Skip to main content

         This documentation site is for previous versions. Visit our new documentation site for current releases.      

This content has been archived and is no longer being updated.

Links may not function; however, this content may be relevant to outdated versions of the product.

Troubleshooting: WebLogic error when HTTP Basic Authentication is enabled for a SOAP service

Updated on May 7, 2019


Using WebLogic 9.2 or a later version, when you enable HTTP Basic Authentication in a service package and try to access the service from the client SOAP UI with valid credentials, WebLogic will display the error message:

The response MUST include a WWW-Authenticate header field (section 14.46) containing a challenge applicable to the requested resource.

With WebLogic 9.2 and later versions, HTTP Basic Authentication intercepts the request to the PRPC service if the request to the PRPC service has "Authorization" in its header; the PRPC application never receives the HTTP request.


The reason for this behavior is that HTTP Basic Authentication on WebLogic, starting from version 9.2, automatically performs authentication itself. This is a known issue described in the References cited.

For WebLogic Server versions 9.2 and later, client requests that use HTTP BASIC authentication must pass WebLogic Server authentication, even if access control is not enabled on the target resource. The setting of the Security Configuration MBean flag enforce-valid-basic-auth-credentials determines this behavior. It specifies whether or not the system should allow requests with invalid HTTP BASIC authentication credentials to access unsecured resources. (The DomainMBean can return the new Security Configuration MBean for the domain. The Security Configuration MBean provides domain-wide security configuration information. The enforce-valid-basic-auth-credentials flag affects the entire domain.)

The enforce-valid-basic-auth-credentials flag is set to true by default, and WebLogic Server authentication is performed. If authentication fails, the request is rejected. The WebLogic Server must therefore have knowledge of the user and password. If you experience this behavior with PRPC service requests, you need to change the default setting of the enforce-valid-basic-auth-credentials flag from true to false.

If you explicitly set the enforce-valid-basic-auth-credentials flag to false, the WebLogic Server does not perform authentication for HTTP BASIC authentication client requests for which access control was not enabled for the target resource.

Suggested Approach

To prevent the error message from appearing when you enable HTTP Basic Authentication in a service package to PRPC, perform these steps to change the default setting of the enforce-valid-basic-auth-credentials element of the WebLogic Server config.xml:

  1. Open the config.xml file for editing.
  2. Find the <security-configuration> element and change the <enforce-valid-basic-auth-credentials> from true to false, as shown here:


  1. Save the config.xml file.
  2. Restart the WebLogic Server.


How to fix Basic Authentication issue on WebLogic 9.2/10.0/10.3 when using Acegi/Spring Security

Understanding BASIC Authentication with Unsecured Resources

Additional Information

Authentication - definition

Integration Services and Connectors


Have a question? Get answers now.

Visit the Support Center to ask questions, engage in discussions, share ideas, and help others.

Did you find this content helpful?

Want to help us improve this content?

We'd prefer it if you saw us at our best. is not optimized for Internet Explorer. For the optimal experience, please use:

Close Deprecation Notice
Contact us