Provide access to #WebLogic DMS Spy Servlet for readonly users

For security reasons and to prevent the configuration drift it is recommendable to use read only for analyzing problems.

For read only access of configuration and logs WebLogic provides out of the box the group Monitors. Unfortunately you cannot access DMS Spy Servlet with this group, which is useful for analyse runtime values of the server. Only users which belongs to the Administrators group and therefore have full access can access DMS Spy Servlet and this is not configurable in WebLogic by default.

Here you can see how to add groups on linux to the DMS Spy Servlet deployment:

pushd $ORACLE_HOME/oracle_common/modules/oracle.dms
cp dms.war dms.war.`date +%y.%m.%d.%H:%M`
unzip dms.war WEB-INF/weblogic.xml
sed -i '/Monitors/d' WEB-INF/weblogic.xml
sed -i '/^         <principal-name>Administrators<\/principal-name>$/a\         <principal-name>Monitors<\/principal-name>' WEB-INF/weblogic.xml
zip dms.war WEB-INF/weblogic.xml
rm -r WEB-INF
popd

Following is the responsible snippet in weblogic.xml before:

     <security-role-assignment>
         <role-name>Admin</role-name>
         <principal-name>Administrators</principal-name>
     </security-role-assignment>

and after modification:

     <security-role-assignment>
         <role-name>Admin</role-name>
         <principal-name>Administrators</principal-name>
         <principal-name>Monitors</principal-name>
     </security-role-assignment>

After this modification you have to restart the WebLogic Server.

That’s it!

Advertisements

, , , ,

  1. Leave a comment

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: