Wednesday, May 20, 2015

ADF Custom Security

In this post I will explain how to use custom security in ADF application without using ADF security.
When you develop ADF application and want to deploy it in Glassfish or tomcat using adf-essentials you will find a problem with ADF security, in this case you have to find a new way to apply the security in your ADF application. In this post I will explain how to use java filter to apply security in ADF application. User information and user privileges will stored in database and after user enter username and password you have to check if it is correct or not from database and store user information and user privileges in a variables in session scope.

Follow this steps to apply custom security in your ADF application:

1- Make new ADF application (e.g ADFCustomSecurity).
2- Go to ViewController project property and set JavaEE Application and JavaEE web context root to a short name like(welcome)

3- Make new java class implement javax.servlet.Filter, you can name this class (ApplicationFilter)

4- Make 4 pages:
    * index.jsp

    * index.jspx

* login.jspx

This page will use back bean to check username and password this back bean should be like this:

  * welcomePage.jspx

5- Open web.xml and add this:

6- In the face-config.xml add outcome to your welcomePage (e.g welcome)

7- When you deploy this application in tomcat or glassfish you may need jar file for jstl you can add this jar file inside public_html\WEB-INF\lib (you can get this file from the uploaded application)

8- Your application structure should be like this:

9- Deploy the application in weblogic or glassfish or tomcat.

10- To access the application just write "http://serverIp:port/welcome" where welcome is the context root of the application. After you write this short URL the application filter will redirect it automatically to login page.

11- After successfully login you will navigate to the welcomePage.

Note: if you successfully login and you see the welcome page then if you close the browser tab (not close the fully browser window) then open new tab and write the application url  "http://serverIp:port/welcome" it will automatically navigate to the welcome page because the browser still maintain the session

You can download this sample application from here this application developed using JDeveloper


  1. Thank you very much sir... It is wonderful.

    Thanks a lot. Thank you very mcuh.

  2. Thank you. It is very helpful.
    I added this to an existing 12C project.
    Testing in on the integrated WLS
    When I add a new page it redirects to the login screen.
    But the old pages do not redirect.

    1. Before user login the application should redirect to one page which is login page. After user successfully login the application should go to the welcome page.
      In the application filter you can update login page name and session variable name (username), but in the ApplicationFilter if you change the session variable name (e.g to be "userInfo") be sure that after user login you should set session variable "userInfo"

  3. Hello Sameh,
    First this is just a wonderful and helpful post. I did all steps and it worked perfectly.
    Second I have two questions regarding:
    1- Why do you use jsp/jspx in your example instead of jsf?
    2- I am confused regarding which part in your example that redirect the context to login page. as we just put ''

    1. For first point: you can use .jsf as you want if you will use ADF components in that page. In my example you can use "welcomePage.jsf" instead of "welcomePage.jspx" and you can use "login.jsf" instead of "login.jspx" but the index pages keep it as it is. But be sure if you change page from .jspx to jsf you should change it in the index.jsp and index.jspx.
      - For second point: In the ApplicationFilter (starting point to receive the request) it will check the session object, if it is null it will redirect the request to index.jspx and inside index.jspx it redirect it to login.jspx