Sunday, June 9, 2013

WLST, applying security policy to a JMS Module

The requirement is: only an authenticated user belonging to the Administrator group can access any JMS queue in a JMS module.

On the Console, to understand what this operation entails, I associate this policy with the PV_OSB_TESTModule JMS module:
Group = Administrators

There is no change in config.xml or the other config files; everything goes into the embedded LDAP.

http://suhasonstuff.blogspot.com/2011/05/adding-weblogic-security-policies-using.html

http://atheek.wordpress.com/2011/12/20/granting-integration-monitors-access-to-osb-test-console/

To see the policyId, I do the following in the WebLogic Console:
myrealm / Migration / Export, exporting to the folder /tmp/exportmyrealm
These files are generated:
DefaultAuthenticator.dat
DefaultCredentialMapper.dat
exportIndex.dat
XACMLAuthorizer.dat
XACMLRoleMapper.dat

I dig into XACMLAuthorizer.dat and I see (pretty-printed here, it is a single line in the file):

<Policy PolicyId="urn:bea:xacml:2.0:entitlement:resource:type@E@Fjms@G@M@Oapplication@EPV_OSB_TESTModule" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Description>Grp(Administrators)</Description>
  <Target>
    <Resources>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">type=&lt;jms&gt;, application=PV_OSB_TESTModule</AttributeValue>
          <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor-or-self" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
        </ResourceMatch>
      </Resource>
    </Resources>
  </Target>
  <Rule RuleId="primary-rule" Effect="Permit">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Administrators</AttributeValue>
        <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:group" DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </Apply>
    </Condition>
  </Rule>
  <Rule RuleId="deny-rule" Effect="Deny"></Rule>
</Policy>

NOTE: the resource value must be written with XML entities, "type=&lt;jms&gt;, application=...", not with literal angle brackets (the blog editor tends to render the entities as <jms>, which is why it can look wrong on screen.... XML encoding is hell on earth). Also note that the PolicyId is the same resource string with the special characters escaped (@E for =, @F for <, @G for >, @M for the comma, @O for the space).
This WLST script automates the operation (policy.xml is the policy above, saved to a file in the current directory):
connect('weblogic', 'weblogic1', 't3://myserver.acme.com:9001')   # inline credentials as in the post; WLST can also read them from a userConfigFile/userKeyFile pair
easeSyntax()

# the XACMLAuthorizer MBean of the realm; the policy ends up in the embedded LDAP, not in config.xml
cd /SecurityConfiguration/osbpl1do/DefaultRealm/myrealm/Authorizers/XACMLAuthorizer
xacmlFile=open('policy.xml','r')
xacmlDoc=xacmlFile.read()
xacmlFile.close()
cmo.addPolicy(xacmlDoc)   # loads the XACML document; the PolicyId identifies the protected resource


This can be automated for any JMS module: just replace PV_OSB_TESTModule with your module name in policy.xml (it appears twice, in the PolicyId and in the resource AttributeValue) and run the WLST script.
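As an added example (not the post's own code, and not run inside WLST), a plain Python 3 script that writes policy.xml for any module name and group, letting the XML serializer do the &lt;jms&gt; escaping, and parses the result back to check the resource, group and deny rule before it is handed to addPolicy(). The @E/@F/@G/@M/@O escape table for the PolicyId is inferred from the single id shown above, so it is an assumption.

```python
import xml.etree.ElementTree as ET

XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
FIRST_APPLICABLE = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
STRING_IS_IN = "urn:oasis:names:tc:xacml:1.0:function:string-is-in"
RESOURCE_ANCESTOR = "urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor-or-self"
SUBJECT_GROUP = "urn:oasis:names:tc:xacml:2.0:subject:group"

# PolicyId escape table inferred from the one exported id on the page (assumption):
# "type=<jms>, application=X"  ->  "type@E@Fjms@G@M@Oapplication@EX"
_ID_ESCAPES = {"=": "@E", "<": "@F", ">": "@G", ",": "@M", " ": "@O"}

def jms_module_resource(module):
    """WebLogic resource string covering the whole JMS module, as seen in the export."""
    return "type=<jms>, application=%s" % module

def policy_id(resource):
    """urn:bea:xacml:2.0:entitlement:resource:<escaped resource string>."""
    return "urn:bea:xacml:2.0:entitlement:resource:" + "".join(_ID_ESCAPES.get(c, c) for c in resource)

def build_policy(module, group):
    """Return the XACML policy text: Permit members of `group`, then Deny everyone else."""
    resource = jms_module_resource(module)
    policy = ET.Element("Policy", PolicyId=policy_id(resource), RuleCombiningAlgId=FIRST_APPLICABLE)
    ET.SubElement(policy, "Description").text = "Grp(%s)" % group
    res = ET.SubElement(ET.SubElement(ET.SubElement(policy, "Target"), "Resources"), "Resource")
    match = ET.SubElement(res, "ResourceMatch", MatchId=STRING_EQUAL)
    # the serializer emits &lt;jms&gt; here; no hand escaping needed
    ET.SubElement(match, "AttributeValue", DataType=XS_STRING).text = resource
    ET.SubElement(match, "ResourceAttributeDesignator", AttributeId=RESOURCE_ANCESTOR,
                  DataType=XS_STRING, MustBePresent="true")
    permit = ET.SubElement(policy, "Rule", RuleId="primary-rule", Effect="Permit")
    apply_ = ET.SubElement(ET.SubElement(permit, "Condition"), "Apply", FunctionId=STRING_IS_IN)
    ET.SubElement(apply_, "AttributeValue", DataType=XS_STRING).text = group
    ET.SubElement(apply_, "SubjectAttributeDesignator", AttributeId=SUBJECT_GROUP, DataType=XS_STRING)
    ET.SubElement(policy, "Rule", RuleId="deny-rule", Effect="Deny")   # first-applicable: catches everyone else
    return ET.tostring(policy, encoding="unicode")

def check_policy(xml_text, module, group):
    """Parse the text back, as the authorizer will, and confirm resource, group and the deny rule."""
    root = ET.fromstring(xml_text)
    res = root.findtext("Target/Resources/Resource/ResourceMatch/AttributeValue")
    grp = root.findtext("Rule[@RuleId='primary-rule']/Condition/Apply/AttributeValue")
    deny = root.find("Rule[@RuleId='deny-rule']")
    return res == jms_module_resource(module) and grp == group \
        and deny is not None and deny.get("Effect") == "Deny"

if __name__ == "__main__":
    text = build_policy("PV_OSB_TESTModule", "Administrators")
    assert check_policy(text, "PV_OSB_TESTModule", "Administrators")
    with open("policy.xml", "w") as f:       # the file the WLST script feeds to cmo.addPolicy()
        f.write(text)
```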
