7 Replies Latest reply: Jan 29, 2013 11:21 PM by VC

Extending EBS 12+ with Apex

Tomek Newbie
I follow official Oracle White Paper about how to do it and everything works nicely, however...

Custom EBS function definition follows this syntax to pass the context information to APEX (as per white paper):
*GWY.jsp?targetAppType=APEX&p=109:3:::::EBS_RESP_ID,EBS_APP_ID,EBS_SEC_GROUP:[RESPONSIBILITY_ID],[RESP_APPL_ID], [SECURITY_GROUP_ID]*

The actual URL that gets generated looks like this (I use different names, but it is very similar):
*..../f?p=702:1:697586553684301::::G_FUNCTION_NAME,G_RESP_ID,G_APPL_ID,G_SECURITY_GROUP_ID:ZPAY_ONLINE_SOE,59352,800,0*

As you see the RESP_ID, APPL_ID, and SECURITY_GROUP values are passed in the URL. All is great except those numbers can be easily manipulated since I cannot apply checksum protection to the defined Application Items. The URL string is constructed by the Oracle seeded jsp page and I do not have any control over it.

Does anyone have an idea how to secure those attributes? I use custom authorization to use the values passed to set the context of the APEX environment.
  • 1. Re: Extending EBS 12+ with Apex
    VC Guru
    Tomek wrote:
    I follow official Oracle White Paper about how to do it and everything works nicely, however...

    Custom EBS function definition follows this syntax to pass the context information to APEX (as per white paper):
    *GWY.jsp?targetAppType=APEX&p=109:3:::::EBS_RESP_ID,EBS_APP_ID,EBS_SEC_GROUP:[RESPONSIBILITY_ID],[RESP_APPL_ID], [SECURITY_GROUP_ID]*

    The actual URL that gets generated looks like this (I use different names, but it is very similar):
    *..../f?p=702:1:697586553684301::::G_FUNCTION_NAME,G_RESP_ID,G_APPL_ID,G_SECURITY_GROUP_ID:ZPAY_ONLINE_SOE,59352,800,0*

    As you see the RESP_ID, APPL_ID, and SECURITY_GROUP values are passed in the URL. All is great except those numbers can be easily manipulated since I cannot apply checksum protection to the defined Application Items. The URL string is constructed by the Oracle seeded jsp page and I do not have any control over it.
    Why can't you apply a checksum on application items? Have you not enabled session state protection in your application?
  • 2. Re: Extending EBS 12+ with Apex
    Tomek Newbie
    I can, but then the call from EBS fails... as you see in the generated URL there is no "cs=XXX". And again the URL is dynamically created by the GWY.jsp Oracle seeded jsp. And in reality I do not believe they can generate the cs since the Apex URL is prepared inside of the EBS suite which has no knowledge about the Apex Session (it does not exist yet).
  • 3. Re: Extending EBS 12+ with Apex
    VC Guru
    Tomek,

    Check this thread {message:id=9764617}
  • 4. Re: Extending EBS 12+ with Apex
    Tomek Newbie
    Thanks VC...

    Well, ironically I do have the custom solution (custom jsp) to open the Apex application from EBS which passes icx_session and all works fine; however, it is not an Oracle "supported" solution. My company would like to switch to the Oracle blessed way of calling Apex from EBS. But it looks like the Oracle solution implements a possible security problem.
  • 5. Re: Extending EBS 12+ with Apex
    RodWest Guru
    Hi,

    The thread mentioned above gives a number of options using either a custom jsp or reading the icx cookie or the icx session id.
    But it looks like the Oracle solution implements a possible security problem.
    For a fully secure Oracle solution you would need to re-validate the responsibility, resp_app_id and security group within the Apex application using an Apex Authorisation scheme. This would have to be attached to each page (or process) where the responsibility is used. The advantage of this approach is that it is then easy to switch responsibilities in Apex independently of the EBS responsibility.

    Rod West
  • 6. Re: Extending EBS 12+ with Apex
    Tomek Newbie
    I do have the authorization scheme that evaluates and sets the context for Apex so it works correctly against context specific data. The authorization scheme executes for every page. But in my first page opened from EBS the URL exposes the values which can be manipulated (see below):
    *....f?p=300:1:418149361995901::::G_FUNCTION_NAME,G_RESP_ID,G_APPL_ID,G_SECURITY_GROUP_ID:ZFND_APEX_EBS_TEST,20419,0,0*
    So if the user changes any of the IDs and presses "Enter" the page will be evaluated with the new criteria. It means the context may change and another set of data may be displayed. This behavior violates our company policy.

    So I keep looking for a solution... I have it partially solved by adding my own checksum calculation within my authorization scheme and allowing the initialization only if the original checksum is the same as the currently calculated checksum. If not I return FALSE which throws an error to the page. All is good except it is possible the user clicks the "BACK" button, changes responsibility in EBS, and calls the same Apex app from another responsibility. If so the access will be stopped and it shouldn't be.
  • 7. Re: Extending EBS 12+ with Apex
    VC Guru
    Tomek wrote:
    I do have the authorization scheme that evaluates and sets the context for Apex so it works correctly against context specific data. The authorization scheme executes for every page. But in my first page opened from EBS the URL exposes the values which can be manipulated (see below):
    So even though the user tampers with the URL, he won't be able to see any unauthorized data. They will see an unauthorized error message. I guess this is similar to a checksum because even a checksum doesn't stop them changing the URL values and pressing enter, which gives a checksum error. As Rod mentioned you will need to create authorization in APEX to validate the responsibility, resp_app_id and security group against the user.

    Cheers,
    Vikram
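As an added example (not code from the thread or from Oracle's white paper), here is the shape of the APEX authorization scheme that Rod and Vikram describe: instead of trusting the G_RESP_ID, G_APPL_ID and G_SECURITY_GROUP_ID values that arrive on the URL, it checks that the combination is actually assigned to the logged-in user before initializing the EBS context. It assumes the application item names from Tomek's URL, that the APEX username equals FND_USER.USER_NAME, and that the standard EBS view FND_USER_RESP_GROUPS and the FND_GLOBAL.APPS_INITIALIZE procedure are available to the APEX parsing schema; the function name xx_apex_ebs_ctx_authorized is made up for this example.

```plsql
-- Added example, not from the thread. An APEX authorization scheme of type
-- "PL/SQL Function Returning Boolean" can simply RETURN this function.
-- Assumed names: application items G_RESP_ID / G_APPL_ID / G_SECURITY_GROUP_ID
-- (from Tomek's URL), the EBS view FND_USER_RESP_GROUPS and FND_USER, and
-- FND_GLOBAL.APPS_INITIALIZE. The function name is hypothetical.
CREATE OR REPLACE FUNCTION xx_apex_ebs_ctx_authorized RETURN BOOLEAN IS
  l_user_id fnd_user.user_id%TYPE;
  l_resp_id NUMBER;
  l_appl_id NUMBER;
  l_sec_grp NUMBER;
  l_count   PLS_INTEGER;
BEGIN
  -- The three IDs come straight from the URL, so treat them as untrusted.
  -- Anything that is not a number is rejected outright.
  BEGIN
    l_resp_id := TO_NUMBER(v('G_RESP_ID'));
    l_appl_id := TO_NUMBER(v('G_APPL_ID'));
    l_sec_grp := TO_NUMBER(NVL(v('G_SECURITY_GROUP_ID'), '0'));
  EXCEPTION
    WHEN VALUE_ERROR THEN
      RETURN FALSE;
  END;

  -- Map the authenticated APEX user to the EBS user record.
  BEGIN
    SELECT user_id
      INTO l_user_id
      FROM fnd_user
     WHERE user_name = UPPER(v('APP_USER'));
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      RETURN FALSE;
  END;

  -- The check that matters: is this responsibility / application /
  -- security group actually assigned to the user, and active today?
  -- Because this is evaluated against the user's assignments rather than
  -- against a checksum of the first request, a user who goes back, switches
  -- to another responsibility they legitimately hold, and re-enters the
  -- application still passes, while an edited ID that the user does not
  -- hold fails.
  SELECT COUNT(*)
    INTO l_count
    FROM fnd_user_resp_groups
   WHERE user_id                       = l_user_id
     AND responsibility_id             = l_resp_id
     AND responsibility_application_id = l_appl_id
     AND security_group_id             = l_sec_grp
     AND TRUNC(SYSDATE) BETWEEN NVL(start_date, TRUNC(SYSDATE))
                            AND NVL(end_date,   TRUNC(SYSDATE));

  IF l_count = 0 THEN
    RETURN FALSE;  -- unassigned or tampered combination: APEX shows its
                   -- unauthorized page and no context is initialized
  END IF;

  -- Only after validation is the EBS context established from these values.
  fnd_global.apps_initialize(user_id           => l_user_id,
                             resp_id           => l_resp_id,
                             resp_appl_id      => l_appl_id,
                             security_group_id => l_sec_grp);
  RETURN TRUE;
END xx_apex_ebs_ctx_authorized;
/
```

Attach the scheme to every page (or set its evaluation point to once per page view, as Tomek's scheme already runs), so that a changed URL value is re-checked on each request rather than once per session.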