ADF Security: Explicit Authentication
Because Fusion applications have the notion of a public page, the following mechanism enables the user to explicitly authenticate from within that public page:
1. The unauthenticated user (with only the anonymous user principal and anonymous-role role) clicks the Login link on the public page. The Login link is a direct request to the adfAuthentication servlet, which is secured through a Java EE security constraint.
2. The current page is passed as a parameter to the adfAuthentication servlet. As with the implicit case, the security constraint redirects the user to the container’s login component.
3. After the container authenticates the user, the request is returned to the adfAuthentication servlet, which subsequently returns the user to the original public page, but now with the new user and role principals.
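The deployment descriptor behind these steps, as an added web.xml fragment that is not part of the original page. The servlet class, the valid-users role, the form-login page paths and the success_url parameter are assumptions based on a typical JDeveloper-generated ADF configuration, and the page path in the sample link is constructed.

```xml
<!-- Added example; names not on the page are assumptions (see lead-in). -->
<servlet>
  <servlet-name>adfAuthentication</servlet-name>
  <servlet-class>oracle.adf.share.security.authentication.AuthenticationServlet</servlet-class>
  <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
  <servlet-name>adfAuthentication</servlet-name>
  <url-pattern>/adfAuthentication</url-pattern>
</servlet-mapping>

<!-- Step 1: only the servlet URL is constrained, so the public page
     itself stays reachable with the anonymous principal. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>adfAuthentication</web-resource-name>
    <url-pattern>/adfAuthentication</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>valid-users</role-name>
  </auth-constraint>
</security-constraint>

<!-- Step 2: the container login component the constraint redirects to. -->
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.html</form-login-page>
    <form-error-page>/error.html</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>valid-users</role-name>
</security-role>

<!-- Steps 2 and 3: the Login link on the public page carries the page to
     return to as a request parameter (constructed path):
       /adfAuthentication?success_url=/faces/welcome.jspx -->
```

To verify the setup, confirm that an unauthenticated request to the public page is served directly, while an unauthenticated request to /adfAuthentication is redirected to the login page.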