What are the consequences when setting enforce-valid-basic-auth-credentials to false on weblogic server

In my WebLogic server I have an application where basic authentication is enabled (web.xml and weblogic.xml). Now I am porting a spring-boot application from Tomcat to WebLogic, which had basic authentication too, but on the application tier. So when I port it, it does not work and I need to set enforce-valid-basic-auth-credentials to false. Now I expected that I should refactor my first application, which runs on the same domain (it runs on a virtual host), but it seems authentication is still working in this application. So what are the consequences when I set this option on the production server?

hudi asked Nov 03 '16 09:11



1 Answer

Where does it take effect?

The enforce-valid-basic-auth-credentials flag affects the entire domain. So it will work for both of your projects.

The enforce-valid-basic-auth-credentials flag is true by default, and WebLogic Server authentication is performed. If authentication fails, the request is rejected. WebLogic Server must therefore have knowledge of the user and password.

You may want to change the default behavior if you rely on an alternate authentication mechanism. For example, you might use a backend web service to authenticate the client, and WebLogic Server does not need to know about the user. With the default authentication enforcement enabled, the web service can do its own authentication, but only if WebLogic Server authentication first succeeds.

If you explicitly set the enforce-valid-basic-auth-credentials flag to false, WebLogic Server does not perform authentication for HTTP BASIC authentication client requests for which access control was not enabled for the target resource.

Resource Link:

  1. Understanding BASIC Authentication with Unsecured Resources
  2. WebLogic bypass basic authentication

What Oracle Says about enforce-valid-basic-auth-credentials?

Oracle WebLogic Server authentication is enabled by default. However, this configuration prevents Oracle WebLogic Server from using application managed authentication. You must disable Oracle WebLogic Server authentication by setting the enforce-valid-basic-auth-credentials parameter to false.

Procedure

To disable Oracle WebLogic Server authentication:

  1. In a text editor, open the config.xml file for the domain where you deployed IBM CMIS for Content Manager OnDemand. The config.xml file is in the Oracle/Middleware/user_projects/domains/domain_name/config directory.
  2. Locate the <security-configuration> element.
  3. Add the following argument to the end of the element:

    <enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>

  4. Start or restart all of the servers in the domain.

Resource Link:

  1. Disabling Oracle WebLogic Server authentication for IBM CMIS for Content Manager OnDemand

UPDATE#1:

Why it is made to false?

Whether or not the system should allow requests with invalid Basic Authentication credentials to access unsecure resources. (Interface=weblogic.management.configuration.SecurityConfigurationMBean Attribute=getEnforceValidBasicAuthCredentials)

Actually, you need to do 2 things here.

  1. Sometimes it is not enough to make it false.
  2. So, you need to add the flag via WLST:

    connect('weblogicUser','weblogicPassword','t3://localhost:7001')
    edit()
    startEdit()
    cd('SecurityConfiguration/Your_Domain')
    set('EnforceValidBasicAuthCredentials','false')
    save()
    activate()

N.B.: (Do not forget to edit with your weblogicUser, weblogicPassword, WebLogic URL and your domain in the 'cd' command...). If you do these things successfully, it will take effect in your configuration file.

Resolution:

After restarting the server, if you look in the config.xml file, another tag has been added. Now the config.xml file looks like this:

.........
    <enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>
    <use-kss-for-demo>true</use-kss-for-demo>
</security-configuration>
............

But this use-kss-for-demo tag may depend on your WebLogic configuration. So it is strongly suggested by Val Bonn to use the WLST way to update this flag.

Resource Link:

https://stackoverflow.com/a/39619242/2293534


UPDATE#2:

So, you want to know what the impact is?

By default WebLogic Server looks at the Authentication Header, and even if your code and app is set to allow anonymous access, if there’s any HTTP Authentication header, WebLogic fails to handle the requests and throws up a browser login dialog:


The Publisher web service by default uses authentication headers, so the Publisher authentication headers get sent to your portlet code. Fortunately, the fix for this is pretty straightforward and documented: set enforce-valid-basic-auth-credentials to false.

Resource Link:

  1. http://blog.integryst.com/webcenter-interaction/2010/03/24/setting-config-xml-for-weblogic-in-oracles-jdeveloper/
SkyWalker answered Oct 01 '22 03:10
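The answer above describes the flag as domain-wide and shows both the config.xml form and the WLST form of setting it. As an added example (not code from the question, the answer, or Oracle's documentation), the following Python script reads a domain config.xml and reports the effective value of enforce-valid-basic-auth-credentials, so a reviewer can tell at a glance whether the server still validates Basic credentials or whether, as the answer explains, each deployed application is now responsible for its own authentication. The two sample documents are constructed for the example; the script ignores XML namespaces so it can be pointed at a real config.xml, and it assumes the element lives under <security-configuration> as shown in the answer's excerpt.

```python
"""Audit a WebLogic domain config.xml for enforce-valid-basic-auth-credentials."""
import sys
import xml.etree.ElementTree as ET

# Two constructed config.xml fragments (not real domain files). The first mirrors
# the answer's excerpt with the flag set to false; the second omits the flag, so
# WebLogic's default (true) applies.
SAMPLE_DISABLED = """<?xml version="1.0" encoding="UTF-8"?>
<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>example_domain</name>
  <security-configuration>
    <name>example_domain</name>
    <enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>
    <use-kss-for-demo>true</use-kss-for-demo>
  </security-configuration>
</domain>
"""

SAMPLE_DEFAULT = """<?xml version="1.0" encoding="UTF-8"?>
<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>example_domain</name>
  <security-configuration>
    <name>example_domain</name>
  </security-configuration>
</domain>
"""


def _local(tag):
    """Return the local part of an ElementTree tag ('{uri}name' -> 'name')."""
    return tag.rsplit("}", 1)[-1]


def _child(elem, name):
    """First direct child of elem whose local tag name is `name`, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return child
    return None


def audit_config(xml_text):
    """Report how enforce-valid-basic-auth-credentials is set in a config.xml.

    Returns a dict with:
      flag_present - whether the element exists under <security-configuration>
      enforce      - effective value (WebLogic's default is true when absent)
      findings     - human-readable notes for a reviewer
    """
    root = ET.fromstring(xml_text)
    sec = next((e for e in root.iter() if _local(e.tag) == "security-configuration"), None)
    result = {"flag_present": False, "enforce": True, "findings": []}
    if sec is None:
        result["findings"].append("no <security-configuration> element; default (true) applies")
        return result
    flag = _child(sec, "enforce-valid-basic-auth-credentials")
    if flag is None:
        result["findings"].append(
            "flag absent; default (true): WebLogic validates every Basic credential it sees")
        return result
    result["flag_present"] = True
    result["enforce"] = (flag.text or "").strip().lower() != "false"
    if result["enforce"]:
        result["findings"].append(
            "flag explicitly true: WebLogic validates every Basic credential it sees")
    else:
        result["findings"].append(
            "flag false for the whole domain: requests with invalid Basic credentials reach "
            "unsecured resources, so every deployed application must do its own authentication")
    kss = _child(sec, "use-kss-for-demo")
    if kss is not None and (kss.text or "").strip().lower() == "true":
        result["findings"].append(
            "use-kss-for-demo is true; the answer notes this tag depends on your WebLogic "
            "configuration, so confirm it is intended")
    return result


if __name__ == "__main__":
    # Usage: python audit_basic_auth.py [path/to/config.xml]; without a path the
    # constructed SAMPLE_DISABLED document is audited.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_DISABLED
    report = audit_config(text)
    print("enforce-valid-basic-auth-credentials effective value:", report["enforce"])
    for note in report["findings"]:
        print(" -", note)
```

Because the flag is domain-wide, a false value is worth recording in the domain's change history: the server stops rejecting bad Basic credentials for unsecured resources, so any application on that domain that relied on container-level checks, as the questioner's first application did, should be reviewed rather than assumed to still be protected.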