Userlockout feature of Weblogic Server

To avoid BRUTE FORCE Attacks on Weblogic Server, WLS provides a feature called UserLockout.
As the name implies, we can use this feature to lock users after a certain number of unsuccesull attempts to hack into Weblogic Server.We can also specify the duration for which we want to lock that user and the maximun number of invalid login records to be kept in memory.There are all configurable option from the console.

If we want to gather more information about the user lockout, we can enable the debug from the console.

We can also check the server logs for any invalid attempts.
We will see the a similar debug message.

<Jul 25, 2010 12:33:56 PM IST> <Notice> <Security> <BEA-090078> <User faisal in
security realm myrealm has had 5 invalid login attempts, locking account for 30
minutes.>
<Jul 25, 2010 12:33:56 PM IST> <Notice> <Security> <BEA-090078> <User faisal insecurity realm myrealm has had 5 invalid login attempts, locking account for 30minutes.>

If we want to unlock the user, we can either do it from the console

Or unlock the user from the JMX Code below.
“UnlockWeblogicUser .java”
import java.io.IOException;
import java.net.MalformedURLException;
import java.util.Hashtable;
import javax.management.MBeanServerConnection;
import javax.management.MalformedObjectNameException;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;
import javax.naming.Context;
import weblogic.management.runtime.*;

public class UnlockWeblogicUser {
private static MBeanServerConnection connection;
private static JMXConnector connector;
private static final ObjectName service;
static
{
try {
service=new ObjectName(“com.bea:Name=DomainRuntimeService,
Type=weblogic.management.mbeanservers.domainruntime.DomainRuntimeServiceMBean”);
}
catch (MalformedObjectNameException e)
{
throw new AssertionError(e.getMessage());
}
}

public void unlockUser(String username)
{
try{
ObjectName[] serverRT = (ObjectName[]) connection.getAttribute(service,”ServerRuntimes”);
ObjectName ssr = (ObjectName) connection.getAttribute(serverRT[0],”ServerSecurityRuntime”);
ObjectName rrm = (ObjectName) connection.getAttribute(ssr,”DefaultRealmRuntime”);
ObjectName ulr = (ObjectName) connection.getAttribute(rrm,”UserLockoutManagerRuntime”);
System.out.println(“Unlocking User”);
connection.invoke(ulr,”clearLockout”,new Object[] {username},new String[] {“java.lang.String”});
System.out.println(“User:::”+username+” Unlocked”);
}catch( Exception e){
e.printStackTrace();
}
}

public static void initConnection(String hostname, String portString,String username, String password) throws IOException,MalformedURLException
{
String protocol=”t3?;
Integer portInteger=Integer.valueOf(portString);
int port=portInteger.intValue();
String jndiroot=”/jndi/”;
String mserver=”weblogic.management.mbeanservers.domainruntime”;
JMXServiceURL serviceURL=new JMXServiceURL(protocol, hostname,port, jndiroot + mserver);
Hashtable h=new Hashtable();
h.put(Context.SECURITY_PRINCIPAL, username);
h.put(Context.SECURITY_CREDENTIALS, password);
h.put(JMXConnectorFactory.PROTOCOL_PROVIDER_PACKAGES,”weblogic.management.remote”);
connector=JMXConnectorFactory.connect(serviceURL, h);
connection=connector.getMBeanServerConnection();
}

public static void main(String[] args) throws Exception{
UnlockWeblogicUser uu = new UnlockWeblogicUser();
initConnection(“localhost”, “7001?, “weblogic”, “weblogic123?);
uu.unlockUser(“faisal”);
connector.close();
}
}
—————————-
We will observe the following in the server logs after executing the code.

<BEA-090022> <Explicitly unlocked, user faisal.>
<BEA-000000> <weblogic.security.service.internal.UserLockoutServiceImpl$ServiceImpl.runtimeClearClockout(faisal)>

4 comments

  1. User accounts can become locked as a result of an excessive number of failed login attempts.

    To unlock a user account:

    1. If you have not already done so, in the Change Center of the Administration Console, click Lock & Edit (see Use the Change Center).
    2. In the left pane click the name of the domain.
    3. Select Security > Unlock User.
    4. Enter the user name of the user whose account you want to unlock.
    5. Click Save.

  2. Here is the stack trace you get when the user is locked :
    javax.security.auth.login.LoginException
    at weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.login(WLSJAASLoginServiceImpl.java:122)
    at com.bea.common.security.internal.service.JAASAuthenticationServiceImpl.authenticate(JAASAuthenticationServiceImpl.java:82)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:601)
    at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
    at $Proxy34.authenticate(Unknown Source)
    at weblogic.security.service.WLSJAASAuthenticationServiceWrapper.authenticate(WLSJAASAuthenticationServiceWrapper.java:40)
    at weblogic.security.service.PrincipalAuthenticator.authenticate(PrincipalAuthenticator.java:338)
    at weblogic.servlet.security.CSSServletSecurityServices$CSSApplicationServices.authenticate(CSSServletSecurityServices.java:312)
    at weblogic.servlet.security.internal.AbstractAppSecurity.authenticateAndSaveCredential(AbstractAppSecurity.java:60)
    at weblogic.servlet.security.internal.SecurityModule.checkAuthenticate(SecurityModule.java:211)
    at weblogic.servlet.security.internal.SecurityModule.checkAuthenticate(SecurityModule.java:166)
    at weblogic.servlet.security.internal.BasicSecurityModule.checkUserPerm(BasicSecurityModule.java:73)
    at weblogic.servlet.security.internal.SecurityModule.checkAccess(SecurityModule.java:95)
    at weblogic.servlet.security.internal.SecurityModule.isAuthorized(SecurityModule.java:543)
    at weblogic.servlet.security.internal.WebAppSecurity.checkAccess(WebAppSecurity.java:499)
    at weblogic.servlet.security.internal.WebAppSecurity.checkAccess(WebAppSecurity.java:463)
    at weblogic.servlet.internal.WebAppServletContext.doSecuredExecute(WebAppServletContext.java:2119)
    at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2089)
    at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2074)
    at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1513)
    at weblogic.servlet.provider.ContainerSupportProviderImpl$WlsRequestExecutor.run(ContainerSupportProviderImpl.java:254)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)

  3. Hello,

    Im getting the below error when I compile the above code..
    Error(15,1): package weblogic.management.runtime does not exist

    Thanks

Comments are closed.