Managing User and Groups Using WLST Scripts | Weblogic

Oracle Weblogic Server

Creating a User

To create a user, invoke the UserEditorMBean.createUser method, which is extended by the security realm’s AuthenticationProvider MBean.

The method requires three input parameters:
username password user-description

WLST cannot invoke this command from the edit hierarchy, but it can invoke the command from the serverConfig or domainConfig hierarchy.The following WLST online script invokes createUser on the default authentication provider.

from weblogic.management.security.authentication import UserEditorMBean
print "Creating a user ..."
atnr=cmo.getSecurityConfiguration().getDefaultRealm().lookupAuthenticationProvider("DefaultAuthenticator")
atnr.createUser('my_user','my_password','new_admin')
print "Created user successfully"

Adding a User to a Group

To add a user to a group, invoke the GroupEditorMBean.addMemberToGroup method, which is extended by the security realm’s AuthenticationProvider MBean.

The method requires two input parameters:
groupname username
WLST cannot invoke this command from the edit hierarchy, but it can invoke the command from the serverConfig or domainConfig hierarchy.
The following WLST online script invokes addMemberToGroup on the default Authentication Provider.

from weblogic.management.security.authentication import GroupEditorMBean
print "Adding a user ..."
atnr=cmo.getSecurityConfiguration().getDefaultRealm().lookupAuthenticationProvider("DefaultAuthenticator")
atnr.addMemberToGroup('Administrators','my_user')
print "Done adding a user"

Verifying Whether a User Is a Member of a Group

To verify whether a user is a member of a group, invoke the GroupEditorMBean.isMember method, which is extended by the security realm’s AuthenticationProvider MBean. The method requires three input parameters:

groupname username boolean

where boolean specifies whether the command searches within child groups. If you specify true, the command returns true if the member belongs to the group that you specify or to any of the groups contained within that group.

from weblogic.management.security.authentication import GroupEditorMBean
print "Checking if isMember of a group ... "
atnr=cmo.getSecurityConfiguration().getDefaultRealm().lookupAuthenticationProvider("DefaultAuthenticator")
if atnr.isMember('Administrators','my_user',true) == 0:
print "my_user is not member of Administrators"
else:
print "my_user is a member of Administrators"

Listing Groups to Which a User Belongs

To see a list of groups that contain a user or a group, invoke the MemberGroupListerMBean.listMemberGroups method, which is extended by the security realm’s AuthenticationProvider MBean.

The method requires one input parameter:

memberUserOrGroupName

where memberUserOrGroupName specifies the name of an existing user or a group.

from weblogic.management.security.authentication import MemberGroupListerMBean
print "Listing the member groups ..."
atnr=cmo.getSecurityConfiguration().getDefaultRealm().lookupAuthenticationProvider("DefaultAuthenticator")
x = atnr.listMemberGroups('my_user')
print x

 

Listing Users and Groups in a Security Realm

 

To see a list of user or group names, you invoke a series of methods, all of which are available through the AuthenticationProvider interface:

The GroupReaderMBean.listGroups and UserReaderMBean.listUsers methods take two input parameters: a pattern of user or group names to search for, and the maximum number of names that you want to retrieve.

Because a security realm can contain thousands (or more) of user and group names that match the pattern, the methods return a cursor, which refers to a list of names.

The NameLister.haveCurrent, getCurrentName, and advance operations iterate through the returned list and retrieve the name to which the current cursor position refers.

The NameLister.close operation releases any server-side resources that are held on behalf of the list.

from weblogic.management.security.authentication import UserReaderMBean
from weblogic.management.security.authentication import GroupReaderMBean
realm=cmo.getSecurityConfiguration().getDefaultRealm()
atns = realm.getAuthenticationProviders()
for i in atns:
if isinstance(i,UserReaderMBean):
userReader = i
cursor = i.listUsers("*",0)
print 'Users in realm '+realm.getName()+' are: '
while userReader.haveCurrent(cursor):
print userReader.getCurrentName(cursor)
userReader.advance(cursor)
userReader.close(cursor)
for i in atns:
if isinstance(i,GroupReaderMBean):
groupReader = i
cursor = i.listGroups("*",0)
print 'Groups in realm are: '
while groupReader.haveCurrent(cursor):
print groupReader.getCurrentName(cursor)
groupReader.advance(cursor)
groupReader.close(cursor)

Changing a Password

To change a user’s password, invoke the UserPasswordEditorMBean.changeUserPassword method, which is extended by the security realm’s AuthenticationProvider MBean.

The following WLST online script invokes changeUserPassword on the default Authentication Provider

from weblogic.management.security.authentication import UserPasswordEditorMBean
print "Changing password ..."
atnr=cmo.getSecurityConfiguration().getDefaultRealm().lookupAuthenticationProvider("DefaultAuthenticator")
atnr.changeUserPassword('my_user','my_password','new_password')
print "Changed password successfully"

Protecting User Accounts in a Security Realm

The UserLockoutManagerMBean provides a set of attributes to protect user accounts from intruders. By default, these attributes are set for maximum protection. You can decrease the level of protection for user accounts. For example, you can increase the number of login attempts before a user account is locked, increase the time period in which invalid login attempts are made before locking the user account, or change the amount of time a user account is locked.

The following tasks provide examples for invoking UserLockoutManagerMBean methods:

— “Set Consecutive Invalid Login Attempts”
— “Unlock a User Account”

Note that because these tasks edit MBean attributes, WLST must connect to the Administration Server, navigate to the edit hierarchy, and start an edit session.

Set Consecutive Invalid Login Attempts

The following WLST online script sets the number of consecutive invalid login attempts before a user account is locked out.

from weblogic.management.security.authentication import UserLockoutManagerMBean
edit()
startEdit()
#You have two choices for getting a user lockout manager to configure
# 1 - to configure the default realm's UserLockoutManager:
ulm=cmo.getSecurityConfiguration().getDefaultRealm().getUserLockoutManager()
# 2 - to configure another realm's UserLockoutManager:
#ulm=cmo.getSecurityConfiguration().lookupRealm("anotherRealm").getUserLockoutManager()
ulm.setLockoutThreshold(3)
save()
activate()

Unlock a User Account

The following WLST online script unlocks a user account.

from weblogic.management.security.authentication import UserLockoutManagerMBeanserverRuntime()
ulm=cmo.getServerSecurityRuntime().getDefaultRealmRuntime().getUserLockoutManagerRuntime()
#note1 : You can only manage user lockouts for the default realm starting from when the server was booted (versus other non-active realms).
#note2 : If the default realm's user lockout manager's LockoutEnabled attribute is false, then the user lockout manager’s runtime MBean will be null.
#That is, you can only manage user lockouts in the default realm if its user lockout manager is enabled.
if ulm != None:
ulm.clearLockout("myuser")

 

 

 

 

In case of any ©Copyright or missing credits issue please check CopyRights page for faster resolutions.

1 Response

  1. Dharmendra says:

    Hi,

    Can you please provide me complete WLST script for creating user and adding to admin group.

Leave a Reply