1. Securing Applications with Oracle Platform Security Services
  2. Administration with Scripts and MBeans

E Administration with Scripts and MBeans

This appendix describes the administrative tasks that you carry out with WebLogic Scripting Tool (WLST) commands and the OPSS MBean API.

It includes the following sections:

Configuring Services with Scripts

If your application uses the User and Role API and must access a provider user attribute different from the default cn attribute, then you must configure the authentication provider to use the desired user attribute and initialize the provider properly.

Use the following procedure to create a script that changes the provider initialization, so that the User and Role API uses the specified user attribute to access data in the configured provider:

  1. Create a script file with the following content:
    import sys
connect('userName', 'userPassword', 'url', 'adminServerName')
domainRuntime()

val = None
key = None
si = None
for  i in range(len(sys.argv)):
    if sys.argv[i] == "-si":
        si = sys.argv[i+1]
    if sys.argv[i] == "-key":
        key  = sys.argv[i+1]
    if sys.argv[i] == "-value":
        val = sys.argv[i+1]
 
on = ObjectName("com.oracle.jps:type=JpsConfig")
sign = ["java.lang.String","java.lang.String","java.lang.String"]
params = [si,key,val]
mbs.invoke(on, "updateServiceInstanceProperty", params, sign)
mbs.invoke(on, "persist", None, None)
  2. Replace userName, userPass, localHost, and portNumber by the appropriate values to connect to the Administration Server in the domain you are interested. Note that the use of connect requires that the server to which you want to connect be up and running when the script is called. Assume that the script is saved as /tmp/updateServiceInstanceProperty.py.
  3. Change to the $ORACLE_HOME/common/bin directory and run wlst.sh:
    >cd $ORACLE_HOME/common/bin
>wlst.sh /tmp/updateServiceInstanceProperty.py -si servInstName -key propKey -value propValue

    where:

    • servInstName is the name of the service instance provider whose properties you want to modify.

    • propKey identifies the name of the property to insert or modify.

    • propValue is the name of the value to add or update.

    The command modifies the $DOMAIN_HOME/config/fmwconfig/jps-config.xml domain configuration file by adding or updating a property to the passed instance provider. If you pass a key that matches the name of a property, then that property is updated with the passed value.

  4. Restart Oracle WebLogic Server.

Example E-1 Example of Use

Assume that the domain uses the idstore.ldap authentication provider. Then: 

wlst.sh /tmp/updateServiceInstanceProperty.py -si idstore.ldap -key "myPropName" -value "myValue"

adds (or updates) the specified property of that instance provider:

<serviceInstance provider="idstore.ldap.provider" name="idstore.ldap">
   ...
   <property name="myPropName" value="myValue"/>
   ...
</serviceInstance>

Configuring Services with MBeans

OPSS provides a set of JMX-compliant Java EE Beans that are used by Fusion Middleware Control and scripts to manage, configure, and monitor services. Use of MBeans is recommended in Java EE applications only.

The following sections explain how to use OPSS MBeans:

See also:

OPSS API References

Supported OPSS MBeans

Table E-1 lists the MBeans that OPSS supports, their basic function, and the object name to use (in custom scripts or Java SE programs) to perform a task:

Table E-1 List of OPSS MBeans

MBean Function MBeanServer Object Name

Jps Configuration

Manages domain configuration in jps-config.xml. This MBean provides the only way to modify configuration data.

Update or write operations require server restart to effect changes.

com.oracle.jps:type=JpsConfig

Credential Store

Manages credential data.

Update or write operations do not require server restart to effect changes. All changes take place immediately. Access is restricted to security administrators only.

com.oracle.jps:type=JpsCredentialStore

Global Policy Store

Manages global policies in the security store configured in the default context.

Update or write operations do not require server restart to effect changes. All changes take place immediately.

com.oracle.jps:type=JpsGlobalPolicyStore

Application Policy Store

Manages application policies in the security store configured in the default context.

Update or write operations do not require server restart to effect changes. All changes take place immediately.

com.oracle.jps:type=JpsApplicationPolicyStore

Administration Policy Store

Validates whether a user logged into the current JMX context belongs to a particular role. It does not facilitate any configuration modifications.

com.oracle.jps:type=JpsAdminPolicyStore

Using OPSS MBeans

To call an OPSS MBean, write a script and run it using WLST, or write a Java program, or use the MBean browser in Fusion Middleware Control.

To call an OPSS MBean with Fusion Middleware Control:

  1. In the appropriate domain, first choose AdminServer, and then System MBean Browser. The System MBean Browser page is displayed.
  2. In that page, expand the nodes Application Defined MBeans, com.oracle.jps and Domain.
  3. Choose an MBean and use the Attributes, Operations, and Notifications tabs in the right pane to inspect the MBean attribute values and the methods.

    For example, to retrieve a credential with a given map and key, use scripting to call the MBean operation JpsCredentialMXBean.getPortableCredential(map, key).

See also:

Programming with OPSS MBeans

Navigating MBeans (WLST Online) in Understanding the WebLogic Scripting Tool

Programming with OPSS MBeans

The following example illustrates how to call the JpsConfiguration MBean. Note that:

  • It assumes that the following JAR files are in the class path:

    • $ORACLE_HOME/oracle_common/modules/oracle.jps/jps-api.jar

    • $ORACLE_HOME/oracle_common/modules/oracle.jps/jps-mbeans.jar

    • $ORACLE_HOME/oracle_common/modules/oracle.jmx/jmxframework.jar

    • $ORACLE_HOME/oracle_common/modules/oracle.idm/identitystore.jar

    • $WEBLOGIC_HOME/server/lib/wljmxclient.jar

  • The connection is established by the init method.

  • Any update operation is followed by a call to persist.

import java.io.IOException;
import java.net.MalformedURLException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;

import javax.management.InstanceNotFoundException;
import javax.management.MBeanException;
import javax.management.MBeanServerConnection;
import javax.management.MalformedObjectNameException;
import javax.management.ObjectName;
import javax.management.ReflectionException;
import javax.management.openmbean.CompositeData;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;
import javax.naming.Context;
 
import oracle.security.jps.mas.mgmt.jmx.credstore.PortableCredential;
import oracle.security.jps.mas.mgmt.jmx.credstore.PortablePasswordCredential;
import oracle.security.jps.mas.mgmt.jmx.policy.PortableApplicationRole;
import oracle.security.jps.mas.mgmt.jmx.policy.PortableCodeSource;
import oracle.security.jps.mas.mgmt.jmx.policy.PortableGrant;
import oracle.security.jps.mas.mgmt.jmx.policy.PortableGrantee;
import oracle.security.jps.mas.mgmt.jmx.policy.PortablePermission;
import oracle.security.jps.mas.mgmt.jmx.policy.PortablePrincipal;
import oracle.security.jps.mas.mgmt.jmx.policy.PortableRoleMember;
import oracle.security.jps.mas.mgmt.jmx.util.JpsJmxConstants;
 
public class InvokeJpsMbeans {
    private static JMXConnector connector;
    private static MBeanServerConnection wlsMBeanConn;
    private static ObjectName configName;
    private static ObjectName credName;
    private static ObjectName appPolName;
    private static ObjectName gloPolName;
    private static ObjectName adminPolName;

    private final static String STR_NAME =String.class.getName();

    public static void main(String args[]) {
        // Intialize connection and retrieve connection object
        init();

        //Check registration
        if (isRegistered(configName)) 
            System.out.println("Jps Config MBean is registered");
        if (isRegistered(credName))
            System.out.println("Jps Credential Mbean is registered");
        if (isRegistered(appPolName)) 
            System.out.println("Jps Application policy Mbean is registered");
        if (isRegistered(gloPolName))
            System.out.println("Jps Global policy Mbean is registered");
        if (isRegistered(adminPolName)) 
           System.out.println("Jps Admin Policy Mbean is registered");

        //invoke MBeans
        invokeConfigMBeanMethods();
        invokeCredentialMBeanMethods();
        invokeApplicationPolicyMBeanMethods();
        invokeGlobalPolicyMBeanMethods();
        invokeAdminPolicyMBeanMethhods();
    }
    
    private static void invokeConfigMBeanMethods() {
        String KEY = "myKey";
        String VALUE = "myValue";
        String strVal;
        try {
            strVal = (String) wlsMBeanConn.invoke(configName, "updateProperty",
                     new Object[] { KEY, VALUE }, 
                     new String[] { STR_NAME, STR_NAME });
            wlsMBeanConn.invoke(configName,"persist",null,null);

            strVal = (String) wlsMBeanConn.invoke(configName, "getProperty", 
                     new Object[] { KEY }, new String[] { STR_NAME });
            System.out.println("Updated the property: " + strVal.equals(strVal));

            strVal = (String) wlsMBeanConn.invoke(configName, "removeProperty",
                     new Object[] { KEY }, new String[] { STR_NAME });
            wlsMBeanConn.invoke(configName,"persist",null,null);
        } catch (InstanceNotFoundException e) {
            // auto-generated catch block
            e.printStackTrace();
        } catch (MBeanException e) {
            // auto-generated catch block
            e.printStackTrace();
        } catch (ReflectionException e) {
            // auto-generated catch block
            e.printStackTrace();
        } catch (IOException e) {
            // auto-generated catch block
            e.printStackTrace();
        }
    }
 
private static void  invokeCredentialMBeanMethods() {
        
        String USER = "jdoe";
        String PASSWORD = "password";
        String ALIAS = "mapName";
 String KEY = "keyValue";
         
 PortableCredential cred = new PortablePasswordCredential(USER, PASSWORD.toCharArray());
       
  try {
       //seed a password credential
       wlsMBeanConn.invoke(credName, "setPortableCredential", new Object[] { ALIAS, KEY, cred.toCompositeData(null) }, new String[] { STR_NAME, STR_NAME, CompositeData.class.getName() });
        boolean bContainsMap = (Boolean) wlsMBeanConn.invoke(credName, "containsMap", new Object[] { ALIAS }, new String[] { STR_NAME });
        System.out.println("Credstore contains map: " + ALIAS + " - " +bContainsMap);
 
        boolean bContainsCred = (Boolean) wlsMBeanConn.invoke(credName, "containsCredential", new Object[] { ALIAS, KEY }, new String[] { STR_NAME, STR_NAME });
        System.out.println("Contains Credential; " + bContainsCred);
 
        CompositeData cd = (CompositeData) wlsMBeanConn.invoke(credName, "getPortableCredential", new Object[] { ALIAS, KEY }, new String[] { STR_NAME, STR_NAME });
        cred = PortableCredential.from(cd);
 
        PortablePasswordCredential pc = (PortablePasswordCredential) cred;
 
        System.out.println("User name should be " +  USER + " Retrieved - " + pc.getName());
        System.out.println("Password should be " + PASSWORD + "retrieved - " +  new String(pc.getPassword()));
            
        //delete entire map
        wlsMBeanConn.invoke(credName, "deleteCredentialMap", new Object[] {ALIAS}, new String[] {STR_NAME} );
            
        } catch (InstanceNotFoundException e) {
            // auto-generated catch block
            e.printStackTrace();
        } catch (MBeanException e) {
            // auto-generated catch block
            e.printStackTrace();
        } catch (ReflectionException e) {
            // auto-generated catch block
            e.printStackTrace();
        } catch (IOException e) {
            // auto-generated catch block
            e.printStackTrace();
        }
 
    }

private static void invokeApplicationPolicyMBeanMethods() {
        //add grants to approles
        
        //first create application policy
        String TESTGET_APP_ROLES_MEMBERS = "testgetAppRolesMembers";
        try {
            wlsMBeanConn.invoke(appPolName, "deleteApplicationPolicy", new Object[] { TESTGET_APP_ROLES_MEMBERS }, new String[] { STR_NAME });
        } catch (Exception e ) {
            System.out.println("IGNORE: App " + TESTGET_APP_ROLES_MEMBERS + " might not exist");
        }
        try {
            wlsMBeanConn.invoke(appPolName, "createApplicationPolicy", new Object[] { TESTGET_APP_ROLES_MEMBERS }, new String[] { STR_NAME });
            // add remove members to applicaiton roles
            // Create App Role here
            String APP_ROLE_NAME = "ravenclaw_house";
            wlsMBeanConn.invoke(appPolName, "createApplicationRole", new Object[] { TESTGET_APP_ROLES_MEMBERS, APP_ROLE_NAME, null, null, null }, new String[] { STR_NAME, STR_NAME, STR_NAME, STR_NAME, STR_NAME });
            
            CompositeData cd = (CompositeData) wlsMBeanConn.invoke(appPolName, "getApplicationRole", new Object[] { TESTGET_APP_ROLES_MEMBERS, APP_ROLE_NAME }, new String[] { STR_NAME, STR_NAME });
            PortableApplicationRole appRole = PortableApplicationRole.from(cd);
            
            //Add custom principal here
            PortableRoleMember prm_custom = new PortableRoleMember("My.Custom.Principal","CustomPrincipal",null,null,null);
 
            CompositeData[] arrCompData = { prm_custom.toCompositeData(null) };
            cd = (CompositeData) wlsMBeanConn.invoke(appPolName, "addMembersToApplicationRole", new Object[] { TESTGET_APP_ROLES_MEMBERS, appRole.toCompositeData(null), arrCompData }, new String[] { STR_NAME, CompositeData.class.getName(), CompositeData[].class.getName() });
            
            // Chk if member got added
            CompositeData[] arrCD = (CompositeData[]) wlsMBeanConn.invoke(appPolName, "getMembersForApplicationRole", new Object[] { TESTGET_APP_ROLES_MEMBERS, appRole.toCompositeData(null) }, new String[] { STR_NAME, CompositeData.class.getName() });
            PortableRoleMember[] actRM = getRMArrayFromCDArray(arrCD);
            PortableRoleMember[] expRM = { prm_custom};
            chkRoleMemberArrays(actRM, expRM);
 
            cd = (CompositeData) wlsMBeanConn.invoke(appPolName, "removeMembersFromApplicationRole", new Object[] { TESTGET_APP_ROLES_MEMBERS, appRole.toCompositeData(null), arrCompData }, new String[] { STR_NAME, CompositeData.class.getName(), CompositeData[].class.getName() });
 
            // Chk if member got removed
            arrCD = (CompositeData[]) wlsMBeanConn.invoke(appPolName, "getMembersForApplicationRole", new Object[] { TESTGET_APP_ROLES_MEMBERS, appRole.toCompositeData(null) }, new String[] { STR_NAME, CompositeData.class.getName() });
            System.out.println("length should be zero :" + arrCD.length);
 
            // Remove the App Role
            wlsMBeanConn.invoke(appPolName, "removeApplicationRole", new Object[] { TESTGET_APP_ROLES_MEMBERS, APP_ROLE_NAME }, new String[] { STR_NAME, STR_NAME });
            wlsMBeanConn.invoke(appPolName, "deleteApplicationPolicy", new Object[] { TESTGET_APP_ROLES_MEMBERS }, new String[] { STR_NAME });
 
        } catch (InstanceNotFoundException e) {
            // auto-generated catch block
            e.printStackTrace();
        } catch (MBeanException e) {
            // auto-generated catch block
            e.printStackTrace();
        } catch (ReflectionException e) {
            // auto-generated catch block
            e.printStackTrace();
        } catch (IOException e) {
            // auto-generated catch block
            e.printStackTrace();
        }
    }

    private static PortableRoleMember[] getRMArrayFromCDArray(CompositeData[] arrCD) {
        PortableRoleMember[] actRM = new PortableRoleMember[arrCD.length];
        int idx = 0;
        for (CompositeData cdRM : arrCD) {
            actRM[idx++] = PortableRoleMember.from(cdRM);
        }
        return actRM;
    }

    private static void chkRoleMemberArrays(PortableRoleMember[] arrExpectedRM, PortableRoleMember[] arrActRM) {
 
        List < PortableRoleMember > lstExpRM = new ArrayList < PortableRoleMember >(Arrays.asList(arrExpectedRM));
        List < PortableRoleMember > lstActRM = new ArrayList < PortableRoleMember >(Arrays.asList(arrActRM));
 
        for (PortableRoleMember actRM : lstActRM) {
            for (int idx = 0; idx < lstExpRM.size(); idx++) {
                PortableRoleMember expRM = (PortableRoleMember) lstExpRM.get(idx);
                if (expRM.equals(actRM)) {
                    lstExpRM.remove(idx);
                    break;
                }
            }
        }
        System.out.println("List should be empty - " + lstExpRM.size());
    }

    private static void  invokeAdminPolicyMBeanMethhods() {
        //Connection is established as weblogic user, who by OOTB gets all permissions
        Boolean bool;
        try {
            bool = (Boolean) wlsMBeanConn.invoke(adminPolName,"checkRole",new Object[]{"Admin"}, new String[]{STR_NAME});
            System.out.println("Werblogic has Admin role: " + bool);
            bool = (Boolean) wlsMBeanConn.invoke(adminPolName,"checkRole",new Object[] {"Configurator"}, new String[]{STR_NAME});
            System.out.println("Werblogic has Configurator role: " + bool);
            bool = (Boolean) wlsMBeanConn.invoke(adminPolName,"checkRole", new Object[]{new String[] {"Operator", "Admin", "Configurator"}},
                    new String[]{String[].class.getName()});
            System.out.println("Werblogic has Admin,Operator,Configurator role: " + bool);
        } catch (InstanceNotFoundException e) {
            // auto-generated catch block
            e.printStackTrace();
        } catch (MBeanException e) {
            // auto-generated catch block
            e.printStackTrace();
        } catch (ReflectionException e) {
            // auto-generated catch block
            e.printStackTrace();
        } catch (IOException e) {
            // auto-generated catch block
            e.printStackTrace();
        }
    }

    private static void invokeGlobalPolicyMBeanMethods() {
        // lets create a grant in system policy
        PortablePrincipal CUSTOM_JDOE = new PortablePrincipal("oracle.security.jps.internal.core.principals.CustomXmlUserImpl", "jdoe", PortablePrincipal.PrincipalType.CUSTOM);
        PortablePrincipal CUSTOM_APP_ADMINS = new PortablePrincipal("oracle.security.jps.internal.core.principals.CustomXmlEnterpriseRoleImpl", "oc4j-app-administrators", PortablePrincipal.PrincipalType.CUSTOM);
        PortablePrincipal[] arrPrincs = {CUSTOM_JDOE, CUSTOM_APP_ADMINS};
        //codesource URL        
        String URL = "http://www.oracle.com/as/jps-api.jar";
        PortableCodeSource pcs = new PortableCodeSource(URL);
        PortableGrantee pge = new PortableGrantee(arrPrincs, pcs);
        PortablePermission CSF_PERM = new PortablePermission("oracle.security.jps.service.credstore.CredentialAccessPermission", "context=SYSTEM,mapName=MY_MAP,keyName=MY_KEY", "read");
        PortablePermission[] arrPerms = {CSF_PERM};
        PortableGrant grnt = new PortableGrant(pge, arrPerms);
        CompositeData[] arrCompData = { grnt.toCompositeData(null) };
        try {
            System.out.println("Creating System Policy grant");
            wlsMBeanConn.invoke(gloPolName, "grantToSystemPolicy", new Object[] { arrCompData }, new String[] { CompositeData[].class.getName() });
            System.out.println("Deleting the created grant");
            wlsMBeanConn.invoke(gloPolName, "revokeFromSystemPolicy", new Object[] { arrCompData }, new String[] { CompositeData[].class.getName() });
            
        } catch (InstanceNotFoundException e) {
            // auto-generated catch block
            e.printStackTrace();
        } catch (MBeanException e) {
            // auto-generated catch block
            e.printStackTrace();
        } catch (ReflectionException e) {
            // auto-generated catch block
            e.printStackTrace();
        } catch (IOException e) {
            // auto-generated catch block
            e.printStackTrace();
        }
    }

    private static boolean isRegistered(ObjectName name) {
        try {
            return wlsMBeanConn.isRegistered(name);
        } catch (IOException e) {
            // auto-generated catch block
            e.printStackTrace();
        }
        return false;
    }
 
    private static void init() {
        String protocol = "t3";
        String jndi_root = "/jndi/";
        String wlserver = "myWLServer";
        String host =  "myHost.com";
        int port =  7001;
        String adminUsername = "myAdminName";
        String adminPassword = "myAdminPassw";
        JMXServiceURL url;
        try {
            url = new JMXServiceURL(protocol,host,port,jndi_root+wlserver);
            HashMap<String, Object> env = new HashMap<String, Object>();
            env.put(Context.SECURITY_PRINCIPAL, adminUsername);
            env.put(Context.SECURITY_CREDENTIALS, adminPassword);
            env.put(JMXConnectorFactory.PROTOCOL_PROVIDER_PACKAGES,
                    "weblogic.management.remote");
            connector = JMXConnectorFactory.connect(url, env);
            wlsMBeanConn = connector.getMBeanServerConnection();
                        //create object names
	// the next string is set to com.oracle.jps:type=JpsConfig
            configName = new
                 ObjectName(JpsJmxConstants.MBEAN_JPS_CONFIG_FUNCTIONAL);
// the next string is set to com.oracle.jps:type=JpsApplicationPolicyStore
            appPolName = new
                 ObjectName(JpsJmxConstants.MBEAN_JPS_APPLICATION_POLICY_STORE);
// the next string is set to com.oracle.jps:type=JpsGlobalPolicyStore
            gloPolName = new
                 ObjectName(JpsJmxConstants.MBEAN_JPS_GLOBAL_POLICY_STORE);
// the next string is set to com.oracle.jps:type=JpsAdminPolicyStore
            adminPolName = new
                 ObjectName(JpsJmxConstants.MBEAN_JPS_ADMIN_POLICY_STORE);
// the next string is set to com.oracle.jps:type=JpsCredentialStore
            credName = new ObjectName(JpsJmxConstants.MBEAN_JPS_CREDENTIAL_STORE);
        } catch (MalformedURLException e) {
            // take proper action
            e.printStackTrace();
        } catch (IOException e) {
            // take proper action
            e.printStackTrace();
        } catch (MalformedObjectNameException e) {
            // auto-generated catch block
            e.printStackTrace();
        }
    }
}

Restricting Access to MBeans

The information in this section is not restricted to OPPS MBeans but applies, more generally, to Oracle Fusion Middleware MBeans.

A logical role is a role specified declaratively or programmatically by a Java EE application. It is defined in an application deployment descriptor and used in the application code. You can map logical roles to enterprise groups or users, but you cannot map these roles to application roles.

The security access to MBeans is based on logical roles rather than on security permissions. MBeans are annotated with role-based constraints that are enforced at runtime by the JMX Framework.

The following sections illustrate the use of annotations, list the particular access restrictions, and explain the mapping of logical roles to enterprise groups:

Annotation Examples

The following example illustrates the use of enterprise group annotations (in bold text) in an MBean interface: 

@Description(resourceKey = "demo.ScreenCustomizerRuntimeMBean.description",
             resourceBundleBaseName = "demo.runtime.Messages")
@ImmutableInfo("true")
@Since("1.1")
public interface ScreenCustomizerRuntimeMXBean {
  @Description(resourceKey = "demo.ScreenCustomizerRuntimeMBean.Active",
               resourceBundleBaseName = "demo.runtime.Messages") 
  @AttrributeGetterRequiredGlobalSecurityRole(GlobalSecurityRole.Operator)
    public boolean isActive();
  @AttrributeSetterRequiredGlobalSecurityRole(GlobalSecurityRole.Admin)
    public void setActive(boolean val);
 
  @Description(resourceKey =
                     "demo.ScreenCustomizerRuntimeMBean.ActiveVirtualScreenId",
               resourceBundleBaseName = "demo.runtime.Messages") 
  @DefaultValue("0")
  @LegalValues( {"0", "2", "4", "6", "8" })
  @RequireRestart(ConfigUptakePolicy.ApplicationRestart) 
  @OperationRequiredGlobalSecurityRole(GlobalSecurityRole.Admin)
     public void setActiveVirtualScreenId(int id) throws IllegalArgumentException;
  …
}

where:

  • @AtrributeGetterRequiredGlobalSecurityRole specifies that the user must belong to the role Operator to access the get isActive method.

  • @AtrributeSetterRequiredGlobalSecurityRole specifies that the user must belong to the Admin role to access the setActive method.

  • @OperationRequiredGlobalSecurityRole specifies that the user must belong to the Admin role to access the setActiveVirtualScreenId method MBean.

Note that all these three annotations apply just to a specific item in the interface.

The following example illustrates the use of an annotation (in bold text) with a different scope:

@Description(resourceKey = "demo.ScreenCustomizerRuntimeMBean.description",
             resourceBundleBaseName = "demo.runtime.Messages")
@ImmutableInfo("true")
@Since("1.1")
@MBeanRequiredGlobalSecurityRole(GlobalSecurityRole.Admin)
public interface ScreenCustomizerRuntimeMXBean { … }

@MbeanRequiredGlobalSecurityRole specifies that the user must belong to the Admin role to access any operation or attribute of the MBean, so its scope is the entire MBean. Annotations with method or attribute scope override annotations that apply to the entire MBean.

GlobalSecurityRole defines the set of global, logical roles that are mapped to actual roles in the environment before performing security checks. This enumeration includes the value NONE to indicate that any user has read and write access to the annotated operation or attribute.

Mapping Logical Roles to Enterprise Groups

Table E-2 shows the mapping of logical roles to enterprise groups.

Table E-2 Mapping of Logical Roles to WebLogic Server Groups

Logical Role Default Permissions WebLogic Group

Admin

Read and write access to all MBeans

Admin

Configurator

Read and write access to configuration MBeans

Admin

Operator

Read access to configuration MBeans. Read and write access to runtime MBeans

Operator

Monitor

Read access to all MBeans

Monitor

ApplicationAdmin

Read and write access to all application MBeans

Admin

ApplicationConfigurator

Read and write access to all application MBeans

Admin

ApplicationOperator

Read access to application configuration MBeans. Read and write access to application runtime MBeans

Operator

ApplicationMonitor

Read access to all application runtime and configuration MBeans

Monitor

See also:

Users, Groups, and Security Roles in Securing Resources Using Roles and Policies for Oracle WebLogic Server

Particular Access Restrictions

By default, all MBean write and update operations require that the user be a member of the Admin or Configurator roles. In addition, operations annotated with the @Impact(value=1) tag require that the user be a member of the Admin role, and operations annotated with the tag @Impact(value=0) require that the user be a member of the Admin or Operator roles.

Table E-3 describes the roles required to access attributes and operations in MBeans:

Table E-3 Roles Required per Operation

Operations with Impact Value MBean Type Requires One of the Roles

INFO or attribute getter

System configuration MBean

Monitor, Operator, Configurator, Admin

INFO or attribute getter

Application configuration MBean

Monitor, Operator, Configurator, Admin, ApplicationMonitor, ApplicationOperator, ApplicationConfigurator, ApplicationAdmin

ACTION, ACTION_INFO, UNKNOWN, or attribute setter

System configuration MBean

Admin, Configurator

ACTION, ACTION_INFO, UNKNOWN, or attribute setter

Application configuration MBean

Admin, Configurator, ApplicationAdmin, ApplicationConfigurator

INFO or attribute getter

System runtime MBean

Monitor, Operator, Configurator, Admin

INFO or attribute getter

Application runtime MBean

Monitor, Operator, Configurator, Admin, ApplicationMonitor, ApplicationOperator, ApplicationAdmin

ACTION, ACTION_INFO, UNKNOWN, or attribute setter

System runtime MBean

Admin, Operator

ACTION, ACTION_INFO, UNKNOWN, or attribute setter

Application runtime MBean

Admin, Operator, ApplicationAdmin, ApplicationOperator