Tuesday, October 22, 2013

WebLogic, debugging authorization issues

In the WebLogic Server debug flags page, enable atz and make sure your logging level is Debug. IMPORTANT: to troubleshoot console issues, you should enable the flags and logs on the ADMIN server, not on the Managed server.
For each operation you do on the console you should see an entry like this (this one is for user weblogic, who is an Administrator):
####<Oct 22, 2013 11:13:21 AM CEST> <Debug> <SecurityAtz> <hqchacme104> <osbpl1ms1> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <9455361429c2e897:-165939bd:141df6a556f:-8000-000000000000003e> <1382433201784> <BEA-000000> <XACML Authorization isAccessAllowed(): input arguments:>
####<Oct 22, 2013 11:13:21 AM CEST> <Debug> <SecurityAtz> <hqchacme104> <osbpl1ms1> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <9455361429c2e897:-165939bd:141df6a556f:-8000-000000000000003e> <1382433201784> <BEA-000000> < Subject: 4
Principal = weblogic.security.principal.WLSUserImpl("weblogic")
Principal = weblogic.security.principal.WLSGroupImpl("Administrators")
Principal = weblogic.security.principal.WLSGroupImpl("IntegrationAdministrators")
Principal = weblogic.security.principal.WLSGroupImpl("AdminChannelUsers")

and then it will tell you:
Roles:AdminChannelUser, Anonymous, IntegrationAdmin, Admin

then something about the resource you are trying to access:
Resource: type=<jmx>, operation=get, application=, mbeanType=weblogic.management.runtime.ServerRuntimeMBean, target=PendingRestartSystemResources
then the policy applying to that resource:
urn:bea:xacml:2.0:entitlement:resource:type@E@Fjmx@G@M@Ooperation@Eget, 1.0 evaluates to Permit
the result of checking the policy:
XACML Authorization isAccessAllowed(): returning PERMIT

and again:
com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed AccessDecision returned PERMIT
In case something goes wrong, you will get the dreaded
XACML Authorization isAccessAllowed(): returning DENY
urn:bea:xacml:2.0:entitlement:resource:type@E@Fjmx@G@M@Ooperation@Einvoke@M@Oapplication@E@M@OmbeanType@Eweblogic.management.mbeanservers.edit.ConfigurationManagerMBean, 1.0 evaluates to Deny
where at the beginning we have the policy name: urn:bea:xacml:2.0:entitlement:resource:type@E@Fjmx@
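Here is a small Python helper, added as an example and not part of the original post or of WebLogic itself, that groups these SecurityAtz lines into one record per isAccessAllowed() call and decodes the escaped policy id, so you can list the DENYs together with who asked, which roles they had and which policy said no. The sample log, the host/thread values and the user opsuser are constructed; the @E/@F/@G/@M/@O escape table is an assumption inferred by comparing the policy id with the Resource line above.

```python
import re

# Constructed sample mirroring this post's entries: a PERMIT for user weblogic and a
# DENY for a hypothetical "opsuser". Line 1 keeps the full entry header, the rest are bare.
SAMPLE_LOG = """\
####<Oct 22, 2013 11:13:21 AM CEST> <Debug> <SecurityAtz> <host1> <AdminServer> <[ACTIVE] ExecuteThread: '0'> <<WLS Kernel>> <> <ctx1> <1382433201784> <BEA-000000> <XACML Authorization isAccessAllowed(): input arguments:>
Principal = weblogic.security.principal.WLSUserImpl("weblogic")
Principal = weblogic.security.principal.WLSGroupImpl("Administrators")
Roles:AdminChannelUser, Anonymous, IntegrationAdmin, Admin
Resource: type=<jmx>, operation=get, application=, mbeanType=weblogic.management.runtime.ServerRuntimeMBean, target=PendingRestartSystemResources
urn:bea:xacml:2.0:entitlement:resource:type@E@Fjmx@G@M@Ooperation@Eget, 1.0 evaluates to Permit
XACML Authorization isAccessAllowed(): returning PERMIT
XACML Authorization isAccessAllowed(): input arguments:
Principal = weblogic.security.principal.WLSUserImpl("opsuser")
Roles:Anonymous, Monitor
Resource: type=<jmx>, operation=invoke, application=, mbeanType=weblogic.management.mbeanservers.edit.ConfigurationManagerMBean
urn:bea:xacml:2.0:entitlement:resource:type@E@Fjmx@G@M@Ooperation@Einvoke@M@Oapplication@E@M@OmbeanType@Eweblogic.management.mbeanservers.edit.ConfigurationManagerMBean, 1.0 evaluates to Deny
XACML Authorization isAccessAllowed(): returning DENY
"""

# Escape table inferred (assumption) from the policy id vs. the Resource line above.
ESCAPES = {"@E": "=", "@F": "<", "@G": ">", "@M": ",", "@O": " "}

def decode_policy_id(policy_id):
    # Turn "type@E@Fjmx@G@M@Ooperation@Eget" back into "type=<jmx>, operation=get"
    return re.sub(r"@[EFGMO]", lambda m: ESCAPES[m.group(0)], policy_id)

def parse_atz_decisions(text):
    # One record per isAccessAllowed() call: principals, roles, resource, policies, decision
    decisions, cur = [], None
    for raw in text.splitlines():
        # Drop the "####<...> <BEA-nnnnnn> <" entry header and a closing ">" if present
        msg = re.sub(r"^####<.*?<BEA-\d+> <|>$", "", raw.strip()).strip()
        if msg.startswith("XACML Authorization isAccessAllowed(): input arguments"):
            cur = {"principals": [], "roles": [], "resource": "", "policies": []}
        elif cur is None:
            continue  # noise outside an isAccessAllowed() block
        elif msg.startswith("Principal = "):
            cur["principals"].append(re.search(r'WLS(User|Group)Impl\("([^"]*)"\)', msg).groups())
        elif msg.startswith("Roles:"):
            cur["roles"] = [r.strip() for r in msg[len("Roles:"):].split(",") if r.strip()]
        elif msg.startswith("Resource: "):
            cur["resource"] = msg[len("Resource: "):]
        elif msg.startswith("urn:bea:xacml") and " evaluates to " in msg:
            pid, verdict = msg.rsplit(" evaluates to ", 1)
            cur["policies"].append((decode_policy_id(pid.rsplit(", ", 1)[0]), verdict))
        elif msg.startswith("XACML Authorization isAccessAllowed(): returning "):
            cur["decision"] = msg.rsplit(" ", 1)[1]  # PERMIT or DENY
            decisions.append(cur)
            cur = None
    return decisions
```

Filtering the returned records on `decision == "DENY"` gives you, for each refused console action, the user, the groups, the roles that were computed and the decoded policy that denied it.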
