Security in Oracle ADF and Automatic Page Loading

In enterprise applications, automatic page loading based on user role is used quite often. Automatic page load is done during user login phase. This means that when user with role A enters into system, page X will be opened for him. And in the same way, when user with role B enters into system, page Y will be opened. Information about which page to open is acquired from security container, but how to open dynamically one or another page - here is the question.

Solution I have used is to put some empty intermediate page between login module and application pages. After user is authenticated in login module, he is transfered to intermediate page. However, this intermediate page does not require any input from the user, implemented logic allows to check connected user role and based on it automatically open suitable page in application.

You can download developed sample application - OnPageLoadAuthorization.zip. Sample is based on Employees entity from standard HR schema. Two JSPX pages are implemented, first is opened when connected user have read-only access rights and second is designed for editable case. This means that two roles (clerks and managers) are defined in web.xml - one allows only read-only access and second editable. Clerks role is mapped to access clerks.jspx and managers role to access managers.jspx page. On both pages the same data from Employees entity is available.

It's time to describe how actually automatic redirection is done based on role. All logic is centered in index.jspx, so I will describe it. This page is used for automatic redirect, it is achieved with onPageLoad() function in backing bean. onPageLoad() function is defined as empty function in a class that implements oracle.adf.controller.v2.lifecycle.PagePhaseListener. In this class standard beforePhase(PagePhaseEvent event) function is implemented, provided functionality allows to call onPageLoad() during page loading process. Class code:


So, backing bean of index.jspx page extends this class and provides code for onPageLoad() function by overriding it:


In this function actual logic is implemented - depending on role, redirection is done. One important thing, do not forget to include ControllerClass definition into index.jspx page page-definition file. You should bind it to a name of backing bean for the same page:


How it works? Let's provide in login form a user with read-only access - alex (welcome):


Read-only table with Employees data is opened:


And if we are providing a user - john (welcome) who can edit data, another page is opened:



When running sample application, don't forget to add adf-faces-impl.jar and jsf-impl.jar to application's WEB-INF\lib directory.