I have the following security constraint in my web.xml file to make the help.jspx page available only for some specific users.
<security-constraint>
  <web-resource-collection>
    <web-resource-name>protected</web-resource-name>
    <url-pattern>/faces/help</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin_role</role-name>
  </auth-constraint>
</security-constraint>
As you can see, faces/help is the pattern that is protected. But let me explain what happens in ADF.
- If I run the home.jspx I will get this url: http://mydomain.com/something/faces/home
- Then, if I navigate to the page about.jspx, the url will still show the same http://mydomain.com/something/faces/home
- Now if I navigate to help.jspx, the url will show the previous page name "about" http://mydomain.com/something/faces/about, so I will be able to view help.jspx even if I have not logged in yet.
- That is not all: now if I navigate to home.jspx once again, the url will show the previous page "help" http://mydomain.com/something/faces/help, so I will be asked to log in before I am able to access the "home" page.
I found the way to refresh the URL so the new URL gets the new page name on it. Go to your task flow and add
<redirect/>
inside the view tags whose URLs you want refreshed.
<view id="help_id">
  <page>/help.jspx</page>
  <redirect/>
</view>
This is what the Jdev help says about the redirect tag:
Redirect: Choose true if the ADF controller should issue an HTTP redirect for a view activity request. The redirected request creates a new browser URL for the view activity. The original view URL is no longer used.
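The navigation sequence above, as a small Python model added here for illustration (it is not code from the original post or from ADF). It assumes the container evaluates the security constraint against the request path only, and that without <redirect/> the path names the previous view; the function names are hypothetical.

```python
# Simplified model (assumption): the url-pattern is checked against the request
# path, and without <redirect/> that path still names the previously shown view.

def pattern_matches(pattern, path):
    """Servlet-style url-pattern match: exact, '/prefix/*' or '*.ext'."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def simulate(navigation, protected_pattern, redirect_views=()):
    """Return (view_rendered, url_path, login_required) for each step."""
    results = []
    for i, view in enumerate(navigation):
        if i == 0 or view in redirect_views:
            url_view = view                # URL names the view being rendered
        else:
            url_view = navigation[i - 1]   # URL lags one view behind
        path = "/faces/" + url_view
        results.append((view, path, pattern_matches(protected_pattern, path)))
    return results


if __name__ == "__main__":
    nav = ["home", "about", "help", "home"]   # the sequence from the post
    for label, redirects in (("no redirect", ()), ("redirect on help", ("help",))):
        print(label)
        for view, path, login in simulate(nav, "/faces/help", redirects):
            print(f"  renders {view:<5} url={path:<13} login_required={login}")
```

In the first run help is rendered under /faces/about with no login check; in the second the check fires on the step that actually renders help.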