APEX / EBS Security and Responsibility...
Presented by the City of St. Petersburg
Rob Sipko
Oracle Applications Developer
APEX / EBS Security and Responsibility Integration
Introduction – Why use APEX with EBS?
- Extending Oracle E-Business Suite Release 12.1 and above using Oracle Application Express [Revision 2]
“Oracle E-Business Suite delivers a wide range of functionality to handle core areas of your business processing needs. However, there are situations where you want to extend your information systems beyond the range of Oracle E-Business Suite. Many times these necessary extensions are meant to handle unique industry conventions, specific customer requirements, or perhaps to offer some other competitive edge. Sometimes these change requests are simple enough, but other times more extensive customizations are needed. In these scenarios, Oracle Application Express, also known as Oracle APEX, provides an easy way to create supplemental applications that are easily integrated with your Oracle E-Business Suite and its data.”
Prerequisites
• Oracle E-Business Suite 12.1.3 or above
• APEX
• EBS Patch 12316083 (for 12.1.X environments)
• FND: APEX URL profile option set
GOAL
Extend Oracle E-Business Suite (12.1+) using APEX so that it is seamless to the end users.
• Fully integrated applications registered within EBS so they are available within EBS menus.
• Authentication (who can login) uses EBS authentication.
• Authorization (who can see what) is controlled through EBS responsibilities and security groups.
• Automatically authenticate when possible. (No second login required)
• APEX session keeps EBS session active to prevent timeout.
• No Oracle Single Sign On (OSSO)
• Secure!!!
EBS Menu Integration – 30 second review
The System Administrator responsibility is where you create functions. Functions are then assigned to menus. Finally, menus are associated to a responsibility.
EBS Menu Integration – APEX and Seeded Functionality
You can now create a Form Function to call an APEX page
SSWA jsp function
EBS Menu Integration – APEX and Seeded Functionality
Behind the scenes: Find & Replace
Passing the Responsibility ID, Application ID, and Security Group ID to an APEX application is NOT enough to meet our requirements of seamless integration.
EBS Menu Integration – Customizing GWY.jsp
• This is the only customization required and doesn’t affect seeded functionality.
• The new (and only) parameter will be called [EBS_PARAMS]
• Step 1: Retrieve current EBS session ID
• Step 2: Pass session ID into custom function that will return key values in an encrypted format
• Step 3: Replace [EBS_PARAMS] with the encrypted value and continue to redirect to APEX
EBS Menu Integration – XXSPGWY.jsp Based Function
XXSPGWY.jsp based function successfully passes our encrypted parameter to APEX.
Authentication – Definition
Authentication: Process by which a system verifies the identity of a user who wishes to access it
“Who can login?”
Authentication – APEX Authentication Schemes
• An APEX application’s authentication rules are defined in the “Authentication Scheme”
• The authentication scheme is located in the Shared Components of an application.
• A custom authentication scheme needs to be defined to use EBS credentials.
• This scheme is defined in a PL/SQL function that returns TRUE / FALSE.
Authentication – Authentication Function (Simple)
One way to authenticate using EBS credentials is to call the validatelogin function provided by Oracle.
“Why do I have to log in twice?”
Authentication – Oracle EBS Sessions: ICX_SESSIONS
A session is created when a user logs into EBS. A Session ID is generated and stored in a cookie on the user’s computer. A session entry is inserted into the ICX_SESSIONS table.
Authentication – Automatic Login Flow
Attempt to get session ID from browser cookie.
• ICX_SEC.getsessioncookie(v_session_id);
Check to see if session is valid.
• ICX_SEC.check_session (p_session_id, p_resp_id, p_app_resp_id);
Generate encrypted, self-destructing, password candidate for session.
• Use DBMS_OBFUSCATION_TOOLKIT.MD5 with an encrypted seed value to generate password.
• Seed value dependent upon timestamp.
Authentication – Automatic Login Flow (Cont.)
Generate valid passwords and validate against the candidate password.
• Compare candidate password to valid hashes created by going back in time by 0-5 seconds.
• If any of the valid passwords in the last 5 seconds equal the candidate password then the user is authenticated!
If process fails require manual login from user.
• Process will fail if session cannot be read from cookie.
• Process will fail if session is invalid (expired).
• Process will fail if it takes more than 5 seconds to process request.
Only require login if process fails to auto login
Authentication Scheme called by APEX
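
The 0-5 second window check from the two Automatic Login Flow slides, as an added PL/SQL example (not the presenter's code). It swaps the deck's DBMS_OBFUSCATION_TOOLKIT.MD5 with an encrypted seed for a keyed HMAC-SHA-256 from DBMS_CRYPTO, which assumes Oracle Database 12c or later; make_token, token_is_valid, the key, the session IDs and the epoch value are all constructed for illustration.

```sql
-- Added example; make_token, token_is_valid and all values are hypothetical.
-- Needs EXECUTE on DBMS_CRYPTO; run with SET SERVEROUTPUT ON.
DECLARE
  c_window CONSTANT PLS_INTEGER := 5;   -- seconds a candidate stays valid (per the slides)
  -- Constructed demo key; a real secret is never kept in source code.
  c_key    CONSTANT RAW(64) := UTL_RAW.CAST_TO_RAW('constructed-demo-key-0123456789ab');
  l_now    CONSTANT NUMBER  := 1700000000;  -- constructed epoch second, fixed for repeatability
  l_token  RAW(32);

  -- Candidate password: HMAC-SHA-256 over "session_id:epoch_second".
  FUNCTION make_token(p_session_id IN NUMBER, p_epoch IN NUMBER) RETURN RAW IS
  BEGIN
    RETURN DBMS_CRYPTO.MAC(
             src => UTL_RAW.CAST_TO_RAW(TO_CHAR(p_session_id) || ':' || TO_CHAR(p_epoch)),
             typ => DBMS_CRYPTO.HMAC_SH256,
             key => c_key);
  END make_token;

  -- Recompute the token for now, now-1, ... now-5 and accept on any match.
  FUNCTION token_is_valid(p_session_id IN NUMBER, p_candidate IN RAW, p_now IN NUMBER)
    RETURN BOOLEAN IS
    l_match BOOLEAN := FALSE;
  BEGIN
    -- Reject missing or wrong-length input before comparing.
    IF p_candidate IS NULL OR UTL_RAW.LENGTH(p_candidate) != 32 THEN
      RETURN FALSE;
    END IF;
    FOR i IN 0 .. c_window LOOP
      -- No early exit: every offset in the window is evaluated.
      IF UTL_RAW.COMPARE(p_candidate, make_token(p_session_id, p_now - i)) = 0 THEN
        l_match := TRUE;
      END IF;
    END LOOP;
    RETURN l_match;
  END token_is_valid;

  PROCEDURE show(p_case IN VARCHAR2, p_ok IN BOOLEAN) IS
  BEGIN
    DBMS_OUTPUT.PUT_LINE(RPAD(p_case, 22) ||
                         CASE WHEN p_ok THEN 'auto login' ELSE 'manual login' END);
  END show;
BEGIN
  l_token := make_token(4242, l_now);   -- issued when the EBS session was confirmed
  show('same second',       token_is_valid(4242, l_token, l_now));
  show('3 seconds later',   token_is_valid(4242, l_token, l_now + 3));
  show('6 seconds later',   token_is_valid(4242, l_token, l_now + 6));
  show('other session id',  token_is_valid(4243, l_token, l_now + 1));
  show('no candidate',      token_is_valid(4242, NULL, l_now));
END;
/
```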
Authorization – Definition
Authorization: You can use authorization to identify additional security beyond simple user authentication.
“Who can see what?”
Authorization – APEX Authorization Schemes
• An APEX application’s authorization rules are defined in the “Authorization Scheme”
• The authorization scheme is located in the Shared Components of an application.
• This scheme is defined in a PL/SQL function that returns TRUE / FALSE.
• Run this authorization check on every page view.
Authorization – Authorization Flow
Perform Security Checks.
• URL manipulation
Set EBS context.
• fnd_global.apps_initialize(user_id, resp_id, resp_appl_id, security_group_id, server_id);
Check to see if session is still valid.
• ICX_SEC.check_session (p_session_id, p_resp_id, p_app_resp_id);
• If INVALID do not return FALSE. Instead re-authenticate.
Check to see if user has access to the function
• Does user have access to the function we defined (XXSPGWY.jsp)
• fnd_function.test(l_function_name); ex. XXAPEX_TEST
Authorization – Additional Authorization
• An Authorization Scheme is called every time a page is loaded. This is a safe approach.
• But is there any risk if the Authorization Scheme is called only on page load?
• An Application Process can help us to prevent a commit on an invalid session.
• After a page is submitted but before the transaction is committed this process is called. The process is a mini-authorization that only validates the session state.
EBS Session Management
• An EBS Session becomes invalid if the last_connect value for the session is older than the current time minus the timeout offset.
• Every time you take an action in EBS the last_connect value is updated.
• The act of invoking ICX_SEC.check_session will also update the last_connect if the session is valid.
EBS Session Management – Re-Authentication
• If your EBS session becomes inactive while you’re working in APEX you will need to re-authenticate.
• APEX checks EBS session in Authorization Scheme and in the Application Process on page submission.
• If the EBS session is invalid it will redirect to the APEX login page prompting for your EBS username and password.
GOAL - Succeeded
Extend Oracle E-Business Suite (12.1+) using APEX so that it is seamless to the end users.
• Fully integrated applications registered within EBS so they are available within EBS menus.
• Authentication (who can login) uses EBS authentication.
• Authorization (who can see what) is controlled through EBS responsibilities and security groups.
• Automatically authenticate when possible. (No second login required)
• APEX session keeps EBS session active to prevent timeout.
• No Oracle Single Sign On (OSSO)
• Secure!!!
Q & A
Questions?