About the Custom Plug-in Life Cycle

Developers Guide for Oracle Access Manager and Oracle Security Token Service: Creating Custom Authentication Plug-ins

Figure 3–2 Authentication Model and Plug-ins

Before designing and developing custom authentication plug-ins, Oracle recommends that developers analyze the Oracle Access Manager authentication decision process closely to determine how a user should be authenticated. When a certain request comes in, there are two possible ways to deal with it. One is to have specific schemes run depending on the attributes of the request, using a decision engine to run one or multiple schemes to properly authenticate the user. This requires less code within each scheme and allows for more modularity. The other option is to have every scheme hard-coded to deal with the various attributes of requests for specific purposes, without a decision engine to piece together which schemes need to be run; only one scheme is run.

Example: Decision Engine versus Hard-Coded Authentication

Suppose a user wants to log in to his online bank account using his home computer, at midnight. The following overviews outline the processing differences between the decision engine approach and the hard-coded approach. The differences between the two approaches are simple but important. Developers must decide which approach best meets their requirements.

Process overview: Decision Engine Approach
1. The request comes from the user with a certain IP address at midnight.
2. The decision engine determines it has previously dealt with this IP address. It also determines that a user trying to authenticate at midnight is suspicious and requires the user to answer a security question, in addition to a username and password.
3. The security question scheme is run for the specified user, and is successful. This is the first of two authentication schemes selected by the decision engine.
4. The user-password scheme is run, and the user authenticates successfully. This is the second authentication scheme selected by the decision engine.

Process overview: Hard-Coded Approach
1. The request comes from the user with a certain IP address at midnight.
2. The online bank account access scheme is chosen from among the other authentication schemes (credit card access scheme, new account creation and verification, and so on).
3. The scheme first checks the IP address to determine if the user has previously made attempts to connect from the computer. It determines the user has.
4. The scheme checks the time. It requires a security question to be answered, which is answered successfully.
5. The scheme requires the user to enter his login credentials, and he authenticates successfully.

Each approach has its own advantages and disadvantages. For the decision-engine model, code re-use is the primary advantage, while the hard-coded approach may result in more security. Developers will have to decide which approach to go with.

3.2 Introduction to Plug-in Interfaces

This section provides the following topics:
■ About the Plug-in Interfaces
■ About Plug-in Hierarchies

3.2.1 About the Plug-in Interfaces

This topic introduces the hierarchy for packages, classes, interfaces, and annotations. Custom plug-in implementation includes writing plug-in implementation class artifacts. The plug-in implementation class must extend the AbstractAuthenticationPlugIn class and implement the initialize and process methods. Custom plug-in implementers must implement the actual custom authentication processing logic in the process method and return the final authentication execution status. A plug-in's configuration requirements must be given in XML format. This configuration metadata includes the plug-in name, author, creation date, version, interface class, implementation class, and configuration data in the form of Attribute Value pairs. Oracle Access Manager 11g provides a generic plug-in interface and a more specific authentication interface, as described in:
■ Section 3.2.1.1, GenericPluginService
■ Section 3.2.1.2, AuthnPluginService
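The hard-coded approach from the online bank example (steps 1 to 5), written as a custom authentication plug-in; this is an added example, not code from the Oracle guide. The guide names only AbstractAuthenticationPlugIn, initialize and process: the remaining method signatures, the PluginConstants keys and getClientIPAddress() are recalled from the 11g plug-in API and should be checked against your javadoc, the OffHoursStart attribute and the security_answer credential key are hypothetical, and the user store is constructed in-memory data.

```java
import java.time.LocalTime;
import java.util.Map;
import java.util.Set;
import oracle.security.am.plugin.ExecutionStatus;
import oracle.security.am.plugin.MonitoringData;
import oracle.security.am.plugin.PluginConfig;
import oracle.security.am.plugin.authn.AbstractAuthenticationPlugIn;
import oracle.security.am.plugin.authn.AuthenticationContext;
import oracle.security.am.plugin.authn.AuthenticationException;
import oracle.security.am.plugin.authn.PluginConstants;

public class BankAccountAccessPlugin extends AbstractAuthenticationPlugIn {
    // Constructed in-memory stand-ins for the bank's user store and client-IP history.
    private static final Map<String, String> PASSWORDS = Map.of("alice", "correct-horse");
    private static final Map<String, String> ANSWERS = Map.of("alice", "rover");
    private static final Set<String> KNOWN_CLIENTS = Set.of("198.51.100.7");
    private int offHoursStart = 22; // hour from which a request counts as off-hours
    @Override
    public ExecutionStatus initialize(PluginConfig config) {
        super.initialize(config);
        Object v = config.getParameter("OffHoursStart"); // hypothetical Attribute/Value pair name
        if (v != null) offHoursStart = Integer.parseInt(v.toString());
        return ExecutionStatus.SUCCESS;
    }
    @Override
    public ExecutionStatus process(AuthenticationContext ctx) throws AuthenticationException {
        String user = credential(ctx, PluginConstants.KEY_USERNAME);
        if (user == null) return ExecutionStatus.FAILURE;
        String ip = ctx.getClientIPAddress(); // assumed accessor on the context
        // Steps 3-4: the guide asks the security question at midnight; this example also asks it for an unseen IP.
        boolean suspicious = ip == null || !KNOWN_CLIENTS.contains(ip) || LocalTime.now().getHour() >= offHoursStart;
        if (suspicious && !matches(ANSWERS.get(user), credential(ctx, "security_answer"))) return ExecutionStatus.FAILURE;
        // Step 5: username and password; the returned status is the final result handed to OAM.
        return matches(PASSWORDS.get(user), credential(ctx, PluginConstants.KEY_PASSWORD))
                ? ExecutionStatus.SUCCESS : ExecutionStatus.FAILURE;
    }
    private static String credential(AuthenticationContext ctx, String key) {
        var attr = ctx.getCredential().getParam(key); // Java 10+ 'var'; attribute type left implicit
        return attr == null || attr.getValue() == null ? null : attr.getValue().toString();
    }
    private static boolean matches(String expected, String actual) { // constant-time compare
        if (expected == null || actual == null) return false;
        return java.security.MessageDigest.isEqual(expected.getBytes(), actual.getBytes());
    }
    @Override public String getDescription() { return "Online bank account access scheme"; }
    @Override public Map<String, MonitoringData> getMonitoringData() { return null; }
    @Override public boolean getMonitoringStatus() { return false; }
    @Override public String getPluginName() { return "BankAccountAccessPlugin"; }
    @Override public int getRevision() { return 1; }
}
```

Under the decision-engine approach, the IP check, the security question and the password check would instead each be a separate plug-in, with the engine choosing which of them to run and in what order.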

3.2.1.1 GenericPluginService

oracle.security.am.plugin

Table 3–2 Approach Comparison

Approach: Decision Engine
Description: Divides authentication schemes into smaller sequential modules that can be orchestrated to work together as needed.
Advantages:
■ Code re-use is the primary advantage.
■ Mirroring the approach of Oracle Adaptive Access Manager is a secondary advantage.

Approach: Hard-coded
Description: Leaves nothing to be decided; resembles a complete set of If-Else statements that the user must pass to authenticate.
Advantages:
■ Could result in greater security.