Tuesday, December 8, 2009

Solving Error 403--Forbidden in ADF Security

While developing new prototype application, it happened to me to get Error 403--Forbidden, while trying to login into application protected by ADF Security:

Error itself is logical, but in my case I was providing correct username/password, security permissions were defined correctly as well. I did a bit of research and found that weblogic.xml file was generated incorrectly. This file is accessible through JDeveloper 11g Application Navigator:

I saw that weblogic.xml was generated without required entries:

So, I added required security role assignment manually:

Now my application opens correctly:

If you will encounter same problem, make sure your weblogic.xml file is valid. Download working sample application - ADFSecurityValidUsers.zip.


Vikram Kohli said...

Hi Andrejus,

Getting same error when using form based authentication.

In my web.xml I have now following entries after changing the login authentocation method from






And when I login, , I get 403 forbidden error.Can you plz provide help to solve this.

Using Jdev

Vikram Kohli said...

Hi Andrejus,

Might be last comment was not clear, But I am facing this error from long time. When I change my authentication method from HTTP BAISC to FORM based authentication(and provide default login and error pages), I get the same error 403 forbidden.


Anonymous said...

Hi Andrejus,

I get the same error but my case is a lot different.

I created a simple(No Security enabled) jspx page in JDeveloper 11g and it works really perfect on pc browsers.I get that error whenever I want to load that page on my mobile emulator browser!!! It doesn't work even on real mobile browsers like iphone Safari.

Any suggestions?


HongMing said...

Hi Andrejus

I want to embed JavaScript into ADF Mobile Browser (Trinidad environment) like af:resource method. However, I can't find a proper way doing this. Would you mind to help me on this?


Francesco Giovane said...


I receive this error - Error 403 The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity....

this happens when i try to refresh the page using F5.... any idea why?

Thank you

mahdi joafshani said...

Hi, Thanks for the post ...

I did download your sample code, deployed on weblogic, but still encountered the same error.

I need to access to the page, directly, using context root url.
(I am trying to provide a worklist for myself)

Andrejus Baranovskis said...

Probably you are using wrong context root.


mahdi joafshani said...

Hi Andrejus,

My problem is solved,

Firstly, I deployed an EAR file instead of WAR. (deploying ear file was not accessible by right clicking on the project, in jedeveloper : application menu > deploy) and the login page appeared correctly.
(/faces/loin.jspx or /login.jsp was necessary after contect-root in the url)

Then I noticed the other page that an unauthenticated user has not privilege to access, is accessible before logging in.
I compared my web.xml with oracle workspace's web.xml. and this problem was solved too by making these changes. it seems that it doesn't need to add added security roles to weblogic.xml.

Add to web.xml:


Thanks for your post again :)

Sergey Atrokhov said...

Hi Andrejus.

I have this error too...

I have a server with Oracle Linux 6.3.

I wrote this article about install & configure WebLogic Server to run ADF 11g Applications:


Everything is ok.

After that, on my desktop I created very simple ADF application (just some columns from table HR.EMPLOYEES) on JDeveloper


This ADF successfully deployed and started when I using integrated WebLogic server in JDeveloper.

After that I successfully deployed this ADF on standalone WebLogic Server:

[11:04:06 AM] ---- Deployment started. ----
[11:04:06 AM] Target platform is (Weblogic 10.3).
[11:04:11 AM] Retrieving existing application information
[11:04:12 AM] Running dependency analysis...
[11:04:12 AM] Building...
[11:04:14 AM] Deploying 2 profiles...
[11:04:14 AM] Wrote Web Application Module to C:\JDeveloper\mywork\MyFirsADFpp\ViewController\deploy\MyFirsADFpp_ViewController_webapp1.war
[11:04:14 AM] Wrote Enterprise Application Module to C:\JDeveloper\mywork\MyFirsADFpp\deploy\MyFirsADFpp_application1.ear
[11:04:14 AM] Deploying Application...
[11:04:16 AM] [Deployer:149191]Operation 'deploy' on application 'MyFirsADFpp_application1' is initializing on 'ADFServer'
[11:04:21 AM] [Deployer:149192]Operation 'deploy' on application 'MyFirsADFpp_application1' is in progress on 'ADFServer'
[11:04:29 AM] [Deployer:149194]Operation 'deploy' on application 'MyFirsADFpp_application1' has succeeded on 'ADFServer'
[11:04:29 AM] Application Deployed Successfully.
[11:04:29 AM] The following URL context root(s) were defined and can be used as a starting point to test your application:
[11:04:29 AM]
[11:04:29 AM] Elapsed time for deployment: 23 seconds
[11:04:29 AM] ---- Deployment finished. ----

I haven't any security configuration..

So, when I try to link(
) I’ve received an error 403:

Error 403--Forbidden

From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:

10.4.4 403 Forbidden

The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. This status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable.

I suppose, this error arise from ADF Securiy. But I really don’t know and understand a reason and how to solve this problem…

You are an expert in ADF and could you please help me? It would be great!