15 Flash Fingerprinting

This chapter focuses on the specifics of Flash Fingerprinting within an Oracle Adaptive Access Manager native integration.

All code examples included in the chapter are outlines of calls needed to perform the tasks. They should not be considered complete implementations.

Note:

This chapter assumes that the reader is familiar with Oracle Adaptive Access Manager native integrations and APIs.

15.1 Device Fingerprinting

Oracle Adaptive Access Manager captures information about the devices a user utilizes when accessing protected applications. This information consists of many different data points gathered through a variety of means. The data collected is encoded into a unique fingerprint for the device.

When a device is used for an access request, Oracle Adaptive Access Manager interrogates the device for the fingerprint and uses it, along with many other types of data, to determine the risk associated with that specific access request. The technologies used to gather fingerprint data include HTTP headers, a secure cookie, a Flash shared object and behavior profiling. Note that every one of these signals originates on the client and can be replayed or forged, so the fingerprint is a risk input, not proof of identity.

15.2 Definitions of Variables and Parameters

Table 15-1 lists the parameters and response variables in the interaction between the flash movie and the application.

Table 15-1 Flash movie Parameters and Response Variables

Parameter/Response Variable    Usage

v

HTTP request parameter sent from the flash movie to the application. It carries the flash "cookie" string currently stored on the client, a generated value that is used a single time: each updateLog call issues a replacement. The replacement is returned to the flash movie in the HTTP response body as "&v=<new value>".

client

HTTP request parameter sent from the flash movie to the application. It identifies the type of client performing the fingerprinting (in this case, flash). The value sent by the flash movie is "vfc"; the server should check for it before handing fp to the parser.

fp

HTTP request parameter sent from the flash movie to the application. It contains the information about the client computer that is accessible to the Flash Player, and is parsed on the server with VCryptServletUtil.getFlashFingerPrint(client, fp).
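
The following servlet is an added example, not code from the Oracle Adaptive Access Manager documentation or product. It shows the HTTP side of the exchange in Table 15-1: the flash movie's request is checked for the expected client value before fp is parsed, the option-specific flashFingerPrint(request) method (the method of that name in the code examples for Options 1 to 3) produces the value to return, and the response body is written as "&v=<new value>". The class name FlashFingerprintServlet, the abstract flashFingerPrint hook, the Cache-Control header and the URL-encoding of the returned value are this example's choices, not documented OAAM requirements.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.net.URLEncoder;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Endpoint for the HTTP request issued by the fingerprinting flash movie.
 * Subclasses implement flashFingerPrint(request) as shown in the Option 1, 2
 * or 3 code example; this class only owns the request/response contract.
 * (Added example; class name and structure are assumptions, not OAAM API.)
 */
public abstract class FlashFingerprintServlet extends HttpServlet {

    /** Client type the flash movie reports in the "client" parameter (Table 15-1). */
    private static final String FLASH_CLIENT = "vfc";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        handle(request, response);
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        handle(request, response);
    }

    private void handle(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // "v", "client" and "fp" are all attacker-controllable input. Reject anything
        // that does not identify itself as the flash client before fp reaches the parser.
        String client = request.getParameter("client");
        if (!FLASH_CLIENT.equals(client)) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // Option-specific handling: parse fp, store it in the session and, depending on
        // the option, call updateLog. Returns the "v" value to hand back to the movie.
        String newCookie = flashFingerPrint(request);
        if (newCookie == null) {
            newCookie = "";
        }

        // The movie reads the body as URL-encoded name=value pairs; Table 15-1 specifies
        // the "&v=<new value>" form. Encoding the value keeps it a single pair even if it
        // contained '&' or '='. The one-time cookie must not be cached by intermediaries.
        response.setContentType("text/plain");
        response.setCharacterEncoding("UTF-8");
        response.setHeader("Cache-Control", "no-store");
        PrintWriter out = response.getWriter();
        out.print("&v=" + URLEncoder.encode(newCookie, "UTF-8"));
        out.flush();
    }

    /**
     * Implemented per option (see the flashFingerPrint examples in Sections 15.3 to 15.5).
     * Must return the flash cookie value to send back, or "" when none is available.
     */
    protected abstract String flashFingerPrint(HttpServletRequest request);
}
```

The servlet never echoes fp back and never writes anything to the response other than the single v pair, so a tampered fp can reach only getFlashFingerPrint, where it is parsed rather than trusted. Map the servlet at the URL compiled into the flash movie.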


15.3 Option 1

Option 1 is the traditional implementation using a "Jump Page" to include the flash movie that is used for fingerprinting. In Option 1, the flash movie sends the user's current flash cookie value to the server and the server responds with a new value in a single transaction.

15.3.1 Option 1 Flow

Figure 15-1 shows the flow of Option 1.

Figure 15-1 Option 1

  1. The user is presented with the user name page

  2. The user submits the user name

    1. The application loads the user

    2. The application calls VCryptTracker.updateLog with the user and HTTP cookie information

  3. The user is taken to the jump page containing the embedded flash movie

    1. The flash movie makes an HTTP request that triggers the flash fingerprint handling

      i. The server retrieves the HTTP request parameter "v" and stores it in the session

      ii. The server retrieves the HTTP request parameter "client"

      iii. The server retrieves the HTTP request parameter "fp"

      iv. The server parses fp with VCryptServletUtil.getFlashFingerPrint(client, fp)

      v. The server calls VCryptTracker.updateLog with the user, HTTP cookie, and flash information

      vi. The new flash cookie returned in the CookieSet from updateLog is sent to the flash movie in the HTTP response ("&v=" + cookieSet.getFlashCookie())

  4. The user is taken to the password page after the jump page wait period

    1. Run the Pre-Authentication Rules

  5. The user submits the password

    1. The application verifies the password

    2. Run the Post-Authentication Rules

    3. The application calls VCryptTracker.updateAuthStatus with the authentication result

15.3.2 Option 1 Code Example

This section provides a code example for Option 1.

public String flashFingerPrint(HttpServletRequest request) {
    HttpSession session = request.getSession(true);
    try {
        // Parameters sent by the flash movie (Table 15-1); all three are untrusted client input
        String digitalCookie = request.getParameter("v");
        String fpStr = request.getParameter("fp");
        String client = request.getParameter("client");
        String flashFingerprint = VCryptServletUtil.getFlashFingerPrint(client, fpStr);
        session.setAttribute("v", digitalCookie);
        session.setAttribute("fp", flashFingerprint);

        // The user was loaded and placed in the session when the user name was submitted
        VCryptAuthUser clientUser = (VCryptAuthUser) session.getAttribute("clientUser");
        if (clientUser == null) {
            // User not found in session: nothing to log against, return an empty "v"
            return "";
        }

        String loginId = clientUser.getLoginId();
        String customerId = clientUser.getCustomerId();
        String groupId = clientUser.getCustomerGroupId();
        // FLASH_CLIENT_ENUM is the name of the flash element of the client type enumeration
        // and authResult is the authentication status at this point in the flow (the user
        // has not authenticated yet). Both are defined elsewhere in the application.
        int clientType = UserDefEnum.getElementValue(IBharosaConstants.ENUM_CLIENT_TYPE_ID, FLASH_CLIENT_ENUM);

        // updateLog (Section 15.6) records the fingerprints and returns the new cookie set
        CookieSet cookieSet = updateLog(request, loginId, customerId, groupId, clientType, authResult);
        session.setAttribute("cookieSet", cookieSet);

        // The new flash cookie is returned to the movie as "&v=<value>"
        return cookieSet.getFlashCookie();
    } catch (Exception e) {
        // Handle fingerprinting error: log it server-side, do not leak details to the movie
    }
    return "";
} // flashFingerPrint

15.4 Option 2

Option 2 is a newer, more streamlined user experience that eliminates the "Jump Page" from the user experience. To do this, the flash movie is included in both the user name page and the password page.

15.4.1 Option 2 Flow

Figure 15-2 shows the flow of Option 2.

Figure 15-2 Option 2

  1. The user is presented with the user name page with the embedded flash movie

    1. The flash movie makes an HTTP request that triggers the flash fingerprint handling

      i. The server retrieves the HTTP request parameter "v" and stores it in the session

      ii. The server retrieves the HTTP request parameter "client"

      iii. The server retrieves the HTTP request parameter "fp"

      iv. The server parses fp with VCryptServletUtil.getFlashFingerPrint(client, fp) and stores the result in the user session

      v. The received value of "v" is echoed back to the flash movie in the HTTP response ("&v=" + v); no new value exists yet because updateLog has not been called

  2. The user submits the user name

    1. The application loads the user

    2. Run the Pre-Authentication Rules

    3. The application calls VCryptTracker.updateLog with the user, HTTP cookie, and the flash values stored in the session; the returned CookieSet holds the new flash cookie

  3. The user is taken to the password page with the embedded flash movie

    1. The flash movie makes an HTTP request that triggers the flash fingerprint handling

      i. The server already has the fingerprint from the previous flash request and does not parse fp again

      ii. The new flash cookie generated by the updateLog call is returned to the flash movie ("&v=" + cookieSet.getFlashCookie())

  4. The user submits the password

    1. The application verifies the password

    2. Run the Post-Authentication Rules

    3. The application calls VCryptTracker.updateAuthStatus with the authentication result

15.4.2 Option 2 Code Example

This section provides a code example for Option 2.

public String flashFingerPrint(HttpServletRequest request) {
    HttpSession session = request.getSession(true);
    try {
        CookieSet cookieSet = (CookieSet) session.getAttribute("cookieSet");
        if (cookieSet == null) {
            // First flash request (user name page): store "v" and the parsed fingerprint in
            // the session so updateLog can use them when the user name is submitted, and echo
            // the received "v" back to the movie, since no new value has been generated yet.
            String digitalCookie = request.getParameter("v");
            String fpStr = request.getParameter("fp");
            String client = request.getParameter("client");
            String flashFingerprint = VCryptServletUtil.getFlashFingerPrint(client, fpStr);
            session.setAttribute("v", digitalCookie);
            session.setAttribute("fp", flashFingerprint);
            return digitalCookie == null ? "" : digitalCookie;
        }
        // Second flash request (password page): fingerprinting already happened and updateLog
        // has run, so return the new flash cookie from the stored cookie set.
        return cookieSet.getFlashCookie();
    } catch (Exception e) {
        // Handle fingerprinting error: log it server-side, do not leak details to the movie
    }
    return "";
} // flashFingerPrint

15.5 Option 3

Option 3 is an implementation using a single page for user name and password (not using virtual authentication devices), and uses a "Jump Page" to include the flash movie used for fingerprinting. In this case, the flash movie will send the server the user's current flash cookie value and the server will respond with a new value in a single transaction.

15.5.1 Option 3 Flow

Figure 15-3 shows the flow of Option 3.

Figure 15-3 Option 3 Flow

  1. The user is presented with a single user name and password page

  2. The user submits the user name and password

    1. The application loads the user

    2. The application verifies the password

    3. The application calls VCryptTracker.updateLog with the user, the authentication result, and HTTP cookie information

  3. The user is taken to the jump page containing the embedded flash movie

    1. The flash movie makes an HTTP request that triggers the flash fingerprint handling

      i. The server retrieves the HTTP request parameter "v" and stores it in the session

      ii. The server retrieves the HTTP request parameter "client"

      iii. The server retrieves the HTTP request parameter "fp"

      iv. The server parses fp with VCryptServletUtil.getFlashFingerPrint(client, fp)

      v. The server calls VCryptTracker.updateLog with the user, HTTP cookie, and flash information

      vi. The new flash cookie returned in the CookieSet from updateLog is sent to the flash movie in the HTTP response ("&v=" + cookieSet.getFlashCookie())

  4. The user continues on to the application after the jump page wait period

    1. Run the Post-Authentication Rules

    2. The application calls VCryptTracker.updateAuthStatus with the authentication result

15.5.2 Option 3 Code Example

This section provides a code example for Option 3.

public String flashFingerPrint(HttpServletRequest request) {
    HttpSession session = request.getSession(true);
    try {
        // Parameters sent by the flash movie (Table 15-1); all three are untrusted client input
        String digitalCookie = request.getParameter("v");
        String fpStr = request.getParameter("fp");
        String client = request.getParameter("client");
        String flashFingerprint = VCryptServletUtil.getFlashFingerPrint(client, fpStr);
        session.setAttribute("v", digitalCookie);
        session.setAttribute("fp", flashFingerprint);

        // The user was loaded and placed in the session when the credentials were submitted
        VCryptAuthUser clientUser = (VCryptAuthUser) session.getAttribute("clientUser");
        if (clientUser == null) {
            // User not found in session: nothing to log against, return an empty "v"
            return "";
        }

        String loginId = clientUser.getLoginId();
        String customerId = clientUser.getCustomerId();
        String groupId = clientUser.getCustomerGroupId();
        // FLASH_CLIENT_ENUM is the name of the flash element of the client type enumeration;
        // authResult is the result of the password verification performed before the jump
        // page. Both are defined elsewhere in the application.
        int clientType = UserDefEnum.getElementValue(IBharosaConstants.ENUM_CLIENT_TYPE_ID, FLASH_CLIENT_ENUM);

        // updateLog (Section 15.6) records the fingerprints and returns the new cookie set
        CookieSet cookieSet = updateLog(request, loginId, customerId, groupId, clientType, authResult);
        session.setAttribute("cookieSet", cookieSet);

        // The new flash cookie is returned to the movie as "&v=<value>"
        return cookieSet.getFlashCookie();
    } catch (Exception e) {
        // Handle fingerprinting error: log it server-side, do not leak details to the movie
    }
    return "";
} // flashFingerPrint

15.6 Common Update

The implementations would use a method similar to the following for making updateLog calls:

protected CookieSet updateLog(HttpServletRequest request,
                              String loginId, String userId, String groupId,
                              int clientType, int authStatus) throws BharosaProxyException {
    HttpSession session = request.getSession(true);

    String requestId = (String) session.getAttribute("requestId");
    // Behind a reverse proxy or load balancer getRemoteAddr() returns the proxy's address;
    // take the client address from a forwarding header only if that proxy is trusted to set it.
    String remoteIPAddr = request.getRemoteAddr();
    String remoteHost = request.getRemoteHost();

    // Secure (HTTP) cookie, if the browser sent one
    String secureCookie = VCryptServletTrackerUtil.getSecureCookie(request);
    String secureClientVersion = "1.0";

    // Browser fingerprint (type and value) derived from the HTTP request headers
    Object[] fingerPrintInfo = VCryptServletUtil.getBrowserFingerPrint(request);
    int fingerPrintType = fingerPrintInfo == null ? 0 : ((Integer) fingerPrintInfo[0]).intValue();
    String fingerPrint = fingerPrintInfo == null ? "" : (String) fingerPrintInfo[1];

    // Flash fingerprint and flash cookie, stored in the session by flashFingerPrint()
    int fingerPrintType2 = VCryptServletUtil.flashFPType.intValue();
    String fingerPrint2 = (String) session.getAttribute("fp");
    String digitalCookie = (String) session.getAttribute("v");

    // On a repeat call within the same session, fall back to the cookies issued last time
    CookieSet cookieSet = (CookieSet) session.getAttribute("cookieSet");

    if (secureCookie == null && cookieSet != null) {
        secureCookie = cookieSet.getSecureCookie();
    }

    if (digitalCookie == null && cookieSet != null) {
        digitalCookie = cookieSet.getFlashCookie();
    }

    boolean isSecure = false;

    // Record the request and fingerprints; the returned CookieSet carries the new cookies
    VCryptTracker vTracker = VCryptTrackerUtil.getVCryptTrackerInstance();
    cookieSet = vTracker.updateLog(requestId, remoteIPAddr, remoteHost, secureCookie,
                                   digitalCookie, groupId, userId, loginId,
                                   isSecure, authStatus, clientType,
                                   secureClientVersion, fingerPrintType,
                                   fingerPrint, fingerPrintType2,
                                   fingerPrint2);

    return cookieSet;
}