|Receive Email for New Articles|
|OA Framework page on web||| Print ||
|Written by Anil Passi|
|Wednesday, 07 February 2007|
We all know that the login screen in Oracle Apps connects using APPLSYSPUB schema to validate the username. Ever wondered to which schema does web facing Oracle iRecruitment registration screen connects to? If you think its the APPS schema, then your answer is correct. In this article I will explain how www facing webpage runs on OA Framework.
The reason for this article is that, in case you wish to build a web facing screen using OA Framework, then you may use this methodology.
How can www facing page ever connect to apps schema?
It does so using GUEST username and password.
Is the GUEST schema password password hardcoded?
Well firstly GUEST is not a schema. It a valid FND_USER record. The password is not hardcoded. The web facing screen reads the GUEST Password value from AppsContext environment store. Effectively, the GUEST password is fetched from profile option "Guest User Password" [try doing select fnd_profile.value('GUEST_USER_PWD') from dual ]
Inside java you can do webappscontext.getEnvStore().getEnv("GUEST_USER_PWD")
Interesting, but how is the object WebAppsContext constructed in the first place for a request from internet?
This is where the secret is revealed. iRecruitment initial page is a jsp page which redirects itself to the OA Framework page.
Below sequence of events take place:-
1. Visitor logs onto jsp page [ in this case $OA_HTML/IrcVisitor.jsp ]
2. The servletsession object from jsp is passed to a java bean named IrcLoginManager. The purpose of this bean is to construct URL of Visitor home page. Main parameters passed to this bean from jsp are [a] DBC File Name [b] HttpServletRequest & Response Objects [b] Default responsibility details
3. The javabean builds a default WebAppsContext object using the HttpServletReuqest/Response object. In reality the default WebAppsContext is built using DBC File name.
4. The javabean builds a URL for the OA Framework page.
5. The user is redirected to OA Framework page, connected as GUEST user.
How does this javabean build the url?
To get the URL, Oracle uses following components:-
Of the "visitor OA Framework homepage"
2. Responsibility ID
To which the above function is attached
3. Resp application Id
Application of responsibility
4. Security group
0 for STANDARD [default]
Isn't this thing hackable
I would say no, because all that it does is to Connect to GUEST UserName. GUEST username is attached to only those responsibilities that are web facing, for example "iRecruitment External Site Visitor".
You can hack this is by hacking into the server and changing/replacing the java class files themselves. But in that case it is your machine which is insecure , not Oracle iRecruitment. Oracle takes care of securing their application, hence clients must concentrate on securing their servers.
written by David Philips , February 08, 2007
written by Tripti Goenka , July 06, 2007
written by Tripti Goenka , July 11, 2007
written by APassi , July 11, 2007
written by Ranjan , October 12, 2007
written by huzefa , February 02, 2008