WebLogic & Basic Auth

By default, WebLogic attempts to authenticate any HTTP Basic credentials sent with a request, even if the URI being accessed does not fall within a statically declared web.xml security constraint. That doesn't seem like a reasonable default to me, but there is a way to change this behaviour, the enforce-valid-basic-auth-credentials setting:

To set the enforce-valid-basic-auth-credentials flag, perform the following steps:

  1. Add the <enforce-valid-basic-auth-credentials> element to config.xml within the <security-configuration> element.
    ...
    <enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>
    </security-configuration>
    ...
  2. Start or restart all of the servers in the domain.

It’s a shame there isn’t an equivalent setting in the weblogic.xml deployment descriptor.
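An added example (not from the original post or from the vendor's documentation): a Python check that reads a domain's config.xml and reports whether the flag is in effect, treating a missing element as the default in which credentials are validated. The function name, result labels and sample document are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

FLAG = "enforce-valid-basic-auth-credentials"
PARENT = "security-configuration"

# Constructed sample, not a real domain's config.xml.
SAMPLE_DISABLED = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>example_domain</name>
  <security-configuration>
    <name>example_domain</name>
    <enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>
  </security-configuration>
</domain>"""


def _local(tag):
    """Drop any '{namespace}' prefix so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def basic_auth_enforcement(config_xml):
    """Classify the flag: enforced-default, enforced, disabled, misplaced, invalid."""
    root = ET.fromstring(config_xml)
    everywhere = [e for e in root.iter() if _local(e.tag) == FLAG]
    if not everywhere:
        # Element absent: the default applies and Basic credentials are checked.
        return "enforced-default"
    in_parent = [c for p in root.iter() if _local(p.tag) == PARENT
                 for c in p if _local(c.tag) == FLAG]
    if not in_parent:
        # Present, but not a child of <security-configuration> as step 1 requires.
        return "misplaced"
    value = (in_parent[0].text or "").strip().lower()
    return {"true": "enforced", "false": "disabled"}.get(value, "invalid")


if __name__ == "__main__":
    # Usage: python check_basic_auth.py <path to config.xml>
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            text = fh.read()
    else:
        text = SAMPLE_DISABLED
    print(basic_auth_enforcement(text))
```

Because the flag lives in config.xml rather than in a deployment descriptor, a "disabled" result applies to every application deployed in the domain.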
