Tuesday, May 12, 2009

How to fix Basic Authentication issue on WebLogic 9.2/10.0/10.3 when using Acegi/Spring Security

HTTP Basic Authentication does not work correctly on WebLogic starting from version 9.2 (previous versions were not tested). The problem is that if a request to your application carries an "Authorization" header, WebLogic itself intercepts the request and does not pass it to your application. WebLogic tries to perform the authentication itself.

This problem can occur in your application if you are using HTTP Basic Authentication with Acegi/Spring Security.

The only solution I have found to resolve the issue is to add

<enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>

into the config.xml file (before the closing tag </security-configuration>):

<security-configuration>

...
<enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>
</security-configuration>

This configuration will resolve the issue.
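An added example, not code from the original post or from Oracle: a Python check that reports whether a config.xml still leaves the flag at its default and, if so, places the element just before the closing </security-configuration> tag as described above. The sample file, the domain name and the function names are assumptions made for illustration, and the insert assumes the closing tag sits on its own line.

```python
import re
import xml.etree.ElementTree as ET

FLAG = "enforce-valid-basic-auth-credentials"

# Constructed sample, not a real domain's config.xml; the domain name is made up
# and the namespace is the one assumed here for a WebLogic 10.3 domain.
SAMPLE = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>example_domain</name>
  <security-configuration>
    <name>example_domain</name>
  </security-configuration>
</domain>"""


def local_name(tag):
    # Drop the "{namespace}" prefix so files from different releases match.
    return tag.rsplit("}", 1)[-1]


def flag_state(config_xml):
    """Return 'disabled' if the flag is false, else 'enforced' (also when absent)."""
    for sec in ET.fromstring(config_xml).iter():
        if local_name(sec.tag) != "security-configuration":
            continue
        for child in sec:
            if local_name(child.tag) == FLAG:
                value = (child.text or "").strip().lower()
                return "disabled" if value in ("false", "0") else "enforced"
    return "enforced"  # element absent: WebLogic keeps intercepting the header


def disable_flag(config_xml):
    """Return config_xml with the flag set to false just before the closing tag."""
    if flag_state(config_xml) == "disabled":
        return config_xml  # already set, leave the file untouched
    # Drop an existing element that holds another value, then insert a fresh one.
    stale = r"[ \t]*<%s>[^<]*</%s>[ \t]*\n?" % (FLAG, FLAG)
    config_xml = re.sub(stale, "", config_xml)
    closing = re.search(r"^([ \t]*)</security-configuration>", config_xml, re.M)
    if closing is None:
        raise ValueError("no </security-configuration> on its own line")
    line = "%s  <%s>false</%s>\n" % (closing.group(1), FLAG, FLAG)
    return config_xml[:closing.start()] + line + config_xml[closing.start():]


if __name__ == "__main__":
    print(flag_state(SAMPLE), "->", flag_state(disable_flag(SAMPLE)))
```

The flag belongs to the domain's security configuration, so it affects the entire domain, not one application. With it set to false, the application's own Acegi/Spring Security filter is the only thing checking Basic credentials.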

4 comments:

Knurd said...

Works for WebLogic 11 too, although the XML element was not present in my config.xml.

Александр Трофимов said...

Thanks! Works in WebLogic 12. Unauthorized exception will be fixed!

Trey Harrison said...

I'm having the same issue with a Jersey web service. Any idea if I could include something in my web.xml to fix this?

Kiefer Head said...

You are the man! I can't tell you how many hours we put into trying to find a fix for this.