Two important parts of security are authentication (determining who the user is) and authorization (determining what the user is allowed to do). As an ADF application is a standard Java EE application and runs inside a Java EE application server, it can make use of the security features of Java EE and does not have to implement everything itself.
A Java EE application server offers an approach to handle security for the applications that run inside it—this is called container-managed security. This approach offers several types of authentication—for an enterprise ADF application, you will always choose Form-based authentication. This allows the application to point to a web page (a login form) where the user can enter their username and password. You can design this login page as part of your application so that it looks like the rest of the application.