Background:
In the latest release of Oracle E-Business, there has been a number of modifications to the security that is applied to their default login form.
I captured the initial changes in a blog entry that was posted to on this site here: https://philipnye.com/posts/webseal-forms-sso-into-oracle-ebs-v12/
Disabling the security parameters to make the standard login forms work with WebSEAL is not always possible, so we have found an alternative Forms SSO mechanism to log into an EBS server.
Summary:
This approach differs from the previous approach by creating a new custom login page based on Oracle documented processes. This login page is not required to submit the javascript generated parameters which makes it very simple to use the standard WebSEAL forms based SSO functionality.
Custom Login Pages
System Administrators can create custom login pages. The custom page will need to post to the servlet AuthenticateUser, which requires two attributes: username and password. Once the user is successfully authenticated, the servlet will redirect the user to a destination defined inrequestUrl or the default APPSHOMEPAGE. If the authentication fails, the servlet will redirect the user to the login page with the error message in the parameter errCode.
To deploy a custom login page:
- Place the new servlet in the OA_HTML directory.
- Create a new function (FND_FORM_FUNCTION) – the web_html value of this function should be populated with file name of your new login page. The function code should begin with ‘APPS_LOGIN’.
- Assign this function to the APPS_LOGIN_DEFAULT menu. As this menu is already granted to all users (including guest), the grant flag is not needed.
- Update the profile option APPS_LOGIN_FUNCTION with new function name. The drop-down for this profile will query only function codes starting with APPS_LOGIN.
The above snippet was from the:
Oracle E-Business Suite Security Guide
Release 12.2
Part Number E22952-09
It makes use of a servlet for authentication, available as follows:
http://<host>/OA_HTML/AuthenticateUser
A simple test can be performed to test it’s functionality by using the following:
http://<host>/OA_HTML/AuthenticateUser?username=<username>&password=<password>
Create a Custom Login Page
Create a simple JSP page, that POST’s the parameters to the Servlet above.
<html> <body> Custom Login Form <form method="POST" action="/OA_HTML/AuthenticateUser?requestUrl=http://redirecthere"> Username: <input type="text" name="username"><br/> Password: <input type="text" name="password"> <input type="submit"> </form> </body> </html>
A JSP seems to be necessary (or a Servlet) since this appears to be necessary to be an acceptable redirect for the Default Login Page, and a ‘requestUrl’ seemed to be mandatory, even if it wasn’t used.
Deploy on the Oracle Application Server
Place the JSP in the OA_HTML directory, in my environment it was located here:
/data/oracle/PROD/apps/apps_st/comn/webapps/oacore/html/customLogin.jsp
By default in Oracle EBS R12, jsp pages aren’t compiled at runtime, but are precompiled. As such, a script needs to be run to compile the JSP.
I found instructions for it here: http://knoworacleappsdba.blogspot.com.au/2012/04/custom-jsp-file-in-oracle-ebs-r12.html
On my environment I ran the following command:
[root@oracletam admin]# /data/oracle/PROD/apps/apps_st/appl/fnd/12.0.0/patch/ 115/bin/ojspCompile.pl --compile -s customLogin.jsp -conf ojspCompile.conf WARNING! Could not find perl executable: $ORACLE_HOME/Apache/perl/bin/perl (/data/oracle/PROD/apps/tech_st/10.1.3/Apache/perl/bin/perl) /data/oracle/PROD/apps/apps_st/appl/fnd/12.0.0/patch/115/bin/ojspCompile.pl requires mod_perl from Apache or the default perl on the path must have its libs set up correctly! If you set up the environment variable PERLLIB or PERL5LIB, this warning will not be displayed and exec mod_perl will not be attempted logfile set: /data/oracle/PROD/inst/apps/PROD_oracletam/logs/appl/rgf/ojsp/ ojspc_error.log starting...(compiling delta) using 10i internal ojsp ver: 10 synchronizing dependency file: loading deplist...8095 enumerating jsps...8096 updating dependency...2 parsing jsp...2 writing deplist...8096 initializing compilation: files to compile...1 eliminating children...1 (-0) searching uncompiled...1 translating and compiling: searching untranslated...1 translating jsps...1/1 in 1s compiling jsps...1/1 in 2s Finished!
Now navigating to the login page produced my login page.
Set Login page as the new default
Either follow the steps from the manual above ‘Custom Login Pages’. Or you can modify the login page default by setting the existing login page to be the new one.
Be sure to save the old value before overwriting it.
I found it was necessary to purge the cache before testing.
Testing
Navigating to the URL http://<yourserver>/OA_HTML/AppsLocalLogin.jsp
should now redirect you to your custom login form via RF.jsp:
Test that the login completes correctly.
Forms SSO with WebSEAL
The form should now be a simple form to use the WebSEAL forms SSO capabilities, with no active scripting required.