How to work with OAF page security issues in Oracle 12.2 upgrade

Enhanced Security with Oracle E-Business Suite Technology

In 2022, the Application Security Testing (AST) market is expanding beyond Static and Dynamic AST (SAST/DAST). Across the AST landscape, we are increasingly seeing new tools enter the market. Tools for Infrastructure as Code (IaC), container security, API management, and other features are becoming mainstream requirements.”Gartner report on Critical Capabilities for Application Security Testing.

Security is significant for every application and organization. Every customer needs their application to be more secure and robust. Oracle E-Business Suite Technology Oracle E-Business Suite Technology tries to enhance and strengthen the application security in each release. In Oracle E-Business Suite’s latest version 12.2, the Oracle E-Business Suite upgrade has enabled Security profiles (FND validation) by default, causing issues with the Oracle Application Framework (OAF) pages; notably for bookmarkable pages and programmatically configured URLs in the middle tier.

This blog provides an overview of how to skip the security validations for OAF code from the non-OA Framework page/code in Oracle 12.2’s new features upgrade.

As of Oracle EBS Upgrade Release 12.2, OAF-based pages in Oracle EBS run in accelerated validation mode; accelerated validation provides a set of event points and checks specific designs to prevent tampering with parameters and URLs used by a page. This functionality is enabled by default in Release 12.2 and is the recommended configuration, providing additional security to a page. We could turn off this validation in Oracle Release 12.1.

Enabling Accelerated Validation

Accelerated validation is enabled by three Validation-related profile options:

FND Validation Level/FND_VALIDATION_LEVEL
FND Function Validation Level/FND_FUNCTION_VALIDATION_LEVEL
Framework Validation Level/FRAMEWORK_VALIDATION_LEVEL

Important: The Oracle EBS Applications Technology (TXK) Release 12.2.2 removes the ability to turn these profiles off. Oracle EBS Upgrade Release 12.2.2 always runs as if these profiles are set to ERROR. As a result, calls to OAF pages from the custom applications like ADF, APEX, and other third-party applications will fail in release 12.2.2.

Your OAF-based pages can take advantage of the new accelerated validation as long as they meet existing coding standards. Overall, the validation is a transparent process, except for the

following exception cases where you must follow the corresponding instructions to ensure correct page behaviour:

You have bookmarkable pages (any page accessed across user sessions), where an OAF URL generated in one session, must be accessible in another.
You programmatically configure a URL in the middle tier (using Java code). For example,applications developed in Oracle ADF and Oracle APEX.

Bookmarkable Pages

To ensure valid access to a bookmarkable page, follow these instructions:

Step 1: Identify your "bookmarkable" page candidates. Generally, they fall into the following categories:

(Required) any page accessed from a Workflow Notification or email link. Note that any page that could be accessed in this way before the 12^th version will not work correctly unless you complete the following steps:
- (Required) any logical application entry points like a "Home" page.
- (Required) pages that you link from a non-OAF technology (JTT, Forms, and RF excepted).
- (Required) pages whose URL will be manipulated with JavaScript.
- (Optional) any page you think customers will bookmark.

Step 2: Select the page layout region in the Oracle JDeveloper Structure pane for a bookmarkable page to open the Property Inspector. Set the securityMode attribute to selfSecured (the default value is standard, which means that the URL is prepared for accelerated validation). When you set the value to selfSecured, OAF allows you to bypass the accelerated validation to inspect the parameter values to determine whether page access should be granted.

If you need to access your page outside an OAF runtime context (from a test JSP, for example), but do not wish to or cannot mark the target page as selfSecured, you will need to generate your URL using the below method

URLMgr.processOutgoingUrl(String url, WebAppsContext wctx).

The private oracle.apps.fnd.framework.CreateIcxSession class includes a new convenience method called “getWebAppsContext” to obtain the WebAppsContext instance associated with the page. In case you fail to do this, you will not be able to access your page from this launching context.

Programmatically configured URL in the middle tier (ADF, APEX, and third-party applications)

Generally, if you put a URL reference into a page, it will be treated as a trusted URL. However, if you know that the URL is from an untrusted source, for example, it was input by a user, or if you put a URL reference into a non-OAF page, it will fail in the Oracle Release 12.2, as it has to go through accelerated validation.

To skip this validation, we have the following options:

Option 1:

To disable accelerated validation for a URL, in the processRequest method of the controller for the page that generates the URL, call the createURL API on oracle.apps.fnd.framework.webui.OAUrl with the following signature:

public String createURL(RenderingContext context, boolean trusted)

String redirectURL = new String ("someRedirectURL");

OAUrl url = new OAUrl(redirectURL);

redirectURL = new StringBuffer(url.createURL( pageContext, false)); // false indicates the URL is coming from an untrusted // source.

Option 2:

You can skip the accelerated validation by replacing OA.jsp ? OAFunc= with RF.jsp ? Function_Id =

For example: https:///OA_HTML/OA.jsp?OAFunc=XX_IMC_CON_SUM&ImcPartyId=1404797

The above URL will not work in 12.2, as it must go through accelerated validation. To skip the validation, use the URL provided below.

https:///OA_HTML/RF.jsp?Function_id=XX_IMC_CON_SUM&ImcPartyId=1404797

Conclusion

The Oracle E-Business Suite Applications 12.2 removes the ability to turn the accelerated validation profiles off. Oracle EBS Technology Release 12.2.2 always runs as if these profiles are set to ERROR. Suppose you upgrade your EBS applications from 12.1 to Oracle 12.2 with new features and want your OAF pages from middle-tier ADF, Apex, or other third-party applications to work. In that case, you must skip the accelerated validation mentioned above.

Subscribe to our email Newsletter

About the Author

Kapil Gajre

Senior Technical Analyst (Oracle Applications), Jade Global, Inc.

Kapil Gajre has experience in end-to-end management of Oracle EBS applications, additionally, he is well versed in analysis, design, development, enhancement, testing, and documentation in Oracle EBS applications, Oracle Application Development Framework (Oracle ADF), and Oracle Fusion Cloud Applications in the IT Industry. He has worked on Oracle Fusion Cloud customizations using Oracle ADF, Oracle APEX, and Web Services. He has hands-on experience with technologies like Java Cloud Service and Database Cloud Service. He also has command over Oracle Procure-to-Pay (P2P) and Order-to-Cash (O2C) Process Cycles.