Hi,
To slow down brute-force attacks on WebLogic Server, WLS provides a feature called User Lockout.
As the name implies, it locks a user account after a configured number of unsuccessful login attempts. We can also set the duration for which the user stays locked and the maximum number of invalid-login records kept in memory. All of these are configurable from the console. Keep in mind that lockout cuts both ways: an attacker who knows a valid username (such as the administrative user) can deliberately trip the threshold and lock that user out, so set the threshold and duration sensibly and watch the lockout messages in the server logs.
Kindly have a look at the screenshot.
If we want to gather more information about the user lockout, we can enable the debug from the console.
Kindly have a look at the screenshot.
We can also check the server logs for invalid attempts.
Once the threshold is reached we will see a message similar to this one:
<Jul 25, 2010 12:33:56 PM IST> <Notice> <Security> <BEA-090078> <User faisal in security realm myrealm has had 5 invalid login attempts, locking account for 30 minutes.>
If we want to unlock the user, we can either do it from the console
See screenshot
or unlock the user with the JMX code below.
"UnlockWeblogicUser.java"
import java.io.IOException;
import java.net.MalformedURLException;
import java.util.Hashtable;
import javax.management.MBeanServerConnection;
import javax.management.MalformedObjectNameException;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;
import javax.naming.Context;

public class UnlockWeblogicUser {
    private static MBeanServerConnection connection;
    private static JMXConnector connector;

    // Entry point into the Domain Runtime MBean server; from here we walk down
    // to the default realm's UserLockoutManagerRuntimeMBean.
    private static final ObjectName service;
    static {
        try {
            service = new ObjectName("com.bea:Name=DomainRuntimeService,"
                + "Type=weblogic.management.mbeanservers.domainruntime.DomainRuntimeServiceMBean");
        } catch (MalformedObjectNameException e) {
            throw new AssertionError(e.getMessage());
        }
    }

    public void unlockUser(String username) {
        try {
            // When connected to the Admin Server, the lockout state we need lives in
            // the ServerSecurityRuntime -> DefaultRealmRuntime of its ServerRuntime.
            ObjectName[] serverRT = (ObjectName[]) connection.getAttribute(service, "ServerRuntimes");
            ObjectName ssr = (ObjectName) connection.getAttribute(serverRT[0], "ServerSecurityRuntime");
            ObjectName rrm = (ObjectName) connection.getAttribute(ssr, "DefaultRealmRuntime");
            ObjectName ulr = (ObjectName) connection.getAttribute(rrm, "UserLockoutManagerRuntime");
            System.out.println("Unlocking User");
            // clearLockout(String) is the same operation the console's "Unlock User" action performs.
            connection.invoke(ulr, "clearLockout", new Object[] { username }, new String[] { "java.lang.String" });
            System.out.println("User:::" + username + " Unlocked");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    public static void initConnection(String hostname, String portString, String username, String password)
            throws IOException, MalformedURLException {
        String protocol = "t3";
        int port = Integer.parseInt(portString);
        String jndiroot = "/jndi/";
        String mserver = "weblogic.management.mbeanservers.domainruntime";
        JMXServiceURL serviceURL = new JMXServiceURL(protocol, hostname, port, jndiroot + mserver);
        Hashtable<String, String> h = new Hashtable<String, String>();
        h.put(Context.SECURITY_PRINCIPAL, username);
        h.put(Context.SECURITY_CREDENTIALS, password);
        h.put(JMXConnectorFactory.PROTOCOL_PROVIDER_PACKAGES, "weblogic.management.remote");
        connector = JMXConnectorFactory.connect(serviceURL, h);
        connection = connector.getMBeanServerConnection();
    }

    public static void main(String[] args) throws Exception {
        // Admin credentials are taken from the command line rather than hard-coded in the source.
        // e.g. java UnlockWeblogicUser localhost 7001 weblogic <password> faisal
        if (args.length != 5) {
            System.err.println("Usage: java UnlockWeblogicUser <host> <port> <adminUser> <adminPassword> <userToUnlock>");
            System.exit(1);
        }
        UnlockWeblogicUser uu = new UnlockWeblogicUser();
        initConnection(args[0], args[1], args[2], args[3]);
        try {
            uu.unlockUser(args[4]);
        } finally {
            connector.close();
        }
    }
}
—————————-
We will observe the following in the server logs after executing the code.
<BEA-090022> <Explicitly unlocked, user faisal.>
<BEA-000000> <weblogic.security.service.internal.UserLockoutServiceImpl$ServiceImpl.runtimeClearClockout(faisal)>
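As an added example (not part of the original post), the following Java program scans a server log for the two messages shown above, BEA-090078 (account locked after the threshold was hit) and BEA-090022 (account explicitly unlocked), summarises them per user, and flags any account that was locked more than once in the scanned window. The five log lines embedded in it are constructed for the demonstration in the format of the messages above, not copied from a real server; the class name LockoutLogScan and the "locked more than once" rule are my choices.

```java
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Scans a WebLogic server log for user-lockout events and reports users locked repeatedly. */
public class LockoutLogScan {

    // BEA-090078 is written when the UserLockoutManager locks an account.
    private static final Pattern LOCKED = Pattern.compile(
        "<([^>]*)> <Notice> <Security> <BEA-090078> <User (\\S+) in security realm (\\S+) "
        + "has had (\\d+) invalid login attempts, locking account for (\\d+) minutes\\.>");

    // BEA-090022 is written when an administrator clears the lockout (console or clearLockout()).
    private static final Pattern UNLOCKED = Pattern.compile(
        "<([^>]*)> <[^>]*> <Security> <BEA-090022> <Explicitly unlocked, user (\\S+)\\.>");

    /** Constructed sample lines in the BEA-090078/BEA-090022 format; not taken from a real server. */
    static final List<String> SAMPLE = Arrays.asList(
        "<Jul 25, 2010 12:33:56 PM IST> <Notice> <Security> <BEA-090078> <User faisal in security realm myrealm has had 5 invalid login attempts, locking account for 30 minutes.>",
        "<Jul 25, 2010 12:40:10 PM IST> <Info> <Security> <BEA-090022> <Explicitly unlocked, user faisal.>",
        "<Jul 25, 2010 12:41:02 PM IST> <Notice> <Security> <BEA-090078> <User faisal in security realm myrealm has had 5 invalid login attempts, locking account for 30 minutes.>",
        "<Jul 25, 2010 01:05:44 PM IST> <Notice> <Security> <BEA-090078> <User weblogic in security realm myrealm has had 5 invalid login attempts, locking account for 30 minutes.>",
        "<Jul 25, 2010 01:06:00 PM IST> <Info> <Deployer> <BEA-149059> <unrelated line that must be ignored>");

    /** Per-user summary: how often the account was locked and explicitly unlocked, with lock timestamps. */
    static final class Summary {
        int locks;
        int unlocks;
        final List<String> lockTimes = new ArrayList<String>();
    }

    /** Walks the log lines once and groups lockout/unlock events by user name, in first-seen order. */
    static Map<String, Summary> scan(List<String> lines) {
        Map<String, Summary> byUser = new LinkedHashMap<String, Summary>();
        for (String line : lines) {
            Matcher m = LOCKED.matcher(line);
            if (m.find()) {
                Summary s = byUser.computeIfAbsent(m.group(2), k -> new Summary());
                s.locks++;
                s.lockTimes.add(m.group(1));
                continue;
            }
            m = UNLOCKED.matcher(line);
            if (m.find()) {
                byUser.computeIfAbsent(m.group(2), k -> new Summary()).unlocks++;
            }
        }
        return byUser;
    }

    public static void main(String[] args) throws Exception {
        // First argument: path to the server log; with no argument the embedded sample is scanned.
        List<String> lines = args.length > 0 ? Files.readAllLines(Paths.get(args[0])) : SAMPLE;
        for (Map.Entry<String, Summary> e : scan(lines).entrySet()) {
            Summary s = e.getValue();
            String flag = s.locks > 1
                ? "  <-- locked more than once: guessing still running, or unlocked before the source was found"
                : "";
            System.out.printf("%-12s locked %d time(s) at %s, explicitly unlocked %d time(s)%s%n",
                e.getKey(), s.locks, s.lockTimes, s.unlocks, flag);
        }
    }
}
```

Run it as `java LockoutLogScan /path/to/AdminServer.log`, or with no argument to run over the embedded sample. A user locked again shortly after an explicit unlock is the pattern to chase: either the guessing is still running, or a legitimate user keeps retrying an old password. A lockout of the administrative account deserves an alert of its own, because until it is cleared (or the lockout duration expires) that account cannot log in to the console to clear anything.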
.
.
Thanks
Faisal Khan

August 2nd, 2010 on 4:19 pm
Hi Jay / Faisal,
One serious doubt?
Do you write scripts like the above, or do we have them somewhere pre-defined?
In case you write them, then how do I learn?
Can you help me?
Thanks.
August 2nd, 2010 on 4:45 pm
Hi Arun,
We need to write these kinds of scripts on our own by following the WebLogic MBean APIs: http://download.oracle.com/docs/cd/E12840_01/wls/docs103/wlsmbeanref/core/index.html
We need to find out which MBean we need to achieve what task....
.
.
Keep posting
Thanks
Jay SenSharma
August 2nd, 2010 on 5:40 pm
That's great!!
I think it takes time (a huge amount of time) to pick up and start writing scripts like you do.
Actually I'm very much interested in learning more and more about WebLogic and troubleshooting things easily; your docs have been helping me a lot.
One quick question: I need to improve my Unix also, but I guess we use very few commands for WebLogic. Can you suggest or help me with the Unix commands that would at least be enough to pick up?
Thanks Much!!!
August 27th, 2010 on 1:04 am
Hi.
I have a problem where I need to change the parameter lockoutDuration in WebLogic 9.2.
Message:
The requested attribute is not exposed through JMX: setLockoutDuration
Attribute is readonly. : Security:Name=myrealmUserLockoutManager:LockoutDuration
In the documentation: http://download.oracle.com/docs/cd/E13222_01/wls/docs91/wlsmbeanref/core/index.html
this parameter is read only:
UserLockoutManager
Returns the User Lockout Manager for this security realm.
Factory Methods: No explicit creator method. The child shares the lifecycle of its parent.
Privileges: Read only
Type: UserLockoutManagerMBean
Relationship type: Containment.
Thanks for the help.
Congratulations.
August 27th, 2010 on 5:55 am
Hi,
my problem is that the parameter lockoutDuration is not changed by the method setLockoutDuration when I use JMX.
Attribute is readonly. : Security:Name=myrealmUserLockoutManager:LockoutDuration
at weblogic.management.jmx.modelmbean.WLSModelMBean.setAttribute(WLSModelMBean.java:635).
Can you help me?
August 27th, 2010 on 1:32 pm
Hi,
What is your WLS version?
You can set the lockout duration from UserLockoutManagerMBean:
http://download.oracle.com/docs/cd/E12839_01/apirefs.1111/e13945/weblogic/management/security/authentication/UserLockoutManagerMBean.html
Share your code with us; we will try to fix it.
Thanks,
Faisal
August 27th, 2010 on 8:49 pm
import javax.management.InvalidAttributeValueException;
import javax.naming.Context;
import javax.naming.NamingException;
import br.com.ctbc.util.PropertiesLoaderImpl;
import weblogic.jndi.Environment;
import weblogic.management.MBeanHome;
import weblogic.management.configuration.DomainMBean;
import weblogic.management.configuration.SecurityConfigurationMBean;
import weblogic.management.security.RealmMBean;
import weblogic.management.security.authentication.AuthenticationProviderMBean;
import weblogic.management.security.authentication.UserLockoutManagerMBean;
import weblogic.management.security.authentication.UserPasswordEditorMBean;

@SuppressWarnings("deprecation")
public class ConnectionWeblogic {
    private static ConnectionWeblogic connectweblogicservice;
    private static Environment env = new Environment();
    private UserPasswordEditorMBean passwordEditorMBean = null;
    private UserLockoutManagerMBean lockoutManagerMBean = null;

    protected ConnectionWeblogic() {}

    public UserLockoutManagerMBean ConnectUserPasswordEditorService() {
        env.setProviderURL(PropertiesLoaderImpl.getValor("url"));
        env.setSecurityPrincipal(PropertiesLoaderImpl.getValor("username"));
        env.setSecurityCredentials(PropertiesLoaderImpl.getValor("password"));
        // First get the MBeanHome (deprecated from WLS 9.x onwards)
        Context ctx = null;
        try {
            ctx = env.getInitialContext();
        } catch (NamingException e) {
            e.printStackTrace();
        }
        MBeanHome mbeanHome = null;
        try {
            mbeanHome = (MBeanHome) ctx.lookup(MBeanHome.LOCAL_JNDI_NAME);
        } catch (NamingException e) {
            e.printStackTrace();
        }
        // MBean representing the domain; here it is the domain reached through mbeanHome above.
        DomainMBean domain = mbeanHome.getActiveDomain();
        // Provides the security information of the given domain
        SecurityConfigurationMBean secConf = domain.getSecurityConfiguration();
        RealmMBean realm = secConf.getDefaultRealm();
        // Retrieves the MBeans responsible for security in the given domain
        AuthenticationProviderMBean authenticators[] = realm.getAuthenticationProviders();
        lockoutManagerMBean = realm.getUserLockoutManager();
        return lockoutManagerMBean;
    }

    // Not in the original paste: reconstructed from the call in setLockoutDuration so the class compiles.
    private UserLockoutManagerMBean getConnectionLockout() {
        if (lockoutManagerMBean == null) {
            ConnectUserPasswordEditorService();
        }
        return lockoutManagerMBean;
    }

    // Method invoke.
    public void setLockoutDuration(long lockoutDuration) throws InvalidAttributeValueException {
        UserLockoutManagerMBean ulm = getConnectionLockout();
        //if (ulm.isEditable())
        //System.out.println(ulm.isEditable());
        ulm.setLockoutDuration(lockoutDuration);
    }
}
Thanks a lot.
August 28th, 2010 on 5:00 pm
Excuse me for the many posts; I did not know they had already been sent.
Thanks a lot
August 28th, 2010 on 6:27 pm
Hi Alecomputacao,
I have developed a simple JMX code to change the UserLockoutDuration of the security realm. The code which you pasted is actually old-style JMX code, and the classes you are using, like "MBeanHome", are deprecated from WLS 9.x onwards... so please refer to the following code: http://weblogic-wonders.com/weblogic/2010/08/28/changing-userlockoutduration-using-jmx-9-x-and-above/
.
.
Keep Posting
Thanks
Jay SenSharma
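The "Attribute is readonly" error in this thread comes from the runtime side: the UserLockoutManagerRuntime MBean only reports lockout state, while the configurable values (LockoutEnabled, LockoutThreshold, LockoutDuration, ...) live on the realm's UserLockoutManagerMBean in the Edit MBean server and must be changed inside an edit session. As an added example (my code, not the code from Jay's linked post or anything posted in this thread), the following Java program does that on WLS 9.x and later through the documented ConfigurationManagerMBean startEdit/save/activate sequence. It assumes an Admin Server reachable over t3 at the given host and port and an administrative user; the class name SetLockoutDuration and the 60/120-second edit timeouts are my choices.

```java
import java.util.Hashtable;
import javax.management.Attribute;
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;
import javax.naming.Context;

/**
 * Changes the default realm's LockoutDuration (minutes) through the Edit MBean server.
 * Usage: java SetLockoutDuration <host> <port> <adminUser> <adminPassword> <minutes>
 */
public class SetLockoutDuration {

    public static void main(String[] args) throws Exception {
        if (args.length != 5) {
            System.err.println("Usage: java SetLockoutDuration <host> <port> <adminUser> <adminPassword> <minutes>");
            System.exit(1);
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        long minutes = Long.parseLong(args[4]);

        // Configuration changes go through the Edit MBean server, not the runtime tree:
        // the runtime UserLockoutManager object exposes LockoutDuration read-only.
        JMXServiceURL url = new JMXServiceURL("t3", host, port, "/jndi/weblogic.management.mbeanservers.edit");
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.SECURITY_PRINCIPAL, args[2]);
        env.put(Context.SECURITY_CREDENTIALS, args[3]);
        env.put(JMXConnectorFactory.PROTOCOL_PROVIDER_PACKAGES, "weblogic.management.remote");

        JMXConnector connector = JMXConnectorFactory.connect(url, env);
        try {
            MBeanServerConnection conn = connector.getMBeanServerConnection();
            ObjectName editService = new ObjectName(
                "com.bea:Name=EditService,Type=weblogic.management.mbeanservers.edit.EditServiceMBean");
            ObjectName cfgMgr = (ObjectName) conn.getAttribute(editService, "ConfigurationManager");

            // startEdit(waitTimeInMillis, timeOutInMillis) takes the edit lock and returns the editable DomainMBean.
            ObjectName domain = (ObjectName) conn.invoke(cfgMgr, "startEdit",
                new Object[] { Integer.valueOf(60000), Integer.valueOf(120000) },
                new String[] { "java.lang.Integer", "java.lang.Integer" });
            try {
                // Domain -> SecurityConfiguration -> DefaultRealm -> UserLockoutManager (the configuration MBean).
                ObjectName secCfg = (ObjectName) conn.getAttribute(domain, "SecurityConfiguration");
                ObjectName realm = (ObjectName) conn.getAttribute(secCfg, "DefaultRealm");
                ObjectName ulm = (ObjectName) conn.getAttribute(realm, "UserLockoutManager");

                System.out.println("Before: LockoutEnabled=" + conn.getAttribute(ulm, "LockoutEnabled")
                    + " LockoutThreshold=" + conn.getAttribute(ulm, "LockoutThreshold")
                    + " LockoutDuration=" + conn.getAttribute(ulm, "LockoutDuration"));

                conn.setAttribute(ulm, new Attribute("LockoutDuration", Long.valueOf(minutes)));

                // save() validates the pending change; activate(timeout) commits it to the domain.
                conn.invoke(cfgMgr, "save", null, null);
                conn.invoke(cfgMgr, "activate", new Object[] { Long.valueOf(120000) }, new String[] { "java.lang.Long" });
                System.out.println("After:  LockoutDuration=" + conn.getAttribute(ulm, "LockoutDuration"));
            } catch (Exception e) {
                // Drop the pending change and release the edit lock so other administrators are not blocked.
                conn.invoke(cfgMgr, "undo", null, null);
                conn.invoke(cfgMgr, "stopEdit", null, null);
                throw e;
            }
        } finally {
            connector.close();
        }
    }
}
```

The same walk (Domain, SecurityConfiguration, DefaultRealm, UserLockoutManager) with setAttribute on LockoutThreshold or LockoutEnabled changes the other lockout settings; whichever attribute you change, keep the undo/stopEdit path, because an abandoned edit session leaves the lock held against everyone else until it times out.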
August 28th, 2010 on 7:36 pm
Hi, Jay.
Thanks a lot for help.
I am very grateful for the help.