Using Microsoft IE8, forms based authentication in which
the login form is built with ADF Faces doesn't load and instead the browser
The problem that has been reported for JDeveloper 11g R2 using ADF Faces with
Facelets seems to occur only for applications using the ADF Security "ADF
Authentication" configuration option in combination with an ADF Faces
based login form.
Using the ADF Security "ADF Authentication"
option configures the web.xml descriptor to protect the application Java EE context
root from unauthenticated access.
The valid user
role name is mapped in the weblogic.xml file and references the WLS users group that all authenticated
users are an implicit member of.
Protecting the application Java EE root path from
unauthenticated access however also means that web resources like pictures or
user has authenticated. For the same reason customers often report missing
images on their web login pages.
In the case of an ADF Faces login form, deferred resource
by the security constraint defined in the web.xml
file. Surprisingly, this is only a problem in Microsoft IE8 and not with other
browsers, which may indicate differences in the handling of login forms and
their resource loading. At this time I am not able to say whether IE is doing
it right or wrong. The fact, however, is that the problem only shows on this browser
type and that it needs to be handled without opening a security hole, which you
would do if you changed the security url-pattern to /faces/*, in which case only
JSF page requests would require authentication.
Investigating the problem, the following solution has been found
by the ADF Faces team: ADF Faces UIs require additional resources that are
loaded through the Trinidad resource loader servlet configured in the web.xml file.
To allow resources to be loaded when using login forms
built with ADF Faces (in which case the JSF page contains an HTML login form)
you need to add another security constraint definition to the web.xml file:
<web-resource-name>Allowed ADF Resources</web-resource-name>
The above security constraint should do for most of the
login pages you would build with ADF Faces. However, if the login screen is
more complex and, e.g., contains DVT graphs or maps, you may have to add more url-patterns
for public (anonymous) access, like
In my JDeveloper 11g
R2 test-case project, I ended up with three security-constraint definitions
added to the web.xml file: "Allowed ADF Resources", "allPages"
Always place the
"Allowed ADF Resources" security constraint definition first in the
web.xml file so that it is looked at before all the others and takes precedence.
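The effect of these constraints can be checked offline before deploying. The following is an added example, not code from the original post: it parses a constructed web.xml and reports, using the Servlet specification's best-match rule for url-patterns, whether a request path needs a login. The `/resource-placeholder/*` pattern, the `/` root pattern and the `valid-users` role name are assumptions, and http-method elements and empty auth-constraints are not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml. Assumptions: "/" as the protected root pattern,
# the role name, and "/resource-placeholder/*" standing in for the real patterns.
HARDENED = """<web-app>
 <security-constraint><web-resource-collection>
  <web-resource-name>Allowed ADF Resources</web-resource-name>
  <url-pattern>/resource-placeholder/*</url-pattern>
 </web-resource-collection></security-constraint>
 <security-constraint><web-resource-collection>
  <web-resource-name>allPages</web-resource-name>
  <url-pattern>/</url-pattern>
 </web-resource-collection>
 <auth-constraint><role-name>valid-users</role-name></auth-constraint>
 </security-constraint>
</web-app>"""
# The variant the text warns against: only JSF page requests are protected.
FACES_ONLY = HARDENED.replace("pattern>/</", "pattern>/faces/*</")

def local(tag):
    return tag.rsplit("}", 1)[-1]  # ignore an XML namespace, if present

def load_rules(web_xml):
    """Return [(url_pattern, needs_login)] for each security-constraint."""
    rules = []
    for sc in ET.fromstring(web_xml).iter():
        if local(sc.tag) == "security-constraint":
            needs_login = any(local(e.tag) == "auth-constraint" for e in sc)
            rules += [(e.text.strip(), needs_login)
                      for e in sc.iter() if local(e.tag) == "url-pattern"]
    return rules

def rank(pattern, path):
    """Servlet best-match order: exact > longest prefix > extension > default."""
    if pattern == path:
        return (3, len(pattern))
    if pattern.endswith("/*") and (path + "/").startswith(pattern[:-1]):
        return (2, len(pattern))
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, 0)
    return (0, 0) if pattern == "/" else None

def access_for(web_xml, path):
    hits = [(rank(p, path), login) for p, login in load_rules(web_xml)]
    hits = [h for h in hits if h[0] is not None]
    if not hits:
        return "unconstrained"
    best = max(r for r, _ in hits)
    # Constraints on the same pattern combine; one without auth-constraint opens it.
    return "login" if all(login for r, login in hits if r == best) else "public"
```

Any path that comes back as "unconstrained" is served without authentication, which is how the /faces/*-only configuration exposes every non-JSF resource.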
Note that both
the web.xml file and the weblogic.xml file open a visual configuration editor
when you double-click the respective file shown in the JDeveloper
Application Navigator (Web Content → WEB-INF folder in the