
HTTP Request Attribute Value Equals a String Constant is Not Working in WebLogic (Doc ID 2674848.1)

Last updated on SEPTEMBER 18, 2023

Applies to:

Oracle WebLogic Server - Version to [Release 12c]
Information in this document applies to any platform.


The "HTTP request attribute value equals a string constant" policy condition is not working in WebLogic. The following exception is observed in the logs when DebugSecurityAtz is enabled.

Test Case

1. Deploy a sample application to a managed server using the security model "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console."

2. Navigate to Deployment > App > Security > URL Patterns > Policies.

3. Create a URL pattern policy "/".

4. Click on "/".

5. Add Conditions and select "HTTP request attribute value equals a string constant".

6. Enter Header.MyHeader in "HTTP request attribute name:" and test123 in "String value".

7. Access the application with curl -u user:password -H "MyHeader: test123" http://host:port/ShoppingCart/

Here, user is any user in WebLogic's embedded LDAP, password is the password of that user, and /ShoppingCart is the context root of the application.

8. The request fails with Error 403--Forbidden, and the WebLogic server logs show the above-mentioned error when DebugSecurityAtz is enabled.
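To tell this failure apart from a policy that is not enforced at all, the curl call from step 7 can be repeated with a wrong header value and with no header. The script below is an added example, not part of the Oracle note; the function names and the 200 status for an allowed request are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not Oracle's code). Assumed status codes: 403 = denied by the
# policy (as in step 8), 200 = allowed.

# Print the HTTP status of one authenticated request; extra args go to curl.
probe() {
  local url="$1" creds="$2"
  shift 2
  curl -s -o /dev/null -w '%{http_code}' -u "$creds" "$@" "$url" || true
}

# Probe with the matching header, a wrong value, and no header, then classify:
#   ok                      only the matching header is allowed
#   condition-not-matching  even the matching header gets 403 (symptom in this note)
#   fail-open               a request without the right value was allowed
#   unexpected:<codes>      anything else (authentication failure, server down, ...)
check_header_policy() {
  local url="$1" creds="$2" name="$3" value="$4"
  local match wrong none
  match=$(probe "$url" "$creds" -H "$name: $value")
  wrong=$(probe "$url" "$creds" -H "$name: not-$value")
  none=$(probe "$url" "$creds")
  if [ "$wrong" = 200 ] || [ "$none" = 200 ]; then
    echo fail-open
  elif [ "$wrong" = 403 ] && [ "$none" = 403 ] && [ "$match" = 200 ]; then
    echo ok
  elif [ "$wrong" = 403 ] && [ "$none" = 403 ] && [ "$match" = 403 ]; then
    echo condition-not-matching
  else
    echo "unexpected:$match/$wrong/$none"
  fi
}

# Usage with the values from the test case (host, port and user are placeholders):
#   check_header_policy "http://host:port/ShoppingCart/" user:password MyHeader test123
```

The policy attribute is entered as Header.MyHeader in the console, while the request itself carries the plain header name MyHeader, which is what the function takes as its third argument.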


 Deploy a Web Application using Custom Roles and Policies.

