Wednesday, 17 September 2014

WebSphere Application Server Security configuration changes done with wsadmin are not activated immediately.

Saw this rather useful IBM Technote via Twitter: -


Problem(Abstract)

Some administrative actions (like mapping administrative users or groups to security roles) might not get activated immediately and require a restart of the JVM.

For example, you want to map the group called "wasadmins" to the Administrator role:

AdminTask.mapGroupsToAdminRole('[-roleName administrator -accessids [group:defaultWIMFileBasedRealm/cn=wasadmins,cn=groups,dc=mycompany,dc=com ] -groupids [wasadmins@defaultWIMFileBasedRealm ]]') 

AdminConfig.save()

Symptom

Although the configuration change has been saved with AdminConfig.save() you cannot login immediately, although your user is member of the "wasadmins" group.

If you login to the AdminConsole with the primary administrative user and go to the "Administrative group roles" page, the new group mapping will be listed.

If you quit the Console again, you can login with a member of the newly mapped group.

Cause

Some changes of the WAS configuration require a restart of the JVM, or at least a refresh of the configuration for the running instances. 
This refresh is done, when you go to the ISC "Administrative group roles" page.

Resolving the problem

When the configuration changes are completed and saved, you can force a refresh of the security configuration with the AdminControl action "refreshAll":

authGrpMgr = AdminControl.completeObjectName('WebSphere:type=AuthorizationGroupManager,*')
AdminControl.invoke(authGrpMgr, 'refreshAll') 


Now the login with a newly mapped user is possible.


No comments:

Note to self - use kubectl to query images in a pod or deployment

In both cases, we use JSON ... For a deployment, we can do this: - kubectl get deployment foobar --namespace snafu --output jsonpath="{...