Oracle Apps secure code review
Is any documentation available (either Oracle or third party based) to guide secure code reviews for Oracle Apps (or more specifically, Oracle Application Framework)?
I'm aware of the usual sql injection bad practices (as related to JDBC and PLSQL). I'm curious about API abuse, as related to:
- cross-site scripting concerns
- client-side trust issues (e.g., hidden field values)
- improper or inconsistent input validation
- improper error handling
- improper session management
- inappropriate access control
Thanks.
Thanks... I looked at that and didn't think it was all in there, but I looked again after I got your reply and it appears to be what we are looking for (at least a starting point).
Similar Messages
-
Testing oracle apps security in reports
Hi,
I have a report which is running fine in Report Builder 6i and also in Oracle Apps (this is a customized report for Oracle Apps).
Now I need to test the security in Oracle apps. As per the advice provided in metalink I added
1) added a user parameter P_CONC_REQUEST_ID
2) added "srw.user_exit('FND SRWINIT');" to the BeforeReport trigger
3) added "srw.user_exit('FND SRWEXIT');" to the AfterReport trigger
But now when I try to run it in Oracle Apps it gives the error below:
REP-1416: 'beforereport': User exit 'FND'. IAF GET: unknown column 'P_CONC_REQUEST_ID'.
Please help on how to solve this issue. Any help is appreciated.
Thanks for the reply. The problem still persists.
The same Metalink note gives another solution, shown below, but when I add it to the report I can't compile. It gives "identifier hr_standard.event must be declared". Has anyone used this before? If so, how do I use it?
3. If the issue is not resolved try placing the calls mentioned in 2 with
hr_standard.event('BEFORE REPORT');
hr_standard.event('AFTER REPORT');
Metalink is
How To Enable Hr Security on Custom Reports? [ID 369345.1] -
Can VPD Virtual Private DB in 10g replace Oracle Apps security rules?
I read the recent article in Oracle Magazine called 'Testing Database Security', and the section on Virtual Private Database (VPD) in particular caught my attention. Can this feature of the 10g database be used by Oracle Apps to restrict access to data through the Apps login? We just moved to 10g.
Our current data security is enabled by leveraging security rules attached to responsibilities. Our security rules restrict by operating unit, of which there are 89. It would be great if VPD could be used, as it might replace the need to create 89 separate security rules. We would maintain just one set of policies.
Does anyone know if this can be used on the applications level? If anyone has done this, do you know of a documentation link that would help?
Thanks for your insight.
Sebes,
Thanks for the link...it sounds like it may be part of the Oracle future landscape, but for now, we will have to live with security rules.
Sincerely,
Brenda -
Hi
How do I prevent attacks at the web application level? For example, a developer posts the .jsp page through the URL http://server.ten.com:(port):/OA_HTML/xxy.jsp. But this JSP page includes many special characters, that means , &, " etc. I need only values, not special characters, so I have to restrict those special characters in the above-mentioned JSP page (xxy.jsp), but I don't know how to do that. Please give me the solution.
Regards
A
Pl see your other post on Oracle Apps.
Srini -
Validate Oracle Apps Username and Password via ADF?
Hello. I'm trying to verify a person's user ID and password in ADF 11g. I snagged the FND classes to be able to do this, and am calling them as follows:
AppsContext ac = new AppsContext("/home/workspace/idev.dbc");
boolean loginStatusCode = ac.getSessionManager().validateLogin(userName, password);
if(loginStatusCode == true)
return "success";
else
return "failure";
This works in the Application Module tester, and works as a standalone program. However, when I run it in WebLogic I get a class cast exception (this can be fixed by removing the ojdbc5 & 6 files in the lib folder and replacing them with the ojdbc14 jar). Unfortunately, that fixes this problem but then all the ADF stuff breaks.
Has anyone used Oracle's Apps security for logging in a user? Or, is there a way to have WebLogic use the ojdbc14.jar for a single deployment? Here's the class cast I get:
oracle.jbo.JboException: JBO-29000: Unexpected exception caught: java.lang.IllegalAccessError, msg=tried to access class oracle.jdbc.driver.OraclePreparedStatement from class oracle.apps.fnd.common.ProfileCache
Thanks in advance.
Hi,
you can also validate an FND login using the FND_WEB_SEC.validate_login package if it's easier.
Brenden -
We have installed HCM and CRM modules on Fusion Application 11.1.7 version.
This is a 2-node architecture, i.e. IDM components installed on one node and Fusion components installed on another node.
We are able to start the IDM components and Fusion components successfully, but when users try to access any task from the Fusion application home page, they get the error below:
A portlet consumer error was received for the task Manage Worker Goal Setting Lookups. Report the error details to the following owning product Goal Management.
An error was received for the task Manage Worker Goal Setting Lookups. This task is identified with the code HRG_MANAGE_WORKER_GOAL_SETTING_LOOKUPS that invokes program /WEB-INF/oracle/apps/fnd/applcore/lookups/publicUi/flow/ManageCommonLookupsTF.xml#ManageCommonLookupsTF of module code fndSetup. Review the consumer and producer logs for more details on this error.
This may be related to the other issue regarding "FUSION_APPS_WSM_APPID-KEY" as the logs contain exceptions like:
oracle.wsm.policymanager.PolicyManagerException: WSM-02081 : Failed to login to perform requested action.
Please refer to document Fusion Application Service Account Password Expiration Causes Portlet Producer Errors (1486388.1) for steps on how to verify and set the password. There is also exception:
javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User FUSION_APPS_PROV_PATCH_APPID denied
This is also likely caused by an expired password, please see Fusion Apps Servers Are Not Starting Up - Password Policy Error :9000: GSL_PWDEXPIRED_EXCP :Your Password has expired (1629927.1).
Jani Rautiainen
Fusion Applications Developer Relations
https://blogs.oracle.com/fadevrel/ -
When I go to download an app in the App Store it says my billing security code is invalid. It was working fine before.
Same thing happened here. Yesterday I called and chatted with a lady who told me right away that they are having issues with people validating their credit cards. She told me to contact support by email, which I did twice, and they replied with the following:
1. Contact your bank or credit card company and ask to speak with the fraud/security department.
2. Tell the representative that your security code is being rejected. Ask them to review your account to see what might be preventing you from using the card to purchase from the iTunes Store. Ensure that they thoroughly review your account until they locate and resolve what is causing the issue.
3. The bank or credit card company will need to remove any holds on your account. The bank or credit card company could also bypass the authorization process.
I tested my card with another trusted service who asked to verify with the security code and it worked fine.
I guess at this point you could call your bank (just in case) or just wait. -
Security code issue in iTunes review in iPhone 5
Hi
When I'm reviewing my Apple and billing information, I used debit card information. After entering all the correct information including the security code, it's showing an error in the security code. I tried so many times but no use. Please help me out.
Not on that account if you don't have a credit card. There are instructions on this page for how to create a new account without giving credit card details : http://support.apple.com/kb/HT2534 - if you want to use the same email address on the new account then try changing it on the existing one via Settings > iTunes & App Store on your phone, Store > View Account on your computer's iTunes, or http://appleid.apple.com (you can create a new email address via http://gmail.com or http://hotmail.com to replace it with)
-
Creating security similar to Oracle Apps
We have an application that has security similar to Oracle Apps, i.e. maintaining the users and roles (responsibilities) within our application. Discoverer has a special login mechanism for Oracle Apps users. Is there a way to configure Discoverer to work with another application which has a similar security mechanism?
Hi Maruthi
I'm afraid I have no documentation to point you at because this was done for a specific client and I have just not had the time to put together some generic documents. I can't use the client's documents because that would be unethical and they have pictures of their data.
Nevertheless, here is an overview.
1. Look at all of the Oracle base tables and determine which ones have one of the following: ORG_ID, Set of Books ID (SOB_ID) or Chart of Accounts ID (COA_ID).
2. Look at the same tables and run some scripts such as this: SELECT COUNT(*) FROM TABLE
3. For all such tables that have more than, say, 200,000 rows add one partition for each ORG_ID, SOB_ID or COA_ID
4. As you know, when a user logs in using an Apps account, the system sets a SYS_CONTEXT variable identifying the ORG_ID that user has access to. This is fine for tables that have an ORG_ID, but for those which only have a SOB_ID or COA_ID you can't use the ORG_ID. Therefore, what you do is create a new table, let's call it ORG_ORGANIZATIONS, that links an ORG_ID with its associated SOB_ID and COA_ID. The table is indexed on the ORG_ID.
5. Create one function per type, thus one for ORG_ID, SOB_ID and COA_ID.
For ORG_ID - function named DP_ORG_SECFUNC, the heart of the function is:
select substr(userenv('CLIENT_INFO'),1,5) into x_org_id from dual;
v_statement := 'ORG_ID = '||x_org_id;
return (v_statement);
For SOB_ID - function named DP_SOB_SECFUNC, the heart of the function is:
select substr(userenv('CLIENT_INFO'),1,5) into x_org_id from dual;
SELECT SET_OF_BOOKS_ID INTO v_set_of_books_id
FROM ORG_ORGANIZATIONS WHERE ORG_ID = x_org_id;
v_statement := 'SET_OF_BOOKS_ID = '||v_set_of_books_id;
return (v_statement);
For COA_ID - function named DP_COA_SECFUNC, the heart of the function is:
select substr(userenv('CLIENT_INFO'),1,5) into x_org_id from dual;
SELECT CHART_OF_ACCOUNTS_ID INTO v_chart_of_accounts_id
FROM ORG_ORGANIZATIONS WHERE ORG_ID = x_org_id;
v_statement :='CHART_OF_ACCOUNTS_ID = '||v_chart_of_accounts_id;
return (v_statement);
6. Create a view for each table you want to protect. For example, here is the code that creates a view for AP_INVOICES_ALL
CREATE OR REPLACE VIEW DV_AP_INVOICES_ALL
AS SELECT * FROM AP_INVOICES_ALL ;
SHOW ERRORS
EXEC DBMS_RLS.ADD_POLICY('APPS', 'DV_AP_INVOICES_ALL', 'SecByOrg', 'APPS', 'DP_ORG_SECFUNC', 'SELECT');
Notice how this view is protected by a policy: whenever anyone runs a SELECT against the view, the VPD policy kicks in and calls the ORG security function to append its predicate.
7. Change all of your code that Discoverer is pointing at to use new views similar to the above.
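As an added example (not the poster's code), here is the SOB variant from step 5 written out as a complete VPD policy function with the two-argument signature DBMS_RLS calls, plus the ADD_POLICY call from step 6 pointed at it. It assumes the ORG_ORGANIZATIONS mapping table from step 4 and reads a 10-character ORG_ID slot from CLIENT_INFO (the post reads 5; the width is an assumption that should match your Apps release). It checks that the value is numeric and returns a no-rows predicate when the org context is missing or unmapped, so the policy fails closed instead of exposing every row.

```sql
-- Added example, not the poster's code. Assumes ORG_ORGANIZATIONS(ORG_ID, SET_OF_BOOKS_ID, ...)
-- exists as described in step 4 and that Apps sets CLIENT_INFO for the session.
CREATE OR REPLACE FUNCTION dp_sob_secfunc (
    p_schema IN VARCHAR2,      -- supplied by DBMS_RLS, unused here
    p_object IN VARCHAR2       -- supplied by DBMS_RLS, unused here
) RETURN VARCHAR2
IS
    v_client_info     VARCHAR2(64);
    v_org_id          NUMBER;
    v_set_of_books_id NUMBER;
BEGIN
    -- Assumed width: the first 10 characters of CLIENT_INFO carry the ORG_ID.
    v_client_info := TRIM(SUBSTR(SYS_CONTEXT('USERENV', 'CLIENT_INFO'), 1, 10));

    -- Only a plain integer may reach the predicate string; anything else yields no rows.
    IF v_client_info IS NULL OR NOT REGEXP_LIKE(v_client_info, '^[0-9]+$') THEN
        RETURN '1 = 0';
    END IF;
    v_org_id := TO_NUMBER(v_client_info);

    -- Map the org to its set of books, as the view being protected has no ORG_ID.
    SELECT set_of_books_id
      INTO v_set_of_books_id
      FROM org_organizations
     WHERE org_id = v_org_id;

    RETURN 'SET_OF_BOOKS_ID = ' || TO_CHAR(v_set_of_books_id);
EXCEPTION
    WHEN NO_DATA_FOUND THEN
        RETURN '1 = 0';   -- unmapped org: fail closed
END dp_sob_secfunc;
/

-- Attach the policy to the view from step 6 for SELECT only (names taken from the post).
BEGIN
    DBMS_RLS.ADD_POLICY(
        object_schema   => 'APPS',
        object_name     => 'DV_AP_INVOICES_ALL',
        policy_name     => 'SecBySob',
        function_schema => 'APPS',
        policy_function => 'DP_SOB_SECFUNC',
        statement_types => 'SELECT');
END;
/
```

Because the predicate is built from CLIENT_INFO, which any session can set through DBMS_APPLICATION_INFO, the policy is only as strong as the layer that controls database connections; the numeric check keeps a malformed value from turning into an arbitrary predicate, not from a caller setting a different org.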
I hope this helps
Best wishes
Michael Armstrong-Smith
URL: http://learndiscoverer.com
Blog: http://learndiscoverer.blogspot.com -
My phone won't let me download any apps. When I put the password in it takes me to the billing option, which tells me I have the wrong security code, and that's the security code that was on the card on the account.
iTunes Store: My credit card's security code or zip code does not match my bank's records
http://support.apple.com/kb/TS1646 -
I tried to buy an app and iTunes keeps asking for a security code. What is a security code? I only have a password and ID!
Are you using a credit card?
http://store.apple.com/au/help/payments#creditus
Security codes
The credit card security code is a unique three or four digit number printed on the front (American Express) or back (Visa/MasterCard) of your card. -
For about three weeks I haven't been able to download any apps, not even the free ones. My Apple ID billing information says that the security code on the back of my credit card is invalid. I called Apple support and they told me to go to the Express Lane website but I still can't find a fix for my problem. If you could help me out that would be superb!!!!
Is the address on your iTunes account exactly the same (format and spacing etc) as on your credit card bill : http://support.apple.com/kb/TS1646 ? If it is then you could try what it says at the bottom of that page :
If the issue persists, contact your credit card company and verify that they and any company they use to process credit card authorisations have the correct information on file.
And/or try contacting iTunes support : http://www.apple.com/support/itunes/contact/ - click on Contact iTunes Store Support on the right-hand side of the page -
I owe money and the billing information is telling me that my security code is invalid. If I get money in my account, will I be able to put in my security code again and purchase apps and music again?
Is the address on your iTunes account exactly the same (format and spacing etc) as on your credit card bill ? If it's not then that might be the reason that you are getting the security code error : http://support.apple.com/kb/TS1646 ? If it is then you could try what it says at the bottom of that page :
If the issue persists, contact your credit card company and verify that they and any company they use to process credit card authorizations have the correct information on file.
And/or try contacting iTunes support : http://www.apple.com/support/itunes/contact/ - click on Express Lane, then iTunes > iTunes Store -
My App Store will not let me update or get any apps. They keep asking me for my billing info through my card, and I enter my info and it says the security code is wrong when I know it's right. How can I fix this? What's the problem?
Select None for payment method > iTunes Store: Changing account information
If None is not available > Why can’t I select None when I edit my payment information?
Yes, you can redeem an iTunes gift card for current purchases.
How to Redeem iTunes Gift Cards and content codes
And you can check the balance of a redeemed card > Account Home - Apple Store -
I just need to be able to download apps and my phone keeps saying the security code is invalid, which doesn't make sense because I enter everything correctly, and it's really frustrating. I've been to the Apple Store, I've called support and they can't seem to fix it! Can somebody please help me? I thought Apple was supposed to be easy to use :\
This can sometimes happen because there is a mismatch between the billing address entered on your iTunes account and the billing address in your bank records. See http://support.apple.com/kb/TS1646.