3 Replies. Latest reply: Nov 12, 2012 10:50 AM by GavinWoods

    ADF Login Authentication: Authenticate with POST Data or Display Login Form


      I am looking for some input on an ADF app I'm writing; hopefully this is an easy one for you:

      I implemented ADF security authentication onto an ADF application - works great. However, now I want a different application (not ADF) to send login credentials to my ADF application behind the scenes via HTTP POST data and use that data to authenticate automatically. However, if I'm not attempting to log in behind the scenes from the other app and am instead just going straight to my ADF app, I want the login form to display. What would be the best way to go about this from the ADF side? Single Sign-On and OAM are not an option, so I'm trying to think of a viable alternative.

      Would I need to develop a custom authentication servlet? If so, are there any good examples out there I can refer to?

      Thank you,


      Edited by: GavinWoods on Oct 25, 2012 2:59 PM
        • 1. Re: ADF Login Authentication: Authenticate with POST Data or Display Login Form
          Developed a solution for those who are interested. This assumes you have already generated the ADF Security configuration files, etc.

          Step 1: Configure my third party app (Oracle Forms App) to POST login credentials while opening ADF Application:
          -- JavaScript for Forms to use to open the ADF App. This was added to my Form’s baseHTMLjpi file:

          "calUser" variable is for ADF username. For example, "JonLucPicard"
          "calPwd" is for ADF password. For example, "EnterpriseR0cks!"
          "toPageUrl" is the relative URL path to the ADF page you want to go to after authentication is completed. For example, "/faces/MyPage"
          "formsUserId" is passing the Forms user session id - used for a different purpose.
          "loginUrl" is for telling the form to call the AutoLogin Servlet (created in later steps) with a full absolute URL: http://host/AppName/AutoLogin

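          function loginCalendar(calUser,calPwd,toPageUrl,formsUserId,loginUrl) {
               // Build a hidden form that carries the credentials as POST fields.
               var wData;
               wData = "<div style='visibility:hidden;'>";
               wData = wData + "<form name='loginForm' id='loginForm' action='" + loginUrl + "' method='post'>";
               wData = wData + "<input type='hidden' name='calUser' id='calUser' value='" + calUser + "'/>";
               wData = wData + "<input type='hidden' name='calPwd' id='calPwd' value='" + calPwd + "'/>";
               wData = wData + "<input type='hidden' name='toPageUrl' id='toPageUrl' value='" + toPageUrl + "'/>";
               wData = wData + "<input type='hidden' name='formsUserId' id='formsUserId' value='" + formsUserId + "'/>";
               wData = wData + "</form>";
               wData = wData + "</div>";
               // Open (or reuse) the window named "calendar".
               var OpenWindow = window.open("", "calendar");
               // The post is cut off after window.open(); writing the form into the
               // new window and submitting it is a reconstruction of the missing lines.
               OpenWindow.document.write(wData);
               OpenWindow.document.close();
               OpenWindow.document.getElementById("loginForm").submit();
          }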

          -- Added code in Forms Button to do the following:

          WEB.JAVASCRIPT_EVAL_EXPR ('loginCalendar("loginUserName","loginPwd","'||:GLOBAL.l_cal||'","'||user||'", "'||:GLOBAL.l_login||'")');

          Step 2:     Update ADF application to pull in the login credentials (from POST variables) from Forms and then login to the ADF application with those credentials:
          -- Create a new HTTP Servlet called “AutoLogin”.

          -- In Servlet's doPost() method:
          Pull POST variables with: request.getParameter("nameOfVariable");
          Make a call to a method called doLogin - which is created in the next step. Pass the existing request and response objects to the doLogin method. Also pass the toPageUrl variable set by the above JavaScript function.

          -- In the servlet, add a method called doLogin. It's important to use the exact session variable names "j_username" and "j_password"; the authentication servlet looks for these.

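          import javax.security.auth.Subject;
          import javax.security.auth.login.FailedLoginException;
          import javax.servlet.RequestDispatcher;
          import javax.servlet.http.HttpServletRequest;
          import javax.servlet.http.HttpServletResponse;
          import javax.servlet.http.HttpSession;
          import weblogic.security.URLCallbackHandler;
          import weblogic.security.services.Authentication;
          import weblogic.servlet.security.ServletAuthentication;

          private void doLogin(String username, String pwd, String toPageUrl,
                                   HttpServletRequest request,
                                   HttpServletResponse response) {
               byte[] pwdByte = pwd.getBytes();
               // The authentication servlet reads these exact session attribute names.
               HttpSession session = request.getSession(true);
               session.setAttribute("j_username", username);
               session.setAttribute("j_password", pwd);
               session.setAttribute("success_url", toPageUrl);
               Subject mySubject;
               try {
                    // Authenticate against the WebLogic security realm and bind the subject to this request.
                    mySubject = Authentication.login(new URLCallbackHandler(username, pwdByte));
                    ServletAuthentication.runAs(mySubject, request);
                    // adfAuthentication reads the target page from the success_url parameter.
                    String loginUrl = "/adfAuthentication?success_url=" + toPageUrl;
                    RequestDispatcher dispatcher = request.getRequestDispatcher(loginUrl);
                    dispatcher.forward(request, response);
               } catch (FailedLoginException e) {
                    System.out.println("Failed Login Attempt");
               } catch (Exception e) {
                    // The handling for other exceptions is not shown in the post.
               }
          }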

          Step 3: Update web.xml security section so that AutoLogin URL can be accessed without prompting a login.

          Thank you,


          Edited by: GavinWoods on Nov 8, 2012 4:39 PM
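
The toPageUrl value in Step 2 arrives as a POST parameter and is passed on as success_url, so the servlet can confirm it is an application-relative path before calling doLogin. The check below is an added example, not part of the original post; the names ToPageUrlCheck and isAppRelativePath and the sample values are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added example: ToPageUrlCheck and isAppRelativePath are hypothetical names,
// not part of the post's AutoLogin servlet.
public class ToPageUrlCheck {

    /** True only for an application-relative path such as "/faces/MyPage". */
    static boolean isAppRelativePath(String toPageUrl) {
        if (toPageUrl == null || toPageUrl.isEmpty()) {
            return false;
        }
        // Exactly one leading '/': "//host" is scheme-relative, and some
        // browsers treat '\' like '/'.
        if (!toPageUrl.startsWith("/") || toPageUrl.startsWith("//")
                || toPageUrl.indexOf('\\') >= 0) {
            return false;
        }
        // Control characters (CR/LF included) have no place in a redirect target.
        for (int i = 0; i < toPageUrl.length(); i++) {
            if (Character.isISOControl(toPageUrl.charAt(i))) {
                return false;
            }
        }
        try {
            URI uri = new URI(toPageUrl);
            if (uri.isAbsolute() || uri.getRawAuthority() != null) {
                return false;
            }
            // normalize() collapses "." and ".." segments; a path that still
            // starts with ".." would climb above the application root.
            String path = uri.normalize().getPath();
            return path != null && !path.equals("/..") && !path.startsWith("/../");
        } catch (URISyntaxException e) {
            return false; // malformed value
        }
    }

    public static void main(String[] args) {
        // Constructed sample values for illustration.
        String[] samples = { "/faces/MyPage", "//other.example/x",
                "http://other.example/", "/faces/../../admin", "faces/MyPage" };
        for (String s : samples) {
            System.out.println(s + " -> " + isAppRelativePath(s));
        }
    }
}
```

In the AutoLogin servlet's doPost, the check would run before doLogin, with a fixed default page used when it returns false.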
          • 2. Re: ADF Login Authentication: Authenticate with POST Data or Display Login Form
            Frank Nimphius-Oracle

            Looks like a nice hack. Can you, however, check in the browser history (ctrl+H) that

            WEB.JAVASCRIPT_EVAL_EXPR ('loginCalendar("loginUserName","loginPwd","'||:GLOBAL.l_cal||'","'||user||'", "'||:GLOBAL.l_login||'")');

            doesn't leave a trace in the browser URL history?

            • 3. Re: ADF Login Authentication: Authenticate with POST Data or Display Login Form
              Hi Frank,

              Hack it is indeed. Implementing Oracle Access Manager would be my first choice.

              That's a good question, I'll have to check to see what happens.

              Thank you,