Saturday, June 16, 2012

Troubleshooting ADF Security 11g Login Page Failure

ADF Security 11g login page failure is a fairly common problem - I get questions about it from time to time and face it myself from project to project. One of the most common cases: on first page access, ADF Security redirects to the login page and an infinite redirect loop starts - the login page is not loaded and the application is blocked. If you are getting this error, make sure the Anonymous application role is granted to the login page definition, so that ADF is able to load it for unauthenticated users. Read more about it here - Things You Must Know About ADF Faces Login Page. But there is more to this: if you are still getting an infinite loop when trying to log in to the ADF application, I will describe today what else you should check.

ADF 11g login page failure may happen if page definition files were refactored incorrectly, specifically if the package property of the login page definition points to the wrong package structure. The ADF Security configuration wizard for jazn-data.xml reads the page definition file location from the package property, not from the real package structure. If this property is set to an incorrect value, there are no errors at design time, but there will be runtime errors - the login page will not be loaded and protected ADF pages will return an unauthorized error. An ADF developer may spend quite a lot of time troubleshooting this, because the reason for the problem is not obvious. I will try to save you time :)

Download the sample application where ADF Security works and the login page loads correctly - SecurityFormLogin_v5.zip.

Let's describe it in detail - if you are facing something like this, where the ADF login page redirect is in an infinite loop:


Go to the ADF Security configuration wizard for jazn-data.xml and first make sure the Anonymous role is granted to the login page:


If the Anonymous role is not granted, grant it:


Now double-check the previous screenshot. Do you see something tricky? Please think for 5 minutes and read further if you managed to spot the trick. Just joking - let me describe it.

Take a look at the application package structure on the left side. You will see that the page definition folder is under a folder named custom. Now check the jazn-data.xml Resources section - there you can see the com.redsamurai.view.pageDefs package definition. The same name appears in the source view of jazn-data.xml:


The name custom is not included, and there is no error at design time. But at runtime, the login page infinite loop will happen:


In my case, developers were refactoring their project and moving page definitions into a different folder - that's why the package structure was changed. However, not all occurrences of the package name were refactored by JDeveloper automatically - refactoring is always a tough task.

I opened the page definition for the login page, and the package property was pointing to the old folder structure without the custom folder name:


Fixed it to point to the correct folder structure:


Reopened the jazn-data.xml wizard screen - now it shows the correct package names for the page definition files, because the package property was updated:


Before granting permissions, make sure to clean up the previous invalid entries. Open source mode for jazn-data.xml and delete the permissions defined for the invalid page definition structure:


Grant required permissions now:


Double check it is granted correctly from the source mode also:


Login page is loaded successfully:


Protected ADF page is loaded for authorized users:
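The two manual checks from this post can be scripted so a bad refactoring is caught before deployment. This is an added example, not code from the sample application: it assumes page definitions are named `*PageDef.xml` with a `Package` attribute on the root element, and that page grants in jazn-data.xml are `RegionPermission` entries. The `com.example` package, the `adfmsrc` folder and all function names are constructed for the demo.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

def package_mismatches(src_root):
    """Page definitions whose Package attribute differs from their real folder."""
    src_root, found = Path(src_root), []
    for f in sorted(src_root.rglob("*PageDef.xml")):
        declared = ET.parse(f).getroot().get("Package")
        actual = ".".join(f.parent.relative_to(src_root).parts)
        if declared != actual:
            found.append((f.name, declared, actual))
    return found

def stale_grants(jazn_path, src_root):
    """RegionPermission names in jazn-data.xml with no page definition file behind them."""
    stale = []
    for el in ET.parse(jazn_path).getroot().iter():
        if el.tag.rsplit("}", 1)[-1] != "permission":
            continue
        # Compare local tag names so the check works with or without a namespace.
        fields = {c.tag.rsplit("}", 1)[-1]: (c.text or "").strip() for c in el}
        if not fields.get("class", "").endswith("RegionPermission"):
            continue
        name = fields.get("name", "")
        if not (Path(src_root) / (name.replace(".", "/") + ".xml")).is_file():
            stale.append(name)
    return stale

def demo():
    """Constructed project: pageDefs moved under 'custom', metadata left behind."""
    root = Path(tempfile.mkdtemp())
    src = root / "adfmsrc"  # assumed source root for page definitions
    folder = src / "com/example/view/custom/pageDefs"
    folder.mkdir(parents=True)
    (folder / "loginPageDef.xml").write_text(
        '<pageDefinition xmlns="http://xmlns.oracle.com/adfm/uimodel" '
        'id="loginPageDef" Package="com.example.view.pageDefs"/>')
    jazn = root / "jazn-data.xml"
    jazn.write_text(
        "<jazn-data><permissions><permission>"
        "<class>oracle.adf.share.security.authorization.RegionPermission</class>"
        "<name>com.example.view.pageDefs.loginPageDef</name>"
        "<actions>view</actions></permission></permissions></jazn-data>")
    return package_mismatches(src), stale_grants(jazn, src)

if __name__ == "__main__":
    print(demo())
```

Both lists should be empty for a healthy project; any entry in the second list is a grant that protects nothing and should be deleted from jazn-data.xml before re-granting.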


6 comments:

Anonymous said...

When I tried to run this SecurityFormLogin app. in JDeveloper (Studio Edition Version 11.1.2.2.0) it worked well. Later I deployed it to a standalone WebLogic server (Version: 10.3.5.0) and it started to do the well known infinite redirect loop as usual.

What can be the problem?

Fedir Zymarev said...

Another reason for getting infinite redirect loop is to forget to "Apply JRF Template" on managed servers.

Anonymous said...

Thanks so much for writing this! I've been trying to figure out why jazn-data.xml is pointing to the wrong pageDef files. These are great instructions for fixing it.

Karl C said...

Andrejus: You are a wealth of information, and I have used your blog posts many times to help answer questions.

Regarding the above looping issue. We have everything set up correctly (anonymous-role granted to login page, etc.), and the app works fine when we deploy it to a standalone WL server. However, after some period of time (could be hours, could be months), it starts looping on the login page. It also loops on ANY page that "anonymous-role" has been granted to ('public' pages). Nothing has changed from a code perspective - the app has been running fine. And, simply restarting the WL managed server 'fixes' the problem for 'a while' until it happens again.

It almost appears that WL is losing track of the "anonymous" role, and starts requiring all users to authenticate.

Oracle Support is baffled by this. And, of course, we can't reproduce the problem on demand, so it is almost impossible to troubleshoot.

Any ideas? Any pointers would be greatly appreciated.

Thanks again for all your help!

Andrejus Baranovskis said...

Hey,

I have seen such behavior, the issue was web caching filters. Maybe you have third party caching in front of WebLogic? It may fail to grant proper session id to ADF session because of cached data and then ADF starts looping.

Andrejus

Vlad said...

Thanks for the excellent blog. I have a login issue that I do not know where to start looking for the trouble. The application works fine for a while, login takes only a second or less. After some time, login becomes very slow, and it takes about a minute. Restarting WLS fixes it, until the next time it reoccurs.
Thanks in advance for any pointers.