Security is like superstition. Hits are always counted while misses aren't. Recently I was asked to enhance the security measures of our Siebel eBusiness applications by tracking the IP address along with the login of the client. The first thought that came to mind was @#$@#$@# but then again why-to-fear-when-google-is-here happened. I found a lesser-heard OOB business service which returns the session variables, cookie information and much more useful stuff.
The "Web Engine HTTP TXN" business service can do the trick for you. Details of this BS are available on the support web in "TECHNICAL NOTE 317". "GetAllServerVariables" and "GetServerVariables" are the key methods here for fetching the login and IP address respectively. I followed the steps below to capture the IP address of the logged-in user.
1 - Create an action set which calls a workflow. The workflow has two steps:
- The first step calls "Web Engine HTTP TXN" with method "GetServerVariables". The input arguments to this BS should be "REMOTE_HOST" and "AUTH_USER_ID". This returns the host IP address and the logged-in user ID respectively.
- The second step uses the "Inbound E-mail Database Operations" business service with method "InsertRecord". It inserts the fetched IP address and user ID values into the desired audit table.
2 - Invoke the action set created above by using the Application Login run-time event.
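The same two steps written as one Siebel eScript function, as an added example that is not part of the original post. It assumes the function lives in a custom business service called from the Login run-time event; the "Login Audit" business object and component, their field names and the 50-character column width are hypothetical placeholders for your own audit table.

```escript
// Added example: scripted equivalent of the two workflow steps above.
// "Login Audit" (BusObj/BusComp), its fields and the width 50 are hypothetical.
function RecordLoginAudit()
{
   var app = TheApplication();
   var httpSvc = null, dbSvc = null;
   var varsIn = null, varsOut = null, recIn = null, recOut = null;
   try
   {
      // Step 1: request the two server variables named in the post.
      // Each requested variable is passed as a property with an empty value.
      httpSvc = app.GetService("Web Engine HTTP TXN");
      varsIn  = app.NewPropertySet();
      varsOut = app.NewPropertySet();
      varsIn.SetProperty("REMOTE_HOST", "");
      varsIn.SetProperty("AUTH_USER_ID", "");
      httpSvc.InvokeMethod("GetServerVariables", varsIn, varsOut);

      var ip   = varsOut.GetProperty("REMOTE_HOST");
      var user = varsOut.GetProperty("AUTH_USER_ID");

      // Always write an audit row: store a marker instead of skipping
      // the insert when the web engine returns nothing for a variable.
      if (ip == null || ip == "") ip = "UNKNOWN";
      if (user == null || user == "") user = app.LoginName(); // assumed fallback
      ip = ip.substring(0, 50); // keep within the assumed column width

      // Step 2: insert the values into the audit business component.
      dbSvc  = app.GetService("Inbound E-mail Database Operations");
      recIn  = app.NewPropertySet();
      recOut = app.NewPropertySet();
      recIn.SetProperty("BusObj", "Login Audit");
      recIn.SetProperty("BusComp", "Login Audit");
      recIn.SetProperty("Field: Login Name", user);
      recIn.SetProperty("Field: IP Address", ip);
      dbSvc.InvokeMethod("InsertRecord", recIn, recOut);
   }
   finally
   {
      // Release object references, as is usual in eScript.
      recOut = null; recIn = null; varsOut = null; varsIn = null;
      dbSvc = null; httpSvc = null; app = null;
   }
}
```

When the web server sits behind a load balancer or reverse proxy, REMOTE_HOST holds that device's address rather than the client's, so check what the variable contains in your topology before relying on the audit rows.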
This business service is extensively used for session management and cookie handling. Digging deeper will reveal the true power of this BS.
Happy Securing!!
9 comments:
Nice post! With your approval, may I add this to the Business Service series on Siebel Essentials?
I LAU the way you detailed this BS, this helps
Thanks a lot Rahul, finally got it working and able to fetch all the required values. After some trial & error
DKS
For successful login attempts you need not use the BS mentioned in this blog. Look at the
http://docs.oracle.com/cd/B40099_02/books/ContentPub/ContentPub_UsageCollect2.html
For failed login attempts there is currently no solution to capture the details.
Vaibhav,
Thanks for the comment. In order to use the above log, you need to enable content management workflows, while this BS can be used for a lot of things.
Regards,
-Rahul-
Rahul,
Agree that the BS does give more info than just the IP address.
Secondly, I just want to clarify my comment about "Capturing Failed Login": when I wrote "No solution", what I meant is that we can get the details from the "Web Engine Interface" BS -- "Request" method, but it's not recommended as it will hit the performance of the application very badly, hence it's not the right solution.
Vibhav Kelkar
Vibhav,
I am not sure how taxing it is on the system. It depends on its implementation. This BS is frequently used to set/retrieve cookies in real-life scenarios. You can find an elaborate example in tech note 317 on the support web.
Regards,
-Rahul-