Provide access to WebLogic DMS Spy Servlet for readonly users

Posted by Torsten Kleiber on August 30, 2017 Tags: Linux Oracle WebLogic

For security reasons and to prevent configuration drift, it is advisable to use read-only access to the WebLogic configuration when analysing problems. For read-only access to configuration and logs, WebLogic provides the group Monitors out of the box. Unfortunately this group cannot access the DMS Spy Servlet, which is useful for analysing runtime values of the server. Only users who belong to the Administrators group, and therefore have full access, can use the DMS Spy Servlet, and this is not configurable in WebLogic by default.

Here you can see how to add groups to the DMS Spy Servlet deployment on Linux:

pushd $ORACLE_HOME/oracle_common/modules/oracle.dms
# keep a timestamped backup of the original archive
cp dms.war dms.war.`date +%y.%m.%d.%H:%M`
# extract only the deployment descriptor from the archive
unzip dms.war WEB-INF/weblogic.xml
# drop any line mentioning Monitors so the script can be re-run without duplicating the entry
sed -i '/Monitors/d' WEB-INF/weblogic.xml
# add Monitors directly after the Administrators principal (the indentation in the pattern must match the file)
sed -i '/^         <principal-name>Administrators<\/principal-name>$/a\         <principal-name>Monitors<\/principal-name>' WEB-INF/weblogic.xml
# write the modified descriptor back into the archive and clean up
zip dms.war WEB-INF/weblogic.xml
rm -r WEB-INF
popd

Following is the relevant snippet in weblogic.xml before:

<security-role-assignment>
  <role-name>Admin</role-name>
  <principal-name>Administrators</principal-name>
</security-role-assignment>

and after modification:

<security-role-assignment>
  <role-name>Admin</role-name>
  <principal-name>Administrators</principal-name>
  <principal-name>Monitors</principal-name>
</security-role-assignment>
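As an added example (not code from the original post), the same change made with an XML parser instead of sed: it does not depend on the exact indentation of the Administrators line, can be re-run safely, and offers a before/after check of which principals hold the Admin role. The sample dms.war is constructed inline, and the handling of the weblogic-web-app namespace is an assumption about the descriptor's layout.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

DESCRIPTOR = "WEB-INF/weblogic.xml"

def _local(tag):
    """Drop "{namespace}" so lookups work whether or not the descriptor declares the weblogic-web-app namespace."""
    return tag.rsplit("}", 1)[-1]
def _role_assignment(root, role):
    """The <security-role-assignment> whose <role-name> is `role`, or None if the role is not mapped."""
    for sra in root.iter():
        if _local(sra.tag) == "security-role-assignment" and any(
                _local(c.tag) == "role-name" and (c.text or "").strip() == role for c in sra):
            return sra
def add_principal_to_role(xml_bytes, role, principal):
    """Add `principal` to `role` in weblogic.xml; idempotent, so re-running never duplicates it."""
    root = ET.fromstring(xml_bytes)
    ns = root.tag[:root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    if ns:  # serialise with a default namespace instead of an ns0: prefix
        ET.register_namespace("", ns[1:-1])
    sra = _role_assignment(root, role)
    if sra is None:
        raise ValueError("role %r not found in %s" % (role, DESCRIPTOR))
    if principal not in [(c.text or "").strip() for c in sra if _local(c.tag) == "principal-name"]:
        ET.SubElement(sra, ns + "principal-name").text = principal
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)
def principals_for_role(war_bytes, role="Admin"):
    """Before/after check: the principals mapped to `role` in the WAR's weblogic.xml."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        sra = _role_assignment(ET.fromstring(war.read(DESCRIPTOR)), role)
    return [] if sra is None else [(c.text or "").strip() for c in sra if _local(c.tag) == "principal-name"]
def patch_war(war_bytes, role="Admin", principal="Monitors"):
    """Rewrite only WEB-INF/weblogic.xml; every other entry in the WAR is copied unchanged."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            data = src.read(info)
            dst.writestr(info, add_principal_to_role(data, role, principal) if info.filename == DESCRIPTOR else data)
    return out.getvalue()
def sample_war():
    """Constructed stand-in for dms.war: the 'before' descriptor from the post plus one unrelated entry."""
    xml = (b'<weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app"><security-role-assignment>'
           b'<role-name>Admin</role-name><principal-name>Administrators</principal-name></security-role-assignment></weblogic-web-app>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr(DESCRIPTOR, xml)
        war.writestr("WEB-INF/web.xml", b"<web-app/>")
    return buf.getvalue()
```

Against a real installation, read dms.war from the path in the post into `patch_war` and write the result back after taking the same backup; the parser drops XML comments from the descriptor, which the sed approach keeps.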

After this modification you have to restart the WebLogic Server.

That’s it!