Tuesday, December 8, 2009

Solving Error 403--Forbidden in ADF Security

While developing a new prototype application, I got Error 403--Forbidden when trying to log in to an application protected by ADF Security:



The error itself is logical, but in my case I was providing the correct username/password, and the security permissions were defined correctly as well. I did a bit of research and found that the weblogic.xml file was generated incorrectly. This file is accessible through the JDeveloper 11g Application Navigator:



I saw that weblogic.xml was generated without the required entries:



So, I added the required security role assignment manually:



Now my application opens correctly:



If you encounter the same problem, make sure your weblogic.xml file is valid. Download the working sample application - ADFSecurityValidUsers.zip.
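
A descriptor check for the problem described in this post, as an added example that is not part of the original post or its sample application: it lists the roles that web.xml requires in an auth-constraint but that weblogic.xml never maps in a security-role-assignment. The descriptors are constructed samples, and the mapping of valid-users to the WebLogic "users" group is an assumption, since the post's screenshots are not available here.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors; the post's screenshots are not reproduced here.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>adfAuthentication</web-resource-name>
      <url-pattern>/adfAuthentication</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>valid-users</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>valid-users</role-name></security-role>
</web-app>"""
WLS_NS = "http://xmlns.oracle.com/weblogic/weblogic-web-app"
# weblogic.xml as generated without any role mapping (the failing case).
WEBLOGIC_BROKEN = f'<weblogic-web-app xmlns="{WLS_NS}"/>'
# Assumed fix: map valid-users to WebLogic's built-in "users" group.
WEBLOGIC_FIXED = f"""<weblogic-web-app xmlns="{WLS_NS}">
  <security-role-assignment>
    <role-name>valid-users</role-name>
    <principal-name>users</principal-name>
  </security-role-assignment>
</weblogic-web-app>"""

def _local(elem):
    """Tag name without its XML namespace."""
    return elem.tag.rsplit("}", 1)[-1]

def _role_names(parent):
    """Text of the direct <role-name> children of an element."""
    return {c.text.strip() for c in parent if _local(c) == "role-name" and c.text}

def unmapped_roles(web_xml, weblogic_xml):
    """Roles required by web.xml that weblogic.xml maps to no principal."""
    required, mapped = set(), set()
    for elem in ET.fromstring(web_xml).iter():
        if _local(elem) == "auth-constraint":
            required |= _role_names(elem)
    for elem in ET.fromstring(weblogic_xml).iter():
        if _local(elem) == "security-role-assignment":
            kinds = {_local(c) for c in elem}
            # A mapping counts only if it names a principal or defers to the realm.
            if kinds & {"principal-name", "externally-defined"}:
                mapped |= _role_names(elem)
    required.discard("*")  # "*" means "any declared role", not a role name
    return sorted(required - mapped)

if __name__ == "__main__":
    print("broken:", unmapped_roles(WEB_XML, WEBLOGIC_BROKEN))
    print("fixed: ", unmapped_roles(WEB_XML, WEBLOGIC_FIXED))
```

Running it against the real descriptors before deployment turns a silent 403 at login into a build-time finding.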

8 comments:

Vikram Kohli said...

Hi Andrejus,

Getting same error when using form based authentication.

In my web.xml I now have the following entries after changing the login authentication method from


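<servlet>
  <servlet-name>adfAuthentication</servlet-name>
  <servlet-class>oracle.adf.share.security.authentication.AuthenticationServlet</servlet-class>
  <init-param>
    <param-name>success_url</param-name>
    <param-value>/faces/main.jspx</param-value>
  </init-param>
  <load-on-startup>1</load-on-startup>
</servlet>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.html</form-login-page>
    <form-error-page>/error.html</form-error-page>
  </form-login-config>
</login-config>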



And when I log in, I get a 403 forbidden error. Can you please provide help to solve this?

Using Jdev 11.1.1.2.

Vikram Kohli said...

Hi Andrejus,

Maybe my last comment was not clear, but I have been facing this error for a long time. When I change my authentication method from HTTP BASIC to FORM-based authentication (and provide default login and error pages), I get the same error 403 forbidden.

Vikram

Anonymous said...

Hi Andrejus,

I get the same error but my case is a lot different.

I created a simple (no security enabled) jspx page in JDeveloper 11g and it works really perfectly on PC browsers. I get that error whenever I want to load that page on my mobile emulator browser!!! It doesn't work even on real mobile browsers like iPhone Safari.

Any suggestions?

Thanks,
Shahab

HongMing said...

Hi Andrejus

I want to embed JavaScript into ADF Mobile Browser (Trinidad environment) like the af:resource method. However, I can't find a proper way of doing this. Would you mind helping me with this?

Thanks

Francesco Giovane said...

Hello,

I receive this error - Error 403 The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity....

This happens when I try to refresh the page using F5.... Any idea why?

Thank you

mahdi joafshani said...

Hi, Thanks for the post ...

I downloaded your sample code and deployed it on WebLogic, but still encountered the same error.

I need to access the page directly, using the context root URL.
(I am trying to provide a worklist for myself)

Andrejus Baranovskis said...

Probably you are using the wrong context root.

Andrejus

mahdi joafshani said...

Hi Andrejus,

My problem is solved,

Firstly, I deployed an EAR file instead of a WAR (deploying an EAR file was not accessible by right-clicking on the project; in JDeveloper: Application menu > Deploy), and the login page appeared correctly.
(/faces/login.jspx or /login.jsp was necessary after the context-root in the URL)

Then I noticed that the other page, which an unauthenticated user does not have the privilege to access, is accessible before logging in.
I compared my web.xml with the Oracle workspace's web.xml, and this problem was solved too by making these changes. It seems that there is no need to add the added security roles to weblogic.xml.

Add to web.xml:



<login-config>
  <auth-method>CLIENT-CERT,FORM</auth-method>
  <realm-name>myrealm</realm-name>
  <form-login-config>
    <form-login-page>/faces/login.jspx</form-login-page>
    <form-error-page>/faces/error.jspx</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>Administrators</role-name>
</security-role>
<security-role>
  <role-name>authenticated-role</role-name>
</security-role>
<security-role>
  <role-name>valid-users</role-name>
</security-role>
<security-role>
  <role-name>SSO</role-name>
</security-role>




Thanks for your post again :)