The JavaEE Web applications you want to protect should be configured with deployment descriptors containing required <security-constraint> and associated <auth-constraint> specifying the roles. The descriptors should not contain <login-config> elements that specify the JavaEE supported authentication methods.
Instead, the OAM Security Provider determines the authentication mechanism to used based on the challenge method of the Authentication Scheme you configure for the resource in Oracle Access Manager. For example consider the Authentication Scheme shown in Figure 7-3, which uses the BASIC challenge method.
Figure 7-3 BASIC Authentication Scheme
The authentication mechanisms supported by the OAM Security Provider are BASIC, FORM or Client-Cert. The default is BASIC. The Authentication Schemes supported at Oracle Access Manager include BASIC, FORM and Client-Cert. The use of the SSL transport is optional for BASIC and FORM.