When trying to deploy the Activiti REST WAR in WebLogic servers, we found that the requests are reaching the server, but are filtered by the WebLogic server. To make sure your requests reach the Application bypassing the WebLogic filters, you must set the enforce-valid-basic-auth-credentials property in config.xml -> security-configuration to false
From WebLogic servers 9.2 and above, client requests that use the HTTP BASIC authentication must pass WebLogic Server authentication, even if access control is not enabled on the target resource.
The setting of the Security Configuration MBean flag enforce-valid-basic-auth-credentials determines this behavior. (The DomainMBean can return the new Security Configuration MBean for the domain.) It specifies whether or not the system should allow requests with invalid HTTP BASIC authentication credentials to access unsecured resources.
More info at “Understanding BASIC Authentication with Unsecured Resources“.