Covering J2EE Security and WebLogic Topics

Using Audit Logs to Make Scripting Easier

Scripting configuration settings in WebLogic is fairly straight-forward. You’d typically use the WebLogic Scripting Tool (WLST) or weblogic.Admin* to create and delete MBeans in the server. You can also set properties and invoke MBean methods. While the tools are easy to use, finding the MBeans and the properties you want to use can be time-consuming.

Here’s a little trick I discovered that makes the process a little easier. In WebLogic Auditing, I show how you can use auditing to track configuration changes in the server. That can be very handy. What I realized later was that this logging could be leveraged for MBean discovery. How? With Configuration by Example (CBE).

CBE is admittedly a lame attempt at humor, but it does seem to be an apt description. The reason is that CBE works by manually making the change in WebLogic console for what you want to script and then observing how it did it.

For example, let’s say you want to set the server to production mode in a script. It’s easy enough to do in the console but you might not know where to start looking for the MBean and applicable property. With configuration auditing enabled, simply make the change in the console and observe the entry in the audit log. Here’s an example of what it looks like in the log:

#### Audit Record Begin <Jul 20, 2006 10:01:03 PM> <Severity =SUCCESS> <<<Event Type = SetAttribute Configuration Audit Event><Subject = Subject: 3
Principal = class weblogic.security.principal.WLSUserImpl(“weblogic”)
Principal = class weblogic.security.principal.WLSGroupImpl(“Administrators”)
><Object = AppSec:Name=AppSec,Type=Domain><Attribute = ProductionModeEnabled><From = false><To = true>>> Audit Record End ####

From this entry, you can see that the MBean name is AppSec:Name=AppSec,Type=Domain and the property to set is ProductionModeEnabled. Scripting this change is now a breeze since you have the MBean’s name, property, and value to set it to.

Extra Tips

  • Set the auditing severity to SUCCESS to eliminate a lot of chaff
  • In Unix, tail the audit log for streamlined access
  • Use the Help (question mark) link on the console page for MBean types and property value ranges (not all pages have this data)
  • If you want to refer to the JavaDocs for the MBean, simply add "MBean" to the Type. In the example above, the MBean would be DomainMBean.

* The weblogic.Admin approach is deprecated in WebLogic 9.

Security Debugging in WebLogic 9

The technique for getting debug information from the WebLogic security framework changed in WebLogic 9.x. In fact, BEA has made setting debug flags easier across the entire server.

In the console, navigate to

Servers -> AdminServer -> Debug

and note all of the goodies for which you can get debug information.

Getting back to the security framework, continue navigating to

weblogic -> security

and enable debugging for your areas of interest. Debug output is immediate after you activate the changes.

Thanks to Marky Middleton on the BEA forums for the tip!

Read Security Realm Logging in WebLogic 8.1 if you want debug output from an 8.1 server.

 

Bookmark this page on del.icio.us