ADF page security - the untold password rule
By Ankuchak-Oracle on Oct 27, 2013
I'm kinda new to Oracle ADF. So, in this blog post I'm going to share something with you that I faced (and recovered from) recently. Initially I thought if I should at all put a blog post on this, because it's totally simple. Still, simplicity is a relative term. So without wasting further time, let's kick off. BTW, it's for JDeveloper 184.108.40.206 .
I was exploring the ADF security aspect to secure a page through html basic authentication. The idea is very simple and the credential store etc. come into picture. But I was not able to run a successful test of this phenomenally simple thing even after trying for over 30 minutes. This is what I did.
I created a simple jsf page and put a panel in it. And I put a simple el to show the current user name.
Next I created a user that I should test with.
I named the password as myuser, just to keep it simple.
Then I created an enterprise role and mapped the user that I just created.
Then I created an application role and mapped the enterprise role to it.
Then I mapped the resource, the simple jsf page in this case, to this application role. This way, only users with the given application role can only access this page (as if you didn't know this duh!). Of course, I had to create the page definition for the page before I could map it to an application role.
What else! done! Then I hit the run menu item and it all went well...
Until... I got this message.
I put the correct credentials repeatedly 2-3 times. Still I got the same error. Why? I didn't get any error message during the deployment. nope.
Then, as I said before, I spent over 30 minutes trying different things out, things like mapping only the user(not the role) to the page, changing the context root etc. Nothing worked!
Then of course, I bothered to look at the logs and found this.
See the first red line. That says it all.
So the problem was with that password. The password must have at least one special character and one digit in it. I think I was misled by the missing password hint/rule and the fact that the deployment didn't fail even if the user was not created properly. Well, yes, I agree that I was fool enough not to look at the logs.
Later I changed the password to something like myuser123# .
And it worked.
I hope it helped.