One of the easiest things that can be done in an ADF app is to apply the security.
Now on days almost every enterprise application has to have security configuration.
This process is explained in the oracle web documentation but I heard complains about some people that are starting in the technology and they say that it is not explained in a easy way or that it is hard to find all the pieces of the puzzles at first time it has to be implemented.
It does not matter which product you are integrating the security with (BPM, OIM, OAM, etc), According to best practices apply your security to your application by roles and be aware that they match with the roles of the BPM, OIM, LDAP and OAM depending on which product you are integrating the security.
Here are the steps:
1)Create an ADF Application.
2) Once you create your ADF application create a JSF Page
With a right click in the WebContent Folder and the clicking on "Page" option the JSF Page will be created.
The name of the page will be "WelcomePage.jsf".
3)Now we proceed to apply the security to the app. click on Application Option and the select "Secure" and "Configure ADF Security" as the following image.
Then select the default option and click next:
Then select the "Form-Based Authentication" and click on the check "Generate Default Pages".
Then click on the check "Redirect Upon Successful Authentication" and on "Welcome Page:" select the page that we have already created to be the first pay after successful authentication.
Then click Finish.
Now it is time to secure the resource that we want to secure. So click on "Application" option and the "Test Users & Roles".
Then click on the green cross and then on "Add New Role".
Be sure that the name of the role "TestRole" in this case have to match with the role created in the weblogic, BPMWorkSpace LDAP and so on according with the case.
Now Once you go to the Resource Grants and "Web Page" in the "Resource Type" section you will see that there is no page to secure, this is because to appear the page in the option it has to have a pageDefinition.
So you have to right click on the JSF page you want to apply the security and then select "Go to Page Definition".
Now you see that the page show up so you select the page and then select "Add Enterprise Role".
Then select the specific role that you have already created.
Do not forget to click "Save" to save your changes.
Now you have to log in the weblogic console and proceed to create the specific role.
Go on "Security Roles" section and click "New" button.
Now Go on "Users and Groups" and then select "Groups".
Then click on "New" button to create a new Group that represent the role.
Then verified that the role has the group name "TestRole" exactly the same name as literal as in the ADF App and the BPM process or whatever product you are integrating the security with.
Then verify that the role is created in the list.
Once the role or group is created now you create the user
Go on "User" tab en click on "New" button.
Verify that the user is created in the user list.
The click on the User created to associate the user just created with the role or group.
Now go to the "Group" tab and select the groups you want to associate to the user and click on the blue arrow to pass the groups that are going to be associated to the right.
Now that the app is secured we are going to test the security role.
First its time to try with the weblogic user that is not associated with the authorized application role.
As expected the user was not authotized to enter the app.
Then once with try to enter the app with the right user the app will allow the access to the page.
It is worthy to mentione that as we protect the web page, other resources as BC, Bounded Task Flows among others can be secure.
The Login.html and Error.html can be customize in the style,
there some things that have to be add in the configuration when we are integrating the security with other Oracle products as those previous mentioned in this post, but at the level of the application are always the same steps.