By default, SAP NetWeaver Application Server (AS) Java enables automatic logon with just the user ID and password as URL parameters. This simplifies some scenarios, but exposes the system to logon cross-site request forgery (XSRF). To improve protection against logon XSRF attacks, we recommend that you disable (set to false) the authentication property Enable Automatic Logon with User ID and Password (ume.logon.userpwd_automatic_logon). See also SAP Note 1441999.
For more information about configuring authentication properties, see Configuring Authentication Properties.
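The following added example (not SAP code) audits an exported set of authentication properties for this setting, treating a missing entry as non-compliant because the default enables automatic logon. It assumes the properties are available as key=value text in Java .properties syntax; the sample inputs and the function names are constructed for illustration.

```python
# Added example: audit a properties-style export for the automatic logon setting.
# Assumption: settings are available as key=value text (Java .properties syntax).

PROP = "ume.logon.userpwd_automatic_logon"

# Constructed sample inputs (not taken from a real system).
HARDENED = "# constructed sample\nume.logon.userpwd_automatic_logon = false\n"
DEFAULTED = "# constructed sample, property absent\nexample.other.setting=1\n"
ENABLED = "ume.logon.userpwd_automatic_logon: TRUE\n"


def parse_properties(text):
    """Parse minimal .properties syntax: '#'/'!' comments, '=' or ':' separators."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # Split on whichever separator appears first in the line.
        positions = (i for i in (line.find("="), line.find(":")) if i != -1)
        idx = min(positions, default=-1)
        if idx == -1:
            continue
        props[line[:idx].strip()] = line[idx + 1:].strip()  # last entry wins
    return props


def audit_automatic_logon(text):
    """Return (compliant, reason) for the automatic logon property."""
    props = parse_properties(text)
    if PROP not in props:
        # Per the text above, the default enables automatic logon.
        return False, f"{PROP} not set: default applies, automatic logon enabled"
    value = props[PROP]
    if value.lower() == "false":
        return True, f"{PROP} is false: automatic logon disabled"
    return False, f"{PROP}={value!r}: automatic logon not disabled"


if __name__ == "__main__":
    for name, sample in (("hardened", HARDENED), ("defaulted", DEFAULTED),
                         ("enabled", ENABLED)):
        ok, reason = audit_automatic_logon(sample)
        print(f"{name:10} {'PASS' if ok else 'FAIL'}  {reason}")
```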