ADF Security: Implicit Authentication
In an implicit authentication scenario, authentication is triggered automatically when a user who is not yet authenticated tries to access a page that is not granted to the anonymous-role role. After a successful login, a second check verifies whether the authenticated user has view access to the requested page.
When an unauthenticated user tries to access a page, the adfBindings servlet filter intercepts the request and checks whether the page is defined as viewable by the anonymous-role role. If the requested page is public:
P1: This may be the first access to a page within the application, with no subject currently defined.
P2: In that case, the security layer creates a subject containing the anonymous user principal and the anonymous-role role principal.
P3: The user is then allowed access to the public page.
For a request to a secured page:
1. The user requests the secured mypage.jspx.
2. The adfBindings servlet filter redirects the request to the Oracle ADF authentication servlet, passing in the URL to the requested page as the success URL.
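A typical web.xml wiring for this flow, as an added example that is not taken from this page: the filter and authentication servlet class names are the standard ADF ones, while the Faces Servlet name, the FORM login pages and the valid-users role name are assumptions for illustration. The container security constraint on /adfAuthentication is what forces the login when the filter redirects an unauthenticated request there.

```xml
<!-- Added example. Assumed values: "Faces Servlet", login/error pages, "valid-users". -->

<!-- The filter that intercepts page requests and performs the anonymous-role check -->
<filter>
  <filter-name>adfBindings</filter-name>
  <filter-class>oracle.adf.model.servlet.ADFBindingFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>adfBindings</filter-name>
  <servlet-name>Faces Servlet</servlet-name>
  <dispatcher>FORWARD</dispatcher>
  <dispatcher>REQUEST</dispatcher>
</filter-mapping>

<!-- The authentication servlet the filter redirects to for secured pages -->
<servlet>
  <servlet-name>adfAuthentication</servlet-name>
  <servlet-class>oracle.adf.share.security.authentication.AuthenticationServlet</servlet-class>
  <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
  <servlet-name>adfAuthentication</servlet-name>
  <url-pattern>/adfAuthentication</url-pattern>
</servlet-mapping>

<!-- Only the servlet URL is container-protected, so reaching it triggers login -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>adfAuthentication</web-resource-name>
    <url-pattern>/adfAuthentication</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>valid-users</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.html</form-login-page>
    <form-error-page>/error.html</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>valid-users</role-name>
</security-role>
```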