The flow is shown below:

• The application or servlet containing the access gate code receives resource request from the user.
• The access gate code constructs ObResourceRequest structure and access gate contacts Access server to find whether resource is protected or not.
• The access server responds.
• If the resource is not protected, access gate ALLOWS user to access the resource. Otherwise..,
• Access Gate constructs ObAuthenticationScheme structure to ask Access Server what credentials the user needs to supply.
• The access server responds.
• The application uses a FORM or some other means to fetch the credentials.
• The AccessGate constructs ObUserSession structure which presents user details to Acc Server.
• If credentials are proven valid, access gate CREATES a session TOKEN for the user and then sends an authorization request to the access server.
• Access server validates if the user is authz to access that resource.
• Access gate allows user to access the requested resource.

The flow is shown below: