Jdev 10.1.3.1 "ADF Security": Application without a custom login page?

Hi,
We are trying to develop an application using "ADF security", which means we can give permissions to certain roles based on "Binding Container", "Iterator Binding", "Method Action Binding" and "Attribute-level Binding".
After reading the document -- "Oracle® Containers for J2EE Security Guide 10g (10.1.3.1.0) B28957-01" that Frank pointed out. We have a question:
Can we develop an ADF application without creating a custom login page? Right now we've followed the security guide and modified the configuration files. But when we run the application, we get the "user null" error message. The reason is clear because we do not have a login page. On the security guide, it says that it is possible to use the oracle default login module. But it does not say how. Does anyone have any idea?
Thanks,
Annie

Brenden,
Thank you so much for the reply. This is our code in the web.xml:
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>default</realm-name>
</login-config>
We are using HTTP basic Authentication. This technique worked for the container-managed security. The browser default login page pops up when the end users try to log into a secured JSP. But here we want to use "ADF security" to set up "Iterator binding" and "Attribute level binding" security. The browser default login page does NOT show up. Instead we get the "user null" error message.
If you have detailed step on how to select HTTP Basic Authentication, it would be very helpful to us. Or if you know any document has the detail.
regards,
Annie

Similar Messages

ADF Application and Oracle Portal Login Page

We have developed ADF application and deployed it in Oracle AS 10.1.2 along with the custom JAAS module, which is working fine with the application custom login page. As a next page, I want to use Oracle Portal login page for the authentication and authorization.
How can I accomplished it? Any idea?
Thanks,
AP

Shay,
1. I created blank ADF project
2. I copied myreport.jsp file (this one was generated by Oracle Report Builder) under ..ViewController/public_html directory
3. Created directory 'lib' under ViewController/public_html/WEB-INF/lib
4. Copied reports_tld.jar file under the directory created in 3.
5. Created simple jspx page with the af:link (btw af:goLink does not exists in JDev 12c), set 'destination' to myreport.jsp
After the steps above I could not even compile the application, many problems too many to list here, Basically JDev is trying to build the project with .jsp file generated in Report Builder and is unable to.
So to be sure we are on the same page: I am trying to embed JSP report files generated by Report Builder into ADF project, then create EAR file and deploy on standalone WLS. Finally execute JSP web only report.

Turning ADF Security on fails navigation from home page to taskflows

When my applications starts, it shows login page where user enters credentials, and if it is correct, it takes user to home page. My home page contains navigations through commandLinks to different bounded taskflows. When i click one of the commandLink, nothing happens. All these navigations are running perfectly when i disable security. Any though on this. I have also shown only those links which are allowable to logged in user using this:
rendered="#{securityContext.taskflowViewable
['/WEB-INF/taskflows/maintain_stocks_tf.xml#maintain_stocks_tf']}"
So when i gives grants to user, it is shown visible but navigation does not work which perfectly works without security.

just to debug check if it return true or false..
<af:outputText value="#{securityContext.taskflowViewable['/WEB-INF/taskflows/maintain_stocks_tf.xml#maintain_stocks_tf']}"

How can i use my custom login page in a custom partner application ?

Dear All,
I'm trying to customize a login page displayed other than the default sso login page
by submiting my form to the regular pl/sql procedure : "PORTAL.wwptl_login.login_url"
but i tried to type the requested partner application url in the browser i got the sso
login page other than my custom login page. So, How can i use my custom login page in a custom partner application ?
Regards,
Mohammed Amin
[email protected]

I cannot begin to express my level of frustration. I have been trying to use the composition widget light box display for some time now. I drag the widget to my document. The default widget has three small trigger boxes and a large area made up of a forward and backward button, a background, a text box and a frame for your image.
My steps have been …
I click on the little trigger box.
I click on the frame that holds the main image.
I go to the fill menu and browse my computer for my image and then click OK.
IT shows up on my screen. Yay
I attempt to continue using the next two trigger boxes provided in the widget.
After that, I add more by clicking on the little plus sign.
This is where all heck breaks loose.
Every single time I attempt to add thumbnails, something messes up. When I go to preview, either not all of my main images show up, or it starts with the wrong one, or some are missing. I have looked and looked for help on this and the only thing I can find is how easy it is to create a great portfolio lightbox display. But as we know, that only works when your thumbnails are the same image as the images in your lightbox. If you want something different, you have to use the composition wizard. I am finding it extremely difficult and confusing to customize.
Is there an exact sequence you need to use to add images to the slideshow? I am my wits end.

Configuring roles and users (adf security) application context wise.

Dear All,
I referred this tutorial (http://biemond.blogspot.com/2008/12/using-database-tables-as-authentication.html) which shows how to hook up adf security with database schema but at domain level which will be common to all applications in that domain. I want to make it different to each application. (i.e each application will use differene database schema for storing user credientials i.e enterprise roles,application roles and users.)
Can any one please point me to proper way..
Regards,
Santosh
jdev 11.1.1.2.0

Dear Frank,
<i>
Instead you have a single identity management system and have the application policies being different for the applications.Using ADF Security, users and groups can have different privileges in different applications
</i>
suppose i have 3 applications that use adf security, the users will be common to all applications. right..?Roles and group can be different for applications.
application polices means roles and group..?
So how it(application polices) can be made different for applications? is it inbuilt or some configurations needed ?. Can you point me to some blogs or tutorials for more reference.
Bet: Incase i hook up adf security with database schema.
Regards,
Santosh.

JDEV 10.1.3.1 "ADF security" questions

Hi,
We have a couple of questions about ADF security. Hope someone knows something about it. Any help is deeply appreciated. Jdeveloper version we use is 10.1.3.1.
1. Using the ADF security to develop the application, can we deploy it to the IAS and switch to LDAP (OID) or we are obligated to use system-jazn-data.xml on IAS as well? If we have to use system-jazn-data.xml on IAS, do we need to copy the exact system-jazn-data.xml file to IAS embeddedoc4j/config directory? Any other configurations we need to do?
2. I read some documents that say it is prefered to use LDAP(OID) and
that's what we really want on the IAS. So if the answer for question 1 is we
have to use system-jazn-data.xml, does oracle have any plan for the future to
change it? I guess my question is will that be possible for us to develope the
app using system-jazn-data.xml on the developer's station (for testing
purpose) and later on we can convert it LDAP (OID) when we deploy it on IAS.
Thanks,
Annie
Message was edited by:
user447669

Hi,
1)
can we deploy it to the IAS and switch to LDAP (OID)
yes.
If we have to use system-jazn-data.xml on IAS, do we need to copy the exact system-jazn-data.xml file to IAS embeddedoc4j/config directory?
No. Only make suere the users and user goup exist and copy the JAAS Permissions added by ADF security
2) There exist a migration utility to upload ADF Security permissions from syste-jazn-data.xml to OID. It is explained in teh OC4J security guide (chapter 7) whih comes with the Oracle Application Serber 10.1.3.1
Frank

ADF Faces Application without using JDeveloper/TopLink/BC4J

Hi,
I want to make a small database driven application using ADF Faces Components without any hlp of JDeveloper, BC4J or Toplink.
I could not see any document/ sample application which demonstrates creating J2EE application with ADF Faces by avoiding OC4J, JDeveloper IDE & TOPLINK.

Hi, any luck trying to use adf faces in another IDE besides Jdeveloper?? Please let me know ;)
thanx.
T.

ADF basic application without any IDE

Hi,
I want to create a very simple page using ADF but without JDeveloper or any other IDE (not even eclipse).
Later i want to deploy the same to tomcat server. As we can do using servlets or JSF.
Is it possible to create all directory structures and files manually using simple notepad and then run that ADF application from tomcat server?
--Sushant

Hi,
For clarification on what exactly happens behind the scene while using JDeveloper, i just want to create a simple search page but without any IDE.
Simply by creating folder structures and files manually and later deploy the same on my local tomcat server.
I did that while learning JSF as well: http://java2apps2fusion.in/creating-first-jsf-application-without-using-any-ide/
This is exactly what i want but in ADF.
--Sushant

Oracle ADF Security Login page

hi.
I am using oracle ADF 11.1.2.2.0 (oracle Jdevelopr 11g release 2) in my job environment. There are 3000 users working as client level in our company. They have separated user Id and roles. They can change their passwords. There are expiration period for passwords which is handle by in database level. when the employees are going to terminate or retirement , we can control their login status. that mean we change their Active status as a Inactive status. some times we recruit number of emplooyes for cover our business targets. Their User Id also in database table level.
My main problem is how we can handle number of employees using Oracle ADF security configuration.
second one is how user can change their passwords.
Third is how number of employees going to terminate ,handle their Active/Inactive State.
Fourth one is If we use this Oracle Security system ,project managers or project cordinator or Adminstrator level authenticator must need to deploy time to time war file, because of adding removing users in jazn-data.xml.
hoping help from you.Thanking for all.

So, you can define SQLAuthenticator/SQLReadOnlyAuthenticator on Weblogic which will retrieve users from your db table(instead of jazn-data file) to application server.
Then, in your application you can enable ADF Security and this will generate login page.
And, this is it :)
If you need some custom processing before users login to your app, then you can create custom login page and do whatever you want in Java code:
http://docs.oracle.com/cd/E16162_01/web.1112/e16182/adding_security.htm#BABDEICH
>
But 11g has Database connection in Application Resource. Using that connection I need to log to the system using user's User iD and Password
>
This connection is valid only in design time. When you deploy your application to application server, then you can include this connection in .ear file, or you can define Data Source on Weblogic(which is better approach).
To programmatically retreive db connection, you can create utility method in your Application Module.
Dario

Task-flow ADF security on Standalone WLS

Hi,
Jdev 11g
I have into the main adfc-config.xml 3 links one to a jspx and 2 links to 2 different bounded task flows.
I applied ADF security depends on Roles to the three links, one on the jspx itself (on the pagedef) and 2 to the Task-flow.
All is working perfectly on the embedded WLS.
When deploying the application to a standalone WLS and applying the security migration as explained (system-jazn-data.xml verified and security is migrated) I have only the jspx working and for the 2 task-flows I have an Authorization check failed exception.
I always think that it is a migration problem but seems not because the jspx is working depends on the right Role.
Any idea what can cause this and why the ADF security is working only on jspx page and not on the task-flow after deploying to a standalone WLS?
Thanks
Jamil
<May 27, 2009 12:22:20 PM AST> <Error> <HTTP> <BEA-101017> <[weblogic.servlet.in
ternal.WebAppServletContext@197171f - appName: 'TasdeeqEAR', name: 'TasdeeqApp',
context-path: '/TasdeeqApp', spec-version: '2.5', request: weblogic.servlet.int
ernal.ServletRequestImpl@31dbd4[
GET /TasdeeqApp/faces/home?_adf.ctrl-state=1028508221_19 HTTP/1.1
Accept: */*
Accept-Language: en-US,ar-SA;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC
1; .NET CLR 2.0.50727; Media Center PC 5.0; InfoPath.2; .NET CLR 3.5.21022; .NET
CLR 3.5.30729; .NET CLR 3.0.30618; Tablet PC 2.0; FDM)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Cookie: JSESSIONID=9Z7tKdGCD0BSvt2GnDfLrkhZJ62rhMPpGLmXtGctDT2YGTQcl2VJ!-1394634
041
]] Root cause of ServletException.
oracle.adf.controller.security.AuthorizationException: ADFC-0619: Authorization
check failed: '/WEB-INF/registrar-task-flow.xml#registrar-task-flow' 'VIEW'.
at oracle.adf.controller.internal.security.AuthorizationEnforcer.handleF
ailure(AuthorizationEnforcer.java:145)
at oracle.adf.controller.internal.security.AuthorizationEnforcer.checkPe
rmission(AuthorizationEnforcer.java:80)
at oracle.adf.controller.internal.security.AuthorizationEnforcer.checkRe
ad(AuthorizationEnforcer.java:314)
at oracle.adf.controller.internal.metadata.MetadataService.getTaskFlowDe
finition(MetadataService.java:204)
at oracle.adfinternal.controller.activity.TaskFlowCallActivityLogic.find
TaskFlowDefinition(TaskFlowCallActivityLogic.java:931)
Truncated. see log file for complete stacktrace
>

Hi Frank,
I copied the <jazn-policy> section from the jazn-data.xml to system-jazn-data.xml and it is working
So as expected something wrong with the migration...I will check what
Thanks
Jamil

Implementing authorization using Oralce ADF security

Hi,
We have successfully deployed a Jdev (10.1.3) ADFBC application to IAS with the authentication and part of the authorization.
Now we want to use another level of granularity to allow object instance access control based on Java Permissins using JAAS. Like "binding container", "iterator binding", "attribute binding" and "methodAction binding".
We tried to follow the "Oracle Application Development Framework Developer's Guide", chapter 30. Everything went well until we got to 30.7.2--Setting authorization on ADF binding Containers, list 3. "The Authorization Editor shows the pre-defined permissions for the binding container, along with the principles (roles and users) as defined by your resource provider". The roles and users we defined in our web.xml or jaza-data.xml do not show up in the authorization editor.
The SRDemoADFBC does not use this technique. Anybody has any idea how to do this?
Remember Frank said he was working on an end-to-end ADF security application and it could be ready by the end of this year. Is it ready yet?
Thank you,
Annie

Hi Vinod,
In my post, I present it as a best practice to have a one to one mapping of application roles and enterprise roles though it is not required. If you have 10 application roles you should create 10 enterprise roles, but again this is not required. For testing, you could create only one enterprise role, then make that role as member to all your application roles.
To simplify the case you can do the following STEPS:
In jazn.xml:
1) Let say in jazn.xml you have the following 5 application roles:
<li>ApplicationRole1
<li>ApplicationRole2
<li>ApplicationRole3
<li>ApplicationRole4
<li>ApplicationRole5
2) Still in jazn.xml, create one Enterprise Role "EnterpriseAdmin".
3) Make the"EnterpriseAdmin" as member of the 5 application roles above.
In weblogic console:
4) Go to the User and Groups page of myrealm (Home >Summary of Security Realms >myrealm >Users and Groups).
5) Create a new group named "EnterpriseAdmin" and instead of the Default Authenticator, set the authenticator to the name of SQLAuthenticator that you have created.
6) Create a user in the SQLAuthenticator and make it a member of the "EnterpriseAdmin".
7) Run your secured application in JDeveloper and login with the user credentials that you created in step#6.
Regards,
Pino

Oracle ADF Secured App Gives HTTP 401 Error

I am new to Oracle ADF Framework. I develop on JDeveloper 11g R2 with Weblogic 10.3.5.0. I developed an project like described in a Firebox training video on Youtube link: [http://bit.ly/HT1HZ9] . You can download my project from http://db.tt/Y8J3fj3y
The video was about creating a custome login page. You have to create login,error anad the target pages. When you try to open target page login page comes then you enter your credentials. After success yoou should be directed to the target page. I used a backing bean to process credentials but instead of redirected to target page the response page gives:
Error 401--Unauthorized From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1: 10.4.2 401 Unauthorized
And the weblogic console this error:
Target URL -- http://127.0.0.1:7101/Deneme-ViewController-context-root/faces/protectedPage.jspx
<ViewHandlerImpl> <_checkTimestamp> Apache Trinidad is running with time-stamp checking enabled. This should not be used in a production environment. See the org.apache.myfaces.trinidad.CHECK_FILE_MODIFICATION property in WEB-INF/web.xml
<UIXEditableValue> <_isBeanValidationAvailable> A Bean Validation provider is not present, therefore bean validation is disabled
<LifecycleImpl> <_handleException> ADF_FACES-60098:Faces lifecycle receives unhandled exceptions in phase RENDER_RESPONSE 6
java.lang.IllegalStateException: Cannot forward a response that is already committed
at weblogic.servlet.internal.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:122)
at com.sun.faces.context.ExternalContextImpl.dispatch(ExternalContextImpl.java:546)
at javax.faces.context.ExternalContextWrapper.dispatch(ExternalContextWrapper.java:93)
at javax.faces.context.ExternalContextWrapper.dispatch(ExternalContextWrapper.java:93)
at oracle.adfinternal.view.faces.config.rich.RecordRequestAttributesDuringDispatch.dispatch(RecordRequestAttributesDuringDispatch.java:44)
at javax.faces.context.ExternalContextWrapper.dispatch(ExternalContextWrapper.java:93)
at javax.faces.context.ExternalContextWrapper.dispatch(ExternalContextWrapper.java:93)
at javax.faces.context.ExternalContextWrapper.dispatch(ExternalContextWrapper.java:93)
at org.apache.myfaces.trinidadinternal.context.FacesContextFactoryImpl$OverrideDispatch.dispatch(FacesContextFactoryImpl.java:167)
at com.sun.faces.application.view.JspViewHandlingStrategy.executePageToBuildView(JspViewHandlingStrategy.java:363)
at com.sun.faces.application.view.JspViewHandlingStrategy.buildView(JspViewHandlingStrategy.java:154)
at org.apache.myfaces.trinidadinternal.application.ViewDeclarationLanguageFactoryImpl$ChangeApplyingVDLWrapper.buildView(ViewDeclarationLanguageFactoryImpl.java:341)
at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._renderResponse(LifecycleImpl.java:982)
at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._executePhase(LifecycleImpl.java:334)
at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:232)
at javax.faces.webapp.FacesServlet.service(FacesServlet.java:313)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.adf.model.servlet.ADFBindingFilter.doFilter(ADFBindingFilter.java:173)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.adfinternal.view.faces.webapp.rich.RegistrationFilter.doFilter(RegistrationFilter.java:122)
at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:468)
at oracle.adfinternal.view.faces.activedata.AdsFilter.doFilter(AdsFilter.java:60)
at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:468)
at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl._doFilterImpl(TrinidadFilterImpl.java:293)
at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl.doFilter(TrinidadFilterImpl.java:199)
at org.apache.myfaces.trinidad.webapp.TrinidadFilter.doFilter(TrinidadFilter.java:92)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:111)
at java.security.AccessController.doPrivileged(Native Method)
at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:313)
at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:413)
at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:94)
at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:161)
at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:136)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3715)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3681)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2277)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2183)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1454)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
<Apr 18, 2012 3:21:24 PM EEST> <Error> <HTTP> <BEA-101020> <[ServletContext@28001210[app:Deneme module:Deneme-ViewController-context-root path:/Deneme-ViewController-context-root spec-version:2.5]] Servlet failed with Exception
java.lang.IllegalStateException: Cannot forward a response that is already committed
at weblogic.servlet.internal.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:122)
at com.sun.faces.context.ExternalContextImpl.dispatch(ExternalContextImpl.java:546)
at javax.faces.context.ExternalContextWrapper.dispatch(ExternalContextWrapper.java:93)
at javax.faces.context.ExternalContextWrapper.dispatch(ExternalContextWrapper.java:93)
at oracle.adfinternal.view.faces.config.rich.RecordRequestAttributesDuringDispatch.dispatch(RecordRequestAttributesDuringDispatch.java:44)
Truncated. see log file for complete stacktrace
>
<Apr 18, 2012 3:21:24 PM EEST> <Notice> <Diagnostics> <BEA-320068> <Watch 'UncheckedException' with severity 'Notice' on server 'DefaultServer' has triggered at Apr 18, 2012 3:21:24 PM EEST. Notification details:
WatchRuleType: Log
WatchRule: (SEVERITY = 'Error') AND ((MSGID = 'WL-101020') OR (MSGID = 'WL-101017') OR (MSGID = 'WL-000802') OR (MSGID = 'BEA-101020') OR (MSGID = 'BEA-101017') OR (MSGID = 'BEA-000802'))
WatchData: DATE = Apr 18, 2012 3:21:24 PM EEST SERVER = DefaultServer MESSAGE = [ServletContext@28001210[app:Deneme module:Deneme-ViewController-context-root path:/Deneme-ViewController-context-root spec-version:2.5]] Servlet failed with Exception
java.lang.IllegalStateException: Cannot forward a response that is already committed
at weblogic.servlet.internal.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:122)
at com.sun.faces.context.ExternalContextImpl.dispatch(ExternalContextImpl.java:546)
at javax.faces.context.ExternalContextWrapper.dispatch(ExternalContextWrapper.java:93)
at javax.faces.context.ExternalContextWrapper.dispatch(ExternalContextWrapper.java:93)
at oracle.adfinternal.view.faces.config.rich.RecordRequestAttributesDuringDispatch.dispatch(RecordRequestAttributesDuringDispatch.java:44)
at javax.faces.context.ExternalContextWrapper.dispatch(ExternalContextWrapper.java:93)
at javax.faces.context.ExternalContextWrapper.dispatch(ExternalContextWrapper.java:93)
at javax.faces.context.ExternalContextWrapper.dispatch(ExternalContextWrapper.java:93)
at org.apache.myfaces.trinidadinternal.context.FacesContextFactoryImpl$OverrideDispatch.dispatch(FacesContextFactoryImpl.java:167)
at com.sun.faces.application.view.JspViewHandlingStrategy.executePageToBuildView(JspViewHandlingStrategy.java:363)
at com.sun.faces.application.view.JspViewHandlingStrategy.buildView(JspViewHandlingStrategy.java:154)
at org.apache.myfaces.trinidadinternal.application.ViewDeclarationLanguageFactoryImpl$ChangeApplyingVDLWrapper.buildView(ViewDeclarationLanguageFactoryImpl.java:341)
at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._renderResponse(LifecycleImpl.java:982)
at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._executePhase(LifecycleImpl.java:334)
at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:232)
at javax.faces.webapp.FacesServlet.service(FacesServlet.java:313)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.adf.model.servlet.ADFBindingFilter.doFilter(ADFBindingFilter.java:173)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.adfinternal.view.faces.webapp.rich.RegistrationFilter.doFilter(RegistrationFilter.java:122)
at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:468)
at oracle.adfinternal.view.faces.activedata.AdsFilter.doFilter(AdsFilter.java:60)
at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:468)
at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl._doFilterImpl(TrinidadFilterImpl.java:293)
at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl.doFilter(TrinidadFilterImpl.java:199)
at org.apache.myfaces.trinidad.webapp.TrinidadFilter.doFilter(TrinidadFilter.java:92)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:111)
at java.security.AccessController.doPrivileged(Native Method)
at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:313)
at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:413)
at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:94)
at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:161)
at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:136)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3715)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3681)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2277)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2183)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1454)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
SUBSYSTEM = HTTP USERID = <WLS Kernel> SEVERITY = Error THREAD = [ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)' MSGID = BEA-101020 MACHINE = Metasis-PC TXID = CONTEXTID = 922cea34c05f1394:4758d71c:136c5648195:-8000-0000000000000074 TIMESTAMP = 1334751684128
WatchAlarmType: AutomaticReset
WatchAlarmResetPeriod: 30000
>
<Apr 18, 2012 3:21:26 PM EEST> <Alert> <Diagnostics> <BEA-320016> <Creating diagnostic image in c:\users\metasis\appdata\roaming\jdeveloper\system11.1.2.1.38.60.81\defaultdomain\servers\defaultserver\adr\diag\ofm\defaultdomain\defaultserver\incident\incdir_39 with a lockout minute period of 1.>
My backing bean java code:
public String doLogin() {
String un = _username;
byte[] pw = _password.getBytes();
FacesContext ctx = FacesContext.getCurrentInstance();
HttpServletRequest request = (HttpServletRequest)ctx.getExternalContext().getRequest();
Subject mySubject;
try {
mySubject = Authentication.login(new URLCallbackHandler(un, pw));
ServletAuthentication.runAs(mySubject, request);
ServletAuthentication.generateNewSessionID(request);
String loginUrl = "/adfAuthentication?success_url=/faces/protectedPage.jspx";
HttpServletResponse response = (HttpServletResponse)ctx.getExternalContext().getResponse();
RequestDispatcher dispatcher = request.getRequestDispatcher(loginUrl);
dispatcher.forward(request, response);
//response.sendRedirect(loginUrl);
} catch (FailedLoginException e) {
FacesMessage msg = new FacesMessage(FacesMessage.SEVERITY_ERROR, "Invalid Username or Password", "Invalid Username or Password");
ctx.addMessage(null, msg);
} catch (Exception e) {
e.printStackTrace();
return null;
And before the application start there is an interesting error code:
[03:20:38 PM] Redeploying Application...
<CodebasePolicyHandler> <migrateDeploymentPolicies> Migration of codebase policy failed. Reason: oracle.security.jps.JpsException: java.lang.reflect.InvocationTargetException.
<AppPolicyHandler> <migrateAppPolicies> Migration of application policy failed. Reason: oracle.security.jps.JpsException: java.lang.reflect.InvocationTargetException.
[03:20:55 PM] Application Redeployed Successfully.
Thanx for the help!

Hi
i have created a similar adf project from the same site.
i am facing the same issue.
i deleted the anonymous role but i still get the HTTP 404 error
here is my jazn.data.xml file
Please help out on this
<?xml version = '1.0' encoding = 'UTF-8' standalone = 'yes'?>
<jazn-data xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/jazn-data-11_0.xsd">
<jazn-realm default="jazn.com">
<realm>
<name>jazn.com</name>
<users>
<user>
<name>bob</name>
<credentials>{903}roINL8sMhkkl2tkXbhufyu80sTkEtEBXt79hzI/P3uI=</credentials>
</user>
<user>
<name>julie</name>
<credentials>{903}sS25AaE6ZE1B3sqmsWr0DmNcDbY+id0734qTxK6bam8=</credentials>
</user>
</users>
<roles>
<role>
<name>managerGroup</name>
<members>
<member>
<type>user</type>
<name>bob</name>
</member>
</members>
</role>
</roles>
</realm>
</jazn-realm>
<policy-store>
<applications>
<application>
<name>adf_security</name>
<app-roles>
<app-role>
<name>manager</name>
<class>oracle.security.jps.service.policystore.ApplicationRole</class>
<members>
<member>
<name>managerGroup</name>
<class>oracle.security.jps.internal.core.principals.JpsXmlEnterpriseRoleImpl</class>
</member>
</members>
</app-role>
</app-roles>
<jazn-policy>
<grant>
<grantee>
<principals>
<principal>
<name>manager</name>
<class>oracle.security.jps.service.policystore.ApplicationRole</class>
</principal>
</principals>
</grantee>
</grant>
</jazn-policy>
</application>
</applications>
</policy-store>
</jazn-data>
Thenx

I accessed the page protected by ADF security using direct url access attac

hi,
I played with my application which is based on SRDemo code (with added ADF security handling protection of resources) using direct url access scenarios. I was able to access a protected page as authenticated but not authorized user. I'll try to explain what I did.
There are two folders/web resources in my application, faces/folderA/* and faces/folderB/*.
roleA only is configured to access first web resource and the roleB is configured to access the second resource.
I used ADF security to authorize only roleA for page in folderA and to authorize only roleB for page in folderB.
I configured error pages in web.xml:
<error-page>
<error-code>400</error-code>
<location>faces/error/error400.jspx</location>
</error-page>
<error-page>
<error-code>401</error-code>
<location>faces/error/error401.jspx</location>
</error-page>
<error-page>
<error-code>403</error-code>
<location>faces/error/error403.jspx</location>
</error-page>
<error-page>
<error-code>404</error-code>
<location>faces/error/error404.jspx</location>
</error-page>
<error-page>
<exception-type>java.lang.Throwable</exception-type>
<location>faces/error/error500.jspx</location>
</error-page>
Other config params are:
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>infrastructure/ABLogin.jspx</form-login-page>
<form-error-page>faces/error/error401.jspx</form-error-page>
</form-login-config>
</login-config>
<security-constraint>
<web-resource-collection>
<web-resource-name>AB Prototype</web-resource-name>
<url-pattern>faces/ABAbout.jspx</url-pattern>
<url-pattern>faces/ABHelp.jspx</url-pattern>
<url-pattern>faces/ABLogout.jspx</url-pattern>
<url-pattern>faces/ABWelcome.jspx</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>A</role-name>
<role-name>B</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>AZone</web-resource-name>
<url-pattern>faces/folderA/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>A</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>BZone</web-resource-name>
<url-pattern>faces/folderB/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>B</role-name>
</auth-constraint>
</security-constraint>
<filter>
<filter-name>adfBindings</filter-name>
<filter-class>oracle.adf.model.servlet.ADFBindingFilter</filter-class>
<init-param>
<param-name>unauthorizedErrorPage</param-name>
<param-value>faces/error/error401.jspx</param-value>
</init-param>
</filter>
<filter>
<filter-name>adfFaces</filter-name>
<filter-class>oracle.adf.view.faces.webapp.AdfFacesFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>adfBindings</filter-name>
<url-pattern>*.jsp</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>adfBindings</filter-name>
<url-pattern>*.jspx</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>adfFaces</filter-name>
<url-pattern>*.jsp</url-pattern>
<dispatcher>FORWARD</dispatcher>
<dispatcher>REQUEST</dispatcher>
<dispatcher>ERROR</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>adfFaces</filter-name>
<url-pattern>*.jspx</url-pattern>
<dispatcher>FORWARD</dispatcher>
<dispatcher>REQUEST</dispatcher>
<dispatcher>ERROR</dispatcher>
</filter-mapping>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet>
<servlet-name>resources</servlet-name>
<servlet-class>oracle.adf.view.faces.webapp.ResourceServlet</servlet-class>
</servlet>
<servlet>
<servlet-name>adfAuthentication</servlet-name>
<servlet-class>oracle.adf.share.security.authentication.AuthenticationServlet</servlet-class>
<load-on-startup>2</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>/faces/*</url-pattern>
</servlet-mapping>
Once I authenticated as user in roleA I was trying to directly access URLs accessible only by users in roleB. In the beginning everything worked OK: I was dispatched to error401.jspx page with message Not authorized... etc.
But I kept trying to access different URLs, like http://localhost:8988/AB/faces, http://localhost:8988/AB/faces/folderB, http://localhost:8988/AB/faces/folderB/pageB.jspx, http://localhost:8988/AB
(not necessarily in that order, I played for a couple of minutes and the system would always dispatch to error401.jspx page if unauthorized attempt. But all of sudden, to my surprise, I got the pageB.jspx page while logged in as user belonging to roleA!)
Not sure how that happened but the connectedUser on pageB (#{userInfo.authenticated}) shows that I am logged in as user whose role is A.
I checked Authorization in ADF security and it is still correct: pageB is only accessible to roleB and pageA is only accessible to roleA.
I hope I made some stupid mistake in my configuration?

Hi,
ADF Security is JAAS permission based and not container managed. Note that unless you explicitly configured ADF Security you don't use ADF Security but container managed security, which is all that I can see in your configurations.
Not sure which version fo JDeveloper you use, but if you could change the following setting
<security-constraint>
<web-resource-collection>
<web-resource-name>AZone</web-resource-name>
<url-pattern>faces/folderA/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>A</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>BZone</web-resource-name>
<url-pattern>faces/folderB/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>B</role-name>
</auth-constraint>
</security-constraint>
to contain jspx file references instead of wildcards like in faces/folderB/* then what you see should no longer be possible. There was a known issue with the security settings in SRDemo that was caused by a defect in OC4J container managed security. I would expect this issue to be fixed in a more recent version of OC4J.
However, the work around until then is to protect all JSPX files in a directory instead of using wild card matches
Frank

ADF Security basics

I've been reading about the adf security and have been trying to implement it in a simple application. The documents I've been referring to are the Oracle Fusion middleware developer guide, Chapter 28 and the online videos from the Core Code center. I've also read some blog entries but there isn't much information about adf security on the web.
This is what I'm trying to do:
I want a welcome page which is accessable to everybody. You can choose to login from the welcome page and then you have a option to go to a task flow which the user has access rights to.
I set up the security context in the web.xml accordingly:
<security-constraint>
<web-resource-collection>
<web-resource-name>adfAuthentication</web-resource-name>
<url-pattern>/adfAuthentication</url-pattern>
<url-pattern>/</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>valid-users</role-name>
</auth-constraint>
</security-constraint>
Thus securing the / url pattern. I then gave anonymous-role access to the welcome page, thinking that it would make the page public. But I still have to log in to get access to the welcome.jspx. Maybe I'm not supposed to set the url pattern to / in the security-constraint, but it was the only way I could find to secure the task-flow. If the url pattern was only /adfAuthentication then I was not redirected to the login.jspx page when trying to access it as anonymous.
I've read chapter 28 three times but I still find it somewhat confusing. How are the web.xml and the jazn-data.xml files linked? What am I doing wrong here?
I've managed to secure the taskflow and users with view access to that task flow are the only users that can see it. But there also seem to be some bugs conserning jdeveloper and the jazn-data.xml file. For example I made access right changes in the jazn-data.xml file. I granted view access to a specific page to a user. I then ran the applicaion to see if he had access and he didn't. I then shut down jdeveloper and started it up again and re-ran the application and then the user had access. Hopefully the future updates will fix this.
Best regards,
Sturla Thor

Hi,
"/" protects the application root and requires users to login before the application renders the first page. There is no way to grant anonymous access to this. To defer authentication you will have to remove "/" and just stick with the other entry, which is used by the ADF Security authentication servlet.
To login from the welcome page is a it tricky because there exist no standard API for this. There is a WebLogic proprietary API that you can use. But then you will need to make sure that the user is explicitly redirected after providing the login credentials so the container becomes aware of it
The code below is from a sample I wrote
import weblogic.servlet.security.ServletAuthentication;
    public String login() {
            FacesContext fctx = FacesContext.getCurrentInstance();
            HttpServletRequest request = (HttpServletRequest)fctx.getExternalContext().getRequest();
            HttpServletResponse response = (HttpServletResponse)fctx.getExternalContext().getResponse();
            int authSuccess;
            try {
                authSuccess = ServletAuthentication.login(username,password,request,response);
                if (authSuccess == ServletAuthentication.AUTHENTICATED){
                    userAuthenticated = true;
               loginPanel.setRendered(false);
               return "login";
            // the login exception provides information abput the cause of the failure (e.g. account locked,
            // password expired etc. For this, make sure the authentication provider propagates the exception
            catch(FailedLoginException fle){
                  String excmessage = fle.getMessage();
                  boolean authentication_failed = excmessage.indexOf("090304") > -1?true:false;
                  if (authentication_failed){
                      informUser("Authentication failed because of a wrong credentials pair",
                                 "Please make sure a valid username and password pair is provided in correct case",usernamefield);
                  else{
                      informUser("Authentication failed with unknown reason",
                                 "Please call the IT SWAT team at 0123-456-7",usernamefield);
            catch (LoginException le) {
                  informUser("Authentication failed with unknown reason","Please call the IT SWAT team at 0123-456-7",usernamefield);
                  // once you explored the possibilities that raise the exception you can
                  // provide finer grained messages
                  le.printStackTrace();
                  // parse error message for information to give to the user
        return null;
    }Frank

[SOLVED] ADF Security: No success with DBTableOraDataSourceLoginModule

Hi,
because do not have success to implement simple ADF Security to my application for weeks I try it again with this post.
Hopefully someone who was already successful with this issue can give me the hint, missing step or something else.
I have read many forum posts, blogs and documentation (10.x) but because ADF security has been changed from 10g to 11g I'm never sure if a documented step from 10g is necessary for 11g also.
I also posted my problem to posts with similar problems but no response :-(
I use 11g, TP4.
My Requirement:
=============
- user accounts and roles are stored within database tables
- roles are not used (every user has the same rights) but stored in the database table
- Custom Login-Page (jspx)
- At login ADF Security only needs to check if the entered user/password is stored in the database table (no password encryption is used at the moment)
Steps I have done:
ADF Security wizard:
================
Step 1: Enforce Authorization NOT checked (Also tried to CHECK this checkbox)
Redirect upon sucessfull Authentication CHECKED
generate Default CHECKED
Step 2: No identity store CHECKED
Step 3: Enable Credital Store CHECKED
Step 4: No Policy Store CHECKED
Step 5: Enable Anonymous Provider
Step 6: Manage Login Modules --> Add "oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule"
Name = oracledb.loginmodule
Login Control Flag = Required
Log Level = fine
--> Add "oracledb.loginmodule" as the only "Selected login module"
Step 7: Form-Based Authentication
Generate default is CHECKED
Step 8: WebResources: allPages
Selected Roles: valid-users
Step 9: FINISH Wizard
Then I edit jps-config.xml manually. Here the actual content:
=============================================================
<serviceInstance provider="jaas.login.provider"
name="oracledb.loginmodule">
<property value="true" name="debug"/>
<property value="REQUIRED" name="jaas.login.controlFlag"/>
<property value="true" name="addAllRoles"/>
<property value="oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule"
name="loginModuleClassName"/>
<property value="FINE" name="log.level"/>
<property value="jdbc/TLS-BOBDS" name="data_source_name"/>
<property value="passwort" name="passwordField"/>
<property value="rol_rolle" name="groupMembershipGroupFieldName"/>
<property value="bediener_rollen" name="groupMembershipTableName"/>
<property value="user_kennung" name="usernameField"/>
<property value="bediener" name="table"/>
<property value="persnr" name="user_pk_column"/>
<property value="bed_persnr" name="roles_fk_column"/>
<property value="toupper" name="casing"/>
</serviceInstance>
====================================
Then I start the application. Re-direction to the login-page works fine.
I enter username/password and press submit --> Following error occures in OC4J log:
===================
WARNUNG: TLS-BOB-ViewController-webapp: error encountered during authentication
java.util.MissingResourceException: Can't find resource for bundle oracle.security.jps.internal.common.resources.common.CommonResources, key JPS-02575
     at java.util.ResourceBundle.getObject(ResourceBundle.java:325)
     at java.util.ResourceBundle.getObject(ResourceBundle.java:322)
     at java.util.ResourceBundle.getString(ResourceBundle.java:285)
     at oracle.security.jps.util.JpsBundle.getString(JpsBundle.java:133)
     at oracle.security.jps.internal.idstore.xml.idm.IdmXmlIdentityStore.searchUser(IdmXmlIdentityStore.java:424)
     at oracle.security.jps.internal.idstore.xml.idm.IdmXmlIdentityStore.searchUser(IdmXmlIdentityStore.java:401)
     at oracle.security.jps.internal.idstore.xml.idm.IdmXmlIdentityStore.searchUser(IdmXmlIdentityStore.java:99)
     at oracle.security.jps.fmw.JpsUserManager.getUserFromIdmStore(JpsUserManager.java:1109)
     at oracle.security.jps.fmw.JpsUserManager.getUser(JpsUserManager.java:1022)
     at com.evermind.security.IndirectUserManager.getUser(IndirectUserManager.java:90)
     at com.evermind.security.IndirectUserManager.getUser(IndirectUserManager.java:90)
     at com.evermind.server.http.EvermindHttpServletRequest.getUserPrincipalInternal(EvermindHttpServletRequest.java:3927)
     at com.evermind.server.http.HttpApplication.checkAuthenticationAndAuthorize(HttpApplication.java:6965)
     at com.evermind.server.http.HttpApplication.getRequestDispatcher(HttpApplication.java:3350)
     at com.evermind.server.http.HttpRequestHandler.doResolveRequestDispatcher(HttpRequestHandler.java:1005)
     at com.evermind.server.http.HttpRequestHandler.doProcessRequest(HttpRequestHandler.java:822)
     at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:658)
     at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:626)
     at com.evermind.server.http.HttpRequestHandler.serveOneRequest(HttpRequestHandler.java:417)
     at com.evermind.server.http.HttpRequestHandler.run(HttpRequestHandler.java:189)
     at com.evermind.server.http.HttpRequestHandler.run(HttpRequestHandler.java:163)
     at oracle.oc4j.network.ServerSocketReadHandler$ClientRunnable.run(ServerSocketReadHandler.java:275)
     at oracle.oc4j.network.ServerSocketAcceptHandler.procClientSocket(ServerSocketAcceptHandler.java:237)
     at oracle.oc4j.network.ServerSocketAcceptHandler.access$800(ServerSocketAcceptHandler.java:29)
     at oracle.oc4j.network.ServerSocketAcceptHandler$AcceptHandlerHorse.run(ServerSocketAcceptHandler.java:877)
     at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:650)
     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:675)
     at java.lang.Thread.run(Thread.java:595)
==================================================
My questions:
=============
1) Are there additional steps necessary to implement ADF Security for my requirements ?
2) If yes, which? Which files I have to edit manually after ADF security wizard has been finished?
Any help is warmly welcome !
regards
Peter

Hello
Many thanks to CP and Andre who gave the missing hints in this tread:
OC4J 11g and JAZN
The property custom.provider mentioned by cp was the "missing link" --> now it works.
BUT "Nobody knows the trouble I've seen ..." !
I made dozens of trials with the same application and always similar (strange) results.
When I CHECK "enforce Authorization" in the ADF security wizard then
the redirection to the Login Page does NOT work (reason is unclear for me)
If I UNCHECK "enforce Authorization" in the ADF security wizard then
the redirection to the login page works fine BUT the redirect upon succesful Authentication doesn't work.
--> In this case following code is missing in web.xml
=====================
<servlet>
<servlet-name>adfAuthentication</servlet-name>
<servlet-class>oracle.adf.share.security.authentication.AuthenticationServlet</servlet-class>
<init-param>
<param-name>success_url</param-name>
<param-value>welcome.jsp</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
=================================
I think (but not 100%) that SOMETIMES the propertie "<property value="true" name="custom.provider"/>" has been created by the ADF security wizard.
SOMETIMES I was not able to create the default welcome.jsp with the ADF Security Wizard, ....
Maybe someone can reproduce this behaviour and fills a bug.
regards
Peter

Jdev 10.1.3.1 "ADF Security": Application without a custom login page?

Similar Messages

Maybe you are looking for