|Oracle® Access Manager Customization Guide
Part Number E12498-01
Oracle Access Manager provides APIs that allow software developers to write custom programs or components that integrate closely with Oracle Access Manager. These modules may represent anything from custom extensions of base Oracle Access Manager functionality to significant applications that are outside of Oracle Access Manager, but need to interact with Oracle Access Manager for identity or access control functions.
This chapter describes several methods of working with Oracle Access Manager programmatically:
Oracle Access Manager provides a standard WebGate component, which is used to control access to a Web server. You want to use Oracle Access Manager's access control system to control access to an application server or a function within a standalone application.
You can use the Access Manager API, as discussed in the Oracle Access Manager Deployment Guide, to create a custom AccessGate.
Oracle Access Manager provides a software developer's kit (SDK) that can be used to create an interface to Oracle Access Manager's authentication and authorization services. This interface can be built into commercially available application servers, such as Oracle WebLogic, IBM WebSphere, iPlanet Application Server, or any other application that can access the Access Server. The application, with the API added, then acts as an AccessGate to the Access Server.
In particular, the Access Manager API enables Java (servlets, JSPs, EJBs, and so on), C++ (COM/ASP), and C applications to:
Support secured single sign-on (SSO) across Web and application servers
Authorize user requests for application resources (URLs, EJBs and their methods, and user-defined resources)
Support protection of non-HTTP resources
Provide both Java Bean level and Enterprise Java Bean level security
The API is designed primarily to support J2EE-compatible application servers, in particular the way they work with servlets, Java Server Pages, and Enterprise Java Beans, and so is designed from a Java perspective. The API also provides bindings for C++ and C.
Creating an AccessGate is a significant programming task, and for that reason is covered in greater detail in the Oracle Access Manager Deployment Guide.
You can create an authentication method, for example for a new certificate type, that is not covered completely by the existing plug-ins provided with Oracle Access Manager. Or, you can add a method to authenticate users against an external data store, such as an RDBMS.
To do this, you use the Authentication Plug-in API, as described in the Oracle Access Manager Deployment Guide, to write the new plug-in and add it to Oracle Access Manager.
When a browser, for example, requests a resource from an Access System-protected Web server, the WebGate plug-in checks to see if the resource is protected and if the user needs to authenticate. If so, WebGate requires a new login for the user and sends an authentication challenge to the browser. The challenge conforms to the challenge method defined in an authentication scheme. The authentication scheme in turn is part of an authentication rule which is part of the access policy protecting the resource. When the scheme is carried out, it invokes a single authentication plug-in, or two or more chained plug-ins which are performed in a specified order. The Oracle Access Manager Access Administration Guide provides an introduction to authentication schemes and describes steps for assigning and ordering plug-ins in an authentication scheme.
All schemes follow the same general flow. In response to the authentication challenge, the browser obtains credentials from the user, such as a user name and password or a client certificate. In some cases, for example client certificate authentication, credentials are generated by the browser on behalf of the user. The browser sends the credentials to the server, in a format determined by the challenge. WebGate re-formats the credentials as a set of name-value pairs for use during its processing and treats them as an authentication request.
Input to the single plug-in, or to each plug-in in the scheme, is the set of credentials. Output is a status, to either accept, deny, continue or abort the authentication, and a set of credentials, possibly different from the originals. A result message is logged in the audit file if authentication is denied. When the authentication scheme finishes, the result must be to have produced one and only one valid user DN, or, if authentication fails, no user DN.
If authentication succeeds, WebGate creates a session cookie containing the user's profile DN, the IP address of the user's browser, the level of authentication successfully performed, and an expiration timestamp for the cookie. WebGate can also set HTTP header variables based on the authentication actions defined for the authentication scheme. The cookie and HTTP information are returned to the browser, and access is granted.
Creating an authentication plug-in is a significant programming task, and for that reason is covered in greater detail in the Oracle Access Manager Developer Guide.
Oracle Access Manager associates collections of resources into domains, and provides a way for users to set policies controlling access to the domains. You want to add coverage for something other than the default resources. For instance, you may want to apply an authorization algorithm that is influenced by rules or other data that reside in an external data store, such as an RDBMS.
You can use the Authorization Plug-in API, as discussed in the Oracle Access Manager Developer Guide, to write the new plug-in and add it to Oracle Access Manager.
The API provides a way for the user to create functional modules, called plug-ins, which are used within an authorization scheme. Schemes are included in authorization rules, and one or more authorization rules, along with one authentication rule and one audit rule, make up a policy that controls access to a resource type within a domain, such as certain URLs within a Web site or a set of methods within an application. The Access System provides two standard resource types, URL and EJB, but others can be easily added and defined by the user. See the Oracle Access Manager Access Administration Guide for methods to create resource types, domains, policies, rules and schemes.
Plug-ins within authorization schemes are used for two purposes:
To confirm or deny access to a resource, or to acquire data to be used by the next authorization rule in the policy. This is called an authorization plug-in.
To perform an action after the access decision is made. This is called a custom action plug-in.
To use a plug-in created by the Authorization Plug-in API, two types of information need to be configured by an administrator:
An authorization scheme to use the plug-in. A given scheme can be used by both authorization plug-ins and custom action plug-ins.
A custom authorization rule to use the scheme.
Creating an authorization plug-in is a significant programming task, and for that reason is covered in greater detail in the Oracle Access Manager Deployment Guide.
You can insert logic that will communicate with an application or perform an action outside of Oracle Access Manager.
To do this, you use the Identity Event Plug-in API, as discussed in the Oracle Access Manager Deployment Guide, to create the necessary logic and tie it to events that occur within the Identity System.
The Identity Event Plug-in API gives systems integrators the ability to extend beyond the base Oracle Access Manager functionality. It does this by providing a channel for Identity System data to flow between Oracle Access Manager applications and a wide range of external software components. The potential applications for this API can be as simple as basic logging of Oracle Access Manager usage, or as sophisticated as data-filtering pipelines or seamless bridges to ERP systems.
The Identity Event Plug-in API is a standard installed component of the Oracle Access Manager product.
Creating an Identity Event plug-in is a significant programming task, and for that reason is covered in greater detail in the Oracle Access Manager Developer Guide.