
Does enforce-valid-basic-auth-credentials Create a Security Risk? (Doc ID 2717065.1)

Last updated on OCTOBER 20, 2023

Applies to:

Oracle WebLogic Server - Version 12.2.1.4.0 and later
Information in this document applies to any platform.

Goal

A third-party application is deployed to a WebLogic 12.2.1.4 domain and accessed by the vendor's cloud service. When the property enforce-valid-basic-auth-credentials is set to true, the external vendor client gets a prompt requesting username and password for our default administrator's account ("weblogic"), which is in the Administrators group. To change this behavior (not get the login prompt), the vendor has requested that enforce-valid-basic-auth-credentials be set to false.

If enforce-valid-basic-auth-credentials is set to false, does this mean that the external vendor client can now log in as the default Administrators account ("weblogic") in the Administrators group? If so, would it now be possible for the external client to perform common WebLogic administrative tasks (such as making changes to settings, deploying apps, etc.)?

Solution
