When A User Account Is Locked Out, The Account Credentials Are Still Validated Against The Backend System
Last updated on DECEMBER 11, 2017
Applies to:Oracle WebLogic Server - Version 10.3 and later
Information in this document applies to any platform.
WebLogic has a concept of user lockouts in its security realm. That is, after a certain number of failed authentication requests, the user is locked out for a specified period of time. The customer would not expect any more traffic to be hitting the backend system (LDAP server, AD and so forth). An Oracle white paper describes this behavior: "Once the account has been soft locked in WebLogic runtime, it does not try to validate the account credentials against the backend system, thus preventing it from being permanently locked" (Diagnosing Intermittent Authentication Failures and User Lock-Outs in Oracle WebLogic). However, even when a user account is soft locked in WebLogic runtime, account credentials are still validated against the back-end system.
Why is a locked account still authenticated against the backend system?
Sign In with your My Oracle Support account
Don't have a My Oracle Support account? Click to get started
My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms