Using WebLogic 9.2 or a later version, when you enable HTTP Basic Authentication in a service package and try to access the service from the client SOAP UI with valid credentials, WebLogic will display the error message:
The response MUST include a WWW-Authenticate header field (section 14.46) containing a challenge applicable to the requested resource.
With WebLogic 9.2 and later versions, WebLogic's HTTP Basic Authentication handling intercepts any request to the PRPC service that carries an "Authorization" header; the PRPC application never receives the HTTP request.
The reason for this behavior is that HTTP Basic Authentication on WebLogic, starting from version 9.2, automatically performs authentication itself. This is a known issue described in the References cited.
For WebLogic Server versions 9.2 and later, client requests that use HTTP BASIC authentication must pass WebLogic Server authentication, even if access control is not enabled on the target resource. The setting of the Security Configuration MBean flag enforce-valid-basic-auth-credentials determines this behavior. It specifies whether or not the system should allow requests with invalid HTTP BASIC authentication credentials to access unsecured resources. (The DomainMBean can return the new Security Configuration MBean for the domain. The Security Configuration MBean provides domain-wide security configuration information. The enforce-valid-basic-auth-credentials flag affects the entire domain.)
The enforce-valid-basic-auth-credentials flag is set to true by default, and WebLogic Server authentication is performed. If authentication fails, the request is rejected. The WebLogic Server must therefore have knowledge of the user and password. If you experience this behavior with PRPC service requests, you need to change the default setting of the enforce-valid-basic-auth-credentials flag from true to false.
If you explicitly set the enforce-valid-basic-auth-credentials flag to false, the WebLogic Server does not perform authentication for HTTP BASIC authentication client requests for which access control was not enabled for the target resource.
To prevent the error message from appearing when you enable HTTP Basic Authentication in a service package to PRPC, perform these steps to change the default setting of the enforce-valid-basic-auth-credentials element of the WebLogic Server config.xml:
- Open the config.xml file for editing.
- Find the <security-configuration> element and change the value of the <enforce-valid-basic-auth-credentials> element from true to false.
- Save the config.xml file.
- Restart the WebLogic Server.
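
The following check is an added example, not part of the original article and not WebLogic or PRPC code: it reads a config.xml and reports the effective value of enforce-valid-basic-auth-credentials, to confirm the change above or to audit which domains have the domain-wide flag relaxed. Both config.xml samples and the domain name in them are constructed; the second shows the element set to false inside <security-configuration>.

```python
import xml.etree.ElementTree as ET

FLAG = "enforce-valid-basic-auth-credentials"

# Constructed, trimmed-down config.xml samples (not taken from a real domain).
SAMPLE_DEFAULT = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>example_domain</name>
  <security-configuration>
    <name>example_domain</name>
  </security-configuration>
</domain>"""

# Same domain after the edit described in the steps above.
SAMPLE_CHANGED = SAMPLE_DEFAULT.replace(
    "</security-configuration>",
    "  <enforce-valid-basic-auth-credentials>false"
    "</enforce-valid-basic-auth-credentials>\n  </security-configuration>",
)


def local(tag):
    """Strip the XML namespace so the check works across schema versions."""
    return tag.rsplit("}", 1)[-1]


def basic_auth_enforced(config_xml):
    """Return the effective flag value for the domain.

    An absent element means the default described in the article (true).
    Only an explicit 'false' turns enforcement off.
    """
    root = ET.fromstring(config_xml)
    for sec in root.iter():
        if local(sec.tag) != "security-configuration":
            continue
        for child in sec:
            if local(child.tag) == FLAG:
                return (child.text or "").strip().lower() != "false"
    return True


if __name__ == "__main__":
    for label, xml in (("default", SAMPLE_DEFAULT), ("changed", SAMPLE_CHANGED)):
        print(label, "-> WebLogic enforces Basic auth:", basic_auth_enforced(xml))
```

To check a real domain, pass the contents of its config.xml, read as bytes, to basic_auth_enforced().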