ADF Security: Authorization at Run Time
The security implementation within a Fusion application is based around JAAS policies, which are held in a policy store (independent of the application) and accessed at run time. The policy determines if the user has access to the defined Web resource and what granular permissions (actions) have been granted to the user.
In this case, the user Bob is a member of the enterprise role Staff in the identity management solution.
Assuming that Bob is already logged in and successfully authenticated, when he tries to access mypage.jspx, the Oracle ADF Security enforcement logic intercepts the request and checks the page definition of that page to see if permission is required. In the example in the slide, the View privilege on the requested page has been granted to the Staff role, so for Bob the mypage.jspx appears.
However, when Bob later tries to access SecPage.jspx, permission is required and Bob does not belong to a role that has access to the resource, so a security error appears.