CN114143192A - Configuration method and device of Weblogic T3 filter - Google Patents
- Publication number
- CN114143192A (CN202111470169.XA)
- Authority
- CN
- China
- Prior art keywords
- address
- configuration
- weblogic
- rule
- script
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/08—Configuration management of networks or network elements
- H04L41/0803—Configuration setting
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
Abstract
The invention provides a configuration method and a configuration device for a Weblogic T3 filter. The configuration method comprises the following steps: when an AdminServer process exists on any server in the Weblogic domain, acquiring the Weblogic service information corresponding to the AdminServer process; determining each target IP address based on the Weblogic service information, and executing a preset rule generation script to generate a configuration rule corresponding to each target IP address; setting a filter name in a preset WLST script and adding each configuration rule to obtain the WLST configuration script; and executing the WLST configuration script on the server where the AdminServer process is located to complete the configuration of the T3 filter in the Weblogic domain. With this method, the T3 filter configuration can be completed automatically and the T3 filter configuration operation is normalized and standardized, which improves implementation efficiency.
Description
Technical Field
The invention relates to the technical field of information processing, in particular to a configuration method and device of a Weblogic T3 filter.
Background
Weblogic is an enterprise-level Java EE application server platform (middleware) that fully supports the J2EE standard and is one of the mainstream J2EE servers in the commercial market. T3, also known as rich sockets, is a BEA internal protocol that can be used to transfer information between Weblogic servers and other types of Java programs. Because Weblogic enables the T3 protocol by default, Weblogic deserialization vulnerabilities are frequently exposed: an attacker uses the T3 protocol to remotely execute deserialization code, triggering the vulnerability and threatening data security. To guard against this risk, a T3 access filter needs to be configured on Weblogic so that only specific IPs or ports are allowed to access the Weblogic domain through the T3 protocol, which mitigates the risk of the vulnerability being exploited.
The existing Weblogic T3 filter configuration method requires manually compiling the list of server IP addresses allowed to access through the T3 protocol, then logging in to the Weblogic console interface to configure the T3 filter and adding the configuration policies one by one. The operation process is not standardized, the steps are cumbersome, and implementation efficiency is low; when the workload increases, timely completion within a limited time is difficult to guarantee.
Disclosure of Invention
In view of this, the invention provides a configuration method of a Weblogic T3 filter, by which the configuration of a T3 filter can be automatically completed, the normalization and standardization of the configuration operation of the T3 filter can be realized, and the implementation efficiency can be improved.
The invention also provides a configuration device of the Weblogic T3 filter, which is used for ensuring the realization and the application of the method in practice.
A configuration method of a Weblogic T3 filter comprises the following steps:
when an AdminServer process exists on any server in a Weblogic domain, acquiring Weblogic service information corresponding to the AdminServer process;
determining each target IP address based on the Weblogic service information, and executing a preset rule generation script to generate a configuration rule corresponding to each target IP address;
setting a filter name in a preset WLST script and adding each configuration rule to obtain a WLST configuration script;
and executing the WLST configuration script on the server where the AdminServer process is located to complete the configuration of the T3 filter in the Weblogic domain.
Optionally, in the foregoing method, the acquiring Weblogic service information corresponding to the AdminServer process includes:
determining a Weblogic domain path corresponding to the AdminServer process;
acquiring a configuration file corresponding to the Weblogic domain according to the Weblogic domain path;
and acquiring Weblogic service information corresponding to the AdminServer process based on the configuration file.
The above method, optionally, further includes:
if each configuration rule exists in the connection filter rule items in the configuration file, the T3 filter configured by the Weblogic domain takes effect.
In the foregoing method, optionally, the target IP address includes: a production IP address, a managed IP address, a first IP address and a second IP address; the rule generation script comprises a first rule generation script and a second rule generation script; the configuration rules comprise a first configuration rule and a second configuration rule;
the determining, based on the Weblogic service information, each target IP address, and executing a preset rule generation script to generate a configuration rule corresponding to each target IP address includes:
acquiring the IP address of each server in the Weblogic service information, wherein the IP address of each server is the production IP address;
determining a managed IP address corresponding to each production IP address according to a preset mapping rule;
acquiring a preset first IP address and a preset second IP address according to the Weblogic service information;
executing the first rule generation script based on the first IP address, each production IP address and the managed IP address corresponding to the production IP address to generate a first configuration rule, wherein the first configuration rule specifies that the first IP address, each production IP address and a server where the managed IP address corresponding to the production IP address is located can access the Weblogic domain through a T3 protocol;
and executing the second rule generation script based on the second IP address to generate a second configuration rule, wherein the second configuration rule specifies that the server where the second IP address is located cannot access the Weblogic domain through a T3 protocol.
The above method, optionally, further includes:
clearing each configuration rule in the WLST configuration script to obtain a WLST rollback script;
and executing the WLST rollback script on the server where the AdminServer process is located to cancel the configuration of the T3 filter in the Weblogic domain.
A configuration device of a Weblogic T3 filter comprises:
an acquisition unit, configured to acquire the Weblogic service information corresponding to an AdminServer process when the AdminServer process exists on any server in a Weblogic domain;
a determining unit, configured to determine each target IP address based on the Weblogic service information and execute a preset rule generation script to generate a configuration rule corresponding to each target IP address;
a configuration unit, configured to set a filter name in a preset WLST script and add each configuration rule to obtain the WLST configuration script;
and an execution unit, configured to execute the WLST configuration script on the server where the AdminServer process is located so as to complete the configuration of the T3 filter in the Weblogic domain.
The above apparatus, optionally, the obtaining unit includes:
the first determining subunit is used for determining a Weblogic domain path corresponding to the AdminServer process;
the first obtaining subunit is configured to obtain, according to the Weblogic domain path, a configuration file corresponding to the Weblogic domain;
and the second obtaining subunit is configured to obtain the Weblogic service information corresponding to the AdminServer process based on the configuration file.
The above apparatus, optionally, further comprises:
a checking unit, configured to determine that the T3 filter configured for the Weblogic domain has taken effect if each configuration rule exists in the connection filter rule items in the configuration file.
In the foregoing apparatus, optionally, the target IP address includes: a production IP address, a managed IP address, a first IP address and a second IP address; the rule generation script comprises a first rule generation script and a second rule generation script; the configuration rules comprise a first configuration rule and a second configuration rule; the determining unit includes:
a third obtaining subunit, configured to obtain an IP address of each server in the Weblogic service information, where the IP address of each server is the production IP address;
the second determining subunit is used for determining the managed IP address corresponding to each production IP address according to a preset mapping rule;
the fourth acquiring subunit is configured to acquire a preset first IP address and a preset second IP address according to the Weblogic service information;
a first generating subunit, configured to execute the first rule generating script based on the first IP address, the each production IP address, and the managed IP address corresponding to the production IP address, and generate a first configuration rule, where the first configuration rule specifies that the server where the first IP address, the each production IP address, and the managed IP address corresponding to the production IP address are located can access the Weblogic domain through a T3 protocol;
and the second generating subunit is configured to execute the second rule generating script based on the second IP address to generate a second configuration rule, where the second configuration rule specifies that the server where the second IP address is located cannot access the Weblogic domain through a T3 protocol.
The above apparatus, optionally, further comprises:
a clearing unit, configured to clear each configuration rule in the WLST configuration script to obtain a WLST rollback script;
and a rollback unit, configured to execute the WLST rollback script on the server where the AdminServer process is located so as to cancel the configuration of the T3 filter in the Weblogic domain.
A storage medium comprising stored instructions, wherein the instructions, when executed, control a device on which the storage medium resides to perform the above-described Weblogic T3 filter configuration method.
An electronic device comprising a memory and one or more instructions, wherein the one or more instructions are stored in the memory and configured to be executed by one or more processors to perform the above-described method of configuring the Weblogic T3 filter.
Compared with the prior art, the invention has the following advantages:
Based on the embodiment provided by the invention, in the configuration process of the Weblogic T3 filter, when an AdminServer process exists on any server in the Weblogic domain, the Weblogic service information corresponding to the AdminServer process is obtained, each target IP address is determined based on the Weblogic service information, and a preset rule generation script is executed to generate the configuration rule corresponding to each target IP address; a filter name is set in a preset WLST script and each configuration rule is added to obtain the WLST configuration script; and the WLST configuration script is executed on the server where the AdminServer process is located to complete the configuration of the T3 filter in the Weblogic domain.
By applying the configuration method of the Weblogic T3 filter, the complex operations of configuring the Weblogic T3 filter can be packaged into a one-click general-purpose script, and the configuration operation of the T3 filter is normalized and standardized. Executing the script completes the configuration of the T3 filter automatically, which reduces manual intervention, improves the efficiency of T3 filter configuration, and better meets the timeliness requirement of security risk remediation.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
FIG. 1 is a flowchart of a configuration method of a Weblogic T3 filter according to an embodiment of the present invention;
FIG. 2 is a flowchart of another method of configuring a Weblogic T3 filter according to an embodiment of the present invention;
FIG. 3 is a flowchart of another method of configuring a Weblogic T3 filter according to an embodiment of the present invention;
FIG. 4 is a flowchart of another method of configuring a Weblogic T3 filter according to an embodiment of the present invention;
FIG. 5 is a device structure diagram of a configuration device of a Weblogic T3 filter according to an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In this application, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions, and the terms "comprises", "comprising", or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The invention is operational with numerous general purpose or special purpose computing device environments or configurations. For example: personal computers, server computers, hand-held or portable devices, tablet-type devices, multi-processor apparatus, distributed computing environments that include any of the above devices or equipment, and the like.
Some of the terms referred to in the present invention are as follows:
AdminServer: the Administration Server, AS for short, is the server instance that serves the management role in a Weblogic domain. It is the central control point of the domain, stores the domain's configuration information and logs, and runs the Weblogic management console.
WLST: the Weblogic Scripting Tool is a command-line scripting interface whose scripting environment is based on a Java-based script interpreter (Jython); system administrators use it to monitor and manage Weblogic Server instances and domains.
The embodiment of the invention provides a configuration method of a Weblogic T3 filter, which can be applied to a plurality of system platforms, wherein an execution main body of the method can be a computer terminal or a processor of various mobile devices, and a flow chart of the method is shown in FIG. 1 and specifically comprises the following steps:
S101: when an AdminServer process exists on any server in the Weblogic domain, acquiring Weblogic service information corresponding to the AdminServer process.
In the embodiment provided by the invention, the T3 filter configuration is executed only on the server where the AdminServer is located and does not need to be executed on other, non-AdminServer machines. It is therefore necessary to check whether a Weblogic AdminServer process exists on the server: if not, execution exits; if so, the Weblogic service information corresponding to the AdminServer process is obtained. The Weblogic service information mainly includes the IP addresses of the servers in the Weblogic domain, among other things.
S102: and determining each target IP address based on the Weblogic service information, and executing a preset rule generation script to generate a configuration rule corresponding to each target IP address.
In the embodiment provided by the invention, an allow rule is configured for every server in the local domain (Weblogic domain), that is, each of them is allowed to access the Weblogic domain through the T3 protocol; the rules cover both the production IP address and the managed IP address. According to the Weblogic service information, the IP addresses of the servers that may access the Weblogic domain through the T3 protocol are obtained and taken as the target IP addresses, and the preset rule generation script is used to generate the configuration rule corresponding to each target IP address.
S103: and setting a filter name in a preset WLST script and adding each configuration rule to obtain the WLST configuration script.
In the embodiment provided by the invention, a Weblogic WLST command is used to connect to the Weblogic domain, the T3 filter name is set in a preset WLST script, and the configuration rules obtained in S102, that is, the configuration rule corresponding to each target IP address, are added to obtain the WLST configuration script.
The details are as follows:
S104: and executing the WLST configuration script on the server where the AdminServer process is located to complete the configuration of the T3 filter in the Weblogic domain.
In the embodiment provided by the invention, the WLST configuration script is executed on the server where the AdminServer is located, so that the server where each target IP address is located is connected to the Weblogic domain where the AdminServer server is located, and the server corresponding to each target IP address can access the Weblogic domain through the T3 protocol, thereby completing the configuration of the T3 filter in the Weblogic domain.
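Steps S103 and S104 as an added example, not code from the patent: a POSIX shell function that renders a WLST script from a rules file and rejects any line that is not a well-formed connection filter rule, so that nothing read from the file can break out of the generated Jython string literals. The function name, the WLS_USER and WLS_PASS variables, the sample rules and the filter class weblogic.security.net.ConnectionFilterImpl (WebLogic's stock implementation, not named on this page) are assumptions; an empty rules file yields the rollback form of the script.

```sh
#!/bin/sh
# Added example (not from the patent): render a WLST script from a rules file.
# Assumed names: render_wlst_filter_script, WLS_USER/WLS_PASS, SAMPLE_RULES.
FILTER_CLASS='weblogic.security.net.ConnectionFilterImpl'   # stock WebLogic filter class
# target localAddress localPort action protocol...
RULE_RE='^[0-9A-Fa-f.:/*]+ [0-9A-Za-z.:*]+ [0-9*]+ (allow|deny)( [a-z0-9]+)+$'

# render_wlst_filter_script <rules_file> <domain_name> <admin_url>
# Prints the WLST (Jython) script on stdout. Exit status 2 = rejected input.
# The ( ) body runs in a subshell, which keeps the variables local in POSIX sh.
render_wlst_filter_script() (
    rules_file=$1 domain=$2 admin_url=$3
    nl='
'
    py_rules=''

    # Domain name and URL end up inside Jython string literals: whitelist them.
    case $domain in
        ''|*[!A-Za-z0-9_.-]*) echo "invalid domain name" >&2; exit 2 ;;
    esac
    printf '%s\n' "$admin_url" | grep -Eq '^t3s?://[A-Za-z0-9.-]+:[0-9]+$' ||
        { echo "invalid admin URL" >&2; exit 2; }

    while IFS= read -r line || [ -n "$line" ]; do
        # Drop comments, collapse runs of whitespace, trim both ends.
        rule=$(printf '%s\n' "$line" |
            sed -e 's/#.*$//' -e 's/[[:space:]][[:space:]]*/ /g' -e 's/^ //' -e 's/ $//')
        [ -n "$rule" ] || continue
        printf '%s\n' "$rule" | grep -Eq "$RULE_RE" ||
            { echo "invalid rule: $line" >&2; exit 2; }
        py_rules="${py_rules}    '${rule}',${nl}"
    done < "$rules_file"

    # Credentials are read from the environment at run time, not written to disk.
    cat <<EOF
import os
import jarray
from java.lang import String

rules = [
${py_rules}]
connect(os.environ['WLS_USER'], os.environ['WLS_PASS'], '${admin_url}')
edit()
startEdit()
cd('/SecurityConfiguration/${domain}')
cmo.setConnectionFilter('${FILTER_CLASS}')
set('ConnectionFilterRules', jarray.array(rules, String))
save()
activate()
disconnect()
EOF
)

# Constructed sample rules: two domain hosts, loopback, then the deny-all rule.
SAMPLE_RULES=$(mktemp)
cat > "$SAMPLE_RULES" <<'EOF'
192.1.1.1 * * allow t3 t3s
192.2.2.1 * * allow t3 t3s
127.0.0.1 * * allow t3 t3s
0.0.0.0/0 * * deny t3 t3s
EOF
render_wlst_filter_script "$SAMPLE_RULES" AAA_domain t3://127.0.0.1:7001
```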
Based on the embodiment provided by the invention, in the configuration process of the Weblogic T3 filter, when an AdminServer process exists on any server in the Weblogic domain, the Weblogic service information corresponding to the AdminServer process is obtained, each target IP address is determined based on the Weblogic service information, and a preset rule generation script is executed to generate the configuration rule corresponding to each target IP address; a filter name is set in a preset WLST script and each configuration rule is added to obtain the WLST configuration script; and the WLST configuration script is executed on the server where the AdminServer process is located to complete the configuration of the T3 filter in the Weblogic domain.
By applying the configuration method of the Weblogic T3 filter, the complex operations of configuring the Weblogic T3 filter can be packaged into a one-click general-purpose script, and the configuration operation of the T3 filter is normalized and standardized. Executing the script completes the configuration of the T3 filter automatically, which reduces manual intervention, improves the efficiency of T3 filter configuration, and better meets the timeliness requirement of security risk remediation.
In the embodiment of the present invention, as shown in fig. 2, optionally, the acquiring Weblogic service information corresponding to the AdminServer process includes:
S201: and determining a Weblogic domain path corresponding to the AdminServer process.
S202: and acquiring a configuration file corresponding to the Weblogic domain according to the Weblogic domain path.
S203: and acquiring Weblogic service information corresponding to the AdminServer process based on the configuration file.
And acquiring the Weblogic domain path according to the AdminServer process, acquiring a configuration file corresponding to the Weblogic domain according to the Weblogic domain path, analyzing the configuration file, and obtaining Weblogic service information corresponding to the AdminServer process. The specific process involves the following partial codes:
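# find the PID of the AdminServer java process owned by the current user
v_pid=$(ps -fu ${USER} | grep -w "java" | grep "AdminServer" | grep -Evw "grep" | awk '{print $2}')
# obtain the Weblogic domain path: read DOMAIN_HOME from the process environment and keep its last path component
v_domain=$(ps wwwe ${v_pid} | tr " " "\n" | awk -F= '/^DOMAIN_HOME=/{print $2}' | awk -F"/" '{print $(NF)}')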
By applying the embodiment provided by the invention, the Weblogic domain path is automatically discovered through the AdminServer process of the Weblogic, the configuration file corresponding to the Weblogic domain is automatically acquired based on the acquired Weblogic domain path, and the Weblogic service information corresponding to the AdminServer process is acquired based on the configuration file. And the IP addresses of all servers in the Weblogic domain can be automatically acquired according to the Weblogic service information subsequently, and T3 filter configuration rules are generated.
In this embodiment of the present invention, as shown in FIG. 3, optionally, the target IP address includes: a production IP address, a managed IP address, a first IP address and a second IP address; the rule generation script comprises a first rule generation script and a second rule generation script; the configuration rules comprise a first configuration rule and a second configuration rule;
the determining, based on the Weblogic service information, each target IP address, and executing a preset rule generation script to generate a configuration rule corresponding to each target IP address includes:
S301: and acquiring the IP address of each server in the Weblogic service information, wherein the IP address of each server is the production IP address.
In the embodiment of the invention, the Weblogic service information can be obtained by parsing the Weblogic domain configuration file config.xml, which defines the machine (Machine) information in the domain, including the IP address information of all machines. By parsing config.xml, the production IP addresses of all host servers in the domain can be obtained.
S302: and determining the managed IP address corresponding to each production IP address according to a preset mapping rule.
In the embodiment of the invention, according to an IP address planning strategy preset by the data center, a production IP address and a managed IP address are both configured on the same server. Of the four fields of the two addresses, the first three fields (the prefix) differ between the production IP address and the managed IP address, while the last field is the same. For example, the production IP address on a server is 11.168.97.4 and the managed IP address is 11.170.97.4.
Therefore, the mapping between the production IP address prefix and the managed IP address prefix can be obtained from the server's IP addresses, and the corresponding managed IP address can then be found from the production IP address. Here, the production IP address is the IP address of the server where the AdminServer process is located.
S303: and acquiring a preset first IP address and a preset second IP address according to the Weblogic service information.
In the embodiment of the invention, the first IP address and the second IP address for which T3 filter rules need to be configured are obtained according to the Weblogic service information of the Weblogic domain. The first IP address may be the local IP (127.0.0.1), and the second IP address may be the other addresses (0.0.0.0/0).
S304: and executing the first rule generation script based on the first IP address, each production IP address and the managed IP address corresponding to the production IP address to generate a first configuration rule, wherein the first configuration rule specifies that the first IP address, each production IP address and a server where the managed IP address corresponding to the production IP address is located can access the Weblogic domain through a T3 protocol.
In the embodiment of the invention, according to each production IP address, a first rule generation script is executed to generate a configuration rule which allows the production IP address to access the Weblogic domain through a T3 protocol; executing a first rule generation script according to each managed IP address, and generating a configuration rule which allows the managed IP address to access the Weblogic domain through a T3 protocol; and executing a first rule generation script according to the first IP address to generate a configuration rule which allows the first IP address to access the Weblogic domain through the T3 protocol.
S305: and executing the second rule generation script based on the second IP address to generate a second configuration rule, wherein the second configuration rule specifies that the server where the second IP address is located cannot access the Weblogic domain through a T3 protocol.
In the embodiment of the invention, according to the second IP address, a second rule generating script is executed, and a configuration rule which does not allow the second IP address to access the Weblogic domain through a T3 protocol is generated.
Wherein, the partial script codes involved in the above process are as follows:
# (excerpt from inside a shell function of the rule generation script, hence "local")
# acquire each production IP address configured in config.xml
local v_ip_list=$(grep "\<listen-address\>" ${v_config} | awk -F"<|>" '{print $3}' | sort | uniq)
local v_ip=""
local v_flag=0
for v_ip in ${v_ip_list}
do
    # based on each production IP address, generate a configuration rule that allows it to access the Weblogic domain via the T3 protocol
    if [[ -z $(grep -w "${v_ip}" ${V_IP_LIST} | grep "allow") ]]
    then
        echo "${v_ip} * * allow t3 t3s" >> ${V_IP_LIST}
    fi
    # replace the production IP address prefix with the managed IP address prefix to obtain the corresponding managed IP address
    local v_mng_ip=$(echo "${v_ip}" | sed 's/'"${v_prd_ip_prefix}"'/'"${v_mng_ip_prefix}"'/g')
    # based on the managed IP address, generate a configuration rule that allows it to access the Weblogic domain via the T3 protocol
    if [[ -z $(grep -w "${v_mng_ip}" ${V_IP_LIST} | grep "allow") ]]
    then
        echo "${v_mng_ip} * * allow t3 t3s" >> ${V_IP_LIST}
    fi
done
# according to the first IP address, generate a configuration rule that allows it to access the Weblogic domain via the T3 protocol
echo "127.0.0.1 * * allow t3 t3s" >> ${V_IP_LIST}
# according to the second IP address, generate a configuration rule that does not allow it to access the Weblogic domain via the T3 protocol
echo "0.0.0.0/0 * * deny t3 t3s" >> ${V_IP_LIST}
For example, system AAA has 1 domain and 3 hosts, with production IP addresses 192.1.1.1-3 and managed IP addresses 192.2.2.1-3. The configuration rules that need to be generated to configure the T3 filter on the AAA domain are as follows:
192.1.1.1 * * allow t3 t3s
192.1.1.2 * * allow t3 t3s
192.1.1.3 * * allow t3 t3s
192.2.2.1 * * allow t3 t3s
192.2.2.2 * * allow t3 t3s
192.2.2.3 * * allow t3 t3s    -- the above are the hosts of this domain
127.0.0.1 * * allow t3 t3s
0.0.0.0/0 * * deny t3 t3s
By applying the embodiment provided by the invention, each target IP address can be obtained from the Weblogic service information, including the first IP address that is allowed to access the Weblogic domain through the T3 protocol, the second IP address that is not allowed to access the Weblogic domain through the T3 protocol, and all the production IP addresses that need to be configured. The managed IP addresses corresponding to the production IP addresses are obtained through the preset mapping rule, and the configuration rules corresponding to all target IP addresses are then generated automatically by the rule generation scripts, so that the servers at the target IP addresses connect to the Weblogic domain according to the configuration rules. This achieves the goal that only specific IP addresses or ports are allowed to access the Weblogic domain through the T3 protocol, thereby mitigating the risk of the Weblogic deserialization vulnerability being exploited.
In the embodiment provided by the present invention, optionally, after the WLST configuration script is executed on the server where the AdminServer process is located to complete the configuration of the T3 filter in the Weblogic domain, the method further includes:
if each configuration rule exists in the connection filter rule items in the configuration file, the T3 filter configured by the Weblogic domain takes effect.
Specifically, check whether the configuration file (config.xml) corresponding to the Weblogic domain is configured with the T3 filter. The check covers two aspects: whether a T3 filter is configured in connection-filter, and whether filtering rules are configured in connection-filter-rule. Reference may be made in particular to the following check command:
By applying the embodiment provided by the invention, the connection filter rule items of the configuration file are checked for the configuration rules to confirm that the configuration of the Weblogic T3 filter is complete and that the T3 filter has taken effect. This guarantees that servers allowed to access the Weblogic domain through the T3 protocol can access it while other servers are prevented from accessing it, which ensures the security of the Weblogic domain.
In the embodiment provided by the present invention, optionally, the method further includes:
clearing each configuration rule in the WLST configuration script to obtain a WLST rollback script;
and executing the WLST rollback script on a server where the AdminServer process is located to cancel the configuration of the T3 filter in the Weblogic domain.
Specifically, each configuration rule in the WLST configuration script is set to null to obtain the WLST rollback script; part of the script commands are as follows:
The WLST rollback script is executed on the server where the AdminServer process is located to cancel the configuration of the T3 filter in the Weblogic domain. After the WLST rollback script is executed, the result may also be checked by verifying whether the connection-filter-rule configuration in the configuration file (config.xml) of the Weblogic domain is empty. If it is empty, the rollback is effective.
The T3 filter is rolled back on a Weblogic domain where the T3 filter has been set. The main steps of the rollback are basically the same as those of configuring the T3 filter; the difference is that the former puts the T3 filter configuration into effect through WLST, while the rollback operation cancels the T3 filter configuration through WLST. Therefore, before the rollback script is executed, an environment check is also performed to obtain the Weblogic Server basic information; it is substantially the same as the environment check performed when configuring the T3 filter and is not described here again.
By applying the one-click rollback T3 filter configuration function provided by the embodiment of the invention, the T3 filter configuration can be quickly rolled back, and accidental service influence caused by the configuration of the T3 filter is prevented, so that the safety of the Weblogic domain is ensured.
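The two config.xml checks described above (filter in effect, rollback in effect) can be scripted as follows. This is an added example, not the patent's check command: the function names are assumptions and the config.xml fragments are constructed. WebLogic evaluates connection filter rules in the order written and the first match decides, so the check also confirms that the deny-all rule is last.

```shell
#!/bin/sh
# Added example, not the patent's check command. Function names are
# assumptions; the element names are the ones the text refers to.

DENY_ALL='0.0.0.0/0 * * deny t3 t3s'

# filter_class CONFIG: print the value of <connection-filter>, if present.
filter_class() {
    sed -n 's:.*<connection-filter>\(.*\)</connection-filter>.*:\1:p' "$1" | head -n 1
}

# filter_rules CONFIG: print every <connection-filter-rule> value in file order.
filter_rules() {
    sed -n 's:.*<connection-filter-rule>\(.*\)</connection-filter-rule>.*:\1:p' "$1"
}

# check_applied CONFIG RULEFILE: succeed only if a filter class is set, every
# expected rule is present verbatim, and the deny-all rule comes last.
check_applied() {
    [ -n "$(filter_class "$1")" ] || { echo "connection-filter not set" >&2; return 1; }
    found=$(filter_rules "$1")
    while read -r want; do
        [ -n "$want" ] || continue
        printf '%s\n' "$found" | grep -Fxq -e "$want" ||
            { echo "missing rule: $want" >&2; return 1; }
    done < "$2"
    [ "$(printf '%s\n' "$found" | tail -n 1)" = "$DENY_ALL" ] ||
        { echo "deny-all is not the last rule" >&2; return 1; }
}

# check_rolled_back CONFIG: succeed only if no non-empty rule remains.
check_rolled_back() {
    [ -z "$(filter_rules "$1" | tr -d '[:space:]')" ]
}

# Constructed config.xml fragments (not taken from a real domain). The filter
# class is WebLogic's default connection filter, assumed here.
cfg_dir=$(mktemp -d)
cat > "$cfg_dir/applied.xml" <<'EOF'
<security-configuration>
  <connection-filter>weblogic.security.net.ConnectionFilterImpl</connection-filter>
  <connection-filter-rule>192.1.1.1 * * allow t3 t3s</connection-filter-rule>
  <connection-filter-rule>127.0.0.1 * * allow t3 t3s</connection-filter-rule>
  <connection-filter-rule>0.0.0.0/0 * * deny t3 t3s</connection-filter-rule>
</security-configuration>
EOF
# Same rules with deny-all first: the allow rules after it are never reached.
cat > "$cfg_dir/misordered.xml" <<'EOF'
<security-configuration>
  <connection-filter>weblogic.security.net.ConnectionFilterImpl</connection-filter>
  <connection-filter-rule>0.0.0.0/0 * * deny t3 t3s</connection-filter-rule>
  <connection-filter-rule>192.1.1.1 * * allow t3 t3s</connection-filter-rule>
  <connection-filter-rule>127.0.0.1 * * allow t3 t3s</connection-filter-rule>
</security-configuration>
EOF
cat > "$cfg_dir/rolled_back.xml" <<'EOF'
<security-configuration>
  <connection-filter></connection-filter>
</security-configuration>
EOF
printf '%s\n' '192.1.1.1 * * allow t3 t3s' '127.0.0.1 * * allow t3 t3s' \
    "$DENY_ALL" > "$cfg_dir/expected.txt"

check_applied "$cfg_dir/applied.xml" "$cfg_dir/expected.txt" && echo "applied: OK"
check_applied "$cfg_dir/misordered.xml" "$cfg_dir/expected.txt" || echo "misordered: rejected"
check_rolled_back "$cfg_dir/rolled_back.xml" && echo "rolled back: OK"
```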
As shown in fig. 4, the present invention provides a general and automatic configuration method and apparatus for setting a Weblogic T3 filter. Operation and maintenance personnel can configure the Weblogic T3 filter through batch scheduling of an automated operation and maintenance tool. The specific configuration process of the Weblogic T3 filter is as follows: first, an environment check is carried out to obtain the basic information of the Weblogic Server; each target IP address for which the T3 filter is to be configured is obtained automatically based on the Weblogic domain configuration file in that basic information; the configuration rule corresponding to each target IP address is generated according to the preset rule configuration script; the preset WLST script is configured with the configuration rules to obtain the WLST configuration script; the WLST configuration script is executed on the server where the AdminServer process is located to connect the server corresponding to each target IP address to the Weblogic domain; and finally the corresponding connection filter rule items in the Weblogic domain configuration file are checked for the configuration rules, so that the T3 filter configuration takes effect in the Weblogic domain. This realizes standardized and automated processing of the T3 filter configuration.
Meanwhile, to prevent unexpected service impact after the T3 filter is configured, a one-click rollback of the T3 filter configuration is provided, which supports fast rollback. The specific process is similar to the configuration process of the Weblogic T3 filter: an environment check is carried out to obtain the basic information of the Weblogic Server; the configuration rules in the WLST script are cleared to obtain the WLST rollback script; the WLST rollback script connects to the Weblogic domain to clear the T3 filter configuration; and finally the corresponding connection filter rule items in the Weblogic domain configuration file are checked for configuration rules. If no configuration rule exists, the rollback of the T3 filter configuration is valid.
The specific implementation procedures and derivatives thereof of the above embodiments are within the scope of the present invention.
Corresponding to the method described in fig. 1, an embodiment of the present invention further provides a configuration apparatus of a Weblogic T3 filter, which is used for implementing the method in fig. 1. The configuration apparatus of the Weblogic T3 filter provided in the embodiment of the present invention may be applied to a computer terminal or various mobile devices; a schematic structural diagram of the configuration apparatus is shown in fig. 5, and it specifically includes:
the acquiring unit 501 is configured to acquire Weblogic service information corresponding to an AdminServer process when the AdminServer process exists in any server in a Weblogic domain;
a determining unit 502, configured to determine each target IP address based on the Weblogic service information, and execute a preset rule generation script to generate a configuration rule corresponding to each target IP address;
a setting unit 503, configured to set a filter name in a preset WLST script and add each configuration rule to obtain a WLST configuration script;
an executing unit 504, configured to execute the WLST configuration script on a server where the AdminServer process is located, so as to complete configuration of a T3 filter in the Weblogic domain.
Based on the device provided by the embodiment of the invention, in the configuration process of the Weblogic T3 filter, when an AdminServer process exists in any server in the Weblogic domain, the acquiring unit acquires the Weblogic service information corresponding to the AdminServer process; the determining unit determines each target IP address based on the Weblogic service information and executes a preset rule generation script to generate the configuration rule corresponding to each target IP address; the setting unit sets a filter name in a preset WLST script and adds each configuration rule to obtain the WLST configuration script; and the executing unit executes the WLST configuration script on the server where the AdminServer process is located to complete the configuration of the T3 filter in the Weblogic domain.
By applying the configuration device of the Weblogic T3 filter, the complex operation configured by the Weblogic T3 filter can be packaged into a one-key universal script, and the normalization and standardization of the configuration operation of the T3 filter are realized. By executing the script, the configuration of the T3 filter is automatically completed, manual intervention is reduced, the configuration implementation efficiency of the T3 filter is improved, and the timeliness requirement of safety risk rectification can be better met.
The above apparatus, optionally, the obtaining unit 501 includes:
the first determining subunit is used for determining a Weblogic domain path corresponding to the AdminServer process;
the first obtaining subunit is configured to obtain, according to the Weblogic domain path, a configuration file corresponding to the Weblogic domain;
and the second acquiring subunit is used for acquiring the Weblogic service information corresponding to the adminServer process based on the configuration file.
The above apparatus, optionally, further comprises:
a checking unit, configured to, if there is each configuration rule in the connection filter rule items in the configuration file, validate the T3 filter configured by the Weblogic domain.
In the foregoing apparatus, optionally, the target IP address includes: a production IP address, a managed IP address, a first IP address and a second IP address; the rule generating script comprises a first rule generating script and a second rule generating script; the configuration rules comprise a first configuration rule and a second configuration rule; the determining unit 502 includes:
a third obtaining subunit, configured to obtain an IP address of each server in the Weblogic service information, where the IP address of each server is the production IP address;
the second determining subunit is used for determining the managed IP address corresponding to each production IP address according to a preset mapping rule;
the fourth acquiring subunit is configured to acquire a preset first IP address and a preset second IP address according to the Weblogic service information;
a first generating subunit, configured to execute the first rule generating script based on the first IP address, the each production IP address, and the managed IP address corresponding to the production IP address, and generate a first configuration rule, where the first configuration rule specifies that the server where the first IP address, the each production IP address, and the managed IP address corresponding to the production IP address are located can access the Weblogic domain through a T3 protocol;
and the second generating subunit is configured to execute the second rule generating script based on the second IP address to generate a second configuration rule, where the second configuration rule specifies that the server where the second IP address is located cannot access the Weblogic domain through a T3 protocol.
The above apparatus, optionally, further comprises:
a clearing unit, configured to clear each configuration rule in the WLST configuration script to obtain a WLST rollback script;
and a rollback unit, configured to execute the WLST rollback script on a server where the AdminServer process is located, so as to cancel the configuration of the T3 filter in the Weblogic domain.
The specific working processes of each unit and sub-unit in the configuration device of the Weblogic T3 filter disclosed in the above embodiment of the present invention may refer to corresponding contents in the configuration method of the Weblogic T3 filter disclosed in the above embodiment of the present invention, and are not described again here.
The embodiment of the invention also provides a storage medium, which comprises stored instructions, wherein when the instructions are executed, the device where the storage medium is located is controlled to execute the configuration method of the Weblogic T3 filter.
An electronic device is provided in an embodiment of the present invention, and the structural diagram of the electronic device is shown in fig. 6, which specifically includes a memory 601 and one or more instructions 602, where the one or more instructions 602 are stored in the memory 601 and configured to be executed by one or more processors 603 to perform the following operations on the one or more instructions 602:
when any server in a Weblogic domain has an adminServer process, acquiring Weblogic service information corresponding to the adminServer process;
determining each target IP address based on the Weblogic service information, and executing a preset rule generation script to generate a configuration rule corresponding to each target IP address;
setting a filter name in a preset WLST script and adding each configuration rule to obtain a WLST configuration script;
and executing the WLST configuration script on a server where the adminServer process is located to complete the configuration of the T3 filter in the Weblogic domain.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, the system or system embodiments are substantially similar to the method embodiments and therefore are described in a relatively simple manner, and reference may be made to some of the descriptions of the method embodiments for related points. The above-described system and system embodiments are only illustrative, wherein the units described as separate parts may or may not be physically separate, and the parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both.
To clearly illustrate this interchangeability of hardware and software, various illustrative components and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (10)
1. A configuration method of a Weblogic T3 filter is characterized by comprising the following steps:
when any server in a Weblogic domain has an adminServer process, acquiring Weblogic service information corresponding to the adminServer process;
determining each target IP address based on the Weblogic service information, and executing a preset rule generation script to generate a configuration rule corresponding to each target IP address;
setting a filter name in a preset WLST script and adding each configuration rule to obtain a WLST configuration script;
and executing the WLST configuration script on a server where the adminServer process is located to complete the configuration of the T3 filter in the Weblogic domain.
2. The method according to claim 1, wherein the acquiring Weblogic service information corresponding to the AdminServer process includes:
determining a Weblogic domain path corresponding to the AdminServer process;
acquiring a configuration file corresponding to the Weblogic domain according to the Weblogic domain path;
and acquiring Weblogic service information corresponding to the AdminServer process based on the configuration file.
3. The method of claim 2, further comprising:
if each configuration rule exists in the connection filter rule items in the configuration file, the T3 filter configured by the Weblogic domain takes effect.
4. The method of claim 1, wherein the target IP address comprises: a production IP address, a managed IP address, a first IP address and a second IP address; the rule generating script comprises a first rule generating script and a second rule generating script; the configuration rules comprise a first configuration rule and a second configuration rule;
the determining, based on the Weblogic service information, each target IP address, and executing a preset rule generation script to generate a configuration rule corresponding to each target IP address includes:
acquiring the IP address of each server in the Weblogic service information, wherein the IP address of each server is the production IP address;
determining a managed IP address corresponding to each production IP address according to a preset mapping rule;
acquiring a preset first IP address and a preset second IP address according to the Weblogic service information;
executing the first rule generation script based on the first IP address, each production IP address and the managed IP address corresponding to the production IP address to generate a first configuration rule, wherein the first configuration rule specifies that the first IP address, each production IP address and a server where the managed IP address corresponding to the production IP address is located can access the Weblogic domain through a T3 protocol;
and executing the second rule generation script based on the second IP address to generate a second configuration rule, wherein the second configuration rule specifies that the server where the second IP address is located cannot access the Weblogic domain through a T3 protocol.
5. The method of claim 1, further comprising:
clearing each configuration rule in the WLST configuration script to obtain a WLST rollback script;
and executing the WLST rollback script on a server where the AdminServer process is located to cancel the configuration of the T3 filter in the Weblogic domain.
6. A configuration device of a Weblogic T3 filter, comprising:
an acquisition unit, configured to acquire Weblogic service information corresponding to an AdminServer process when the AdminServer process exists in any server in a Weblogic domain;
the determining unit is used for determining each target IP address based on the Weblogic service information and executing a preset rule generating script to generate a configuration rule corresponding to each target IP address;
the configuration unit is used for setting a filter name in a preset WLST script and adding each configuration rule to obtain the WLST configuration script;
and the execution unit is used for executing the WLST configuration script on a server where the adminServer process is located so as to complete the configuration of the T3 filter in the Weblogic domain.
7. The apparatus of claim 6, wherein the obtaining unit comprises:
the first determining subunit is used for determining a Weblogic domain path corresponding to the AdminServer process;
the first obtaining subunit is configured to obtain, according to the Weblogic domain path, a configuration file corresponding to the Weblogic domain;
and the second acquiring subunit is used for acquiring the Weblogic service information corresponding to the adminServer process based on the configuration file.
8. The apparatus of claim 7, further comprising:
a checking unit, configured to, if there is each configuration rule in the connection filter rule items in the configuration file, validate the T3 filter configured by the Weblogic domain.
9. The apparatus of claim 6, wherein the target IP address comprises: a production IP address, a managed IP address, a first IP address and a second IP address; the rule generating script comprises a first rule generating script and a second rule generating script; the configuration rules comprise a first configuration rule and a second configuration rule; the determination unit includes:
a third obtaining subunit, configured to obtain an IP address of each server in the Weblogic service information, where the IP address of each server is the production IP address;
the second determining subunit is used for determining the managed IP address corresponding to each production IP address according to a preset mapping rule;
the fourth acquiring subunit is configured to acquire a preset first IP address and a preset second IP address according to the Weblogic service information;
a first generating subunit, configured to execute the first rule generating script based on the first IP address, the each production IP address, and the managed IP address corresponding to the production IP address, and generate a first configuration rule, where the first configuration rule specifies that the server where the first IP address, the each production IP address, and the managed IP address corresponding to the production IP address are located can access the Weblogic domain through a T3 protocol;
and the second generating subunit is configured to execute the second rule generating script based on the second IP address to generate a second configuration rule, where the second configuration rule specifies that the server where the second IP address is located cannot access the Weblogic domain through a T3 protocol.
10. The apparatus of claim 6, further comprising:
a clearing unit, configured to clear each configuration rule in the WLST configuration script to obtain a WLST rollback script;
and a rollback unit, configured to execute the WLST rollback script on a server where the AdminServer process is located, so as to cancel the configuration of the T3 filter in the Weblogic domain.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111470169.XA CN114143192A (en) | 2021-12-03 | 2021-12-03 | Configuration method and device of Weblogic T3 filter |
Publications (1)
Publication Number | Publication Date |
---|---|
CN114143192A true CN114143192A (en) | 2022-03-04 |
Family
ID=80387623
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111470169.XA Pending CN114143192A (en) | 2021-12-03 | 2021-12-03 | Configuration method and device of Weblogic T3 filter |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114143192A (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106993000A (en) * | 2017-05-26 | 2017-07-28 | 山东浪潮商用系统有限公司 | Solve method, Reverse Proxy and the system of unserializing leak |
US20180316556A1 (en) * | 2017-04-28 | 2018-11-01 | Oracle International Corporation | System and method for federated configuration in an application server environment |
CN108847977A (en) * | 2018-06-14 | 2018-11-20 | 平安科技(深圳)有限公司 | A kind of monitoring method of business datum, storage medium and server |
CN110166459A (en) * | 2019-05-24 | 2019-08-23 | 深圳前海微众银行股份有限公司 | A kind of means of defence and device of unserializing loophole |
CN110276202A (en) * | 2019-06-24 | 2019-09-24 | 深圳前海微众银行股份有限公司 | A kind of detection method and device of unserializing loophole |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||