When A User Account Is Locked Out, The Account Credentials Are Still Validated Against The Backend System
(Doc ID 2029248.1)
Last updated on SEPTEMBER 25, 2020
Applies to: Oracle WebLogic Server - Version 10.3 to 10.3.6
Information in this document applies to any platform.
WebLogic has a concept of user lockouts in its security realm: after a certain number of failed authentication requests, the user is locked out for a specified period of time. While the user is locked out, the customer would not expect any further authentication traffic to reach the backend system (LDAP server, AD and so forth). An Oracle white paper describes this behavior: "Once the account has been soft locked in WebLogic runtime, it does not try to validate the account credentials against the backend system, thus preventing it from being permanently locked" (Diagnosing Intermittent Authentication Failures and User Lock-Outs in Oracle WebLogic). However, even when a user account is soft locked in WebLogic runtime, the account credentials are still validated against the backend system.
Why is a locked account still authenticated against the backend system?