2-14 Developers Guide for Oracle Access Manager and Oracle Security Token Service 6. Check user authorization for resource. 7. Clean up Java uses automatic garbage collection. 8. Shut down.

2.6.2.1 Typical Access Client Execution Flow

All HTTP FORM-based Access Client applications and plug-ins follow the same basic pattern, as illustrated by the following figure. Figure 2–3 shows a process flow for form-based applications: Figure 2–3 Process Flow for Form-based Applications Process overview: Access Client Execution for Form-based Applications 1. Import libraries.

2. Initialize the SDK.

3. Create ResourceRequest object.

4. Determine if the requested resource is protected.

Resource Not Protected : Grant access, shut down the API, and end program.

5. Requested Resource is Protected

: Create an AuthenticationScheme object

6. Authentication Scheme HTTP FORM-based

: Create a structure for user ID and password, create UserSession object, determine if the user is authenticated

7. Authentication Scheme Not HTTP FORM-based

: Deny access and report reason, shut down the API and end program.

8. User is Authenticated

: Determine if the user is authorized Step 10.

9. User is Not Authenticated

: Deny access and report reason, shut down the API and end program.

10. User is Authorized

: Grant access, shut down the API, and end program.

11. User Not Authorized

: Deny access and report reason, shut down the API and end program. Introduction to the Access SDK and API 2-15

2.6.2.2 Example of a Simple Access Client: JAccess Client.java

This example is a simple Access Client program. It illustrates how to implement the bare minimum tasks required for a working Access Client, as described here. Simple Access Client Processing: JAccess Client.java ■ Connect to the OAM Server ■ Log in using an authentication scheme employing the HTTP FORM challenge method ■ Check authorization for a certain resource using an HTTP GET request ■ Catch and report Access SDK API exceptions Typically, this calling sequence is quite similar among Access Clients using the FORM challenge method. FORM-method Access Clients differ principally in the credentials they require for authentication and the type of resources they protect. A complete listing for JAccess Client.java appears in Example 2–1 . You can copy this code verbatim into the text file JAccess Client.java and execute it on the computer where your Access Manager SDK is installed. Section 2.6.2.2.1, Annotated Code: JAccess Client.java provides annotated code line-by-line to help you become familiar with Java Access Manager API calls. Example 2–1 JAccess Client.java import java.util.Hashtable; import oracle.security.am.asdk.; public class JAccessClient { public static final String ms_resource = Example.com:80secrets index.html; public static final String ms_protocol = http; public static final String ms_method = GET; public static final String ms_login = jsmith; public static final String ms_passwd = j5m1th; public String m_configLocation = myfolder; public static void mainString argv[] { AccessClient ac = null; try { ac = AccessClient.createDefaultInstancem_configLocation, AccessClient.CompatibilityMode.OAM_10G; ResourceRequest rrq = new ResourceRequestms_protocol, ms_resource, ms_method; if rrq.isProtected { System.out.printlnResource is protected.; AuthenticationScheme authnScheme = new AuthenticationSchemerrq; Note: To run this test application, or any of the other examples, you must make sure that your Access System is installed and set up correctly. Specifically, check that it has been configured to protect resources that match exactly the URLs and authentication schemes expected by the sample programs. For details on creating application domains and protecting resources with application domains, see Oracle Fusion Middleware Administrators Guide for Oracle Access Manager with Oracle Security Token Service.