description – Short description of the Policy. Optional.

  • ruleExpression – A rule expression is evaluated for the policy decision. Required. The following rules govern how to write an expression.

    1. The ruleExpression begins with a name. The name is followed by a colon (:) which is then followed by an effect (GRANT/DENY). The effect is followed by a second colon (:) and an expression. The expression is comprised of functions and attributes. If there is no Condition to be evaluated for the ruleExpression, the second colon (:) and the expression following it are not required.

    2. All functions, including built-in ones, are specified as a valid function name followed by a list of parameters enclosed within parentheses [()].

    3. Attributes and function names must be valid Java identifiers.

    4. Integer literal parameters begin with a digit between 1-9 followed by digits between 0-9. They can optionally be prefixed by a dash (-) for negative integers.

    5. String literals are enclosed within double quotes ("").

    6. Date and Time literals are specified as GMT strings followed by the letter d and t, respectively. Case-insensitive.

    7. Standard DataTypes supported are string, int, boolean, date and time.

    8. Supported Operators: && and || are used to combine two boolean expressions. ! is used on a boolean expression. == is used to check equality between two strings, integers, dates or times. >, <, >= and <= are used to compare two integers, dates or times.

    9. Only the operators &&, || and ! accept boolean expressions as operands; all other operators and functions take only values and attributes as parameters.

  • entitlements – A comma-separated list of Permission Set entry name(s). Should be present only if resActions (Resource actions) is absent.

  • resActions – A comma-separated list of Resource action(s). Should be present only if entitlements is absent. Resource actions are specified as an existing Resource Type followed by a colon (:). This is then followed by an existing Resource name, followed by a comma-separated list (within parentheses) of valid actions for the Resource. For example:

    resType1:res1(act1, act2),resType2:res2(act1),resType2:res3(act2)
    
  • principals – A comma-separated list of Principals. Should be present only if codeSource is absent. Principals are specified as a name followed by a colon (:) and a fully-qualified class-name. For example:

    admin:com.example.myPrincipal, manager:com.example.myPrincipal
    
  • codeSource – Code-source as a string. It should be present only if Principals are absent. Optional.

  • obligations – A comma-separated list of Obligations. Optional. Obligations are specified as an Obligation name followed by a comma-separated list of Obligation attribute assignments within parentheses. If the assignment is a literal, it must be prefixed by a name followed by a colon (:). When assignment is an attribute, the name is optional. For example:

    ob1(attr1,str1:"a String"),ob2(a2:attr2)
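As an added example (not Oracle's code), the following Python checks a ruleExpression against the nine syntax rules listed for createPolicy (C.2.4) and updatePolicy (C.2.5) before the string is handed to WLST. Two assumptions are made where the page is silent: the effect is matched case-insensitively (Example C-1 writes "grant"), and since the GMT string layout for date and time literals is not given, any double-quoted string followed by d or t is accepted as a date or time literal. The sample expressions are constructed from those in Example C-1.

```python
"""Validate a createPolicy/updatePolicy ruleExpression against the documented
syntax rules.  Added example, not Oracle's code.  Assumptions: effect matched
case-insensitively; any quoted string followed by d/t is a date/time literal."""

import re

JAVA_IDENT = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*$")
TOKEN = re.compile(r"""\s*(?:
    (?P<string>"[^"]*")(?P<suffix>[dDtT]?)    # rules 5 and 6
  | (?P<int>-?[1-9][0-9]*)                    # rule 4
  | (?P<ident>[A-Za-z_$][A-Za-z0-9_$]*)       # rule 3
  | (?P<op>&&|\|\||==|>=|<=|!|>|<)            # rule 8
  | (?P<paren>[()])
  | (?P<comma>,)
  | (?P<bad>\S)
)""", re.VERBOSE)
EFFECTS = ("GRANT", "DENY")
LEAF = ("ident", "int", "string", "date", "time")


def tokenize(expr):
    """Split an expression into (kind, text) tokens; reject stray characters."""
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        pos = m.end()
        if m.group("bad"):
            raise ValueError("unexpected character %r" % m.group("bad"))
        if m.group("string") is not None:
            kind = {"": "string", "d": "date", "t": "time"}[m.group("suffix").lower()]
            tokens.append((kind, m.group("string") + m.group("suffix")))
            continue
        for kind in ("int", "ident", "op", "paren", "comma"):
            if m.group(kind) is not None:
                tokens.append((kind, m.group(kind)))
                break
    return tokens


def check_rule_expression(rule):
    """Return (name, EFFECT, tokens) for name:effect[:expression] (rule 1)."""
    parts = rule.split(":", 2)
    if len(parts) < 2:
        raise ValueError("expected name:effect[:expression]")
    name, effect = parts[0].strip(), parts[1].strip().upper()
    if not JAVA_IDENT.match(name):
        raise ValueError("rule name %r is not a valid Java identifier" % name)
    if effect not in EFFECTS:
        raise ValueError("effect must be GRANT or DENY, got %r" % effect)
    tokens = tokenize(parts[2]) if len(parts) == 3 else []
    _check_structure(tokens)
    return name, effect, tokens


def _check_structure(tokens):
    depth = 0
    for i, (kind, text) in enumerate(tokens):
        if kind == "paren":
            depth += 1 if text == "(" else -1
            if depth < 0:
                raise ValueError("unbalanced ')'")
        elif kind == "op" and text not in ("&&", "||", "!"):
            # rule 9: comparison operands are values or attributes, not expressions
            for j in (i - 1, i + 1):
                if j < 0 or j >= len(tokens) or tokens[j][0] not in LEAF:
                    raise ValueError("operand of %s must be a value or attribute" % text)
        elif kind == "ident" and tokens[i + 1:i + 2] == [("paren", "(")]:
            _check_call(tokens, i + 2)
    if depth:
        raise ValueError("unbalanced '('")


def _check_call(tokens, start):
    """Function parameters (rules 2 and 9): leaves separated by commas."""
    j, want_leaf = start, True
    while j < len(tokens) and tokens[j] != ("paren", ")"):
        kind, text = tokens[j]
        if want_leaf and kind not in LEAF:
            raise ValueError("function parameter must be a value or attribute: %r" % text)
        if not want_leaf and kind != "comma":
            raise ValueError("expected ',' between parameters, got %r" % text)
        want_leaf, j = not want_leaf, j + 1
    if j == len(tokens) or (want_leaf and j > start):
        raise ValueError("unterminated or malformed parameter list")


if __name__ == "__main__":
    # Constructed from the rule strings used in Example C-1.
    print(check_rule_expression('rule1:grant: !(abc > -1162) && (c==2) && ("a String" == aString)'))
    print(check_rule_expression('rule3:deny:boolFunction("abc",c)'))
```

A rule that fails these checks is rejected by the policy store anyway; checking locally first keeps a malformed DENY rule from being dropped from a batch script while the GRANT rules around it are committed.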
    

C.2.6 deletePolicy

Remove an existing Policy from the specified application.

Interactive Mode

deletePolicy (appStripe="<appStripeName>", policyName="<policyName>") 

Script Mode

./wlst.sh deletePolicy.py -appStripe <appStripeName> -policyName <policyName> 

Arguments

  • appStripeName – The Application (also referred to as an Application Policy) name. Required.

  • policyName – Name of policy to be deleted. Required.

C.2.7 listPolicies

List the Policies in the specified Application.

Interactive Mode

listPolicies (appStripe="<appStripeName>") 

Script Mode

./wlst.sh listPolicies.py -appStripe <appStripeName> 

Arguments

  • appStripeName – The Application (also referred to as an Application Policy) name. Required.

C.2.8 createAttribute

Create a new Attribute in an application. Default attributes are not supported.

Interactive Mode

createAttribute (appStripe="<appStripeName>", attributeName="<attributeName>",
 [displayName="<displayName>"], [description="<description>"], type="<type>",
 category="<category>", [isSingle="<true/false>"], [values="<values>"])

Script Mode

./wlst.sh createAttribute.py -appStripe <appStripeName> 
 -attributeName <attributeName> [-displayName <displayName>] 
 [-description <description>] -type <type> -category  <category> 
 [-isSingle <true/false>] [-values <values>]

Arguments

  • appStripeName – The Application (also referred to as an Application Policy) name. Required.

  • attributeName – Name of the attribute to be created. Required.

  • displayName – Display name for the attribute. Optional.

  • description – Short description of the attribute. Optional.

  • type - Fully qualified class name of the type. Required.

  • category - Attribute category. Either “Dynamic” or “Resource”. Required.

  • isSingle – Whether the attribute is single-valued or multiple-valued. Default value is true. Optional.

  • values – Initial attribute values. Optional.

C.2.9 updateAttribute

Update values of an Attribute already defined in an Application. Default attributes are not supported.

Interactive Mode

updateAttribute (appStripe="<appStripeName>", attributeName="<attributeName>",
 [displayName="<displayName>"], [description="<description>"],
 [values="<values>"])

Script Mode

./wlst.sh updateAttribute.py -appStripe <appStripeName> 
 -attributeName <attributeName> [-displayName <displayName>] 
 [-description <description>] [-values <values>] 

Arguments

  • appStripeName – The Application (also referred to as an Application Policy) name. Required.

  • attributeName – Name of the Attribute to be updated. Required.

  • displayName – Display name for the Attribute. Optional.

  • description – Short description of the attribute. Optional.

  • values - A comma-separated list of Attribute values. In the case where this value is an empty string, the Attribute will be updated to have no assigned value. Optional.

C.2.10 deleteAttribute

Delete the specified Attribute from the specified Application. Default Attributes are not supported.

Interactive Mode

deleteAttribute (appStripe="<appStripeName>", attributeName="<attributeName>",
 [cascade="<true/false>"])

Script Mode

./wlst.sh deleteAttribute.py -appStripe <appStripeName>
 -attributeName <attributeName>
 [-cascade <true/false>] 

Arguments

  • appStripeName – The Application (also referred to as an Application Policy) name. Required.

  • attributeName – Name of the Attribute to be deleted. Required.

  • cascade – A boolean value indicating whether the delete is to be cascaded. If unspecified, the value defaults to false. Optional.

C.2.11 listAttributes

List all Attributes defined in the given Application.

Interactive Mode

listAttributes (appStripe="<appStripeName>", [hideBuiltIn="<hideBuiltIn>"])

Script Mode

./wlst.sh listAttributes.py -appStripe <appStripeName> 
  [-hideBuiltIn <hideBuiltIn>] 

Arguments

  • appStripeName – The Application (also referred to as an Application Policy) name. Required.

  • hideBuiltIn – A boolean value indicating whether to hide built-in attributes. The value defaults to true. Optional.

C.2.12 createFunction

Create a Function in the specified Application.

Interactive Mode

createFunction (appStripe="<appStripeName>", functionName="<functionName>",
 [displayName="<displayName>"], [description="<description>"], 
 className="<className>", returnType="<returnType>", 
 [paramTypes="<paramTypes>"])

Script Mode

./wlst.sh createFunction.py -appStripe <appStripeName> 
 -functionName <functionName> [-displayName <displayName>] 
 [-description <description>] -className <className> 
 -returnType <returnType> [-paramTypes <paramTypes>]

Arguments

  • appStripeName – The Application (also referred to as an Application Policy) name. Required.

  • functionName – Name of the Function being created. Required.

  • displayName – Display name for the Function. Optional.

  • description – Short description of the Function. Optional.

  • className - Name of the class to which the function belongs. Required.

  • returnType – Return type of the Function. Required.

  • paramTypes – List the types of parameters concatenated using a comma (,). If unspecified, the function doesn't take any parameter as input. Optional.

C.2.13 updateFunction

Update the Function with the given values.

Interactive Mode

updateFunction (appStripe="<appStripeName>", functionName="<functionName>",
 [displayName="<displayName>"], [description="<description>"], 
 [className="<className>"], [returnType="<returnType>"], 
 [paramTypes="<paramTypes>"])

Script Mode

./wlst.sh updateFunction.py -appStripe <appStripeName> 
 -functionName <functionName> [-displayName <displayName>] 
 [-description <description>] [-className <className>] 
 [-returnType <returnType>] [-paramTypes <paramTypes>] 

Arguments

  • appStripeName – The Application (also referred to as an Application Policy) name. Required.

  • functionName – Name of the Function being updated. Required.

  • displayName – Display name for the Function. Optional.

  • description – Short description of the Function. Optional.

  • className - Name of the class to which the Function belongs. Required.

  • returnType – Return type of the Function. Required.

  • paramTypes – List the types of parameters concatenated using a comma (,). If unspecified, parameter types of the function are not changed. If an empty string is the value, the Function is updated to take no input parameter. Optional.

C.2.14 deleteFunction

Delete the Function in the specified Application.

Interactive Mode

deleteFunction (appStripe="<appStripeName>", functionName="<functionName>",
 [cascade="<true/false>"])

Script Mode

./wlst.sh deleteFunction.py -appStripe <appStripeName> 
 -functionName <functionName> [-cascade <true/false>] 

Arguments

  • appStripeName – The Application (also referred to as an Application Policy) name. Required.

  • functionName – Name of the Function being deleted. Required.

  • cascade – A boolean value indicating whether the delete is to be cascaded. If unspecified, the value defaults to false. Optional.

C.2.15 listFunctions

List all Functions in the specified Application.

Interactive Mode

listFunctions (appStripe="<appStripeName>", [hideBuiltIn="<hideBuiltIn>"])

Script Mode

./wlst.sh listFunctions.py -appStripe <appStripeName> 
 [-hideBuiltIn <hideBuiltIn>]

Arguments

  • appStripeName – The Application (also referred to as an Application Policy) name. Required.

  • hideBuiltIn – A boolean value indicating whether to hide built-in functions. The value defaults to true. Optional.

C.2.16 getFunction

Get details of the given Function in the specified Application.

Interactive Mode

getFunction (appStripe="<appStripeName>", functionName="<functionName>")

Script Mode

./wlst.sh getFunction.py -appStripe <appStripeName> 
 -functionName <functionName> 

Arguments

  • appStripeName – The Application (also referred to as an Application Policy) name. Required.

  • functionName – Name of the Function being obtained.

C.3 Creating Policy with a Script

Example C-1 illustrates how to create a single policy with a rule (containing one attribute comparison and one function invocation) and with an Obligation (containing two Obligation attributes).

Example C-1 Sample Script For Policy Creation

# Create the Application, then the Resource Types, Resources, Attributes and
# Function that the policy below refers to.
createApplicationPolicy(appStripe="jpsWebApp_wlst_test")
createResourceType(appStripe="jpsWebApp_wlst_test", resourceTypeName="resType1",
  provider="myProvider", matcher="myMatcher",
  allowedActions="action1,action2", delimiter=",")
createResourceType(appStripe="jpsWebApp_wlst_test", resourceTypeName="resType2",
  provider="myProvider", matcher="myMatcher",
  allowedActions="action1,action2", delimiter=",")
createResource(appStripe="jpsWebApp_wlst_test", name="res1", type="resType1")
createResource(appStripe="jpsWebApp_wlst_test", name="res2", type="resType2")
createResource(appStripe="jpsWebApp_wlst_test", name="res3", type="resType2")
createAttribute(appStripe="jpsWebApp_wlst_test", attributeName="attr1",
  type="date", category="dynamic")
createAttribute(appStripe="jpsWebApp_wlst_test", attributeName="attr2",
  type="time", category="dynamic")
createAttribute(appStripe="jpsWebApp_wlst_test", attributeName="abc",
  type="int", category="dynamic")
createAttribute(appStripe="jpsWebApp_wlst_test", attributeName="c",
  type="int", category="dynamic")
createAttribute(appStripe="jpsWebApp_wlst_test", attributeName="aString",
  type="string", category="dynamic")
# Function invoked by rule3 below: it takes one String and one Integer parameter.
createFunction(appStripe="jpsWebApp_wlst_test", functionName="boolFunction",
  className="com.example.myClassName",
  returnType="oracle.security.jps.service.policystore.info.OpssBoolean",
  paramTypes="oracle.security.jps.service.policystore.info.OpssString,oracle.security.jps.service.policystore.info.OpssInteger")
# Policy with one rule, resource actions drawn from the allowedActions defined
# above, one principal and two obligations (ob3 carries an attribute and a
# named literal, ob4 a named attribute).
createPolicy(appStripe="jpsWebApp_wlst_test", policyName="policy1",
  ruleExpression="rule1:grant: !(abc > -1162) && (c==2) && (\"a String\" == aString)",
  resourceActions="resType1:res1(action1,action2),resType2:res2(action1),resType2:res3(action2)",
  principals="admin:com.example.MyPrincipal",
  obligations="ob3(attr1,str1:\"a String\"),ob4(a2:attr2)", semantic="or")
# Replace the rule with a function invocation, swap the action on res3 and
# replace obligation ob3 with an email obligation (a leading '-' removes an entry).
updatePolicy(appStripe="jpsWebApp_wlst_test", policyName="policy1",
  ruleExpression="rule3:deny:boolFunction(\"abc\",c)",
  resourceActions="-resType2:res3(action2),resType2:res3(action1)",
  obligations="-ob3,email(addr:\"me@mycompany.com\")")
listPolicies(appStripe="jpsWebApp_wlst_test")
deletePolicy(appStripe="jpsWebApp_wlst_test", policyName="policy1")