ADF Security: Configuring Application Authentication
Application authentication can be one of two types:
Implicit: The adfBindings servlet filter checks whether the page is viewable based on the JAAS permission that you have assigned to the anonymous-role role, which can access any page on which no web.xml security constraint is defined for the anonymous-role role and for which the view privilege has been granted.
Explicit: A login link is directed to the adfAuthentication servlet, which is secured through a Java EE security constraint. In an explicit authentication scenario, a public page has a login link, which, when clicked, triggers an authentication challenge to log in the user. The login link may optionally specify some other target page that should be displayed (assuming the authenticated user has access) after successful authentication. On the first access to a page, if there is no Subject defined, then one is created containing the anonymous user principal and the anonymous-role role principal. With this role principal, the user can access any page on which no web.xml security constraint is defined for the anonymous-role role principal and for which the view privilege has been granted.
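
Explicit authentication only challenges the user if the adfAuthentication servlet is actually covered by a Java EE security constraint. The following Python check is an added example, not code from the original page or from Oracle: it parses a web.xml and reports whether that is the case. The two descriptors are constructed samples, and the /adfAuthentication URL pattern and the valid-users role name are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment; the role name "valid-users" is an assumption.
SECURED = """<web-app>
  <servlet-mapping>
    <servlet-name>adfAuthentication</servlet-name>
    <url-pattern>/adfAuthentication</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>adfAuthentication</web-resource-name>
      <url-pattern>/adfAuthentication</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>valid-users</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Same descriptor without the constraint: the login link would not challenge.
UNSECURED = SECURED[:SECURED.index("<security-constraint>")] + "</web-app>"

def find_all(node, name):
    """Find descendants by local name, with or without an XML namespace."""
    return [e for e in node.iter() if e.tag.rsplit("}", 1)[-1] == name]

def text_of(node, name):
    return {(e.text or "").strip() for e in find_all(node, name)}

def audit(web_xml, servlet="adfAuthentication"):
    """Return (mapped URL patterns, protected?, roles allowed to log in)."""
    root = ET.fromstring(web_xml)
    patterns = set()
    for mapping in find_all(root, "servlet-mapping"):
        if servlet in text_of(mapping, "servlet-name"):
            patterns |= text_of(mapping, "url-pattern")
    covered, roles = set(), set()
    for constraint in find_all(root, "security-constraint"):
        if not find_all(constraint, "auth-constraint"):
            continue  # no auth-constraint: the container does not authenticate
        # Exact pattern match only; wildcards such as /* are not evaluated.
        hits = patterns & text_of(constraint, "url-pattern")
        if hits:
            covered |= hits
            roles |= text_of(constraint, "role-name")
    return patterns, bool(patterns) and patterns <= covered, roles
```

Calling audit() on a deployed application's web.xml text returns the servlet's URL patterns, whether every one of them sits under a constraint with an auth-constraint, and the roles that constraint names.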