What are the consequences when setting enforce-valid-basic-auth-credentials to false on weblogic server

hudi · Nov 3, 2016 · Viewed 7.3k times

In my WebLogic server I have an application where basic authentication is enabled (web.xml and weblogic.xml). Now I am porting a Spring Boot application from Tomcat to WebLogic, which also had basic authentication, but on the application tier. When I port this it does not work and I need to set enforce-valid-basic-auth-credentials to false. Now I expected that I should refactor my first application, which runs on the same domain (it runs on a virtual host), but it seems authentication is still working in this application. So what are the consequences when I set this option on a production server?

Answer

SkyWalker · Nov 7, 2016

Where does it take effect?

The enforce-valid-basic-auth-credentials flag affects the entire domain. So, it will work for both of your projects.

The enforce-valid-basic-auth-credentials flag is true by default, and WebLogic Server authentication is performed. If authentication fails, the request is rejected. WebLogic Server must therefore have knowledge of the user and password.

You may want to change the default behavior if you rely on an alternate authentication mechanism. For example, you might use a backend web service to authenticate the client, and WebLogic Server does not need to know about the user. With the default authentication enforcement enabled, the web service can do its own authentication, but only if WebLogic Server authentication first succeeds.

If you explicitly set the enforce-valid-basic-auth-credentials flag to false, WebLogic Server does not perform authentication for HTTP BASIC authentication client requests for which access control was not enabled for the target resource.

Resource Link:

  1. Understanding BASIC Authentication with Unsecured Resources
  2. WebLogic bypass basic authentication

What does Oracle say about enforce-valid-basic-auth-credentials?

Oracle WebLogic Server authentication is enabled by default. However, this configuration prevents Oracle WebLogic Server from using application managed authentication. You must disable Oracle WebLogic Server authentication by setting the enforce-valid-basic-auth-credentials parameter to false.

Procedure

To disable Oracle WebLogic Server authentication:

  1. In a text editor, open the config.xml file for the domain where you deployed IBM CMIS for Content Manager OnDemand. The config.xml file is in the Oracle/Middleware/user_projects/domains/domain_name/config directory.
  2. Locate the <security-configuration> element.
  3. Add the following argument to the end of the element:

    <enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>

  4. Start or restart all of the servers in the domain.

Resource Link:

  1. Disabling Oracle WebLogic Server authentication for IBM CMIS for Content Manager OnDemand

UPDATE#1:

Why is it set to false?

Whether or not the system should allow requests with invalid Basic Authentication credentials to access unsecure resources. (Interface=weblogic.management.configuration.SecurityConfigurationMBean Attribute=getEnforceValidBasicAuthCredentials)

Actually, you need to do 2 things here.

  1. Sometimes it is not enough to set it to false.
  2. So, you need to add the flag via WLST:

    # Connect to the admin server (replace the user, password and URL with your own)
    connect('weblogicUser','weblogicPassword','t3://localhost:7001')
    edit()
    startEdit()
    # Replace Your_Domain with the name of your domain
    cd('SecurityConfiguration/Your_Domain')
    set('EnforceValidBasicAuthCredentials','false')
    save()
    activate()

N.B.: Do not forget to substitute your weblogicUser, weblogicPassword, WebLogic URL and your domain in the 'cd' command. If you do these things successfully, it will take effect in your configuration file.

Resolution:

After restarting the server, if you look in the config.xml file, another tag has been added. Now the config.xml file looks like this:

.........
    <enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>
    <use-kss-for-demo>true</use-kss-for-demo>
</security-configuration>
............

But this use-kss-for-demo tag may depend on your WebLogic configuration. So it is strongly suggested by Val Bonn to use the WLST way to update this flag.

Resource Link:

https://stackoverflow.com/a/39619242/2293534


UPDATE#2:

So, you want to know what the impact is?

By default WebLogic Server looks at the Authentication header, and even if your code and app are set to allow anonymous access, if there is any HTTP Authentication header, WebLogic fails to handle the request and throws up a browser login dialog.

The Publisher web service by default uses authentication headers, so the Publisher authentication headers get sent to your portlet code. Fortunately, the fix for this is pretty straightforward and documented: set enforce-valid-basic-auth-credentials to false.

Resource Link:

  1. http://blog.integryst.com/webcenter-interaction/2010/03/24/setting-config-xml-for-weblogic-in-oracles-jdeveloper/
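Added example, not from the question, the answer or Oracle: a small Python audit that reads a domain config.xml and reports the effective value of the flag (an absent element means the WebLogic default, true), plus a function that encodes the request-handling rule the answer describes, which is why the first application with web.xml constraints keeps being authenticated by the container. The config.xml fragments below are constructed samples, and the namespace URI is an assumption.

```python
import xml.etree.ElementTree as ET

FLAG = "enforce-valid-basic-auth-credentials"


def _local(tag: str) -> str:
    """Strip a namespace prefix like '{http://...}' from an element tag."""
    return tag.rsplit("}", 1)[-1]


def enforce_flag(config_xml: str) -> tuple:
    """Return (explicitly_set, enforce) for the flag in a domain config.xml.

    Works with or without the default domain namespace. A missing element
    means the WebLogic default, which is true (container validates Basic creds).
    """
    root = ET.fromstring(config_xml)
    for el in root.iter():
        if _local(el.tag) == FLAG:
            return True, (el.text or "").strip().lower() != "false"
    return False, True


def container_checks_basic_auth(enforce: bool, resource_has_access_control: bool,
                                has_basic_header: bool) -> bool:
    """Does WebLogic itself validate the Basic credentials on this request?

    Rule from the answer: with the flag true, every request carrying a Basic
    header is validated (and rejected on failure); with it false, only
    resources that have container access control (web.xml constraints) are.
    """
    if not has_basic_header:
        return False          # nothing to validate; normal challenge logic applies
    if enforce:
        return True
    return resource_has_access_control


# Constructed sample fragments; the namespace URI is assumed, not taken from the post.
SAMPLE_FALSE = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <security-configuration>
    <enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>
  </security-configuration>
</domain>"""
SAMPLE_DEFAULT = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <security-configuration/>
</domain>"""

if __name__ == "__main__":
    for name, xml in (("explicit-false", SAMPLE_FALSE), ("default", SAMPLE_DEFAULT)):
        explicit, enforce = enforce_flag(xml)
        print(name, "explicit" if explicit else "default", "enforce" if enforce else "bypass")
    print(container_checks_basic_auth(False, True, True))   # first app: still authenticated
    print(container_checks_basic_auth(False, False, True))  # Spring Boot app: left to its own auth
```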