Access Client Architecture Introduction to Access Clients

5. The OAM Server responds.

6. The application uses a form or some other means to ask for user credentials. In some cases, the user credentials may already have been submitted as part of:
■ A valid session token
■ Input from a web browser
■ Arguments to the command-line script or keyboard input that launched the Access Client application

7. The user responds to the application.

8. The Access Client constructs a UserSession structure that presents the user credentials to the OAM Server, which maps them to a user profile in the Oracle Access Manager user directory.

9. If the credentials prove valid, the Access Client creates a session token for the user, then it sends a request for authorization to the OAM Server. This request contains the user identity, the name of the target resource, and the requested operation.

10. The Access Client grants the user access to the resource, provided that the user is authorized for the requested operation on that particular resource.

11. Not pictured. A well-behaved Access Client deallocates the memory used by the objects it has created, then shuts down the Access Manager API.

The steps detailed in Process Overview: Handling a resource request on page 2-12 represent only the main path of the authorization process. Typically, additional code sections within the servlet or application handle branch situations where:
■ The requested resource is not protected.
■ The authentication challenge method associated with the protected resource is not supported by the application.
■ The user has a valid single sign-on cookie, ObSSOCookie, which enables the user to access the resource without again presenting her credentials for as long as the session token embedded in the cookie remains valid. For details about ObSSOCookies and single sign-on, see the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service.
■ The user fails to supply valid credentials under the specified conditions.
■ Some other error condition arises.
■ The developer has built additional custom code into the Access Client to handle special situations or functionality.

2.6.2 Structure of an Access Client

The structure of a typical Access Client application roughly mirrors the sequence of events required to set up an Access Client session.

Access Client Application Structure Sections

1. Include or import the requisite libraries.

2. Get the resource.

3. Get the authentication scheme.

4. Gather the user credentials required by the authentication scheme.

5. Create the user session.

6. Check the user's authorization for the resource.

7. Clean up (Java uses automatic garbage collection).

8. Shut down.

2.6.2.1 Typical Access Client Execution Flow

All HTTP FORM-based Access Client applications and plug-ins follow the same basic pattern, as illustrated by Figure 2–3.

Figure 2–3 Process Flow for Form-based Applications

Process overview: Access Client Execution for Form-based Applications

1. Import libraries.

2. Initialize the SDK.

3. Create a ResourceRequest object.

4. Determine if the requested resource is protected.
   Resource Not Protected: Grant access, shut down the API, and end the program.

5. Requested Resource is Protected: Create an AuthenticationScheme object.

6. Authentication Scheme HTTP FORM-based: Create a structure for the user ID and password, create a UserSession object, and determine if the user is authenticated.

7. Authentication Scheme Not HTTP FORM-based: Deny access and report the reason, shut down the API, and end the program.

8. User is Authenticated: Determine if the user is authorized (steps 10 and 11).

9. User is Not Authenticated: Deny access and report the reason, shut down the API, and end the program.

10. User is Authorized: Grant access, shut down the API, and end the program.

11. User Not Authorized: Deny access and report the reason, shut down the API, and end the program.
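The structure in 2.6.2 and the form-based flow above, written out as one Java program. This is an added example, not the guide's sample code and not Oracle's SDK source: it assumes the 11g Java Access SDK package oracle.security.am.asdk with the class and method names used here (AccessClient.createDefaultInstance and shutdown, ResourceRequest.isProtected, AuthenticationScheme.isForm, UserSession.getStatus, isAuthorized and getErrorMessage, and a UserSession constructor that takes an existing session token), and the configuration directory, resource name, user ID and password are placeholders that must be replaced with real values. The SDK is only reachable on a host that has been registered with an OAM Server, so the program cannot be run offline.

```java
// Added example, not code from the Developer's Guide. Assumes the 11g Java
// Access SDK (oracle.security.am.asdk) is on the classpath with the class and
// method names used below; CONFIG_DIR, RESOURCE, and the credentials in main()
// are placeholders.
import java.util.Hashtable;
import oracle.security.am.asdk.AccessClient;
import oracle.security.am.asdk.AccessException;
import oracle.security.am.asdk.AuthenticationScheme;
import oracle.security.am.asdk.ResourceRequest;
import oracle.security.am.asdk.UserSession;

public class FormAccessClient {

    // Placeholder values (assumptions, not from the guide).
    private static final String CONFIG_DIR = "/opt/oam/asdk-config";           // directory holding the SDK configuration
    private static final String RESOURCE   = "//app.example.com:443/secrets/index.html";
    private static final String PROTOCOL   = "http";                           // resource type as registered in OAM
    private static final String OPERATION  = "GET";

    /** Result of one access decision; returned rather than printed so a servlet can act on it. */
    enum Decision { GRANT, DENY }

    /**
     * Steps 3 to 11 of the flow. ssoToken is the value of an ObSSOCookie that
     * accompanied the request, or null when the user has no SSO session yet.
     * Every failure path returns DENY: the only way to reach GRANT is a server
     * decision that the user is both authenticated and authorized.
     */
    static Decision decide(String userId, String password, String ssoToken) {
        try {
            // Step 3: describe the resource and the operation being requested.
            ResourceRequest rrq = new ResourceRequest(PROTOCOL, RESOURCE, OPERATION);

            // Step 4: an unprotected resource needs no credentials at all.
            if (!rrq.isProtected()) {
                return Decision.GRANT;
            }

            // Step 5: ask the policy how this resource wants the user challenged.
            AuthenticationScheme scheme = new AuthenticationScheme(rrq);

            UserSession session;
            if (ssoToken != null) {
                // SSO branch from 2.6.1: a valid ObSSOCookie lets the user skip the
                // challenge. Assumes the SDK's token-based UserSession constructor.
                session = new UserSession(ssoToken);
            } else if (scheme.isForm()) {
                // Step 6: this client only knows how to satisfy HTTP FORM schemes.
                Hashtable<String, String> creds = new Hashtable<>();
                creds.put("userid", userId);
                creds.put("password", password);
                session = new UserSession(rrq, creds);
            } else {
                // Step 7: any other scheme (Basic, certificate, ...) is unsupported here.
                System.err.println("Unsupported authentication scheme for " + RESOURCE);
                return Decision.DENY;
            }

            // Steps 8 and 9: the OAM Server, not this code, decided whether the
            // credentials were valid; report its reason but never echo the password.
            if (session.getStatus() != UserSession.LOGGEDIN) {
                System.err.println("Authentication failed: " + session.getErrorMessage());
                return Decision.DENY;
            }

            // Steps 10 and 11: authentication is not authorization; ask separately.
            if (!session.isAuthorized(rrq)) {
                System.err.println("User " + userId + " not authorized for "
                        + OPERATION + " on " + RESOURCE);
                return Decision.DENY;
            }
            return Decision.GRANT;
        } catch (AccessException e) {
            // Fail closed: an SDK or server error must never turn into a grant.
            System.err.println("Access SDK error: " + e.getMessage());
            return Decision.DENY;
        }
    }

    public static void main(String[] args) {
        AccessClient ac = null;
        try {
            // Step 2: initialize the SDK from its configuration directory.
            ac = AccessClient.createDefaultInstance(CONFIG_DIR,
                    AccessClient.CompatibilityMode.OAM_11G);
            // Placeholder credentials; a real client would take them from the form post.
            Decision d = decide("jsmith", "placeholder-password", null);
            System.out.println("Decision: " + d);
        } catch (AccessException e) {
            System.err.println("SDK initialization failed: " + e.getMessage());
        } finally {
            // Step 8 of 2.6.2: shut the SDK down on every path, including errors.
            if (ac != null) {
                ac.shutdown();
            }
        }
    }
}
```

Two choices in this example matter for security rather than for the SDK. First, the decision method has a single GRANT exit and treats every exception, unsupported scheme, and server error as DENY, so a misconfigured or unreachable OAM Server cannot open the resource. Second, the reason reported on the deny paths comes from the server's own error message and the user ID, never from the submitted password or the session token, so the Access Client's logs do not become a credential store.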