Blog dedicated to Oracle Applications (E-Business Suite) Technology; covers Apps Architecture, Administration and third party bolt-ons to Apps

Monday, August 6, 2007

Apps 11i login and logout flow

I have tried to bisect the login flow of Apps 11i here.

First step is URL: http://www.justanexample.com:8080

Once you type or use your browser favorites button to navigate to this URL,

1. The request goes from your browser,

2. The name www.justanexample.com is resolved to an IP, first by referring to c:\windows\system32\drivers\etc\hosts file on your Windows PC, and then by querying the DNS server.

3. Once the IP address is obtained, the request travels over TCP/IP protocol on network and connects to port 8080 on which Apache Server is running.

4. Apache server then displays the Oracle Applications Rapid Install Portal page ($COMMON_TOP/portal/$CONTEXT_NAME/index.html) which has links for Rapid Install Setup home, Apps Logon links(aplogon.html), 11i online help, and machine admin scripts on the left sidebar(appdet.html).

5. When you click on Apps Logon links, it shows links for Oracle E-Business Home Page and OAM on the right pane.

6. Once you click on the Oracle E-Business Home Page link, the request is forwarded by Apache to Jserv. Jserv sends it to Appslogin servlet

7. AppsLogin servlet

The AppsLogin servlet supercedes older Release 11i login mechanisms and certain product-specific login pages. The AppsLogin servlet detects the login mode by reading the "Applications SSO Type" profile option for the current Oracle E-Business Suite Release 11i instance and transparently redirects to the appropriate login page.

  • Scenario 1: AppsLogin running on a Release 11i instance configured for Self-Service Web Applications (SSWA) will authenticate the user via the AppsLocalLogin.jsp page, and then redirect to the configured home page specified in the Self Service Personal Home Page mode profile option.
  • Scenario 2: AppsLogin running on a Release 11i instance configured for Single Sign-On will redirect to the Single Sign-On 10g login page for user authentication, and then redirect to the configured home page specified in the Self Service Personal Home Page mode profile option.
  • Scenario 3: AppsLogin running on a Release 11i instance configured for Single Sign-On and Portal will redirect to Single Sign-On 10g login page for user authentication, and then redirect to the default Portal home page.


/oa_servlets/Appslogin servlet
Gets WebAppsCOntext
Sets requestURL = APPSHOMEPAGE unless passed as a parameter.
Sets cancelUrl = oracle.apps.fnd.sso.SSOManager.getLoginUrl(); unless passed as a parameter.
This finds profile option APPS_SERVLET_AGENT (Apps Servlet Agent) and returns error if it cannot get this profile option.
Sets variable "url" using oracle.apps.fnd.sso.SSOManager.getLoginRedirectUrl
sets Mode using Utils.getSSOMode()
which gets profile option APPS_SSO (Applications SSO Type) SSWA is set by default if not profile option.
Depending on mode, sets url = LOCAL_LOGIN | SSO_LOGIN_REDIRECT | PORTAL
if SSWA = SSOUtil.getLocalLoginUrl()
This gets profile option APPS_LOCAL_LOGIN_URL (Applications Local Login URL) (AppsLocalLogin.jsp for example) and prepends '/OA_HTML/'
if PORTAL = SSOUtil.getPortalUrl()
This gets profile option APPS_PORTAL (Applications Portal) This is full URL normally pointing to /pls/XXX_portal30/portal30.home
Then calls "constructUrl" to determine the URL to return, which builds URL consisting of url, requestURL, cancelURL, errCode, langCode, errText and home_url parameters
If "url" is null, then returns FND-9930 error code, otherwise will redirect to the constructed URL
At this point, we have got as far as rendering the Username/PAssword entry screen... /OA_HTML/AppsLocalLogin.jsp or portal30.home

/OA_HTML/AppsLocalLogin.jsp
Gets Profile options FND_BRANDING_SIZE (FND: Branding Size) and ICX_LANGUAGE (ICX: Language)
Sets up some message text (Message.class) Uses Package FND_MESSAGE.GET_MESSAGE_INTERNAL ()
Once we click "Login" button we follow through as below:-


fndvald.jsp
Utils.getConnection() - this throws FND-9902 if cannot get DB connection.
SessionMgr.createAppsSession which itself calls wctx.getSessionManager().validateLogin followed by createSession if username.password validated OK.
There is some STATEMENT level diagnostics messages from here (for oracle.apps.fnd.sso.SessionMgr)
Gets Cookie name from dbc file ICX_COOKIE_NAME or otherwise calls package FND_SESSION_MANAGEMENT.getsessioncookiename
Creates SSO Cookie for new user session
If requestURL = APPSHOMEPAGE it calls SSOUtil.getHomePage otherwise just passes requestURL through...
This calls computeURL, which looks for profile option APPLICATIONS_HOME_PAGE (Self Service Personal Home Page mode)
Runs getEnvStore90.getEnv(ICX_PV_SESSION_MODE) which I dont understand... but seems to be 115P | 115J ?
If APPLICATIONS_HOME_PAGE = "PHP" or "PHP_FWK" then will set URL = PLSQL_AGENT/OracleNavigate.Responsibility
else (for example "FWK") will set URL = "/OA_HTML/OA.jsp?OAFunc=OAHOMEPAGE&dbc=" + AppsAgent.getDBC()


OA.jsp
oracle.apps.fnd.framework.webui.OAPageBean.class
oracle.apps.fnd.framework.webui.OAJSPHelper
Uses OAJSPHelper to set character encoding for the session, mainly by getting ICX_CLIENT_IANA_ENCODING (ICX: Client IANA Encoding) profile option
Then sets redirectURL = pageBean.preparePage
Sets flag for Portlet or not
Sets functionName from the parameters in the URL (OAHOMEPAGE for example, if URL param is ?OAFunc=OAHOMEPAGE)
Sets redirectURL = preparePage() method... this calls "redirectURL = validateUser()" but I think this should return null if I have logged in (this seems to be to do with bookmarkable URLs)
sets funcURL = createRFURL()
This does some session validation, then calls OAPageContextImpl.createRFURL
Which calls FunctionSecurity.getFunction and Function.getFunction...
This bit runs SQL to find FunctionID "select function_id from fnd_form_functions where function_name = :1"
Then "select function_name, context_dependence, maintenance_mode_support, parameters, type, web_agent_name, web_host_name, web_html_call, web_icon, form_id from fnd_form_functions where function_id = :1"
For OAHOMEPAGE the following will be set
web_html_call = "OA.jsp?page=/oracle/apps/fnd/framework/navigate/webui/HomePG&homePage=Y&OAPB=FWK_HOMEPAGE_BRAND"
type = "JSP"
isOAFCall is set to TRUE (as the URL has OA.jsp in the URL)
funcCall = web_html_call
hasTransactionId = FALSE
so adds "&transactionid=xxx" to the funccall then returns this as the new url
This new URL is returned to OA.jsp as the redirectURL, so we call OA.jsp with some different parameters.....

By now, we should have URL something like:
OA.jsp?page=/oracle/apps/fnd/framework/navigate/webui/HomePG&homePage=Y&OAPB=FWK_HOMEPAGE_BRAND&transactionid=xxxxxxx
Back into "redirectURL = pageBean.preparePage()"
regionCode = OAPageContextImpl.getUrlParameter(request, "page") (page=/oracle/apps/fnd/framework/navigate/webui/HomePG)
//Get the application module java class from AK.
OAApplicationModule staticAppMod = OAJSPApplicationRegistry.getStaticAKApplicationModule(mRequest);
This creates AM called "oracle.apps.fnd.framework.server.OAApplicationModule" with DB connection.
Creates MDS context, seems to have handles to MDS repository.
Gets page region, using WebBeanTypeData, from MDS repository.
Gets transaction_ID
Get profile option "FND_FORCE_PAGE_REFRESH"
Get profile option "FND_CUSTOM_OA_DEFINTION"



portal30 HOME procedure
Does a owa_util.redirect_url to wwpob_page_util.get_page_url (wrapped PLSQL)



Check versions
Java
(adident Header $OA_JAVA/)
oracle/apps/fnd/sso/AppsLogin.class
oracle/apps/fnd/sso/SSOManager.class
oracle/apps/fnd/sso/Utils.class
oracle/apps/fnd/sso/SSOUtil.class
oracle/apps/fnd/common/Message.class
oracle/apps/fnd/sso/SessionMgr.class
oracle/apps/fnd/common/WebAppsContext.class
oracle/apps/fnd/framework/webui/OAPageBean.class
oracle/apps/fnd/framework/webui/OAJSPHelper.class
oracle/apps/fnd/framework/webui/OAWebBeanConstants.class
oracle/apps/fnd/framework/webui/OAPageContextImpl.class
oracle/apps/fnd/framework/OAFwkConstants.class
oracle/apps/fnd/functionSecurity/Function.class

oracle/apps/fnd/framework/mds/OAMDSContextUtils.class


JSP
(adident Header $OA_HTML/)
AppsLocalLogin.jsp
fndvald.jsp
OA.jsp


Logout flow

Logging out from Apps 11i

Logging out starts with the logout link on the framework page. This comes from the function "ICX_LOGOUT" call from the global menu ICX_GLOBAL_MENU
/OA_HTML/OALogout.jsp

This calls SSOManager.java which sets the logoutURL = "/oa_servlets/oracle.apps.fnd.sso.AppsLogout" then OALogout.jsp redirects to this URL
AppsLogout.java

Calls "oracle.apps.fnd.sso.SSOManager.getLogoutRedirectUrl" to determine URL which it then redirects to SSOManager.java

getLogoutRedirectUrl checks the ICX_SESSIONS.MODE_CODE of the session (whether SSWA or PORTAL) 115P = SSWA
This determines whether to use
LOCAL_LOGOUT (AppsLocalLogout.jsp)
or
SSO_LOGOUT_REDIRECT (oracle.apps.fnd.sso.FNDSSOLogoutRedirect)
AppsLocalLogout.jsp

If no "returnURL" is passed in and APPS_SSO_POSTLOGOUT_HOME_URL is not set, then it calls SSOUtil.getLocalLoginUrl (However see bug Bug 6175894 below)
SSOUtil.java

getLocalLoginUrl picks up the profile option APPS_LOCAL_LOGIN_URL (AppsLocalLogin.jsp) and redirects
PHP Logout Flow

1. "GET /OA_HTML/OALogout.jsp?menu=Y HTTP/1.1" 302 271
2. "GET /oa_servlets/oracle.apps.fnd.sso.AppsLogout HTTP/1.1" 302 296
3. "GET /OA_HTML/AppsLocalLogout.jsp?returnUrl=/OA_HTML/AppsLocalLogin.jsp?cancelUrl=/OA_HTML/AppsLocalLogin.jsp HTTP/1.1" 302 331
4. "GET /OA_HTML/AppsLocalLogin.jsp?cancelUrl=/OA_HTML/AppsLocalLogin.jsp&langCode=US&username=SYSADMIN HTTP/1.1" 200 8443

SSO Logout Flow

1. "GET /OA_HTML/OALogout.jsp?menu=Y HTTP/1.1" 302 267
2. "GET /oa_servlets/oracle.apps.fnd.sso.AppsLogout HTTP/1.1" 302 345
3. "GET /oa_servlets/oracle.apps.fnd.sso.FNDSSOLogoutRedirect?returnUrl=http%3A%2F%2FmyHost.uk.oracle.com%3A80%2Fo a_servlets%2Foracle.apps.fnd.sso.AppsLogin%3FlangCode%3DUS HTTP/1.1" 302 385
4. "GET /OA_HTML/SSOAppsLogout.jsp HTTP/1.1" 200 209
5. "GET /oa_servlets/oracle.apps.fnd.sso.AppsLogin?langCode=US HTTP/1.1" 302 444
6. "GET /oa_servlets/oracle.apps.fnd.sso.FNDSSOLoginRedirect?requestUrl=APPSHOMEPAGE&cancelUrl=http%3A%2F%2FmyHost.uk.oracle.com%3A80%2Foa_servlets%2Foracle.apps.fnd.sso.AppsLogin&langCode=US&s=93DE6C66677A82FC0DB9AEC95EDD0A5AF37A949D37 HTTP/1.1" 302 684

Related Profile options

* Applications Login Server Logout (APPS_LS_LOGOUT) Default = null
* Applications Portal Logout (APPS_PORTAL_LOGOUT) Default = null
* Applications SSO Post Logout URL (APPS_SSO_POSTLOGOUT_HOME_URL) Default = null
* Applications Local Login URL (APPS_LOCAL_LOGIN_URL) Default at Site level = AppsLocalLogin.jsp)

28 comments:

Manish said...

Vikram,
I wonder if it would be possible to increase the width of text area in your blog. Reading narrow column style is a painful experience.

Looking forward to full analysis of the logon process. Keep up the good work.

Vikram said...

Hi Manish,

I'll explore the templates given by blogger and see if I can use a broader format.

Thanks for the feedback.

- Vikram

Manish said...

Much better now, thanks.

Navin said...

Hi Vikram

I am trying to get Abbot working with Oracle ERP to do integration testing. Abbot works well with Java swing based applications/applets.

The trouble is I do not know which class gets called as the entry point to the application as well as what parameters I should pass or actions I should take in order to "login" It would be great if I could bypass all the html/javascript/servelet stuff that happens as you have outlined and go directly to the point where the java swing application starts.

--Navin

Atul Kumar said...

Vikram,
Nice post and nicely explained. Keep up good work.

Atul Kumar
http://becomeAppsDBA.blogSpot.com

Vikram said...

Hi Atul,

Thank you for the compliment. Your blog was the first one I found when I was looking for Apps questions for conducting an interview. I knew about your blog even before learning about Steven Chan's blog. I have given it to many people interested in becoming Apps DBAs.

- Vikram

vchauviere said...

Hi,

Is it possible to change OA standard Home Page ?
Can I change for example "web_htm_call" for the OAHOMEPAGE form function, with a html static page ?

Tanks for your help.
Regards,

Vincent.

vchauviere said...

Hi,

Is it possible to change OA standard Home Page ?
Can I change for example "web_htm_call" for the OAHOMEPAGE form function, with a html static page ?

Tanks for your help.
Regards,

Vincent.

Vikram said...

Hi Vincent,

I have never tried it. You could try changing the default value in the table fnd_form_functions:

SQL> select WEB_HTML_CALL from fnd_form_functions
2 where FUNCTION_NAME='OAHOMEPAGE';

WEB_HTML_CALL
--------------------------------------------------------------------------------
OA.jsp?page=/oracle/apps/fnd/framework/navigate/webui/HomePG&homePage=Y&OAPB=FWK
_HOMEPAGE_BRAND

Search for web_html_call in Metalink Note 236618.1, to get some pointers on OA framework personalization.

- Vikram

Yura said...

Thanks for sharing this info. Quite usefull!

I was digging thru fnd login code, trying to implement 3-rd party authentication.
Was wondering the purpose of ICX session cookie. Thought originally it is for portal-sso. But looks like it's just for better security?

Anonymous said...

Hi Vikram,

Wonderful explanation, i was looking for this kind of flow explanation on the net. Luckily i have found it here.

I get this " Servlet agent is not set" when i try to log off from 11i
instance which is recently cloned.
We put it down for some times ago where it was running fine. But after running again it gives this
error when we try to log off.

Best Regards,
ibnhussain

ibnhussain said...

Hi,

Thanks for wonderful explanation.
i get this erro when we log off
from 11i instance.

Servlet agent is not set.

Please help

Vikram Das said...

Hi ibnhussain,

Please check the value of profile option APPS_SERVLET_AGENT. You can check this through the query:

select fnd_profile.value('APPS_SERVLET_AGENT') from dual;

In one of our instances the following solved the problem, so you may try it at your own risk:

Do an FNDLOAD upload of file $FND_TOP/patch/115/import/US/b3664848.ldt like this:

FNDLOAD apps/< apps_pwd> 0 Y UPLOAD $JTF_TOP/patch/115/import/jtfprefabcache.lct $FND_TOP/patch/115/import/US/b3664848.ldt

Run the following sql :

select loader_class_name , compe_name from jtf_prefab_ca_comps_b where
application_id = 0 and comp_name like 'PROFILE_%';

This should result in 2 records:

PROFILE_OPTION_CACHE oracle.apps.fnd.profiles.ProfileOption

PROFILE_OPTION_VALUE_CACHE oracle.apps.fnd.profiles.ProfileOptionValue

Bounce apache and retest

- Vikram

Anonymous said...

Hi Vikram,

You have explained the flows very nicely. its really very good for understanding.
But i would like to just put on one question like
1) when our apache server is up and running first we will get the default rapid install portal page and then we get the login links page....i just wanted to know from where these default pages are fetched by apache server ? and what are the names of these default page files?

Please do reply...
Yogesh Varma

Vikram Das said...

Hi Yogesh,

The default Rapid Install portal page is $COMMON_TOP/portal/$CONTEXT_NAME/index.html. This page has references to aptitle.html, applist.html, apdet.html.

applist.html further refers to aplogon.html.

Hope this answers your question.

- Vikram

Anonymous said...

Hi,

I want to change the profile "Applications Local Login URL" from "AppsLocalLogin.jsp" from
"AppsLocalLogin.jsp?LangCode=US". The idea is it should default to English rather picking the language from the regional settings.

When I set this it takes to the page http://xx.domain:port/oa_servlets/AppsLogin?langcode=US

But when I changed the $COMMON_TOP/portal/TEST_instance/aplogon.html file to point to
http://xx.domain:port/OA_HTML/AppsLogin?langcode=US
It works fine, how do I change the profile option stated above and make it to point to http://xx.domain:port/OA_HTML/AppsLogin?langcode=US
instead of
http://xx.domain:port/oa_servlets/AppsLogin?langcode=US

Vikram Das said...

Hi Anonymous,

You need to change the context file variable s_login_page to http://xx.domain:port/OA_HTML/AppsLogin?langcode=US

and run autoconfig.

- Vikram

Antenado said...

Hi there!

I need custom a new page in Oracle iProc 11.5.8. See, I created a new JSP page and can't access, for sample:

http://serverxxx:18000/OA_HTML/ninecon.jsp

In this page I can't get Profiles, Responsibity, Organizations and more.

Somebody help me, please?

Sorry, my english not is good.
Thank you very much.

Ronald said...

What is the login flow for 11.5.10.cu2?

Anonymous said...

buick lacrosse cxl eletrica car car in sales used auto nav direct firstcoast mini choppers

amitkahlawat said...

Hi Vikram,

Very nice and helpful blog!!

Want to know if temporary , we can change the apps login link.The resion behind this is to avoid all users(except some set of uses) to access the EBSO.

Thank!

vasu kaluri said...

I am trying to convert our 6i forms to 11g forms and reports. I am connecting forms using wallet connection and ldap connection validates user validation.It looks like run_report_object works only when we actualy pass username password and connect string.
If I define username, password and connect string in formsweb.cfg file run_report_obect works fine. If I use wallet connection to connect forms run_report_object is not able to connect database.

I personally did not like storing username, password values in cfg file, because developer can get password by using get_application_property(password) in any of the form which is a security threat.

What is the standrad practice to avoid this problem?

Anonymous said...

Hi Vikram,

We have implemented SSO integration with EBS and AD. We have enabled WNA for AD users.

We have issue with EBS logout page.

In Detail: We are able to login EBS but we are unable to logout, when press EBS logot it will get login once again into EBS.

Could you please help me to know whether logout will work for SSO? if yes then how I can fix this issue.

Thanks in advance,

Regards
Shashidhar

Anonymous said...

Hi Vikram,

We have implemented SSO integration with EBS and AD. We have enabled WNA for AD users.

We have issue with EBS logout page.

In Detail: We are able to login EBS but we are unable to logout, when press EBS logot it will get login once again into EBS.

Could you please help me to know whether logout will work for SSO? if yes then how I can fix this issue.

Thanks in advance,

Regards
Shashidhar

Black N Blue said...

Hi Vikram,

Is there a way to redirect a user to a specific OAF page after they successfully login? (Essentially, they will by pass the homepage.)

Thanks,

Dwayne

Unknown said...

Hi Vikram,
Very useful blog to understand end-to-end connection flow in 11.5.10.2.
Appreciate if you can provide us insight R12 connection flow.

Thanks,
Niranjan

Gopi said...

Hi,

Is there any way to redirect the Logout url to custom url.

I tried to pass the below url for Oracle login page with cancelUrl.

https://tlogistics.power-one.com/OA_HTML/fndvald.jsp?username=iatp&password=Oracle123&langCode=US&&cancelUrl=https://tlogistics.power-one.com/ilogin&&requestUrl=APPSHOMEPAGE


Once access the above url the oracle home page will be display. In that i click on Logout button its redirect to oracle login page. Instead of that i need to redirect to our custom screen when Logout.

So I just pass parameter in the name of cancelUrl (cancelUrl=https://tlogistics.power-one.com/ilogin). This my custom login page.

If you know its very helpful for me.

Thanks,
Gopi

Gopi said...

Hi,

Is there any way to redirect the Logout url to custom url.

I tried to pass the below url for Oracle login page with cancelUrl.

https://tlogistics.power-one.com/OA_HTML/fndvald.jsp?username=iatp&password=Oracle123&langCode=US&&cancelUrl=https://tlogistics.power-one.com/ilogin&&requestUrl=APPSHOMEPAGE


Once access the above url the oracle home page will be display. In that i click on Logout button its redirect to oracle login page. Instead of that i need to redirect to our custom screen when Logout.

So I just pass parameter in the name of cancelUrl (cancelUrl=https://tlogistics.power-one.com/ilogin). This my custom login page.

If you know its very helpful for me.

Thanks,
Gopi