Calling Demantra Workflow using HTTP POST method in Oracle Demantra 12.2.5.1 and up
An Oracle White Paper
March 2016
Demantra Development
OVERVIEW
UTL_HTTP
URL
EBS
SUMMARY
Overview

All Demantra customers today run workflows in one of these 4 ways:

1. Directly from the Demantra Workflow Manager
2. Calling a Workflow from a PL/SQL script
3. Calling a Workflow via URL
4. Calling a Workflow from EBS

This white paper describes some of the new security measures implemented in Oracle Demantra 12.2.5.1 as part of Oracle's continuous security assertion, and focuses on 3 types of workflow callouts: UTL_HTTP, URL and EBS.

GET is one of many request methods supported by the HTTP protocol. If a GET method is used, the form parameters are encoded in the URL in what is called the query string. The form parameters can be anything, and in the case of a workflow they would be the username and password used to authenticate the connection. For example:

http://myserver.com:8080/Demantra/WorkflowServer?action=run_proc&user=dm&password=xyz&schema=RunEngineWF
In the GET method above, all the parameters are visible (user, password, and schema). For this reason, one should consider using a POST method whenever sensitive information is involved. A POST method passes the form parameters in the body of the HTTP request to the web server. The POST method is enforced in Oracle Demantra from version 12.2.5.1 by blocking the GET method. Many customers call Demantra workflows via one of the above-mentioned methods. After upgrading to Oracle Demantra 12.2.5.1 or above, these calls to workflows will stop working, and the new call process should be implemented.

It is the responsibility of the Customer/System Integrator to implement these changes.
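
Because a GET request carries these parameters in the request target, they are also written to web server access logs. The following added Python example (not part of the white paper) scans access-log lines for GET calls to WorkflowServer that carry user or password, lists the callers that still need to move to POST, and redacts the values; the log lines and the audit function are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, quote

# Constructed sample lines in NCSA combined log format (not from the paper).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2016:02:00:01 +0000] "GET /Demantra/WorkflowServer?action=run_proc&user=dm&password=xyz&schema=RunEngineWF HTTP/1.1" 200 12 "-" "Java/1.7"
10.0.0.9 - - [01/Mar/2016:02:05:10 +0000] "POST /Demantra/WorkflowServer HTTP/1.1" 200 12 "-" "Oracle UTL_HTTP"
10.0.0.7 - - [01/Mar/2016:02:07:44 +0000] "GET /Demantra/portal/login.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Mar/2016:03:00:01 +0000] "GET /Demantra/WorkflowServer?action=run_proc&user=dm&password=xyz&schema=EBS%20Full%20Download HTTP/1.1" 200 12 "-" "Java/1.7"
"""

# client address, HTTP method and request target of one log line
REQUEST = re.compile(r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
SENSITIVE = {"user", "password"}  # parameter names taken from the paper's URL


def audit(log_text):
    """Return (findings, redacted_log) for GET calls to WorkflowServer
    that expose credentials in the query string."""
    findings, redacted = [], []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if m and m["method"] == "GET":
            parts = urlsplit(m["target"])
            params = parse_qsl(parts.query, keep_blank_values=True)
            leaked = sorted({k for k, _ in params if k.lower() in SENSITIVE})
            if parts.path.endswith("/WorkflowServer") and leaked:
                findings.append({
                    "client": m["client"],                       # caller to migrate
                    "schema": dict(params).get("schema", ""),    # workflow name
                    "leaked": leaked,
                })
                # Rewrite the line with credential values masked.
                safe = urlencode(
                    [(k, "REDACTED" if k.lower() in SENSITIVE else v) for k, v in params],
                    quote_via=quote,
                )
                line = line.replace(m["target"], parts.path + "?" + safe, 1)
        redacted.append(line)
    return findings, "\n".join(redacted)


if __name__ == "__main__":
    found, clean = audit(SAMPLE_LOG)
    for f in found:
        print(f)
    print(clean)
```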
UTL_HTTP

UTL_HTTP is a package that makes HTTP callouts from PL/SQL; it must adopt the POST method to work. Below is an example of a wrapper procedure that enables UTL_HTTP to use the POST method:
CREATE OR REPLACE PROCEDURE POST_URL_HTTP(http_url        IN VARCHAR2,
                                          http_url_params IN VARCHAR2,
                                          http_resp       OUT NOCOPY VARCHAR2) AS
  req             UTL_HTTP.req;
  resp            UTL_HTTP.resp;
  -- Content-Length is counted in bytes, not characters
  length_in_bytes NUMBER := LENGTHB(http_url_params);
BEGIN
  req := utl_http.begin_request(http_url, 'POST');
  -- The parameters travel in the request body as a URL-encoded form
  utl_http.set_header(req, 'Content-Type', 'application/x-www-form-urlencoded;charset=UTF-8');
  utl_http.set_header(req, 'Content-Length', length_in_bytes);
  utl_http.write_text(req, http_url_params);
  resp := utl_http.get_response(req);
  -- Read the first line of the response into the OUT parameter
  utl_http.read_line(resp, http_resp, true);
  utl_http.end_response(resp);
EXCEPTION
  WHEN utl_http.end_of_body THEN
    utl_http.end_response(resp);
END POST_URL_HTTP;
/
In case of an ACL permission related error after running the procedure, the user must perform the following:

1. If needed, update the 'AppServerURL' parameter:

   UPDATE SYS_PARAMS SET PVAL = '<application server URL>' WHERE PNAME = 'AppServerURL';
   COMMIT;

2. Run GRANT_HTTP_TO_DEMANTRA.sql:

   @GRANT_HTTP_TO_DEMANTRA.sql ACL_DEFAULT ACL_DEFAULT ACL.log

3. Restart the Application Server

Similarly, if EBS is involved, the custom procedure can be registered as a concurrent program in EBS which accepts the workflow name as a parameter. Using this concurrent program, any Demantra workflow can be launched, so there is no need to log in to Workflow Manager.
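
An integrator moving a legacy GET call to the wrapper above has to split the old URL into its two inputs, the bare endpoint (http_url) and the form-encoded parameters (http_url_params). The following added Python example (not part of the white paper) performs that split and renders the resulting request without sending it; get_url_to_post and render_request are hypothetical names.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode, quote

# Legacy GET URL in the form shown in the paper.
LEGACY = ("http://myserver.com:8080/Demantra/WorkflowServer"
          "?action=run_proc&user=dm&password=xyz&schema=EBS%20Full%20Download")


def get_url_to_post(legacy_url):
    """Split a legacy GET URL into the bare endpoint, a form-encoded
    body and the headers a POST request needs."""
    parts = urlsplit(legacy_url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    if not params:
        raise ValueError("URL carries no query parameters to move into the body")
    # Endpoint keeps scheme, host and path; query string and fragment are dropped.
    endpoint = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    body = urlencode(params, quote_via=quote).encode("utf-8")
    headers = {
        "Content-Type": "application/x-www-form-urlencoded;charset=UTF-8",
        "Content-Length": str(len(body)),  # byte count, like LENGTHB in the wrapper
    }
    return endpoint, body, headers


def render_request(endpoint, body, headers):
    """Render the HTTP/1.1 message as bytes for inspection (nothing is sent)."""
    parts = urlsplit(endpoint)
    head = [f"POST {parts.path} HTTP/1.1", f"Host: {parts.netloc}"]
    head += [f"{name}: {value}" for name, value in headers.items()]
    return "\r\n".join(head).encode("ascii") + b"\r\n\r\n" + body


if __name__ == "__main__":
    endpoint, body, headers = get_url_to_post(LEGACY)
    print(render_request(endpoint, body, headers).decode("ascii"))
```

The request line and headers, which are what access logs record, no longer contain the user or password; only the body does.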
URL

When a customer executes the URL in a web browser, the request is sent with the GET method by default. As mentioned before, the GET method is blocked. The solution is to turn on the parameter JSPGetAllow in Business Modeler.

For security reasons, it is highly recommended not to turn on this parameter and to use the other alternatives described in this paper instead.
EBS

Prior to 12.2.5.1, when calling a Demantra workflow from EBS using Oracle's provided concurrent program "Launch Demantra Workflow", EBS generated a URL using the GET method:

http://myserver.com:8080/Demantra/WorkflowServer?action=run_proc&user=dm&password=xyz&schema=EBS%20Full%20Download&

EBS calls to Demantra workflows have been changed to use the POST method. The new functionality can be obtained by applying patch:

21520322:R12.SCP_PF.C - VCP PATCH #1 ON TOP OF VCP 12.2.5.1
Summary

In this document I summarized the various options a customer has when running a Demantra workflow. Enhancing security and following best practice delivers secure processes. These security benefits can enable the customer to foster safeguards and adopt a stronger security policy.
Copyright © 2010, Oracle. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.