{"id":17168,"date":"2022-04-28T12:03:55","date_gmt":"2022-04-28T10:03:55","guid":{"rendered":"https:\/\/www.dbi-services.com\/blog\/how-to-allow-users-having-monitoring-role-to-view-and-manage-messages-in-weblogic-jms-queues\/"},"modified":"2024-09-10T17:29:17","modified_gmt":"2024-09-10T15:29:17","slug":"how-to-allow-users-having-monitoring-role-to-view-and-manage-messages-in-weblogic-jms-queues","status":"publish","type":"post","link":"https:\/\/www.dbi-services.com\/blog\/how-to-allow-users-having-monitoring-role-to-view-and-manage-messages-in-weblogic-jms-queues\/","title":{"rendered":"How to allow users having monitoring role to view and manage messages in WebLogic JMS queues."},"content":{"rendered":"

Recently I got the request to provide JMS Queues monitoring access to a group of users with the privileges to view and manage de messages in the queues. This can be done through the WebLogic console but for this customer, all is done via ansible scripts. Thus I had to find a scripting solution. <\/p>\n

I followed the Oracle documentation<\/a> to create the policy.<\/p>\n

Extract of the WLST code:<\/p>\n

\ntry:\n   print \"applying JMS access policy for domain\", domainName\n   xacmlFile = open('XACMLAuthorizer.xml','r')\n   xacmlDoc = xacmlFile.read()\n   print(xacmlDoc)\n   print \"cd('\/SecurityConfiguration\/\" + domainName + \"\/DefaultRealm\/myrealm\/Authorizers\/XACMLAuthorizer')\"\n   cd('\/SecurityConfiguration\/' + domainName + '\/DefaultRealm\/myrealm\/Authorizers\/XACMLAuthorizer')\n   print \"add policy\"\n   cmo.addPolicy(xacmlDoc)\n   print \"done applying policy\"\n   return True\nexcept Exception, inst:\n   print inst\n   print sys.exc_info()[0]\n   dumpStack()\n   sys.stderr.write(\"unable to apply JMS access policy for domain \" + domainName)\n   return False\n<\/pre>\n
The XACMLAuthorizer.xml policy file:<\/p>\n
\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<Policy PolicyId=\"urn:bea:xacml:2.0:entitlement:resource:type@E@Fjmx@G@M@Ooperation@Einvoke@M@Oapplication@E@M@OmbeanType@Eweblogic.management.runtime.JMSDestinationRuntimeMBean\" RuleCombiningAlgId=\"urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable\">\n  <Description>Rol(Admin,MonitorJMSQueues)type=&lt;jmx&gt;, operation=invoke, application=, mbeanType=weblogic.management.runtime.JMSDestinationRuntimeMBean<\/AttributeValue>\n          <ResourceAttributeDesignator AttributeId=\"urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor-or-self\" DataType=\"http:\/\/www.w3.org\/2001\/XMLSchema#string\" MustBePresent=\"true\"\/>\n        <\/ResourceMatch>\n      <\/Resource>\n    <\/Resources>\n  <\/Target>\n  <Rule RuleId=\"primary-rule\" Effect=\"Permit\">\n    <Condition>\n      <Apply FunctionId=\"urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of\">\n        <Apply FunctionId=\"urn:oasis:names:tc:xacml:1.0:function:string-bag\">\n          <AttributeValue DataType=\"http:\/\/www.w3.org\/2001\/XMLSchema#string\">Admin<\/AttributeValue>\n          <AttributeValue DataType=\"http:\/\/www.w3.org\/2001\/XMLSchema#string\">MonitorJMSQueues<\/AttributeValue>\n        <\/Apply>\n        <SubjectAttributeDesignator AttributeId=\"urn:oasis:names:tc:xacml:2.0:subject:role\" DataType=\"http:\/\/www.w3.org\/2001\/XMLSchema#string\"\/>\n      <\/Apply>\n    <\/Condition>\n  <\/Rule>\n  <Rule RuleId=\"deny-rule\" Effect=\"Deny\"\/>\n<\/Policy>\n<\/pre>\n
The script works fine but I get the following error when trying to see the messages stored in the JMS Queue. <\/p>\n

\n<Administration Console encountered the following error:
\nweblogic.management.NoAccessRuntimeException: Access not allowed for subject:
\nprincipals=[<LIST-OF-PRINCIPALS],
\non Resource weblogic.management.runtime.JMSDestinationRuntimeMBeanOperation: invoke , Target: getMessages
\nat weblogic.rmi.internal.ServerRequest.sendReceive(ServerRequest.java:295)
\nat weblogic.rmi.internal.BasicRemoteRef.invoke(BasicRemoteRef.java:299)
\nat javax.management.remote.rmi.RMIConnectionImpl_12214_WLStub.invoke(UnknownSource)
\nat javax.management.remote.rmi.RMIConnector$RemoteMBeanServerConnection.invoke(RMIConnector.java:1020)
\nat sun.reflect.GeneratedMethodAccessor154.invoke(Unknown Source)
\nat sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
\nat java.lang.reflect.Method.invoke(Method.java:498)
\nat weblogic.management.remote.wlx.ClientProvider$WLXRMIConnectorWrapper$1$1.call(ClientProvider.java:715)
\nat weblogic.invocation.ComponentInvocationContextManager._runAs(ComponentInvocationContextManager.java:287)
\nat weblogic.invocation.ComponentInvocationContextManager.runAs(ComponentInvocationContextManager.java:272)
\nat weblogic.management.remote.wlx.ClientProvider$WLXRMIConnectorWrapper$1.invoke(ClientProvider.java:709)
\nat com.sun.proxy.$Proxy115.invoke(Unknown Source)
\nat sun.reflect.GeneratedMethodAccessor154.invoke(Unknown Source)
\nat sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
\nat java.lang.reflect.Method.invoke(Method.java:498)
\nat weblogic.management.remote.wlx.ClientProvider$WLXRMIConnectorWrapper$1$1.call(ClientProvider.java:715)
\nat weblogic.invocation.ComponentInvocationContextManager._runAs(ComponentInvocationContextManager.java:287)
\n...<\/code><\/p>\n
The policy was not applied until I go to the WebLogic console and save the policy following the steps below:<\/p>\n
  • – Under Security Realms -> “Roles and Policies” -> Realm Policies, in the Policy table, select “JMX Policy Editor.”
    \n– Select “Global Scope” and click Next.
    \n– From MBean Types, open “weblogic.management.runtime”
    \n– Select “JMSDestinationRuntimeMBean” and click next.
    \n– In Attributes and Operations, select the View edit link for the “Operations: Permission to Invoke.”\n<\/li>\n
    There I see the policy created with the WLST script. If I click on the save button, then the policy works.<\/p>\n
    The documentation doesn’t tell it but there a setPolicyExpression call needed after the addPolicy. This to apply the loaded policy.<\/p>\n
    \ntry:\n   print \"applying JMS access policy for domain\", domainName\n   xacmlFile = open('XACMLAuthorizer.xml','r')\n   xacmlDoc = xacmlFile.read()\n   print(xacmlDoc)\n   print \"cd('\/SecurityConfiguration\/\" + domainName + \"\/DefaultRealm\/myrealm\/Authorizers\/XACMLAuthorizer')\"\n   cd('\/SecurityConfiguration\/' + domainName + '\/DefaultRealm\/myrealm\/Authorizers\/XACMLAuthorizer')\n   print \"add policy\"\n   cmo.addPolicy(xacmlDoc)\n   print \"Applying policy done\"\n   cmo.setPolicyExpression('type=<jmx>','{Rol(Admin) | Rol(MonitorJMSQueues)}')\n   print \"Set policy done\"\n   return True\nexcept Exception, inst:\n   print inst\n   print sys.exc_info()[0]\n   dumpStack()\n   sys.stderr.write(\"unable to apply JMS access policy for domain \" + domainName)\n   return False\n<\/pre>\n
    After this, the users or groups of users having the roles MonitorJMSQueues and Monitor assigned are able to monitor the the JMS queues and manage the messages in them.<\/p>\n","protected":false},"excerpt":{"rendered":"
    Recently I got the request to provide JMS Queues monitoring access to a group of users with the privileges to view and manage de messages in the queues. This can be done through the WebLogic console but for this customer, all is done via ansible scripts. Thus I had to find a scripting solution. I […]<\/p>\n","protected":false},"author":40,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[197],"tags":[],"type_dbi":[],"class_list":["post-17168","post","type-post","status-publish","format-standard","hentry","category-application-integration-middleware"],"acf":[],"yoast_head":"\nHow to allow users having monitoring role to view and manage messages in WebLogic JMS queues. - dbi Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.dbi-services.com\/blog\/how-to-allow-users-having-monitoring-role-to-view-and-manage-messages-in-weblogic-jms-queues\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How to allow users having monitoring role to view and manage messages in WebLogic JMS queues.\" \/>\n<meta property=\"og:description\" content=\"Recently I got the request to provide JMS Queues monitoring access to a group of users with the privileges to view and manage de messages in the queues. This can be done through the WebLogic console but for this customer, all is done via ansible scripts. Thus I had to find a scripting solution. I […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.dbi-services.com\/blog\/how-to-allow-users-having-monitoring-role-to-view-and-manage-messages-in-weblogic-jms-queues\/\" \/>\n<meta property=\"og:site_name\" content=\"dbi Blog\" \/>\n<meta property=\"article:published_time\" content=\"2022-04-28T10:03:55+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-09-10T15:29:17+00:00\" \/>\n<meta name=\"author\" content=\"Middleware Team\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Middleware Team\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/how-to-allow-users-having-monitoring-role-to-view-and-manage-messages-in-weblogic-jms-queues\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/how-to-allow-users-having-monitoring-role-to-view-and-manage-messages-in-weblogic-jms-queues\/\"},\"author\":{\"name\":\"Middleware Team\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/8d8563acfc6e604cce6507f45bac0ea1\"},\"headline\":\"How to allow users having monitoring role to view and manage messages in WebLogic JMS queues.\",\"datePublished\":\"2022-04-28T10:03:55+00:00\",\"dateModified\":\"2024-09-10T15:29:17+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/how-to-allow-users-having-monitoring-role-to-view-and-manage-messages-in-weblogic-jms-queues\/\"},\"wordCount\":259,\"commentCount\":0,\"articleSection\":[\"Application integration & Middleware\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.dbi-services.com\/blog\/how-to-allow-users-having-monitoring-role-to-view-and-manage-messages-in-weblogic-jms-queues\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/how-to-allow-users-having-monitoring-role-to-view-and-manage-messages-in-weblogic-jms-queues\/\",\"url\":\"https:\/\/www.dbi-services.com\/blog\/how-to-allow-users-having-monitoring-role-to-view-and-manage-messages-in-weblogic-jms-queues\/\",\"name\":\"How to allow users having monitoring role to view and manage messages in WebLogic JMS queues. - dbi Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#website\"},\"datePublished\":\"2022-04-28T10:03:55+00:00\",\"dateModified\":\"2024-09-10T15:29:17+00:00\",\"author\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/8d8563acfc6e604cce6507f45bac0ea1\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/how-to-allow-users-having-monitoring-role-to-view-and-manage-messages-in-weblogic-jms-queues\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.dbi-services.com\/blog\/how-to-allow-users-having-monitoring-role-to-view-and-manage-messages-in-weblogic-jms-queues\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/how-to-allow-users-having-monitoring-role-to-view-and-manage-messages-in-weblogic-jms-queues\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\/\/www.dbi-services.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"How to allow users having monitoring role to view and manage messages in WebLogic JMS queues.\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#website\",\"url\":\"https:\/\/www.dbi-services.com\/blog\/\",\"name\":\"dbi Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.dbi-services.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/8d8563acfc6e604cce6507f45bac0ea1\",\"name\":\"Middleware Team\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/secure.gravatar.com\/avatar\/ddcae7ba0f9d1a0e7ae707f0e689e4a9c95bb48ec49c8e6d9cc86d43f4121cb6?s=96&d=mm&r=g\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/ddcae7ba0f9d1a0e7ae707f0e689e4a9c95bb48ec49c8e6d9cc86d43f4121cb6?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/ddcae7ba0f9d1a0e7ae707f0e689e4a9c95bb48ec49c8e6d9cc86d43f4121cb6?s=96&d=mm&r=g\",\"caption\":\"Middleware Team\"},\"url\":\"https:\/\/www.dbi-services.com\/blog\/author\/middleware-team\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"How to allow users having monitoring role to view and manage messages in WebLogic JMS queues. - dbi Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.dbi-services.com\/blog\/how-to-allow-users-having-monitoring-role-to-view-and-manage-messages-in-weblogic-jms-queues\/","og_locale":"en_US","og_type":"article","og_title":"How to allow users having monitoring role to view and manage messages in WebLogic JMS queues.","og_description":"Recently I got the request to provide JMS Queues monitoring access to a group of users with the privileges to view and manage de messages in the queues. This can be done through the WebLogic console but for this customer, all is done via ansible scripts. Thus I had to find a scripting solution. I […]","og_url":"https:\/\/www.dbi-services.com\/blog\/how-to-allow-users-having-monitoring-role-to-view-and-manage-messages-in-weblogic-jms-queues\/","og_site_name":"dbi Blog","article_published_time":"2022-04-28T10:03:55+00:00","article_modified_time":"2024-09-10T15:29:17+00:00","author":"Middleware Team","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Middleware Team","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.dbi-services.com\/blog\/how-to-allow-users-having-monitoring-role-to-view-and-manage-messages-in-weblogic-jms-queues\/#article","isPartOf":{"@id":"https:\/\/www.dbi-services.com\/blog\/how-to-allow-users-having-monitoring-role-to-view-and-manage-messages-in-weblogic-jms-queues\/"},"author":{"name":"Middleware Team","@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/8d8563acfc6e604cce6507f45bac0ea1"},"headline":"How to allow users having monitoring role to view and manage messages in WebLogic JMS queues.","datePublished":"2022-04-28T10:03:55+00:00","dateModified":"2024-09-10T15:29:17+00:00","mainEntityOfPage":{"@id":"https:\/\/www.dbi-services.com\/blog\/how-to-allow-users-having-monitoring-role-to-view-and-manage-messages-in-weblogic-jms-queues\/"},"wordCount":259,"commentCount":0,"articleSection":["Application integration & Middleware"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.dbi-services.com\/blog\/how-to-allow-users-having-monitoring-role-to-view-and-manage-messages-in-weblogic-jms-queues\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.dbi-services.com\/blog\/how-to-allow-users-having-monitoring-role-to-view-and-manage-messages-in-weblogic-jms-queues\/","url":"https:\/\/www.dbi-services.com\/blog\/how-to-allow-users-having-monitoring-role-to-view-and-manage-messages-in-weblogic-jms-queues\/","name":"How to allow users having monitoring role to view and manage messages in WebLogic JMS queues. - dbi Blog","isPartOf":{"@id":"https:\/\/www.dbi-services.com\/blog\/#website"},"datePublished":"2022-04-28T10:03:55+00:00","dateModified":"2024-09-10T15:29:17+00:00","author":{"@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/8d8563acfc6e604cce6507f45bac0ea1"},"breadcrumb":{"@id":"https:\/\/www.dbi-services.com\/blog\/how-to-allow-users-having-monitoring-role-to-view-and-manage-messages-in-weblogic-jms-queues\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.dbi-services.com\/blog\/how-to-allow-users-having-monitoring-role-to-view-and-manage-messages-in-weblogic-jms-queues\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.dbi-services.com\/blog\/how-to-allow-users-having-monitoring-role-to-view-and-manage-messages-in-weblogic-jms-queues\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.dbi-services.com\/blog\/"},{"@type":"ListItem","position":2,"name":"How to allow users having monitoring role to view and manage messages in WebLogic JMS queues."}]},{"@type":"WebSite","@id":"https:\/\/www.dbi-services.com\/blog\/#website","url":"https:\/\/www.dbi-services.com\/blog\/","name":"dbi Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.dbi-services.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/8d8563acfc6e604cce6507f45bac0ea1","name":"Middleware Team","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/ddcae7ba0f9d1a0e7ae707f0e689e4a9c95bb48ec49c8e6d9cc86d43f4121cb6?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/ddcae7ba0f9d1a0e7ae707f0e689e4a9c95bb48ec49c8e6d9cc86d43f4121cb6?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/ddcae7ba0f9d1a0e7ae707f0e689e4a9c95bb48ec49c8e6d9cc86d43f4121cb6?s=96&d=mm&r=g","caption":"Middleware Team"},"url":"https:\/\/www.dbi-services.com\/blog\/author\/middleware-team\/"}]}},"_links":{"self":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/17168","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/users\/40"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/comments?post=17168"}],"version-history":[{"count":1,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/17168\/revisions"}],"predecessor-version":[{"id":34680,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/17168\/revisions\/34680"}],"wp:attachment":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/media?parent=17168"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/categories?post=17168"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/tags?post=17168"},{"taxonomy":"type","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/type_dbi?post=17168"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}