Post on 07-Mar-2018
Presented by the City of St. Petersburg
Rob Sipko, Oracle Applications Developer
APEX / EBS Security and Responsibility Integration
Introduction – Why use APEX with EBS?
- Extending Oracle E-Business Suite Release 12.1 and above using Oracle Application Express [Revision 2]
“Oracle E-Business Suite delivers a wide range of functionality to handle core areas of your
business processing needs. However, there are situations where you want to extend your
information systems beyond the range of Oracle E-Business Suite. Many times these
necessary extensions are meant to handle unique industry conventions, specific customer
requirements, or perhaps to offer some other competitive edge. Sometimes these change
requests are simple enough, but other times more extensive customizations are needed.
In these scenarios, Oracle Application Express, also known as Oracle APEX, provides an
easy way to create supplemental applications that are easily integrated with your Oracle
E-Business Suite and its data.”
Prerequisites
• Oracle E-Business Suite 12.1.3 or above
• APEX
• EBS Patch 12316083 (for 12.1.X environments)
• FND: APEX URL profile option set
GOAL
Extend Oracle E-Business Suite (12.1+) using APEX so that it is seamless to the end users.
• Fully integrated applications registered within EBS so they are available within EBS menus.
• Authentication (who can login) uses EBS authentication.
• Authorization (who can see what) is controlled through EBS responsibilities and security groups.
• Automatically authenticate when possible (no second login required).
• APEX session keeps EBS session active to prevent timeout.
• No Oracle Single Sign On (OSSO).
• Secure!!!
EBS Menu Integration – 30 second review
The System Administrator responsibility is where you create functions. Functions are
then assigned to menus. Finally, menus are associated to a responsibility.
EBS Menu Integration – APEX and Seeded Functionality
You can now create a Form Function of type “SSWA jsp function” to call an APEX page.
EBS Menu Integration – APEX and Seeded Functionality
Behind the scenes: Find & Replace
Passing the Responsibility ID, Application ID, and Security Group ID to an APEX application is NOT
enough to meet our requirements of seamless integration.
EBS Menu Integration – Customizing GWY.jsp
• This is the only customization required and doesn’t affect seeded functionality.
• The new (and only) parameter will be called [EBS_PARAMS].
• Step 1: Retrieve the current EBS session ID.
• Step 2: Pass the session ID into a custom function that will return the key values in an encrypted format.
• Step 3: Replace [EBS_PARAMS] with the encrypted value and continue the redirect to APEX.
EBS Menu Integration – XXSPGWY.jsp Based Function
XXSPGWY.jsp based function successfully passes our encrypted parameter to APEX.
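The three GWY.jsp steps above depend on a custom function that turns the session ID into the encrypted [EBS_PARAMS] value, and on APEX being able to reverse it. The PL/SQL below is an added example, not the deck's or Oracle's code, of such a pair. The package name xxsp_apex_sec, the two demo keys and the ICX_SESSIONS column names in the SELECT are assumptions, and DBMS_CRYPTO.HMAC_SH256 needs a database release that has the SHA-2 constants in DBMS_CRYPTO. It goes one step beyond the deck by adding an HMAC over the ciphertext and a short token lifetime, so a value that was altered in the URL, or captured and replayed later, is rejected before any of the session values inside it are trusted.

```sql
-- Added example (not from the deck): encrypt the EBS key values for [EBS_PARAMS] and decrypt them in APEX.
-- Assumptions: package name, the two demo keys, and the ICX_SESSIONS column names used in the SELECT.
CREATE OR REPLACE PACKAGE xxsp_apex_sec AS
  FUNCTION  encrypt_params(p_session_id IN NUMBER) RETURN VARCHAR2;
  PROCEDURE decrypt_params(p_token             IN  VARCHAR2,
                           p_session_id        OUT NUMBER,
                           p_user_id           OUT NUMBER,
                           p_resp_id           OUT NUMBER,
                           p_resp_appl_id      OUT NUMBER,
                           p_security_group_id OUT NUMBER);
END xxsp_apex_sec;
/
CREATE OR REPLACE PACKAGE BODY xxsp_apex_sec AS
  -- Constructed demo keys (32 bytes each). A real deployment loads them from a protected store, never from source.
  g_enc_key CONSTANT RAW(32) := HEXTORAW('0F1E2D3C4B5A69788796A5B4C3D2E1F00F1E2D3C4B5A69788796A5B4C3D2E1F0');
  g_mac_key CONSTANT RAW(32) := HEXTORAW('A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F90');
  c_alg         CONSTANT PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES256
                                      + DBMS_CRYPTO.CHAIN_CBC
                                      + DBMS_CRYPTO.PAD_PKCS5;
  c_max_age_sec CONSTANT NUMBER      := 60;  -- the token only has to survive one redirect

  FUNCTION encrypt_params(p_session_id IN NUMBER) RETURN VARCHAR2 IS
    l_plain  VARCHAR2(400);
    l_iv     RAW(16);
    l_cipher RAW(2000);
    l_mac    RAW(32);
  BEGIN
    -- Key values are read from the live session row, so GWY.jsp only ever supplies the session ID
    SELECT user_id || '|' || responsibility_id || '|' || responsibility_application_id || '|'
           || NVL(security_group_id, 0) || '|' || session_id || '|' || TO_CHAR(SYSDATE, 'YYYYMMDDHH24MISS')
      INTO l_plain
      FROM icx_sessions
     WHERE session_id = p_session_id;

    l_iv     := DBMS_CRYPTO.RANDOMBYTES(16);                -- fresh IV per token
    l_cipher := DBMS_CRYPTO.ENCRYPT(src => UTL_I18N.STRING_TO_RAW(l_plain, 'AL32UTF8'),
                                    typ => c_alg, key => g_enc_key, iv => l_iv);
    -- Encrypt-then-MAC: the tag covers IV and ciphertext, so any edit to the token is detected
    l_mac    := DBMS_CRYPTO.MAC(src => UTL_RAW.CONCAT(l_iv, l_cipher),
                                typ => DBMS_CRYPTO.HMAC_SH256, key => g_mac_key);
    -- Hex output is URL-safe, so GWY.jsp can paste it into the redirect without extra escaping
    RETURN RAWTOHEX(UTL_RAW.CONCAT(l_iv, l_cipher, l_mac));
  END encrypt_params;

  PROCEDURE decrypt_params(p_token             IN  VARCHAR2,
                           p_session_id        OUT NUMBER,
                           p_user_id           OUT NUMBER,
                           p_resp_id           OUT NUMBER,
                           p_resp_appl_id      OUT NUMBER,
                           p_security_group_id OUT NUMBER) IS
    l_raw    RAW(2100)   := HEXTORAW(p_token);   -- raises ORA-01465 on non-hex input, which is the right outcome
    l_len    PLS_INTEGER := UTL_RAW.LENGTH(l_raw);
    l_iv     RAW(16);
    l_cipher RAW(2000);
    l_plain  VARCHAR2(400);
    l_stamp  DATE;
  BEGIN
    -- Minimum size: 16-byte IV + one 16-byte AES block + 32-byte tag
    IF l_len < 64 THEN
      RAISE_APPLICATION_ERROR(-20001, 'EBS_PARAMS is malformed');
    END IF;
    l_iv     := UTL_RAW.SUBSTR(l_raw, 1, 16);
    l_cipher := UTL_RAW.SUBSTR(l_raw, 17, l_len - 48);
    -- Verify the tag before touching the ciphertext
    IF UTL_RAW.COMPARE(UTL_RAW.SUBSTR(l_raw, l_len - 31, 32),
                       DBMS_CRYPTO.MAC(UTL_RAW.CONCAT(l_iv, l_cipher), DBMS_CRYPTO.HMAC_SH256, g_mac_key)) <> 0 THEN
      RAISE_APPLICATION_ERROR(-20002, 'EBS_PARAMS failed its integrity check');
    END IF;
    l_plain := UTL_I18N.RAW_TO_CHAR(DBMS_CRYPTO.DECRYPT(l_cipher, c_alg, g_enc_key, l_iv), 'AL32UTF8');

    p_user_id           := TO_NUMBER(REGEXP_SUBSTR(l_plain, '[^|]+', 1, 1));
    p_resp_id           := TO_NUMBER(REGEXP_SUBSTR(l_plain, '[^|]+', 1, 2));
    p_resp_appl_id      := TO_NUMBER(REGEXP_SUBSTR(l_plain, '[^|]+', 1, 3));
    p_security_group_id := TO_NUMBER(REGEXP_SUBSTR(l_plain, '[^|]+', 1, 4));
    p_session_id        := TO_NUMBER(REGEXP_SUBSTR(l_plain, '[^|]+', 1, 5));
    l_stamp             := TO_DATE(REGEXP_SUBSTR(l_plain, '[^|]+', 1, 6), 'YYYYMMDDHH24MISS');
    -- A token copied out of an old URL should not be able to open a session later
    IF (SYSDATE - l_stamp) * 86400 > c_max_age_sec THEN
      RAISE_APPLICATION_ERROR(-20003, 'EBS_PARAMS has expired');
    END IF;
  END decrypt_params;
END xxsp_apex_sec;
/
```

GWY.jsp calls `encrypt_params` with the session ID it retrieved in Step 1 and substitutes the returned hex string for [EBS_PARAMS]; on the APEX side, a process that runs before authentication calls `decrypt_params` and copies the five values into application items, after which the token is never needed again.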
Authentication – Definition
Authentication: the process by which a system verifies the identity of a user who wishes to access it.
“Who can login?”
Authentication – APEX Authentication Schemes
• An APEX application’s authentication rules are defined in the “Authentication Scheme”.
• The authentication scheme is located in the Shared Components of an application.
• A custom authentication scheme needs to be defined to use EBS credentials.
• This scheme is defined in a PL/SQL function that returns TRUE / FALSE.
Authentication – Authentication Function (Simple)
One way to authenticate using EBS credentials is to call the validate_login function provided by Oracle.
“Why do I have to log in twice?”
Authentication – Oracle EBS Sessions: ICX_SESSIONS
A session is created when a user logs into EBS. A Session ID is generated and stored in a
cookie on the user’s computer. A session entry is inserted into the ICX_SESSIONS table.
Authentication – Automatic Login Flow
Attempt to get session ID from browser cookie.
• ICX_SEC.getsessioncookie(v_session_id);
Check to see if session is valid.
• ICX_SEC.check_session (p_session_id, p_resp_id, p_app_resp_id);
Generate an encrypted, self-destructing password candidate for the session.
• Use DBMS_OBFUSCATION_TOOLKIT.MD5 with an encrypted seed value to generate the password.
• Seed value dependent upon timestamp.
Authentication – Automatic Login Flow (Cont.)
Generate valid passwords and validate against the candidate password.
• Compare candidate password to valid hashes created by going back in time by 0-5 seconds.
• If any of the valid passwords in the last 5 seconds equal the candidate password then the user is authenticated!
If process fails require manual login from user.
• Process will fail if session cannot be read from cookie.
• Process will fail if session is invalid (expired).
• Process will fail if it takes more than 5 seconds to process request.
Only require login if process fails to auto login.
Authentication Scheme called by APEX
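The simple validate_login scheme and the automatic login flow above fit into one authentication function. The PL/SQL below is an added example, not the deck's code: the package name xxsp_apex_auth, the demo seed, the application items EBS_SESSION_ID / EBS_RESP_ID / EBS_RESP_APPL_ID and the icx_sec.check_session argument order are taken from the deck or assumed, and reading the ICX cookie from inside APEX assumes APEX is served on a host that receives the EBS cookie. It swaps the deck's DBMS_OBFUSCATION_TOOLKIT.MD5 candidate for an HMAC-SHA256 from DBMS_CRYPTO (the obfuscation toolkit is deprecated), and keeps the deck's 0-5 second acceptance window.

```sql
-- Added example (not from the deck): APEX custom authentication with the automatic-login path.
-- Assumptions: package name, the demo seed, application items EBS_SESSION_ID / EBS_RESP_ID / EBS_RESP_APPL_ID,
-- and the icx_sec.check_session / icx_sec.getsessioncookie call forms shown in the deck.
-- The candidate password is an HMAC-SHA256 (DBMS_CRYPTO) rather than the deck's DBMS_OBFUSCATION_TOOLKIT.MD5.
CREATE OR REPLACE PACKAGE xxsp_apex_auth AS
  FUNCTION  auto_token(p_session_id IN NUMBER, p_username IN VARCHAR2,
                       p_at IN DATE DEFAULT SYSDATE) RETURN VARCHAR2;
  FUNCTION  authenticate(p_username IN VARCHAR2, p_password IN VARCHAR2) RETURN BOOLEAN;
  PROCEDURE try_auto_login;
END xxsp_apex_auth;
/
CREATE OR REPLACE PACKAGE BODY xxsp_apex_auth AS
  -- Constructed demo seed; in practice load it from a protected store, never from source
  g_seed       CONSTANT RAW(32)     := HEXTORAW('5A5A1234ABCD5A5A1234ABCD5A5A1234ABCD5A5A1234ABCD5A5A1234ABCD5A5A');
  c_window_sec CONSTANT PLS_INTEGER := 5;   -- accept candidates generated 0-5 seconds ago, as in the deck

  -- Candidate password: keyed hash of session, user and the current second. Nothing is stored,
  -- and the value is useless once the window has passed ("self-destructing").
  FUNCTION auto_token(p_session_id IN NUMBER, p_username IN VARCHAR2,
                      p_at IN DATE DEFAULT SYSDATE) RETURN VARCHAR2 IS
    l_msg VARCHAR2(200) := p_session_id || '|' || UPPER(p_username) || '|' || TO_CHAR(p_at, 'YYYYMMDDHH24MISS');
  BEGIN
    RETURN RAWTOHEX(DBMS_CRYPTO.MAC(src => UTL_I18N.STRING_TO_RAW(l_msg, 'AL32UTF8'),
                                    typ => DBMS_CRYPTO.HMAC_SH256, key => g_seed));
  END auto_token;

  -- Authentication Scheme > Authentication Function Name: xxsp_apex_auth.authenticate
  FUNCTION authenticate(p_username IN VARCHAR2, p_password IN VARCHAR2) RETURN BOOLEAN IS
    l_session_id NUMBER := TO_NUMBER(V('EBS_SESSION_ID'));
    l_now        DATE   := SYSDATE;
  BEGIN
    -- Automatic path: only for a live EBS session, and only within the 5-second window
    IF l_session_id IS NOT NULL
       AND icx_sec.check_session(l_session_id, TO_NUMBER(V('EBS_RESP_ID')), TO_NUMBER(V('EBS_RESP_APPL_ID'))) THEN
      FOR i IN 0 .. c_window_sec LOOP
        IF p_password = auto_token(l_session_id, p_username, l_now - i / 86400) THEN
          RETURN TRUE;
        END IF;
      END LOOP;
    END IF;
    -- Manual path: the user typed an EBS password; validate it with Oracle's API ('Y' = valid)
    RETURN fnd_web_sec.validate_login(p_username, p_password) = 'Y';
  EXCEPTION
    WHEN OTHERS THEN
      RETURN FALSE;   -- fail closed: any error during authentication means "not authenticated"
  END authenticate;

  -- Login-page Before Header process: read the EBS cookie and log in silently when possible.
  -- If it does not succeed, the login form is rendered and the user authenticates manually.
  PROCEDURE try_auto_login IS
    l_session_id NUMBER;
    l_username   VARCHAR2(100);
    l_resp_id    NUMBER;
    l_resp_appl  NUMBER;
  BEGIN
    icx_sec.getsessioncookie(l_session_id);    -- call form taken from the deck; NULL when no cookie is present
    IF l_session_id IS NULL THEN
      RETURN;
    END IF;
    SELECT u.user_name, s.responsibility_id, s.responsibility_application_id
      INTO l_username, l_resp_id, l_resp_appl
      FROM icx_sessions s
      JOIN fnd_user     u ON u.user_id = s.user_id
     WHERE s.session_id = l_session_id;
    apex_util.set_session_state('EBS_SESSION_ID',   l_session_id);
    apex_util.set_session_state('EBS_RESP_ID',      l_resp_id);
    apex_util.set_session_state('EBS_RESP_APPL_ID', l_resp_appl);
    -- Hands the candidate to the authentication function exactly as a typed password would be
    apex_authentication.login(p_username => l_username,
                              p_password => auto_token(l_session_id, l_username));
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      NULL;   -- unknown session: leave the login form for manual login
  END try_auto_login;
END xxsp_apex_auth;
/
```

The three failure cases from the slide fall out of the code: no cookie means `try_auto_login` returns before calling login, an expired session fails `check_session`, and a request that takes longer than the window produces a candidate that matches none of the six recomputed tokens, so the user lands on the normal login form.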
Authorization– Definition
Authorization: you can use authorization to identify additional security beyond simple user authentication.
“Who can see what?”
Authorization – APEX Authorization Schemes
• An APEX application’s authorization rules are defined in the “Authorization Scheme”.
• The authorization scheme is located in the Shared Components of an application.
• This scheme is defined in a PL/SQL function that returns TRUE / FALSE.
• Run this authorization check on every page view.
Authorization – Authorization Flow
Perform Security Checks.
• URL manipulation
Set EBS context.
• fnd_global.apps_initialize(user_id, resp_id, resp_appl_id, security_group_id, server_id);
Check to see if session is still valid.
• ICX_SEC.check_session (p_session_id, p_resp_id, p_app_resp_id);
• If INVALID do not return FALSE. Instead re-authenticate.
Check to see if user has access to the function.
• Does user have access to the function we defined (XXSPGWY.jsp)?
• fnd_function.test(l_function_name); ex. XXAPEX_TEST
Authorization – Additional Authorization
• An Authorization Scheme is called every time a page is loaded. This is a safe approach.
• But is there any risk if the Authorization Scheme is called only on page load?
• An Application Process can help us to prevent a commit on an invalid session.
• After a page is submitted but before the transaction is committed this process is called. The process is a mini-authorization that only validates the session state.
EBS Session Management
• An EBS session becomes invalid if the last_connect value for the session is older than the current time minus the timeout offset.
• Every time you take an action in EBS the last_connect value is updated.
• The act of invoking ICX_SEC.check_session will also update last_connect if the session is valid.
EBS Session Management – Re-Authentication
• If your EBS session becomes inactive while you’re working in APEX you will need to re-authenticate.
• APEX checks the EBS session in the Authorization Scheme and in the Application Process on page submission.
• If the EBS session is invalid it will redirect to the APEX login page prompting for your EBS username and password.
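The authorization flow, the additional on-submit check and the session-management rules above can all be carried by one package. The PL/SQL below is an added example, not the deck's code: the package name xxsp_apex_authz, the application items EBS_SESSION_ID / EBS_USER_ID / EBS_RESP_ID / EBS_RESP_APPL_ID / EBS_SEC_GROUP_ID (filled from the decrypted [EBS_PARAMS]), the ICX_SESSIONS column names, login page 101 and the icx_sec.check_session argument order are assumptions; XXAPEX_TEST is the function name from the deck. The "URL manipulation" check is implemented as a comparison of the IDs held in APEX session state against the server-side ICX session row, so values that were edited do not survive the first page view.

```sql
-- Added example (not from the deck): authorization scheme function plus the page-submit session check.
-- Assumptions: package name, application items EBS_SESSION_ID / EBS_USER_ID / EBS_RESP_ID / EBS_RESP_APPL_ID /
-- EBS_SEC_GROUP_ID, ICX_SESSIONS column names, login page 101, and the icx_sec.check_session argument order
-- shown in the deck. XXAPEX_TEST is the function name from the deck.
CREATE OR REPLACE PACKAGE xxsp_apex_authz AS
  FUNCTION  page_authorized(p_function_name IN VARCHAR2 DEFAULT 'XXAPEX_TEST') RETURN BOOLEAN;
  FUNCTION  session_valid RETURN BOOLEAN;
  PROCEDURE before_commit_check;
END xxsp_apex_authz;
/
CREATE OR REPLACE PACKAGE BODY xxsp_apex_authz AS
  c_login_page CONSTANT PLS_INTEGER := 101;

  -- Security check ("URL manipulation"): the IDs carried in APEX session state must agree with the
  -- server-side ICX session row. Edited item values that do not match the row are rejected.
  FUNCTION ids_match_icx_session RETURN BOOLEAN IS
    l_cnt PLS_INTEGER;
  BEGIN
    SELECT COUNT(*)
      INTO l_cnt
      FROM icx_sessions
     WHERE session_id                    = TO_NUMBER(V('EBS_SESSION_ID'))
       AND user_id                       = TO_NUMBER(V('EBS_USER_ID'))
       AND responsibility_id             = TO_NUMBER(V('EBS_RESP_ID'))
       AND responsibility_application_id = TO_NUMBER(V('EBS_RESP_APPL_ID'))
       AND NVL(security_group_id, 0)     = TO_NUMBER(NVL(V('EBS_SEC_GROUP_ID'), '0'));
    RETURN l_cnt = 1;
  END ids_match_icx_session;

  -- check_session also refreshes last_connect when the session is valid, so every APEX page view
  -- keeps the EBS session alive (the behaviour described on the session-management slides)
  FUNCTION session_valid RETURN BOOLEAN IS
  BEGIN
    RETURN icx_sec.check_session(TO_NUMBER(V('EBS_SESSION_ID')),
                                 TO_NUMBER(V('EBS_RESP_ID')),
                                 TO_NUMBER(V('EBS_RESP_APPL_ID')));
  END session_valid;

  -- Expired EBS session: send the browser to the login page rather than returning FALSE,
  -- which would only show the authorization error page
  PROCEDURE send_to_login IS
  BEGIN
    apex_util.redirect_url(p_url => 'f?p=' || V('APP_ID') || ':' || c_login_page || ':' || V('APP_SESSION'));
    apex_application.stop_apex_engine;
  END send_to_login;

  -- Authorization Scheme (PL/SQL Function Returning Boolean), evaluated on every page view
  FUNCTION page_authorized(p_function_name IN VARCHAR2 DEFAULT 'XXAPEX_TEST') RETURN BOOLEAN IS
  BEGIN
    IF NOT ids_match_icx_session THEN
      RETURN FALSE;
    END IF;
    -- Set the EBS context so fnd_function.test evaluates menus for this user/responsibility/security group
    fnd_global.apps_initialize(TO_NUMBER(V('EBS_USER_ID')),
                               TO_NUMBER(V('EBS_RESP_ID')),
                               TO_NUMBER(V('EBS_RESP_APPL_ID')),
                               TO_NUMBER(NVL(V('EBS_SEC_GROUP_ID'), '0')));
    IF NOT session_valid THEN
      send_to_login;
      RETURN FALSE;   -- not reached once the engine stops; kept so every path returns a value
    END IF;
    -- Does the user's responsibility grant the form function behind XXSPGWY.jsp?
    RETURN fnd_function.test(p_function_name);
  END page_authorized;

  -- Application process at "On Submit: After Page Submission - Before Computations and Validations":
  -- a mini-authorization that only validates the session, so a submit after an EBS timeout never reaches a commit
  PROCEDURE before_commit_check IS
  BEGIN
    IF NOT session_valid THEN
      send_to_login;
    END IF;
  END before_commit_check;
END xxsp_apex_authz;
/
```

Set the authorization scheme's body to `RETURN xxsp_apex_authz.page_authorized;` with its evaluation point at "Once per page view", not "Once per session", otherwise the session check (and the last_connect refresh that comes with it) only runs once and an EBS timeout goes unnoticed until the next login.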
GOAL - Succeeded
Extend Oracle E-Business Suite (12.1+) using APEX so that it is seamless to the end users.
• Fully integrated applications registered within EBS so they are available within EBS menus.
• Authentication (who can login) uses EBS authentication.
• Authorization (who can see what) is controlled through EBS responsibilities and security groups.
• Automatically authenticate when possible (no second login required).
• APEX session keeps EBS session active to prevent timeout.
• No Oracle Single Sign On (OSSO).
• Secure!!!
Q & A
Questions?