Date Created: Thu 24-Feb-2011

Get my WebSphere Application Server course here >> http://www.themiddlewareshop.com/products/


    Setting the enforce-valid-basic-auth-credentials Flag to False

    The enforce-valid-basic-auth-credentials flag is a domain-wide setting. When it is true (the default), any client application that sends an Authorization header using basic auth has the call intercepted by WebLogic, which validates the credentials itself, and the application user is presented with a login prompt. If your application contains Spring handlers and you do not want WL to stick its nose into the auth, then you can set this flag to false. You can read on to learn a few tricks...



    Note: For WebLogic Server versions 9.2 and later, client requests that use HTTP BASIC authentication must pass WebLogic Server authentication, even if access control is not enabled on the target resource, and this is why we want to turn it off.
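    To make concrete what the flag changes, here is a small Python model (an added example for this post, not WebLogic's code): a "container" step that mirrors the intercept described above sits in front of an application handler that does its own authentication, the Spring-style case. The realms, users and requests are all constructed. With the flag true, an application user who is not in the WebLogic realm is rejected by the container before the application ever runs; with it false the same header reaches the application, which must then do the checking itself.

```python
"""Model of what enforce-valid-basic-auth-credentials changes.

Added example, not WebLogic's code: a toy request pipeline with a
'container' step in front of an application handler that does its own
Basic-auth checking.  Realms, users and requests are constructed.
"""
import base64

# Constructed realms: the container (WebLogic) realm and the application's own user store.
CONTAINER_REALM = {"weblogic": "weblogic123"}
APP_USERS = {"alice": "s3cret"}


def parse_basic(header):
    """Decode an 'Authorization: Basic <b64>' header into (user, password),
    or None when the header is absent or malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def container(request, enforce_valid_basic_auth_credentials):
    """The container-level intercept.  With the flag true, any Basic header is
    checked against the container realm before the application runs, even if
    the resource has no access control of its own; with the flag false the
    header is passed through untouched."""
    creds = parse_basic(request.get("Authorization"))
    if enforce_valid_basic_auth_credentials and creds is not None:
        user, password = creds
        if CONTAINER_REALM.get(user) != password:
            # Rejected here: the application never sees the request.
            return {"status": 401, "by": "container", "WWW-Authenticate": 'Basic realm="weblogic"'}
    return app_handler(request)


def app_handler(request):
    """The application's own authentication (what a Spring handler would do).
    With the flag false this is the only check the credentials get."""
    creds = parse_basic(request.get("Authorization"))
    if creds is None:
        return {"status": 401, "by": "app", "WWW-Authenticate": 'Basic realm="app"'}
    user, password = creds
    if APP_USERS.get(user) != password:
        return {"status": 401, "by": "app"}
    return {"status": 200, "by": "app", "user": user}


def basic_header(user, password):
    """Build the header a client would send (constructed test input)."""
    return "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    req = {"Authorization": basic_header("alice", "s3cret")}
    print(container(req, True))   # alice is not in the container realm: 401 from the container
    print(container(req, False))  # header reaches the application: 200
```

    The second run is the situation the post wants; note that nothing in the pipeline checks the credentials any more except the application handler, so the application has to be sure its own check is in place before the flag goes to false.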

    ============================================

    Editing config.xml

    To set the enforce-valid-basic-auth-credentials flag, perform the following steps:

    1. Add the <enforce-valid-basic-auth-credentials> element to config.xml within the <security-configuration> element:

    <security-configuration>
        ...
        <enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>
    </security-configuration>

    2. Start or restart all of the servers in the domain.
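    Because the Administration Console does not show this flag, a script that audits config.xml directly is handy. The following Python is an added example (not from this post and not an Oracle tool): it reads the flag under <security-configuration>, reports the effective value (the element being absent means WebLogic's default of true applies), and can write the element the same way step 1 describes. The sample config.xml is constructed and cut down to the elements that matter; the script assumes the default domain namespace http://xmlns.oracle.com/weblogic/domain that WebLogic's config.xml declares on its root element.

```python
"""Audit and patch enforce-valid-basic-auth-credentials in a WebLogic config.xml.

Added example, not part of the original post or of WebLogic.  The sample
document is constructed; the namespace URI is the domain namespace that
WebLogic's config.xml declares on <domain> (assumed here).
"""
import xml.etree.ElementTree as ET

WLS_NS = "http://xmlns.oracle.com/weblogic/domain"
NS = {"d": WLS_NS}
FLAG = "enforce-valid-basic-auth-credentials"

# Constructed sample: a domain in which the flag has never been written,
# so WebLogic applies its default (true).
SAMPLE_CONFIG_XML = """<?xml version='1.0' encoding='UTF-8'?>
<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>base_domain</name>
  <security-configuration>
    <name>base_domain</name>
    <default-realm>myrealm</default-realm>
  </security-configuration>
</domain>
"""


def read_flag(config_xml):
    """Return True/False for the flag as written, or None when the element is
    absent (in which case WebLogic's default of true is in effect)."""
    root = ET.fromstring(config_xml)
    elem = root.find("d:security-configuration/d:" + FLAG, NS)
    if elem is None or elem.text is None:
        return None
    return elem.text.strip().lower() == "true"


def effective_flag(config_xml):
    """The value WebLogic will actually enforce: the explicit value, else true."""
    value = read_flag(config_xml)
    return True if value is None else value


def write_flag(config_xml, value):
    """Return new config.xml text with the flag set to value, creating the
    element under <security-configuration> when it is missing."""
    ET.register_namespace("", WLS_NS)  # keep the default namespace unprefixed on output
    root = ET.fromstring(config_xml)
    sec = root.find("d:security-configuration", NS)
    if sec is None:
        raise ValueError("config.xml has no <security-configuration> element")
    elem = sec.find("d:" + FLAG, NS)
    if elem is None:
        elem = ET.SubElement(sec, "{%s}%s" % (WLS_NS, FLAG))
    elem.text = "true" if value else "false"
    return ET.tostring(root, encoding="unicode")


def audit(config_xml):
    """One-line report for a domain review."""
    flag = read_flag(config_xml)
    if flag is None:
        return "flag not present: WebLogic default (true) applies, container validates Basic auth"
    if flag:
        return "flag true: container validates Basic auth before the application sees it"
    return "flag false: Basic auth headers pass through; the application must authenticate them itself"


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG_XML))
    patched = write_flag(SAMPLE_CONFIG_XML, False)
    print(audit(patched))
    print(patched)
```

    Run it against config.xml with the servers stopped, exactly as with the manual edit in step 1, and restart the servers afterwards (step 2) for the value to take effect.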

    =============================================

    Using WebLogic Scripting Tool (WLST)

    Using WLST to Check the Value of enforce-valid-basic-auth-credentials

    The Administration Console does not display or log the enforce-valid-basic-auth-credentials setting. However, you can use WLST to check the value in a running server. Remember that enforce-valid-basic-auth-credentials is a domain-wide setting.

    The WLST session shown below demonstrates how to check the value of the enforce-valid-basic-auth-credentials flag in a sample running server.

    Example:

    wls:/offline> connect('weblogic','weblogic123','t3://localhost:7002')
    Connecting to t3://localhost:7002 with userid weblogic ...
    Successfully connected to Admin Server 'AdminServer' that belongs to domain 'base_domain'.

    Warning: An insecure protocol was used to connect to the
    server. To ensure on-the-wire security, the SSL port or
    Admin port should be used instead.

    wls:/base_domain/serverConfig> cd('SecurityConfiguration')
    wls:/base_domain/serverConfig/SecurityConfiguration> ls()
    dr-- base_domain

    wls:/base_domain/serverConfig/SecurityConfiguration> cd ('base_domain')
    wls:/base_domain/serverConfig/SecurityConfiguration/base_domain> ls()
    dr-- DefaultRealm
    dr-- Realms

    -r-- AnonymousAdminLookupEnabled false
    -r-- ClearTextCredentialAccessEnabled false
    -r-- CompatibilityConnectionFiltersEnabled false
    -r-- ConnectionFilter null
    -r-- ConnectionFilterRules null
    -r-- ConnectionLoggerEnabled false
    -r-- ConsoleFullDelegationEnabled false
    -r-- Credential ******
    -r-- CredentialEncrypted ******
    -r-- CrossDomainSecurityEnabled false
    -r-- DowngradeUntrustedPrincipals false
    -r-- EnforceStrictURLPattern true
    -r-- EnforceValidBasicAuthCredentials true
    -r-- ExcludedDomainNames null
    -r-- Name base_domain
    -r-- NodeManagerPassword ******
    -r-- NodeManagerPasswordEncrypted ******
    -r-- NodeManagerUsername 2btxdeGF98
    -r-- Notes null
    -r-- PrincipalEqualsCaseInsensitive false
    -r-- PrincipalEqualsCompareDnAndGuid false
    -r-- Type SecurityConfiguration
    -r-- WebAppFilesCaseInsensitive false

    -r-x findDefaultRealm WebLogicMBean :
    -r-x findRealm WebLogicMBean : String(realmDisplayName)
    -r-x findRealms WebLogicMBean[] :
    -r-x freezeCurrentValue Void : String(attributeName)
    -r-x generateCredential [B :
    -r-x isSet Boolean : String(propertyName)
    -r-x unSet Void : String(propertyName)



    Here are the commands I used to edit the setting using WLST:

    edit()
    startEdit()
    cd('SecurityConfiguration')
    cd('YOUR_DOMAIN')
    set('EnforceValidBasicAuthCredentials','false')
    save()
    activate()





    Note: This will create an entry in your config.xml with the value false.

    Let's list the result in WLST:






    Now we have Disabled the Security Intercept!

    WebLogic sometimes intercepts login requests, making it impossible for your app to authenticate correctly. You can now prevent WebLogic from intercepting login requests.

    ==========================

    Here is a WLST script to do this automatically:

    """
    This script starts an edit session and modifies the EnforceValidBasicAuthCredentials setting, which
    equates to <enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials> in config.xml.
    Run it with WLST: java weblogic.WLST configureAuth.py false
    """

    import sys

    # Global Variables
    usr = "weblogic"
    password = "weblogic123"
    domain = "base_domain"
    url = "t3://localhost:7002"

    def setAuth(authSetting):
        # Connect to the Admin Server, open an edit session on the domain-wide
        # SecurityConfiguration MBean, change the flag and activate the change.
        connect(usr, password, url)
        edit()
        startEdit()
        cd('SecurityConfiguration')
        cd(domain)
        set('EnforceValidBasicAuthCredentials', authSetting)
        save()
        activate()
        disconnect()

    #-----------------------------------------------------------------
    # Auth setting
    #-----------------------------------------------------------------
    def Configure(authSetting):
        # Only accept the two values the flag can take; anything else is a usage error.
        if authSetting.lower() not in ("true", "false"):
            ScriptUsage()
        else:
            setAuth(authSetting.lower())

    #-----------------------------------------------------------------
    # Usage
    #-----------------------------------------------------------------
    def ScriptUsage():
        print "----------------------------------------------------------------------------------------------------------------"
        print ""
        print " ERROR: Invalid usage, correct usage is:"
        print " java weblogic.WLST configureAuth.py {boolean}"
        print ""
        print " e.g.: java weblogic.WLST configureAuth.py false"
        print ""
        print "----------------------------------------------------------------------------------------------------------------"
        print ""

    #-----------------------------------------------------------------
    # Main
    #-----------------------------------------------------------------
    if len(sys.argv) != 2:
        ScriptUsage()
    else:
        Configure(sys.argv[1])



Steve Robinson - IBM Champion 2013

About Me

Steve Robinson has been working in IT for over 20 years and has provided solutions for many large enterprise companies across the world. Steve specialises in Java and Middleware.

In January 2013, I was awarded the prestigious 'IBM Champion' accolade.


Read my books?

IBM WebSphere Application Server 8.0 Administration Guide

WebSphere Application Server 7.0 Administration Guide