
Customizing User Flow 9-5

9.6 Struts Configuration File

The Struts framework drives the navigation between the user interface pages.

9.6.1 Action Path

The action definition includes the path, which defines what the URL will be. The login page example is shown.

    <action path="/login" type="com.bharosa.uio.actions.LoginAction">
      <forward name="success" path="/updateLoginStatus.do" redirect="true"/>
      <forward name="loginJump" path="/loginJumpPage.jsp" redirect="true"/>
      <forward name="password" path="password"/>
      <forward name="challenge" path="/challengeUser.do" redirect="true"/>
    </action>
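One way to review a customized struts-config.xml is to list the URL each action path exposes, with the class that handles it, and to flag `.do` forwards that point at no defined action. This is an added example, not code from Oracle or from the original page; the excerpt is constructed, and the `host.example` base URL and the mistyped `stepUp` forward are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt in the shape of the page's struts-config.xml. The
# "stepUp" forward is a hypothetical customization with a mistyped target.
SAMPLE = """
<struts-config>
  <global-forwards>
    <forward name="block" path="/error.do?action=block" redirect="true"/>
  </global-forwards>
  <action-mappings>
    <action path="/login" type="com.bharosa.uio.actions.LoginAction">
      <forward name="success" path="/updateLoginStatus.do" redirect="true"/>
      <forward name="password" path="password"/>
      <forward name="challenge" path="/challengeUser.do" redirect="true"/>
      <forward name="stepUp" path="/chalengeUser.do" redirect="true"/>
    </action>
    <action path="/updateLoginStatus"
            type="com.bharosa.uio.actions.UpdateAuthStatusAction"/>
    <action path="/challengeUser"
            type="com.bharosa.uio.actions.ChallengeUserAction"/>
    <action path="/error" type="com.bharosa.uio.actions.ErrorAction"/>
  </action-mappings>
</struts-config>
"""

def exposed_urls(xml_text, base="http://host.example/oaam_server"):
    """Map each externally reachable URL to the class that handles it."""
    root = ET.fromstring(xml_text)
    # The page's rule: action path "/login" is served as ".../login.do".
    return {base + a.get("path") + ".do": a.get("type")
            for a in root.iter("action")}

def dangling_forwards(xml_text):
    """Return (owner, forward name, path) for .do forwards with no action."""
    root = ET.fromstring(xml_text)
    defined = {a.get("path") for a in root.iter("action")}
    problems = []
    for owner in list(root.iter("action")) + list(root.iter("global-forwards")):
        for fwd in owner.findall("forward"):
            target = fwd.get("path").split("?", 1)[0]   # drop the query string
            if target.endswith(".do") and target[:-3] not in defined:
                problems.append((owner.get("path", "global"), fwd.get("name"),
                                 fwd.get("path")))
    return problems

if __name__ == "__main__":
    for url, cls in sorted(exposed_urls(SAMPLE).items()):
        print(url, "->", cls)
    for owner, name, path in dangling_forwards(SAMPLE):
        print("dangling forward:", owner, name, path)
```

Forwards without a `.do` suffix (Tiles definition names and JSP pages) are skipped here; checking them needs the Tiles definition files as well.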

9.6.2 Action Type

In the login page example, the URL is http://<server name>/oaam_server/login.do. The login.do comes from the path definition of login. The type parameter defines the class that performs the action. The following classes are provided with the sample user pages.

Table 9–1 Action Type Classes

| Class Name | Description |
|---|---|
| com.bharosa.uio.actions.LoginAction | |
| com.bharosa.uio.actions.LoginFailAction | Displays error message in OAAM Server page. For example, the page could display a login blocked message. |
| com.bharosa.uio.actions.ActivityAction | |
| com.bharosa.uio.actions.PasswordAction | |
| com.bharosa.uio.actions.UpdateAuthStatusAction | Updates the user authentication status and, if appropriate, it triggers pattern data processing. |
| com.bharosa.uio.actions.ValidateTrxAction | |
| com.bharosa.uio.actions.FlashFingerprintAction | |
| com.bharosa.uio.actions.LogoutAction | Logs out the user session and redirects to login page. |
| com.bharosa.uio.actions.SignOnAction | |
| com.bharosa.uio.actions.RegisterQuestionsAction | Displays sets of questions which the user can choose and register the correct answer for each. |
| com.bharosa.uio.actions.ChangePasswordAction | |
| com.bharosa.uio.actions.ForgotPasswordAction | |
| com.bharosa.uio.actions.UserInputAction | |
| com.bharosa.uio.actions.UserPreferencesDoneAction | |
| com.bharosa.uio.actions.ChallengeUserAction | Challenges the user by displaying a question-pad with one of the questions already registered by the user. |
| com.bharosa.uio.actions.ChangeUserNameAction | |
| com.bharosa.uio.actions.MessageAction | |
| com.bharosa.uio.actions.ExitAction | |
| com.bharosa.uio.actions.ErrorAction | |

9-6 Oracle Fusion Middleware Developers Guide for Oracle Adaptive Access Manager

9.6.3 Struts Configuration File

This section shows a struts-config.xml file.

    <struts-config>

      <!-- ========== Global Forward Definitions ============================== -->
      <global-forwards>
        <forward name="session_expired" path="/error.do?action=session_expired" redirect="true"/>
        <forward name="emptyLoginId" path="/error.do?action=empty" redirect="true"/>
        <forward name="fail" path="/error.do?action=fail" redirect="true"/>
        <forward name="invalid_user" path="/error.do?action=invalid_user" redirect="true"/>
        <forward name="error" path="/error.do?action=error" redirect="true"/>
        <forward name="block" path="/error.do?action=block" redirect="true"/>
        <forward name="challenge_block" path="/error.do?action=block" redirect="true"/>
        <forward name="cookieDisabled" path="/error.do?action=cookieDisabled" redirect="true"/>
        <forward name="accessDenied" path="/error.do?action=accessDenied" redirect="true"/>
        <forward name="invalid_request" path="/error.do?action=accessDenied" redirect="true"/>
        <forward name="user_disabled" path="/error.do?action=disabled" redirect="true"/>
        <forward name="wrong_answer" path="/error.do?action=wrong_answer" redirect="true"/>
        <forward name="login" path="/error.do" redirect="true"/>
      </global-forwards>

      <!-- ========== Action Mapping Definitions ============================== -->
      <action-mappings>

        <!-- action mappings for login -->
        <action path="/login" type="com.bharosa.uio.actions.LoginAction">
          <forward name="success" path="/updateLoginStatus.do" redirect="true"/>
          <forward name="loginJump" path="/loginJumpPage.jsp" redirect="true"/>
          <forward name="password" path="password"/>
          <forward name="passwordFT" path="password"/>
          <forward name="challenge" path="/challengeUser.do" redirect="true"/>
        </action>

        <action path="/loginFail" type="com.bharosa.uio.actions.LoginFailAction">
          <forward name="success" path="loginFail"/>
        </action>

        <action path="/activity" type="com.bharosa.uio.actions.ActivityAction">
          <forward name="success" path="loginSuccess" redirect="true"/>
        </action>

        <!-- validate password -->
        <action path="/password" type="com.bharosa.uio.actions.PasswordAction">
          <forward name="success" path="/exit.do"/>
          <forward name="invalid_user" path="/updateLoginStatus.do"/>
          <forward name="noproxy" path="/updateLoginStatus.do"/>
          <forward name="resetPassword" path="/expiredPassword.do" redirect="true"/>
        </action>

        <action path="/updateLoginStatus" type="com.bharosa.uio.actions.UpdateAuthStatusAction">
          <forward name="success" path="/exit.do"/>
          <forward name="challenge" path="/challengeUser.do" redirect="true"/>
          <forward name="registerUser" path="/registerQuestions.do" redirect="true"/>
          <forward name="registerAuthenticator" path="/registerImage.do" redirect="true"/>
          <forward name="registerQuestions" path="/registerQuestions.do" redirect="true"/>
          <forward name="registerQuestionsHTML" path="/registerQuestions.do" redirect="true"/>
          <forward name="registerUserInfo" path="/registerUserInfo.do" redirect="true"/>
          <forward name="signon" path="signon" redirect="true"/>
        </action>

        <action path="/updateForgotPasswordStatus" type="com.bharosa.uio.actions.UpdateAuthStatusAction" parameter="ForgotPassword">
          <forward name="success" path="/resetPassword.do" redirect="true"/>
          <forward name="challenge" path="/challengeUserForgotPassword.do" redirect="true"/>
          <forward name="registerUser" path="/registerQuestions.do" redirect="true"/>
          <forward name="registerQuestions" path="/registerQuestions.do" redirect="true"/>
          <forward name="registerQuestionsHTML" path="/registerQuestions.do" redirect="true"/>
          <forward name="registerUserInfo" path="/registerUserInfo.do" redirect="true"/>
          <forward name="signon" path="signon" redirect="true"/>
        </action>

        <action path="/validateTrx" type="com.bharosa.uio.actions.ValidateTrxAction">
          <forward name="success" path="/exit.do"/>
          <forward name="challenge" path="/challengeUserTrx.do" redirect="true"/>
        </action>

        <action path="/flashFingerprint" type="com.bharosa.uio.actions.FlashFingerprintAction">
          <forward name="success" path="/flashFingerprint.jsp"/>
        </action>

        <!-- action mappings for logout -->
        <action path="/logout" type="com.bharosa.uio.actions.LogoutAction">
          <forward name="success" path="/loginPage.jsp"/>
        </action>

        <!-- action mappings for signon -->
        <action path="/signon" type="com.bharosa.uio.actions.SignOnAction">
          <forward name="securityProfile" path="/securityProfile.jsp" redirect="true"/>
          <forward name="securityDone" path="/activity.do" redirect="true"/>
        </action>

        <!-- action mappings for security QA -->
        <action path="/registerQuestions" type="com.bharosa.uio.actions.RegisterQuestionsAction">
          <forward name="qaExists" path="qaExists" redirect="true"/>
          <forward name="registerAuthenticator" path="registerAuthenticator"/>
          <forward name="registerQuestions" path="registerQuestions"/>
          <forward name="registerQuestionsHTML" path="registerQuestionsHTML"/>
          <forward name="registerInfo" path="registerInfo"/>
          <forward name="registerUserInfo" path="registerUserInfo"/>
          <forward name="skip" path="/exit.do"/>
          <forward name="success" path="/exit.do"/>
        </action>

        <action path="/registerImage" type="com.bharosa.uio.actions.RegisterQuestionsAction" parameter="RegisterImage">
          <forward name="registerAuthenticator" path="registerAuthenticator"/>
          <forward name="success" path="/exit.do"/>
        </action>

        <action path="/registerUserInfo" type="com.bharosa.uio.actions.RegisterQuestionsAction" parameter="RegisterUserInfo">
          <forward name="registerUserInfo" path="registerUserInfo"/>
          <forward name="success" path="/exit.do"/>
        </action>

        <action path="/userPreferences" type="com.bharosa.uio.actions.RegisterQuestionsAction" parameter="UserPreferences">
          <forward name="registerAuthenticator" path="userPreferences"/>
          <forward name="registerInfo" path="userPreferences"/>
          <forward name="registerQuestions" path="registerQuestions"/>
          <forward name="registerQuestionsHTML" path="registerQuestionsHTML"/>
          <forward name="registerUserInfo" path="registerUserInfo"/>
          <forward name="changePassword" path="/changePassword.do"/>
          <forward name="success" path="userPreferences"/>
          <forward name="registrationRequired" path="registrationRequired"/>
          <forward name="exit" path="/exit.do"/>
        </action>

        <action path="/changePassword" type="com.bharosa.uio.actions.ChangePasswordAction">
          <forward name="changePassword" path="changePassword"/>
          <forward name="success" path="/userPreferences.do" redirect="true"/>
          <forward name="exit" path="/exit.do"/>
        </action>

        <action path="/resetPassword" type="com.bharosa.uio.actions.ChangePasswordAction" parameter="ResetPassword">
          <forward name="changePassword" path="changePassword"/>
          <forward name="success" path="/exit.do"/>
          <forward name="updateStatus" path="/updateLoginStatus.do" redirect="true"/>
        </action>

        <action path="/expiredPassword" type="com.bharosa.uio.actions.ChangePasswordAction" parameter="ExpiredPassword">
          <forward name="changePassword" path="changePassword"/>
          <forward name="success" path="/exit.do"/>
          <forward name="updateStatus" path="/updateLoginStatus.do" redirect="true"/>
        </action>

        <action path="/forgotPassword" type="com.bharosa.uio.actions.ForgotPasswordAction">
          <forward name="forgotPassword" path="forgotPassword"/>
          <forward name="challenge" path="/challengeUserForgotPassword.do"/>
          <forward name="success" path="/exit.do"/>
          <forward name="noproxy" path="/updateForgotPasswordStatus.do"/>
        </action>

        <action path="/getUserInput" type="com.bharosa.uio.actions.UserInputAction">
          <forward name="showAuthenticator" path="userInput"/>
          <forward name="success" path="/exit.do"/>
        </action>

        <action path="/userPreferencesDone" type="com.bharosa.uio.actions.UserPreferencesDoneAction">
          <forward name="success" path="/exit.do"/>
          <forward name="exit" path="/exit.do"/>
        </action>

        <!-- action mappings for challenge user -->
        <action path="/challengeUser" type="com.bharosa.uio.actions.ChallengeUserAction">
          <forward name="success" path="/exit.do"/>
          <forward name="challenge" path="challengeUser"/>
          <forward name="registerUser" path="/registerQuestions.do" redirect="true"/>
          <forward name="registerAuthenticator" path="/registerImage.do" redirect="true"/>
          <forward name="registerQuestions" path="/registerQuestions.do" redirect="true"/>
          <forward name="registerQuestionsHTML" path="/registerQuestions.do" redirect="true"/>
          <forward name="registerUserInfo" path="/registerUserInfo.do" redirect="true"/>
          <forward name="wait" path="challengeWait"/>
        </action>

        <action path="/challengeUserTrx" type="com.bharosa.uio.actions.ChallengeUserAction" parameter="transaction">
          <forward name="success" path="/exit.do"/>
          <forward name="challenge" path="challengeUser"/>
          <forward name="registerUser" path="/registerQuestions.do" redirect="true"/>
          <forward name="registerAuthenticator" path="/registerImage.do" redirect="true"/>
          <forward name="registerQuestions" path="/registerQuestions.do" redirect="true"/>
          <forward name="registerQuestionsHTML" path="/registerQuestions.do" redirect="true"/>
          <forward name="registerUserInfo" path="/registerUserInfo.do" redirect="true"/>
          <forward name="wait" path="challengeWait"/>
        </action>

        <action path="/challengeUserForgotPassword" type="com.bharosa.uio.actions.ChallengeUserAction" parameter="ForgotPassword">
          <forward name="success" path="/resetPassword.do" redirect="true"/>
          <forward name="forgotPassword" path="forgotPassword"/>
          <forward name="challenge" path="challengeUserForgotPassword"/>
          <forward name="wait" path="challengeWait"/>
        </action>

        <action path="/changeUserId" type="com.bharosa.uio.actions.ChangeUserNameAction">
          <forward name="success" path="/exit.do"/>
        </action>

        <!-- action mappings for message -->
        <action path="/message" type="com.bharosa.uio.actions.MessageAction">
          <forward name="success" path="message"/>
        </action>

        <action path="/exit" type="com.bharosa.uio.actions.ExitAction">
          <forward name="success" path="/empty.jsp"/>
        </action>

        <action path="/error" type="com.bharosa.uio.actions.ErrorAction">
          <forward name="login" path="/loginPage.jsp" redirect="true"/>
        </action>

      </action-mappings>

      <!-- The Tiles Request Processor for processing all the Tile requests -->
      <controller processorClass="org.apache.struts.tiles.TilesRequestProcessor"/>

      <!-- message resources -->
      <message-resources parameter="proxyweb" null="false"/>

      <!-- tiles plug-in -->
      <plug-in className="org.apache.struts.tiles.TilesPlugin">
        <set-property property="definitions-config" value="/WEB-INF/tiles-def.xml,/WEB-INF/tiles-def-extension.xml"/>
        <set-property property="definitions-debug" value="0"/>
        <set-property property="definitions-parser-details" value="0"/>
        <set-property property="definitions-parser-validate" value="true"/>
        <set-property property="moduleAware" value="true"/>
      </plug-in>

    </struts-config>

10 Using Virtual Authentication Devices

Oracle Adaptive Access Manager includes unique functionality to protect end users while interacting with a protected web application. The virtual authentication devices are used to protect users during the process of entering and transmitting authentication credentials and provide them with verification they are authenticating on the valid application. Each virtual authentication device (VAD) has its own unique set of security features that make it much more than a mere image on a web page.

This chapter contains the following sections:
■ Terminology
■ Virtual Authentication Devices and Set of Background Images
■ Virtual Authentication Types
■ Authenticator Composition
■ Virtual Authentication Device Properties
■ Displaying Virtual Authentication Devices
■ Enabling Accessible Versions of Authenticators
■ Localizing Virtual Authentication Device in OAAM 11g

10.1 Terminology

This section defines terms used in this chapter.

Table 10–1 VAD Terminology

| Term | Description |
|---|---|
| Authenticator Authentipad | A control for user input included in OAAM that provides a keyboard and enables personalization. |
| Personalization | Assigning an image and generated phrase during registration. The phrase and image provide end users with verification they are authenticating on the valid application. |
| Virtual Keypad/Keyboard | A method for user input where the user clicks screen keys instead of an external keyboard. |
| Jitter | The act of moving key location slightly each time the authenticator is generated. |
| Offset | The act of moving a whole key set on screen. |
| Key Randomization | The act of randomizing the key order. |
| Timestamp | A string generated from the current system time or client side time. |
| Masking | Replacing characters in an HTML input field. |
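The three layout terms in the table (key randomization, offset, jitter) can be shown as transforms applied when a keypad is generated. This is an added illustration, not OAAM's implementation; the key size, grid width, pixel ranges and the click-resolution helpers are assumptions.

```python
import secrets

_rng = secrets.SystemRandom()    # OS CSPRNG, so layouts are not predictable

KEY_W, KEY_H, COLS = 40, 40, 3   # assumed key size in pixels and grid width

def build_layout(keys="0123456789", max_jitter=4, max_offset=30):
    """Return {key: (x, y, w, h)} for one freshly generated keypad."""
    order = list(keys)
    _rng.shuffle(order)                             # key randomization
    off_x = _rng.randint(0, max_offset)             # offset: the whole key set moves
    off_y = _rng.randint(0, max_offset)
    layout = {}
    for i, key in enumerate(order):
        col, row = i % COLS, i // COLS
        jx = _rng.randint(-max_jitter, max_jitter)  # jitter: each key moves slightly
        jy = _rng.randint(-max_jitter, max_jitter)
        # Cells are spaced by 2 * max_jitter so jittered keys never overlap.
        x = off_x + max_jitter + col * (KEY_W + 2 * max_jitter) + jx
        y = off_y + max_jitter + row * (KEY_H + 2 * max_jitter) + jy
        layout[key] = (x, y, KEY_W, KEY_H)
    return layout

def key_at(layout, click_x, click_y):
    """Resolve one click using the layout generated for this page view."""
    for key, (x, y, w, h) in layout.items():
        if x <= click_x < x + w and y <= click_y < y + h:
            return key
    return None                                     # click landed between keys

def decode_clicks(layout, clicks):
    """Turn a sequence of click coordinates back into the entered value."""
    return "".join(key_at(layout, cx, cy) or "?" for cx, cy in clicks)

if __name__ == "__main__":
    layout = build_layout()
    clicks = [(layout[k][0] + 5, layout[k][1] + 5) for k in "4071"]
    print(clicks, "->", decode_clicks(layout, clicks))
```

Because the layout changes on every generation, the same click coordinates decode to a different value against a different layout.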

10.2 Virtual Authentication Devices and Set of Background Images

Virtual authentication devices are provided with Oracle Adaptive Access Manager as samples to use if you choose to. These samples are provided in English only. Source art and information in this chapter are provided to allow you to develop your own custom virtual authentication device frames, keys, personalization images and phrases. Alteration of these samples is considered custom development.

10.3 Virtual Authentication Types

The following authentication devices are described in this section:
■ TextPad
■ PinPad
■ QuestionPad
■ Keypad

10.3.1 TextPad

TextPad is a personalized device for entering a password or PIN using a regular keyboard. This method of data entry helps primarily to defend against phishing. TextPad is often deployed as the default for all users in a large deployment. Then, each user individually can upgrade to another device if he wishes. The personal image and phrase a user registers and sees every time he logs in to the valid site serve as a shared secret between the user and server. If this shared secret is not presented or is presented incorrectly, the user will notice. An example TextPad is shown in Figure 10–1.

Figure 10–1 TextPad

10.3.2 PinPad

PinPad is a lightweight authentication device for entering a numeric PIN. An example PinPad is shown in Figure 10–2.

Figure 10–2 PinPad

10.3.3 QuestionPad

QuestionPad is a personalized device for entering answers to challenge questions using a regular keyboard. The QuestionPad is capable of incorporating the challenge question into the Question image. Like other Adaptive Strong Authentication devices, QuestionPad also helps in solving the phishing problem. An example QuestionPad is shown in Figure 10–3.

Figure 10–3 QuestionPad

10.3.4 Keypad

KeyPad is a personalized graphics keyboard, which can be used to enter alphanumeric and special characters that can be entered using a traditional keyboard. KeyPad is ideal for entering passwords and other sensitive data. For example, credit card numbers can be entered. An example KeyPad is shown in Figure 10–4.

Figure 10–4 KeyPad

10.4 Authenticator Composition

An authenticator is comprised of a number of elements. These elements are combined at runtime to produce the Authenticator for display on the client side.

Table 10–2 Elements of an authenticator

| Element | Description |
|---|---|
| Personalized Image | An image selected by the user during registration. This is stored in the user repository in OAAM. |
| Authenticator Frame | An image that forms the frame of the authenticator. It contains graphics to represent user controls. |
| Timestamp, Phrase and Keyset | Image elements that are generated to build the personalization of the authenticator. |
| HTML Controls | A set of JavaScript controlled HTML elements for data entry and submission of data. |

10.5 Virtual Authentication Device Properties

Details on the virtual authentication device properties are provided in this chapter for your reference.

10.5.1 Property Files Used in the Authenticators Configuration

Virtual authentication devices use the following files:
■ bharosa_server.properties - file where custom properties would be added for virtual authentication devices, KeySet definitions used in the KeyPad and PinPad devices, and configuration properties that are not localized (translated).
■ client_resource_<locale>.properties - files to be created by the administrator customizing the application to contain locale-specific properties such as translated displayed messages. The locale identifier consists of at least a language identifier, and a region identifier if required. For example, the custom properties file for US English is client_resource_en_US.properties.

10.5.2 TextPad Authenticator Properties

Table 10–3 lists the TextPad Authenticator Properties.

Note: Many of the properties related to the virtual authentication devices are in resource bundles so that they are capable of being localized. If the default value is in a resource file, then the override value should be placed in the client override file for resource bundle values, client_resource.properties.