User Name Page S1 Device Fingerprint Flow F1

Oracle Fusion Middleware Developer's Guide for Oracle Adaptive Access Manager
Natively Integrating with Oracle Adaptive Access Manager

Cookies in Device Identification

Oracle Adaptive Access Manager uses two types of cookies to perform device identification: the browser cookie, also known as the secure cookie, and the flash cookie, also known as the digital cookie. The browser cookie value is constructed using the browser user agent string. The flash cookie value is constructed using data from the OAAM flash movie.

The following sample code fingerprints the device using browser and flash cookies. Refer to the code in handleFlash.jsp for details:

    // Get the browser (secure) cookie
    String secureCookie = getCookie(request, "bharosa");
    Locale locale = request.getLocale();
    String browserFp = VCryptServletUtil.getBrowserFingerPrint(
            request.getHeader("user-agent"),
            locale.getLanguage(), locale.getCountry(), locale.getVariant());
    String client = request.getParameter("client");
    String fpStr = request.getParameter("fp");
    String flashFp = bharosaHelper.constructFlashFingerPrint(client, fpStr);

    // Get the flash cookie
    String flashCookie = request.getParameter("v");
    CookieSet cookieSet = bharosaHelper.fingerPrintFlash(bharosaSession,
            bharosaSession.getRemoteIPAddr(), request.getRemoteHost(),
            BharosaEnumAuthStatus.PENDING, secureCookie, browserFp,
            flashCookie, flashFp);

Table 2–1 Device Fingerprinting APIs

| Module | APIs | Description |
|---|---|---|
| Server | VCryptTracker::updateLog | APIs that construct the fingerprint are: VCryptServletUtil.getBrowserFingerPrint(userAgent, language, country, variant); VCryptServletUtil.getFlashFingerPrint(client, fpStr). For method details on updateLog, see Section 4.5.6, updateLog. |
| Oracle Adaptive Access Manager Sample | handleJump.jsp | Sets the client's time zone. Sets a secure cookie. Sets the browser fingerprint. Sets the status to pending. Calls the pre-authentication rules; expects allow to allow the user to proceed, or block or error to stop the user from continuing. Stores bharosaSession. Forwards the user to the password.jsp page. |
| Oracle Adaptive Access Manager Sample | handleFlash.jsp | Sets the flashCookie if the browser is flash-enabled. |
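The sample above reads every input (the user-agent header and the client, fp and v parameters) from the request, so each cookie is only useful as evidence when the fingerprint sent with it agrees with what was stored. The following is an added illustration of that pairing check, not code from the guide or from OAAM: the class DeviceIdSketch, the Device record, the Match values and the hashing in browserFp are assumptions, and it needs Java 17 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HexFormat;

public class DeviceIdSketch {
    enum Match { BOTH_COOKIES, BROWSER_ONLY, FLASH_ONLY, NO_MATCH }

    // Values kept from an earlier login (constructed record, not OAAM's schema).
    record Device(String secureCookie, String browserFp, String flashCookie, String flashFp) {}

    // Stand-in for getBrowserFingerPrint: hashes the same four inputs.
    // OAAM's real construction is not shown on the page.
    static String browserFp(String ua, String lang, String country, String variant) throws Exception {
        byte[] in = String.join("|", ua, lang, country, variant).getBytes(StandardCharsets.UTF_8);
        return HexFormat.of().formatHex(MessageDigest.getInstance("SHA-256").digest(in), 0, 8);
    }

    // A cookie counts only when the fingerprint sent with it matches the stored one.
    static boolean pairMatches(String cookie, String fp, String storedCookie, String storedFp) {
        return cookie != null && fp != null && cookie.equals(storedCookie) && fp.equals(storedFp);
    }

    static Match identify(Device d, String cookie, String fp, String flashCookie, String flashFp) {
        boolean browser = pairMatches(cookie, fp, d.secureCookie(), d.browserFp());
        boolean flash = pairMatches(flashCookie, flashFp, d.flashCookie(), d.flashFp());
        if (browser && flash) return Match.BOTH_COOKIES;
        if (browser) return Match.BROWSER_ONLY;
        return flash ? Match.FLASH_ONLY : Match.NO_MATCH;
    }

    public static void main(String[] args) throws Exception {
        String ua = "Mozilla/5.0 (constructed sample)";
        Device known = new Device("c-1001", browserFp(ua, "en", "US", ""), "f-2002", "flash-fp-A");

        // Same browser, both cookies present.
        System.out.println(identify(known, "c-1001", browserFp(ua, "en", "US", ""), "f-2002", "flash-fp-A"));
        // Browser cookie cleared; the flash cookie still identifies the device.
        System.out.println(identify(known, null, browserFp(ua, "en", "US", ""), "f-2002", "flash-fp-A"));
        // Browser cookie value presented with a different user agent and no flash data.
        System.out.println(identify(known, "c-1001", browserFp("OtherAgent/1.0", "de", "DE", ""), null, null));
    }
}
```

A result other than BOTH_COOKIES is a signal for the pre-authentication rules to weigh, not proof of identity, because all four values are supplied by the client.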

2.2.1.3 Run Pre-Authentication Rules R1

Pre-authentication rules are run before the user is authenticated. Common values returned by the pre-authentication checkpoint include:

■ Allow to allow the user to proceed forward.
■ Block to block the user from proceeding forward.

The APIs used for pre-authentication are listed in Table 2–2.

2.2.1.4 Run Virtual Authentication Device Rules R2

This stage determines the virtual authentication device to use. If the user has not registered an image and a phrase, the rule returns the Generic TextPad; otherwise, if the user has registered, the rule returns either the personalized TextPad or KeyPad. Common values returned by virtual authentication devices include:

■ Generic TextPad to use the default generic TextPad.
■ TextPad to use a personalized TextPad.
■ KeyPad to use a personalized KeyPad.

The APIs used to run virtual authentication device rules are listed in Table 2–3.

2.2.1.4.1 Generate a Generic TextPad P2

A generic, non-personalized TextPad is used for users who have not yet registered with Oracle Adaptive Access Manager. Figure 2–4 illustrates a generic TextPad.

Table 2–2 Pre-Authentication Rules Reference APIs

| Module | APIs | Description |
|---|---|---|
| Server | VCryptRulesEngine::processRules | For method details, see Section 4.6.1, processRules. |
| Oracle Adaptive Access Manager Sample | handleJump.jsp | Invokes the pre-authentication rules; returns allow to proceed forward to password.jsp, or block or error to signal an error. Stores bharosaSession. |
| BharosaHelper | BharosaHelper::runPreAuthRules | |

Table 2–3 Virtual Authentication Device Rules APIs

| Module | APIs | Description |
|---|---|---|
| Server | VCryptRulesEngine::processRules | For method details, see Section 4.6.1, processRules. |
| Oracle Adaptive Access Manager Sample | password.jsp | Invokes rules to identify the user's virtual authentication device type. Creates the virtual authentication device, names it, and sets all initial background frames. Invokes kbimage.jsp as configured. Forwards to page handlePassword.jsp. |
| BharosaHelper | BharosaHelper::getAuthentiPad | |

Figure 2–4 Generic, Non-Personalized TextPad

Table 2–4 lists the APIs used to generate a generic TextPad.

2.2.1.4.2 Generate a Personalized TextPad or KeyPad P3

A personalized TextPad is used for users who have registered with Oracle Adaptive Access Manager. Figure 2–5 and Figure 2–6 illustrate personalized text and key virtual authentication devices.

Table 2–4 Generation of a Generic TextPad APIs

| Module | APIs | Description |
|---|---|---|
| Server | VCryptAuth::getUserByLoginId | You can obtain an instance of VCryptAuth by calling VCryptAuthUtil.getVCryptAuthInstance. For method details, see Section 4.5.7, getUserByLoginId. |
| Oracle Adaptive Access Manager Sample | Password.jsp | Invokes rules to identify the virtual authentication device type to use; the default is KeyPad. Creates the virtual authentication device, names it, and sets all initial background frames. Invokes kbimage.jsp as configured. Forwards to page handlePassword.jsp. |
| BharosaHelper | BharosaHelper::createPersonalizedAuthentiPad, BharosaHelper::createAuthentiPad | |
| Client | AuthentiPad::getHTML | |