About Planning, the Authentication Model, and Plug-ins

3-6 Developers Guide for Oracle Access Manager and Oracle Security Token Service

3. The scheme first checks the IP address to determine if the user has previously made attempts to connect from the computer. It determines the user has.
4. The scheme checks the time. It requires a security question to be answered, which is answered successfully.
5. The scheme requires the user to enter his login credentials, and he authenticates successfully.

Each approach has its own advantages and disadvantages. For the decision-engine model, code re-use is the primary advantage, while the hard-coded approach may result in more security. Developers must decide which approach to use.
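The two approaches compared above, side by side, as an added example that is not part of the Oracle guide. The class, the `Step` record, the check methods and all sample values are stand-ins constructed here; none of them is the Oracle Access Manager plug-in API.

```java
import java.util.List;
import java.util.Map;
import java.util.function.Predicate;

// Added illustration with stand-in types; this is not the Oracle Access Manager plug-in API.
public class ApproachComparison {
    // Constructed checks; real modules would consult the identity store, not literals.
    static boolean knownIp(Map<String, String> r)    { return "192.0.2.10".equals(r.get("ip")); }
    static boolean questionOk(Map<String, String> r) { return "blue".equals(r.get("answer")); }
    static boolean credsOk(Map<String, String> r) {
        return "alice".equals(r.get("user")) && "s3cret".equals(r.get("password"));
    }

    // Hard-coded approach: one fixed if-else chain, nothing left to configure.
    static boolean hardCoded(Map<String, String> r) {
        if (!knownIp(r)) return false;
        else if (!questionOk(r)) return false;
        else return credsOk(r);
    }

    // Decision-engine approach: each check is a named, reusable module.
    record Step(String name, Predicate<Map<String, String>> check) {}
    static final Step IP = new Step("ip", ApproachComparison::knownIp);
    static final Step QUESTION = new Step("question", ApproachComparison::questionOk);
    static final Step CREDENTIALS = new Step("credentials", ApproachComparison::credsOk);

    // The engine fails closed: an empty scheme, a failing step or a step that
    // throws all deny. Success requires every configured step to pass.
    static boolean run(List<Step> scheme, Map<String, String> r) {
        if (scheme.isEmpty()) return false;
        for (Step step : scheme) {
            try {
                if (!step.check().test(r)) return false;
            } catch (RuntimeException e) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        Map<String, String> ok = Map.of("ip", "192.0.2.10", "answer", "blue",
                                        "user", "alice", "password", "s3cret");
        Map<String, String> newIp = Map.of("ip", "198.51.100.7", "answer", "blue",
                                           "user", "alice", "password", "s3cret");
        List<Step> full = List.of(IP, QUESTION, CREDENTIALS);
        System.out.println(hardCoded(ok) + " " + run(full, ok));       // known IP, all answers correct
        System.out.println(hardCoded(newIp) + " " + run(full, newIp)); // same answers, unrecognised IP
        // Same modules, shorter scheme: re-use costs no new code, but this
        // configuration no longer asks the security question.
        System.out.println(run(List.of(IP, CREDENTIALS), ok));
    }
}
```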

3.2 Introduction to Plug-in Interfaces

This section provides the following topics:
■ About the Plug-in Interfaces
■ About Plug-in Hierarchies

3.2.1 About the Plug-in Interfaces

This topic introduces the hierarchy for packages, classes, interfaces, and annotations.

Custom plug-in implementation includes writing plug-in implementation class artifacts. The plug-in implementation class must extend the AbstractAuthenticationPlugIn class and implement the initialize and process methods. Custom plug-in implementers must implement the actual custom authentication processing logic in the process method and return the final authentication execution status.

A plug-in's configuration requirements must be given in XML format. This configuration metadata includes the plug-in name, author, creation date, version, interface class, implementation class, and configuration data in the form of attribute-value pairs.

Oracle Access Manager 11g provides a generic plug-in interface and a more specific authentication interface, as described in:
■ Section 3.2.1.1, GenericPluginService
■ Section 3.2.1.2, AuthnPluginService

3.2.1.1 GenericPluginService

Table 3–2 Approach Comparison

Approach: Decision Engine
Description: Divides authentication schemes into smaller sequential modules that can be orchestrated to work together as needed.
Advantages:
■ Code re-use is the primary advantage.
■ Mirroring the approach of Oracle Adaptive Access Manager is a secondary advantage.

Approach: Hard-coded
Description: Leaves nothing to be decided; resembles a complete set of If-Else statements that the user must pass to authenticate.
Advantages: Could result in greater security.

Creating Custom Authentication Plug-ins 3-7

oracle.security.am.plugin

The public interface GenericPluginService, in the oracle.security.am.plugin package, is a generic plug-in interface that provides methods to get the plug-in name, plug-in implementation class name, plug-in version, plug-in execution status, plug-in monitoring data, and plug-in configuration data, and to start and stop the plug-in.

AbstractAMPlugin

The public abstract class oracle.security.am.plugin.AbstractAMPlugin extends java.lang.Object and implements GenericPluginService and org.osgi.framework.BundleActivator. This is an abstract plug-in class that needs to be extended by all Access Management plug-ins. It provides base implementations for the plug-in start and stop methods.

3.2.1.2 AuthnPluginService

oracle.security.am.plugin.authn.AuthnPluginService

The public interface oracle.security.am.plugin.authn.AuthnPluginService extends GenericPluginService. This is an authentication plug-in interface that provides an additional authentication-specific method to access and process all the data available in the AuthenticationContext object and return the process execution status. The plug-in can then set a response that will be added to the SESSION, request and redirect contexts.

AbstractAuthenticationPlugIn

The public abstract class oracle.security.am.plugin.authn.AbstractAuthenticationPlugIn extends AbstractAMPlugin and implements AuthnPluginService. This is an abstract authentication plug-in class that is exposed to plug-in developers. All custom plug-in implementations should extend this AbstractPlugInService class. Plug-ins that need to handle resource cleanup should override the shutdown(Map<String, Object> OAMEnvironmentContext) method. The class also provides an instance of java.util.logging.Logger to plug-ins.

3.2.2 About Plug-in Hierarchies

This topic provides a look at the hierarchies:
■ Figure 3–3, Plug-in Package Hierarchy
■ Figure 3–4, Plug-in Class Hierarchy
■ Figure 3–5, Plug-in Interface Hierarchy
■ Figure 3–6, Plug-in Annotation Type Hierarchy
■ Figure 3–7, Plug-in Enum Hierarchy

See Also: Oracle Fusion Middleware Oracle Access Manager Java API Reference

Figure 3–3 Plug-in Package Hierarchy

Figure 3–4 Plug-in Class Hierarchy