The weblogic server provides a nifty API – weblogic.servlet.security.ServletAuthentication. This class allows you to invoke authentication services from any controller – Servlets, JSF Managed Beans. This is pretty cool as you can do away with the j_security_check authentication and build your custom logic. Or perform programmatic authentication.
I am currently using this for a WebCenter Portal project where, based on a set of database derived parameters, I have to force the user to perform certain actions after login. My login page currently contains a custom login taskflow that implements the necessary logic for me. Of course, there are other ways to do this, but I needed to use ADF components (including BC) and using a bounded task flow seemed the best bet.
1) The ServletAuthentication class is present in the file wlserver_10.3\server\lib\weblogic.jar
2) If the logic requires logging the user out while in the taskflow, use ServletAuthentication.logout() instead of ServletAuthentication.invalidateAll(). If invalidateAll() is used, any navigation after this will result in an error.