Granting Permissions on Task Flows
ADF unbounded task flows are not securable on their own, although the individual pages are securable. Bounded task flows are secured by default when ADF Security is enabled. ADF enables you to grant the view permission on bounded task flows; users who belong to a role with the view permission can read and execute a bounded task flow and view its pages.
Objects within a task flow inherit the containing object’s security unless overridden on the local object. Page-level security resides with the page, and is not held in the view activity metadata. This ensures that there is only one place to access security information for that page, regardless of how many task flows reference it.
Securing task flows can provide for simpler security administration by allowing security to be controlled in terms of a unit of application functionality, rather than having to deal with all the individual pages that may arise in the implementation of that application function.
The controller calls the security module on each request to ensure that the required access has been granted. The controller will not attempt to cache or retain any authorization information. Authorization failure results in navigation to the designated exception activity. The exception thrown is ADFSecurityRuntimeException.
You can use Expression Language (EL) to check whether the user is authorized to access a task flow. When a user is required to log in to view a page, you can use EL within the page to check whether a user is authorized to view specific components.