By Frank Nimphius-Oracle on Mar 01, 2012
Selecting the "ADF Authentication" option in ADF Security configures the web.xml descriptor to protect the application's Java EE context root from unauthenticated access:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>allPages</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>valid-users</role-name>
  </auth-constraint>
</security-constraint>

The valid-users role name is mapped in the weblogic.xml file and references the WLS users group, of which all authenticated users are implicit members.

<security-role-assignment>
  <role-name>valid-users</role-name>
  <principal-name>users</principal-name>
</security-role-assignment>
Investigating the problem, the ADF Faces team found the following solution: ADF Faces UIs require additional resources that are loaded through the Trinidad resource loader servlet configured in the web.xml file.

To allow resources to be loaded when using login forms built with ADF Faces (in which case the JSF page contains an HTML login form), you need to add another security constraint definition to the web.xml file:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Allowed ADF Resources</web-resource-name>
    <url-pattern>/adf/*</url-pattern>
    <url-pattern>/afr/*</url-pattern>
    <url-pattern>/bi/*</url-pattern>
  </web-resource-collection>
</security-constraint>

Because this constraint has no auth-constraint element, the listed URL patterns are served without authentication. It should be sufficient for most of the login pages you would build with ADF Faces. However, if the login screen is more complex and, for example, contains DVT graphs or maps, you may have to add more url-patterns for public (anonymous) access, such as:

<url-pattern>/servlet/GraphServlet/*</url-pattern>
<url-pattern>/servlet/GaugeServlet/*</url-pattern>
<url-pattern>/mapproxy/*</url-pattern>
<url-pattern>/adflib/</url-pattern>
In my JDeveloper 11g R2 test-case project, I ended up with three security-constraint definitions added to the web.xml file: "Allowed ADF Resources", "allPages" and "AdfAuthentication".
Always place the "Allowed ADF Resources" security constraint definition first in the web.xml file so that it is looked at before all the others and takes precedence.

Note that both the web.xml file and the weblogic.xml file open a visual configuration editor when you double-click the respective file shown in the JDeveloper Application Navigator (Web Content -> WEB-INF folder in the ViewController project).
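
Every url-pattern added to "Allowed ADF Resources" widens what anonymous clients can reach, so it is worth checking which request paths a given web.xml actually leaves open. The following audit helper is an added example, not code from the original post or from Oracle; the function names and the wrapped sample descriptor are constructed for illustration. It assumes the Servlet specification's best-match rule for url-patterns and ignores http-method clauses and the "/" default mapping.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two constraints shown on this page inside a web-app root.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
 <security-constraint><web-resource-collection>
   <web-resource-name>Allowed ADF Resources</web-resource-name>
   <url-pattern>/adf/*</url-pattern><url-pattern>/afr/*</url-pattern>
   <url-pattern>/bi/*</url-pattern>
 </web-resource-collection></security-constraint>
 <security-constraint><web-resource-collection>
   <web-resource-name>allPages</web-resource-name><url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint><role-name>valid-users</role-name></auth-constraint>
 </security-constraint>
</web-app>"""

def _els(node, tag):
    # Compare local names so namespaced and plain descriptors both parse.
    return [e for e in node.iter() if e.tag.rsplit("}", 1)[-1] == tag]

def load_constraints(xml_text):
    """Return (name, url_patterns, roles) tuples; roles is None without an auth-constraint."""
    out = []
    for sc in _els(ET.fromstring(xml_text), "security-constraint"):
        text = lambda tag: [(e.text or "").strip() for e in _els(sc, tag)]
        roles = text("role-name") if _els(sc, "auth-constraint") else None
        out.append((text("web-resource-name")[0], text("url-pattern"), roles))
    return out

def match_rank(pattern, path):
    """Servlet mapping strength: exact > longest path prefix > extension; -1 is no match."""
    if pattern == path:
        return 10_000
    if pattern.endswith("/*") and (path + "/").startswith(pattern[:-1]):
        return 1_000 + len(pattern)
    return 100 if pattern.startswith("*.") and path.endswith(pattern[1:]) else -1

def access_for(constraints, path):
    """'public', 'denied', 'unconstrained', or the sorted roles required for a path."""
    ranked = [(max((match_rank(p, path) for p in pats), default=-1), roles)
              for _, pats, roles in constraints]
    best = max((rank for rank, _ in ranked), default=-1)
    hits = [roles for rank, roles in ranked if rank == best and rank >= 0]
    if not hits:
        return "unconstrained"
    if [] in hits:    # an auth-constraint naming no roles precludes all access
        return "denied"
    if None in hits:  # a constraint without auth-constraint opens the matched pattern
        return "public"
    return sorted({role for roles in hits for role in roles})
```

Calling `access_for(load_constraints(WEB_XML), path)` for each path the login page requests shows whether it is served anonymously or requires valid-users; paths are relative to the application context root.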