Calling Demantra

Workflow using HTTP

POST method in Oracle
Demantra 12.2.5.1 and
up
An Oracle White Paper
March 2016
Demantra Development
 Calling Demantra Workflow using HTTP POST
method in Oracle Demantra 12.2.5.1 and up

OVERVIEW ............................................................................................................................................................. 3
UTL_HTTP .............................................................................................................................................................. 4
URL ........................................................................................................................................................................ 5
EBS ........................................................................................................................................................................ 6
SUMMARY ............................................................................................................................................................. 6
Overview
All Demantra customers today use workflows by calling workflow in these 4
manners:

1. Directly from the Demantra Workflow Manager

2. Calling a Workflow from a PL/SQL scripts

3. Calling a Workflow via URL

4. Calling a Workflow from EBS

This white paper describes some of the new security measures implemented in
Oracle Demantra 12.2.5.1 as part of Oracles continuous security assertion, and
focuses on 3 types of workflow callouts: UTL_HTTP, URL and EBS.

GET is one of many request methods supported by the HTTP protocol.

If a GET method is used, the form parameters are encoded in the URL in what is
called query string.

The form parameter can be anything, and in the case of workflow they would be
the username and password to authenticate connection.

For example:

http://myserver.com:8080/Demantra/WorkflowServer?action=run_proc&u
ser=dm&password=xyz&schema=RunEngineWF

In the GET method above, all the parameters are visible (user, password, and
schema). For this reason, one should consider using a POST method whenever
sensitive information is involved.

A POST method passes the form parameters in the body of the HTTP request to
the web server. The POST method is enforced in Oracle Demantra from version
12.2.5.1 by blocking GET method.

Many customers used to call Demantra workflows via one of the above
mentioned methods, after upgrading to Oracle Demantra 12.2.5.1 or above, the
calls to Workflows will stop working, and the new call process should be
implemented.
 This is the responsibility of the Customer/ System Integrator, to implement these
changes.

UTL_HTTP
UTL_HTTP () is a package that makes HTTP callouts from PL/SQL and must
adopt POST method to work.

Below is an example of wrapper function to enable UTL_HTTP to use POST

method that can be used to implement this need:

PROCEDURE POST_URL_HTTP(http_url IN VARCHAR2, http_url_params IN

VARCHAR2, http_resp OUT NOCOPY VARCHAR2) AS
req UTL_HTTP.req;
resp UTL_HTTP.resp;
length_in_bytes NUMBER := LENGTHB(http_url_params);
begin
req := utl_http.begin_request(http_url, 'POST');
utl_http.set_header(req, 'Content-Type', 'application/x-
www-form-urlencoded;charset=UTF-8');
utl_http.set_header(req, 'Content-Length',
length_in_bytes);
utl_http.write_text(req, http_url_params);
resp := utl_http.get_response(req);
utl_http.read_line(resp, http_resp, true);
utl_http.end_response(resp);
exception
when utl_http.end_of_body then
utl_http.end_response(resp);

In case of ACL permission related error after running the procedure, the user must
perform the following:

1. If needed, Update 'AppServerURL' parameter:

UPDATE SYS_PARAMS SET PVAL =

<http://customer_url:port/demantra>
 WHERE PNAME = 'AppServerURL';
COMMIT;

2. Run GRANT_HTTP_TO_DEMANTRA.sql

@GRANT_HTTP_TO_DEMANTRA.sql <schema_name> ACL_DEFAULT

ACL_DEFAULT ACL.log

3. Restart Application Server

Similarly if EBS is involved, the custom procedure can be registered as a concurrent

program in EBS which accepts workflow name as a parameter. Using this
concurrent program any Demantra workflow can be launched thus no need to log in
to workflow manager.

URL
When customer executes the URL in a web browser, by default request is called
with GET method.

As mentioned before GET method is blocked.

The solution is to turn on parameter JSPGetAllow in Business Modeler.

 It is highly recommended, due to security reasons, not to turn on this
parameter and use other alternatives described in this paper.

EBS
Prior to 12.2.5.1, when calling Demantra workflow from EBS using Oracles
provided concurrent program Launch Demantra Workflow, EBS has generated
URL using GET method:
http://myserver.com:8080Demantra/WorkflowServer?action=run_pr
oc&user=dm&password=xyz&schema=EBS%20Full%20Download&

EBS calls to Demantra workflows has been changed to use the POST method.
The new functionality can be obtained by applying patch:
21520322:R12.SCP_PF.C - VCP PATCH #1 ON TOP OF VCP 12.2.5.1

Summary
In this document I summarized the various options customer has when running
Demantra workflow. Enhancing security and following best practice delivers
secure processes.
These security benefits can enable customer to foster safeguard and adopt
stronger security policy.

Calling Demantra Workflow using HTTP POST method in Oracle Demantra 12.2.5.1 and up
March 2016
Authors: Demantra Development
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
U.S.A.

Worldwide Inquiries:
Phone: +1.650.506.7000, Fax: +1.650.506.7200
oracle.com

Copyright 2010, Oracle. All rights reserved.

This document is provided for information purposes only and the contents hereof are subject to change without notice.
This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied
in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any
liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be
reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.

Oracle is a registered trademark of Oracle Corporation and/or its affiliates.

Other names may be trademarks of their respective owners.