MBean Authorization and Creating JMX Policies

Other than the users with admin role, no other user can access and monitor weblogic resources. But sometimes it is important that even the users with the monitor, operator roles should be able to monitor the resources.

By default this feature is not available, but we can create JMX policies to grant access to monitors, operators and deployers of the resources.

For example : If a user with the role monitor logs into the console and tries to access the messages in the JMS queues, he will not be able to do it because of the permissions. Below error will be thrown on the admin console:

Error weblogic.management.NoAccessRuntimeException: Access not allowed for subject: principals=[divya, Operators, Monitors, Deployers], on ResourceType: JMSDestinationRuntime Action: execute, Target: getMessages

This means the user divya with the roles Operator, Monitor and Deployer does not have privileges to access JMSDentinationRuntime MBean, cannot view the messages in the JMS queue. We need to give privileges to the user divya by creating JMX policies as below:

–    Log into the admin console with the admin credentials.
–    Go to Security Realms
–    Select the name of the realm that you want to control access to MBeans (for example, myrealm)
–    Go to configurations -> General tab.
–    Check the box for Use Authorization Providers to Protect JMX Access. (Enable it)

–    Now go to the tab Roles and Policies -> Realm Policies
–    Click on the link JMX Policy Editor

– The next screen will give you an option of selecting policy.
– If you want a policy that applies to all instances of a WebLogic Server MBean, select the radio button next to Global Scope. Then click the Next button.

– If you want a policy that applies only to the MBean instance that is used to manage a specific deployment or system resource:
1)  In the Scope column, expand the category name that describes the type of deployment or resource you want to secure.
2)  Select the radio button next to the deployment or resource you want to secure. Then click the Next button.

–    Select global scope so that the policy applies to all instances

Click on next.
– If you want a policy that applies to all instances of all MBeans in the scope that you selected on the previous page, select the radio button next to All MBean Types. Then click the Next button.

– If you want a policy that applies only to a specific MBean instance, in the MBean Type column, expand the categories of MBeans until you find the MBean. We can expand weblogic.management.runtime and select JMSDestinationRuntimeMBean for having the privileges to access the JMS queue, or select All MBean Types.

Click next.

–    To control read access for a specific non-encrypted attribute (applicable only if you selected a specific MBean to secure), expand the Attributes: Permission to Read category and select the attribute and select it.
–    To control write access for a specific non-encrypted attribute (applicable only if you selected a specific MBean to secure), expand the Attributes: Permission to Write category and select the attribute and select it.
–    To control write or read access for encrypted attributes, expand the Encrypted Attributes: Permission to Read or Encrypted Attributes: Permission to Write category and select the attribute and select it.
–    To control access to a specific operation (applicable only if you selected a specific MBean to secure), expand the Operations: Permission to Invoke category and select the operation.
–    To control access to lookup operations (which enable clients to find this MBean’s child MBeans) select the Lookup Operations: Permission to Invoke category or a specific lookup operation in the category.

For all MBean Typees, select Operations: Permission to Invoke

–    Click on Create Policy.
–    Click on “Add Condition” Button under Policy Conditions.
–    Click on Next, leave the Role in Predicate List field.
–    Add the “Admin” & “Monitor” Roles in “Role Argument Name” field.

–    Click on Finish and then on Save.

Now log out of the console and login with the credentials of the user for which you have created the policy. Try to check the messages in the JMS queues, they will now be accessible.

If you face any issues in configuring the policies, or have any doubts or issues, do let us know.

Best Regards.

20 comments

  1. Great article. I have the following question regarding security policy on individual JMS queues. Not sure if this is the right place to post but here goes. I am creating a security policy on a JMS module with WLST using

    atzr=cmo.getSecurityConfiguration().getDefaultRealm().lookupAuthorizer(“XACMLAuthorizer”)
    atzr.createPolicy(‘type=, application=’+JMSModuleName,’Usr(‘+newUser+’)’)

    This part is working as expected. The problem is when I am trying to create a policy on an individual queue for “BROWSE”/”SEND”/”RECEIVE” methods

    atzr=cmo.getSecurityConfiguration().getDefaultRealm().lookupAuthorizer(“XACMLAuthorizer”)
    atzr.createPolicy(‘type=, application=’+JMSModuleName+’, destinationType=queue, resource=’+distributedQueueName+’,action=’+queueAction,’Usr(‘+newUser+’)’)

    The script doesn’t return any error but the policy is also not created. What am I missing here? Thanks in advance.

  2. Hi,

    we have a weblogic 9.2mp3 environment with around 40 apps in different clusters owned by different developers.we need to provide access to developers to the apps they own only like( if we add monitor group to developer id he gets read access to all the apps owned by all developers or if we add deployer group to developer id he gets read,write access to all apps owned by all developers which is not the solution i want).can we customize roles like a developer id can read or write the apps which he owns only and he cant read other apps for example in deployments or jdbc or jms modules.Please help me out.Thanks in advance.

    Smitha mirugule.

  3. Hi,

    I am trying to create a policy for deployments.

    I want user1 to Admin access and have complete control of app1.

    I want user2 to access and have complete control of app2.

    User1 cannot access app2 and vice versa…

    I tried a lot but then i am only able to monitor them … please help

  4. Hi All,

    I am facing the terrible problem with this error in weblogic 10.3.
    I am trying to invoke the mbean operation called changePasswords. I created a webservice here is the code to access the mbean operation.
    Code below.
    —————————-
    JMXServiceURL serviceUrl =
    new JMXServiceURL(
    “service:jmx:iiop://196.40.124.97:7001/jndi/weblogic.management.mbeanservers.runtime”);
    Hashtable env = new Hashtable();

    // env.put(JMXConnectorFactory.PROTOCOL_PROVIDER_PACKAGES,
    // “weblogic.management.remote”);

    env.put(javax.naming.Context.SECURITY_PRINCIPAL, “admin”);
    env.put(javax.naming.Context.SECURITY_CREDENTIALS,”admin”);

    // jmxCon = JMXConnectorFactory.newJMXConnector(serviceUrl,env);
    jmxCon = JMXConnectorFactory.connect(serviceUrl,env);
    jmxCon.connect();
    MBeanServerConnection mbs = jmxCon.getMBeanServerConnection();
    ObjectName securityMBeanName = new ObjectName(“Security:Name=myrealmDefaultAuthenticator”);
    Object[] objuser = new Object[] {(userId), (Oldpassword), (newPassword) };
    String[] objstr = new String[] {(“String”), (“String”), (“String”) };

    try {
    mbs.invoke(securityMBeanName,”changeUserPassword”,objuser,objstr);

    }

    Error details:
    —————–
    [Management:141102]Subject: principals=[] does not have access to perform Admin actions.

    1. It seems that the username / password passed is not having admin privileges.

      You can try using the WebLogic admin user to invoke the admin rights.

      env.put(javax.naming.Context.SECURITY_PRINCIPAL, “admin”);
      env.put(javax.naming.Context.SECURITY_CREDENTIALS,”admin”);

      Also check if there are any typo errors in there.

      Cheers,
      Anandraj

  5. Hi Admin,

    We have followed the same steps as you described by you above.Its working in all the environments but throwing error in one of the environment.

    The user iam trying to browse message on the queue is an Administrator user and added the administrator user to JMX policies.Please share your thoughts on this.
    Here is the error log:

    weblogic.management.NoAccessRuntimeException: Access not allowed for subject: principals=[tvijay, Administrators, IntegrationAdministrators, AdminChannelUsers], on Resource weblogic.management.runtime.JMSDestinationRuntimeMBean Operation: invoke , Target: getItems
    at weblogic.rmi.internal.ServerRequest.sendReceive(ServerRequest.java:205)
    at weblogic.rmi.internal.BasicRemoteRef.invoke(BasicRemoteRef.java:222)
    at javax.management.remote.rmi.RMIConnectionImpl_1030_WLStub.invoke(Unknown Source)
    at javax.management.remote.rmi.RMIConnector$RemoteMBeanServerConnection.invoke(RMIConnector.java:978)
    at weblogic.management.jmx.MBeanServerInvocationHandler.doInvoke(MBeanServerInvocationHandler.java:544)
    at weblogic.management.jmx.MBeanServerInvocationHandler.invoke(MBeanServerInvocationHandler.java:380)
    at $Proxy148.getItems(Unknown Source)
    at com.bea.console.taglib.html.metadata.JMSMessageTableMetaData.getRows(JMSMessageTableMetaData.java:65)
    at com.bea.console.taglib.html.CursoredTableTag.registerDataSet(CursoredTableTag.java:116)
    at com.bea.console.taglib.html.CursoredTableTag.doEndTag(CursoredTableTag.java:70)
    at jsp_servlet._jsp._jms._message.__jmsmessagetable._jsp__tag8(__jmsmessagetable.java:582)
    at jsp_servlet._jsp._jms._message.__jmsmessagetable._jsp__tag7(__jmsmessagetable.java:453)
    at jsp_servlet._jsp._jms._message.__jmsmessagetable._jspService(__jmsmessagetable.java:205)
    at weblogic.servlet.jsp.JspBase.service(JspBase.java:34)
    at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
    at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
    at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292)
    at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:175)
    at weblogic.servlet.internal.RequestDispatcherImpl.invokeServlet(RequestDispatcherImpl.java:505)
    at weblogic.servlet.internal.RequestDispatcherImpl.include(RequestDispatcherImpl.java:432)
    at org.apache.beehive.netui.pageflow.scoping.internal.ScopedRequestDispatcher.include(ScopedRequestDispatcher.java:119)
    at com.bea.netuix.servlets.controls.content.JspContent.beginRender(JspContent.java:552)
    at com.bea.netuix.servlets.controls.content.NetuiContent.beginRender(NetuiContent.java:365)
    at com.bea.netuix.nf.ControlLifecycle$7.visit(ControlLifecycle.java:485)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursiveRender(ControlTreeWalker.java:518)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursiveRender(ControlTreeWalker.java:529)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursiveRender(ControlTreeWalker.java:529)
    at com.bea.netuix.nf.ControlTreeWalker.walk(ControlTreeWalker.java:220)
    at com.bea.netuix.nf.Lifecycle.processLifecycles(Lifecycle.java:395)
    at com.bea.netuix.nf.Lifecycle.processLifecycles(Lifecycle.java:361)
    at com.bea.netuix.nf.Lifecycle.processLifecycles(Lifecycle.java:352)
    at com.bea.netuix.nf.Lifecycle.run(Lifecycle.java:326)
    at com.bea.netuix.nf.UIControl.render(UIControl.java:582)
    at com.bea.netuix.servlets.controls.PresentationContext.render(PresentationContext.java:486)
    at com.bea.netuix.servlets.util.RenderToolkit.renderChild(RenderToolkit.java:146)
    at com.bea.netuix.servlets.jsp.taglib.skeleton.Child.doTag(Child.java:63)
    at jsp_servlet._framework._skeletons._wlsconsole.__nolayout._jspService(__nolayout.java:119)
    at weblogic.servlet.jsp.JspBase.service(JspBase.java:34)
    at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
    at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
    at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292)
    at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:175)
    at weblogic.servlet.internal.RequestDispatcherImpl.invokeServlet(RequestDispatcherImpl.java:505)
    at weblogic.servlet.internal.RequestDispatcherImpl.include(RequestDispatcherImpl.java:432)
    at com.bea.netuix.servlets.controls.application.laf.JspTools.renderJsp(JspTools.java:130)
    at com.bea.netuix.servlets.controls.application.laf.JspControlRenderer.beginRender(JspControlRenderer.java:72)
    at com.bea.netuix.servlets.controls.application.laf.PresentationControlRenderer.beginRender(PresentationControlRenderer.java:65)
    at com.bea.netuix.nf.ControlLifecycle$7.visit(ControlLifecycle.java:481)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursiveRender(ControlTreeWalker.java:518)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursiveRender(ControlTreeWalker.java:529)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursiveRender(ControlTreeWalker.java:529)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursiveRender(ControlTreeWalker.java:529)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursiveRender(ControlTreeWalker.java:529)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursiveRender(ControlTreeWalker.java:529)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursiveRender(ControlTreeWalker.java:529)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursiveRender(ControlTreeWalker.java:529)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursiveRender(ControlTreeWalker.java:529)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursiveRender(ControlTreeWalker.java:529)
    at com.bea.netuix.nf.ControlTreeWalker.walk(ControlTreeWalker.java:220)
    at com.bea.netuix.nf.Lifecycle.processLifecycles(Lifecycle.java:395)
    at com.bea.netuix.nf.Lifecycle.processLifecycles(Lifecycle.java:361)
    at com.bea.netuix.nf.Lifecycle.processLifecycles(Lifecycle.java:352)
    at com.bea.netuix.nf.Lifecycle.run(Lifecycle.java:326)
    at com.bea.netuix.nf.UIControl.render(UIControl.java:582)
    at com.bea.netuix.servlets.controls.PresentationContext.render(PresentationContext.java:486)
    at com.bea.netuix.servlets.util.RenderToolkit.renderChild(RenderToolkit.java:146)
    at com.bea.netuix.servlets.jsp.taglib.skeleton.Child.doTag(Child.java:63)
    at jsp_servlet._framework._skeletons._wlsconsole.__twocollayout._jspService(__twocollayout.java:205)
    at weblogic.servlet.jsp.JspBase.service(JspBase.java:34)
    at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
    at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
    at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292)
    at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:175)
    at weblogic.servlet.internal.RequestDispatcherImpl.invokeServlet(RequestDispatcherImpl.java:505)
    at weblogic.servlet.internal.RequestDispatcherImpl.include(RequestDispatcherImpl.java:432)
    at com.bea.netuix.servlets.controls.application.laf.JspTools.renderJsp(JspTools.java:130)
    at com.bea.netuix.servlets.controls.application.laf.JspControlRenderer.beginRender(JspControlRenderer.java:72)
    at com.bea.netuix.servlets.controls.application.laf.PresentationControlRenderer.beginRender(PresentationControlRenderer.java:65)
    at com.bea.netuix.nf.ControlLifecycle$7.visit(ControlLifecycle.java:481)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursiveRender(ControlTreeWalker.java:518)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursiveRender(ControlTreeWalker.java:529)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursiveRender(ControlTreeWalker.java:529)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursiveRender(ControlTreeWalker.java:529)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursiveRender(ControlTreeWalker.java:529)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursiveRender(ControlTreeWalker.java:529)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursiveRender(ControlTreeWalker.java:529)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursiveRender(ControlTreeWalker.java:529)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursiveRender(ControlTreeWalker.java:529)
    at com.bea.netuix.nf.ControlTreeWalker.walk(ControlTreeWalker.java:220)
    at com.bea.netuix.nf.Lifecycle.processLifecycles(Lifecycle.java:395)
    at com.bea.netuix.nf.Lifecycle.processLifecycles(Lifecycle.java:361)
    at com.bea.netuix.nf.Lifecycle.runOutbound(Lifecycle.java:208)
    at com.bea.netuix.nf.Lifecycle.run(Lifecycle.java:162)
    at com.bea.netuix.servlets.manager.UIServlet.runLifecycle(UIServlet.java:388)
    at com.bea.netuix.servlets.manager.UIServlet.doPost(UIServlet.java:258)
    at com.bea.netuix.servlets.manager.UIServlet.service(UIServlet.java:199)
    at com.bea.netuix.servlets.manager.SingleFileServlet.service(SingleFileServlet.java:251)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
    at com.bea.console.utils.MBeanUtilsInitSingleFileServlet.service(MBeanUtilsInitSingleFileServlet.java:54)
    at weblogic.servlet.AsyncInitServlet.service(AsyncInitServlet.java:130)
    at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
    at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
    at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292)
    at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
    at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
    at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3496)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
    at weblogic.security.service.SecurityManager.runAs(Unknown Source)
    at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2180)
    at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2086)
    at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1406)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)

    1. Kindly enable SecurityATN and SecurityATZ debug on Weblogic and check the log files.

      Server > Debug > expand weblogic > expand security > enable SecurityATN and SecurityATZ

  6. on the same topic, see Oracle Doc “WebLogic Server: Error When Attempting to View JMS Messages in Admin Console: Access not allowed for subject (Doc ID 1327324.1)”

  7. Hello,
    Weblogic creates some Mbeans by itself for some operations. for example, invoking port of webservice from clients. I want to unregister such Mbeans before stopping the application from weblogic console. But it gives “NoAccess” Exception.
    I tried to edit the JMX policies and gave “rights” to everyone for unregister operation. Still I am not able to unregister. Please advise.
    Regards

  8. Hi Admin,

    I am facing a problem wherein we are using Hyperic agent (monitoring tool) to read the values of JMX Beans. Have encountered the below exception :

    <USER service.user INVOKED ON com.bea:Name=ConfigurationManager,Type=weblogic.management.mbeanservers.edit.ConfigurationManagerMBean METHOD haveUnactivatedChanges PARAMS FAILED weblogic.management.NoAccessRuntimeException: Access not allowed for subject: principals=[service.user], on ResourceType: weblogic.management.mbeanservers.edit.ConfigurationManagerMBean Action: execute, Target: haveUnactivatedChanges
    weblogic.management.NoAccessRuntimeException: Access not allowed for subject: principals=[service.user], on ResourceType: weblogic.management.mbeanservers.edit.ConfigurationManagerMBean Action: execute, Target: haveUnactivatedChanges

    Seems like the agent did not had privileges to access the MBean Server.

    My problem is that the agent tries to connect to the JMX Sever very frequently, 3 to 4 times in a second. The Weblogic console itself collapses whenever we start the agent.

    So is the Weblogic console getting affected due to high frequency of tries to connect to the server or because of incorrect credentials ?

    Please Advise.

Leave a Reply