Presented by the City of St. Petersburg Rob Sipko Oracle Applications Developer APEX / EBS Security and Responsibility Integration

Post on 07-Mar-2018


Page 1: APEX / EBS Security and Responsibility Integrationapps.polk-county.net/FORCES/docs/APEXEBSSecurityandResponsibili… · Introduction –Why use APEX with EBS? - Extending Oracle E-Business

Presented by the City of St. Petersburg

Rob Sipko

Oracle Applications Developer

APEX / EBS Security and Responsibility Integration

Introduction – Why use APEX with EBS?

- Extending Oracle E-Business Suite Release 12.1 and above using Oracle Application Express [Revision 2]

“Oracle E-Business Suite delivers a wide range of functionality to handle core areas of your business processing needs. However, there are situations where you want to extend your information systems beyond the range of Oracle E-Business Suite. Many times these necessary extensions are meant to handle unique industry conventions, specific customer requirements, or perhaps to offer some other competitive edge. Sometimes these change requests are simple enough, but other times more extensive customizations are needed. In these scenarios, Oracle Application Express, also known as Oracle APEX, provides an easy way to create supplemental applications that are easily integrated with your Oracle E-Business Suite and its data.”

Prerequisites

• Oracle E-Business Suite 12.1.3 or above
• APEX
• EBS Patch 12316083 (for 12.1.X environments)
• FND: APEX URL profile option set

• Fully integrated applications registered within EBS so they are available within EBS menus.
• Authentication (who can login) uses EBS authentication.
• Authorization (who can see what) is controlled through EBS responsibilities and security groups.
• Automatically authenticate when possible. (No second login required)
• APEX session keeps EBS session active to prevent timeout.
• No Oracle Single Sign On (OSSO)
• Secure!!!

GOAL

Extend Oracle E-Business Suite (12.1+) using APEX so that it is seamless to the end users.

EBS Menu Integration – 30 second review

The System Administrator responsibility is where you create functions. Functions are then assigned to menus. Finally, menus are associated to a responsibility.

EBS Menu Integration – APEX and Seeded Functionality

You can now create a Form Function to call an APEX page

SSWA jsp function

EBS Menu Integration – APEX and Seeded Functionality

Behind the scenes: Find & Replace

Passing the Responsibility ID, Application ID, and Security Group ID to an APEX application is NOT enough to meet our requirements of seamless integration.

EBS Menu Integration – Customizing GWY.jsp

• This is the only customization required and doesn’t affect seeded functionality.
• The new (and only) parameter will be called [EBS_PARAMS]
• Step 1: Retrieve current EBS session ID
• Step 2: Pass session ID into custom function that will return key values in an encrypted format
• Step 3: Replace [EBS_PARAMS] with the encrypted value and continue to redirect to APEX

EBS Menu Integration – XXSPGWY.jsp Based Function

XXSPGWY.jsp based function successfully passes our encrypted parameter to APEX.

Authentication – Definition

Authentication: Process by which a system verifies the identity of a user who wishes to access it

“Who can login?”

Authentication – APEX Authentication Schemes

• An APEX application’s authentication rules are defined in the “Authentication Scheme”
• The authentication scheme is located in the Shared Components of an application.
• A custom authentication scheme needs to be defined to use EBS credentials.
• This scheme is defined in a PL/SQL function that returns TRUE / FALSE.

Authentication – Authentication Function (Simple)

One way to authenticate using EBS credentials is to call the validatelogin function provided by Oracle.

“Why do I have to log in twice?”

Authentication – Oracle EBS Sessions: ICX_SESSIONS

A session is created when a user logs into EBS. A Session ID is generated and stored in a cookie on the user’s computer. A session entry is inserted into the ICX_SESSIONS table.

Authentication – Automatic Login Flow

Attempt to get session ID from browser cookie.
• ICX_SEC.getsessioncookie(v_session_id);

Check to see if session is valid.
• ICX_SEC.check_session (p_session_id, p_resp_id, p_app_resp_id);

Generate encrypted, self-destructing password candidate for session.
• Use DBMS_OBFUSCATION_TOOLKIT.MD5 with an encrypted seed value to generate password.
• Seed value dependent upon timestamp.

Authentication – Automatic Login Flow (Cont.)

Generate valid passwords and validate against the candidate password.
• Compare candidate password to valid hashes created by going back in time by 0-5 seconds.
• If any of the valid passwords in the last 5 seconds equal the candidate password then the user is authenticated!

If process fails require manual login from user.
• Process will fail if session cannot be read from cookie.
• Process will fail if session is invalid (expired).
• Process will fail if it takes more than 5 seconds to process request.

Only require login if process fails to auto login

Authentication Scheme called by APEX
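
The time-window check from the Automatic Login Flow slides, modelled in Python as an added example (not the presenter's PL/SQL). It uses HMAC-SHA-256 with a constant-time comparison in place of the slide's MD5-with-seed construction, and adds a single-use cache that the slides do not describe; the secret, session IDs and timestamps are constructed values.

```python
import hashlib
import hmac

WINDOW_SECONDS = 5  # slide: valid hashes are built by going back 0-5 seconds


def make_candidate(secret: bytes, session_id: str, now: int) -> str:
    """Password candidate bound to one EBS session ID and one whole second."""
    msg = f"{session_id}|{now}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def validate_candidate(secret: bytes, session_id: str, candidate: str,
                       now: int, used: set) -> bool:
    """Accept the candidate if it matches any second in the window, once only."""
    if candidate in used:  # assumption: single-use cache (not on the slides)
        return False
    for age in range(WINDOW_SECONDS + 1):  # ages 0, 1, ..., 5
        expected = make_candidate(secret, session_id, now - age)
        # Constant-time comparison avoids leaking how many characters matched.
        if hmac.compare_digest(expected.encode(), candidate.encode()):
            used.add(candidate)
            return True
    return False  # caller falls back to the manual EBS login page


def demo() -> dict:
    secret = b"constructed-demo-secret"   # constructed; keep real keys server-side
    sid = "123456789"                     # constructed session ID
    t0 = 1_700_000_000                    # constructed epoch second
    token = make_candidate(secret, sid, t0)
    used = set()
    return {
        "fresh": validate_candidate(secret, sid, token, t0 + 3, used),
        "replayed": validate_candidate(secret, sid, token, t0 + 4, used),
        "expired": validate_candidate(secret, sid, token, t0 + 6, set()),
        "other_session": validate_candidate(secret, "987654321", token, t0 + 1, set()),
    }


if __name__ == "__main__":
    print(demo())
```

The window trades usability for exposure: a slow redirect fails closed to manual login, while any candidate captured from the URL stays valid for the rest of the window unless single use is enforced.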

Authorization – Definition

Authorization: You can use authorization to identify additional security beyond simple user authentication.

“Who can see what?”

Authorization – APEX Authorization Schemes

• An APEX application’s authorization rules are defined in the “Authorization Scheme”
• The authorization scheme is located in the Shared Components of an application.
• This scheme is defined in a PL/SQL function that returns TRUE / FALSE.
• Run this authorization check on every page view.

Authorization – Authorization Flow

Perform Security Checks.
• URL manipulation

Set EBS context.
• fnd_global.apps_initialize(user_id, resp_id, resp_appl_id, security_group_id, server_id);

Check to see if session is still valid.
• ICX_SEC.check_session (p_session_id, p_resp_id, p_app_resp_id);
• If INVALID do not return FALSE. Instead re-authenticate.

Check to see if user has access to the function
• Does user have access to the function we defined (XXSPGWY.jsp)?
• fnd_function.test(l_function_name); ex. XXAPEX_TEST

Authorization – Additional Authorization

• An Authorization Scheme is called every time a page is loaded. This is a safe approach.
• But is there any risk if the Authorization Scheme is called only on page load?
• An Application Process can help us to prevent a commit on an invalid session.
• After a page is submitted but before the transaction is committed this process is called. The process is a mini-authorization that only validates the session state.

EBS Session Management

Perform Security Checks.
• URL manipulation

Set EBS context.
• fnd_global.apps_initialize(user_id, resp_id, resp_appl_id, security_group_id, server_id);

Check to see if session is still valid.
• ICX_SEC.check_session (p_session_id, p_resp_id, p_app_resp_id);
• If INVALID do not return FALSE. Instead re-authenticate.

Check to see if user has access to the function
• Does user have access to the function we defined (XXSPGWY.jsp)?
• fnd_function.test(l_function_name); ex. XXAPEX_TEST

• An EBS Session becomes invalid if the last_connect value for the session is older than the current time minus the timeout offset.
• Every time you take an action in EBS the last_connect value is updated.
• The act of invoking ICX_SEC.check_session will also update the last_connect if the session is valid.

EBS Session Management – Re-Authentication

• If your EBS session becomes inactive while you’re working in APEX you will need to re-authenticate.
• APEX checks EBS session in Authorization Scheme and in the Application Process on page submission.
• If the EBS session is invalid it will redirect to the APEX login page prompting for your EBS username and password.

• Fully integrated applications registered within EBS so they are available within EBS menus.
• Authentication (who can login) uses EBS authentication.
• Authorization (who can see what) is controlled through EBS responsibilities and security groups.
• Automatically authenticate when possible. (No second login required)
• APEX session keeps EBS session active to prevent timeout.
• No Oracle Single Sign On (OSSO)
• Secure!!!

GOAL - Succeeded

Extend Oracle E-Business Suite (12.1+) using APEX so that it is seamless to the end users.

Q & A

Questions?