Thursday, March 23, 2023

Fluid Page Naming Conventions

Best practices are an essential part of our curriculum. When creating Fluid pages, we recommend the following page name pattern:

<site-prefix><purpose><page-type>

For example, when creating a Fluid subpage to manage widgets, we would name it JSM_WIDGETS_SBF. Here is a list of page-type suffixes derived from Oracle-delivered pages:

  • FL: Fluid Page
  • SBF: Subpage Fluid
  • SCF: Secondary Page Fluid
  • SFL: Side Page (1 or 2)
  • FFL: Footer Page
  • LFL: Layout Page

But four more page types aren't used enough to have a suffix pattern: Header Page, Search Page, Prompt Page, and Master&Detail Target Page. For those page types, we've come up with our own suffixes:

  • HFL: Header Page
  • SRF: Search Page
  • PFL: Prompt Page
  • MDF: Master&Detail Target Page

For the most part, the convention is easy to understand. First initial of page type, and then FL. But what about SRF? Where did that come from? There are four page types that start with the letter S. Adding the R after the S looked more like Search than any of the other options we considered.

With Classic already having the suffixes SEC, SUB, and POP, we have suffixes for every page type except Classic standard pages. Should we, therefore, adopt _CL for Classic pages? PeopleSoft uses exception-based design. For example, the page bar is on until you turn it off, and the standard component toolbar is on until you turn it off. Changing these properties would be exceptions. Naming conventions are no different. Our naming conventions document the exceptions. With over 12,000 Classic pages in HCM, Classic is clearly the norm, and everything else is an exception.

What do you think? Do you have different naming conventions you use for page development? If so, share your ideas in the comments!

At JSMpros, we teach PeopleSoft Fluid training and best practices regularly. We look forward to hosting you in a future class!

Friday, February 24, 2023

Does Event Mapping Apply to Content References?

Help! My Event Mapping code isn't firing! Because this happens occasionally, I have a simple debugging process:

  1. Insert a "Hello World!" Message Box statement into my code. The point is to prove whether or not Event Mapping is properly configured. If I don't see the Message Box, then I know PeopleSoft ignored my code, and I may have a misconfiguration. If the MessageBox appears, then the configuration is correct, and the problem is in my code.
  2. If the Message Box does not appear, the next step is to confirm the correct Content Reference. We apply Event Mapping through Content References. Selecting the wrong Content Reference will keep the code from executing. This is an easy mistake to make because several Content References use the same label. Sometimes the solution is a bit of trial and error, testing various Content References until we find one that works. We can also query PeopleTools metadata to confirm we selected the correct Content Reference.

Those two steps usually identify any issues. But this time was different. First, my "Hello World" Message Box did not appear. Second, I confirmed I was using the correct Content Reference. I was puzzled. What could it be?

As I dug through the metadata, I found something interesting! There were two Content References pointing to the same menu/component combination! The point of a Content Reference is to generate a unique URL fragment. PeopleSoft Component Content References use the menu, component, and market to generate that unique URL fragment. Have you ever tried to create two content references that point to the same menu/component combination? It doesn't work. PeopleSoft won't let you save until you make the URL unique. An old trick that developers use is to add Additional Parameters. A simple "X=X" is usually enough. Or in this case, it was "Tile=Y." (Note: While there may be a reason to create a redundant Content Reference, a better approach is usually to use a Content Reference Link).

Actually, finding redundant Content References is commonplace in today's Fluid Portal Registry. Fluid's framework components, such as Activity Guides, Dashboards, and Homepages require creating Content References that all point to the same menu/component combination, with Additional Parameters identifying uniqueness. We have done extensive research on Event Mapping and found this is normally not an issue. What we found is that applying Event Mapping to any one of those redundant Content References results in Event Mapping applying to all of the Content References. The example we use in our Event Mapping course is applying Event Mapping to Tile Wizard's runtime component.

This is what puzzled me with today's scenario. I already knew there were multiple Content References pointing to the same Menu/Component combination. I've repeated this many times without issue. If I apply Event Mapping to one of those redundant Content References, all exhibit the same behavior. But this time, nothing happened. Or more appropriately, the system didn't do what I thought it should do. Upon further inspection, I found that someone else had used Page and Field Configurator to apply Event Mapping to the other Content Reference. It appears that PeopleSoft properly found Event Mapping for the menu/component combination, but the configuration it found wasn't mine. It seems that Event Mapping queries the database for the first configuration. Mine happened to be second.

I find it interesting that we configure Event Mapping through Content References, not Menu/Component combinations. Based on my experience today, and the fact that we must apply a Menu to a Component Interface to leverage Event Mapping against Component Interfaces, it seems that Event Mapping really applies to Menu/Component combinations, not Content References. What if the Event Mapping configuration asked us to select a Menu, and then gave us a list of Components attached to that menu? What if we configured Event Mapping through Menu/Component combinations, not Content References?

  • Redundant Content References would be irrelevant.
  • We wouldn't have to create Content References against hidden components simply to apply Event Mapping.
  • We wouldn't have to guess if we chose the proper Content Reference based on a label and a root folder.
  • We would know for sure that we selected the correct Menu/Component.

With that in mind, I created a new Idea in the PeopleSoft Idea Labs. If you like this idea, please upvote, share, and leave comments.

At JSMpros, we teach Event Mapping regularly. Check out our website to see what we are offering next!

Thursday, February 09, 2023

Did Event Mapping Break Your Update?

I love Event Mapping. But I have a concern:

The benefit of Event Mapping is that your customizations no longer appear on a compare report, and the problem with Event Mapping is that your customizations no longer appear on a compare report.

I know what you are thinking: "Wait, didn't he just contradict himself?" Yes! Let me explain with a scenario:

Let's say you move a customization into Event Mapping. Later you apply an update. You run a compare report and see the beautiful "change/change" with no asterisks. Perfect! You have no customized code, and therefore nothing to retrofit. And then you test the upgraded system. And you find the system is broken. Since you have no customizations identified in the compare report, you should be fine, right? If this happened to me, my first thought would be that something is wrong with the update, and I would file a support ticket. But unfortunately, Oracle support can't replicate the issue. After escalation and further analysis, Oracle discovers that custom Event Mapping is causing the problem.

I share this scenario because it is possible, but it seems like a worst-case scenario. Does it really happen? Do custom, invisible event mapping "configurations" ever break an update/get current? It turns out they do! MOS doc 2798164.1 was posted in 2021 and demonstrates this scenario.

The problem with broken Event Mapping code is that it fails just like any other code, so we can't tell that the failure was caused by Event Mapping. Event Mapping is not a configuration. It is an isolated customization.

Event Mapping is amazing! But until Oracle provides us with LCM tools that identify potential Event Mapping issues, we must perform our own analysis. Here are some options to help you catch troublesome Event Mapping:

  1. Use SQL in this blog post to create your own Event Mapping analysis.
  2. Use PTF to create Event Mapping and Page and Field Configurator Regression tests.
  3. Wrap Event Mapping in a try/catch block to log and notify.

We teach Event Mapping and PeopleSoft Test Framework regularly. Check out our website to see what we are offering next!

Thursday, January 19, 2023

See you in St Louis for Alliance 2023!



The HEUG Alliance 2023 conference begins next month! I've been reviewing the schedule, and there are some incredible sessions on the agenda.

I am presenting the following sessions:

Monday, Feb 27th

9:00 AM - 10:00 AM: PeopleSoft Fluid: Zero to Hero in 60 Minutes

1:00 PM - 2:00 PM: Getting the most out of PeopleSoft PeopleTools: Tips and Techniques

Tuesday, Feb 28th

9:00 AM - 10:00 AM: PeopleSoft Integration Strategies

See you there!

Monday, November 21, 2022

"Find Definition References" for Page and Field Configurator

A student recently asked:

Is there an Edit | Find Definition References equivalent for Page and Field Configurator?

Great question! In Application Designer, we can open a field and choose Edit | Find Definition References to find all usages of that field. Unfortunately, Page and Field Configurator does not have an equivalent. The good news, however, is Page and Field Configurator is metadata driven. In other words, we can create our own "Find Definition References" equivalent by writing SQL. Here is a short example to get you started:

SELECT *
  FROM PS_EOCC_CONFIG_FLD
 WHERE FIELDNAME = 'DESCR'

The EOCC_CONFIG_FLD record contains the Component name, Record name, and Field name, allowing us to effectively "Find Definition References" for any of those three items.

At JSMpros, we teach PeopleTools Tips like this every week. Be sure to check our website to see what we are offering next!

Tuesday, November 08, 2022

TokenChpoken


Several years ago, ERPScan published a series of articles describing PeopleSoft security attack vectors. While reading the series, keep in mind it was written nearly a decade ago, and PeopleSoft has made changes to security to mitigate the issues raised by ERPScan. For example, their article about the Access Token ends with the note, "this vulnerability was patched in Oracle CPU for October 2014." Note to self: Apply CPUs! But the topic that keeps coming up is TokenChpoken.

What is TokenChpoken?

When you authenticate (log in) to PeopleSoft, PeopleSoft sends a cookie to your browser. Thereafter, PeopleSoft identifies you by that cookie. For every request, PeopleSoft asks, "who are you?" and that cookie supplies the answer. This cookie is critical to cross-product SSO for unified navigation, Interaction Hub, etc. TokenChpoken describes how to decrypt that cookie, change the OPRID, and assume the identity of someone else. Pretty scary! But is it legitimate? As described by the TokenChpoken write-up, someone leveraging this approach must know your user ID and the SSO node name, and the node password must be discoverable through a modern brute-force attack. If you renamed your nodes and use strong passwords, you are a long way from a TokenChpoken "vulnerability." But that doesn't eliminate the potential. It is now a risk calculation.

Is TokenChpoken still relevant for today's PeopleSoft? In PeopleTools 8.56, PeopleSoft implemented a "knock knock/callback" pattern with a check token. Dan Iverson has a great write-up on this 8.56 feature. Likewise, as of 8.56, if I restart my web server while browsing PeopleSoft, PeopleSoft renders the message "unauthorized token detected." It seems like PeopleSoft now keeps a list of issued tokens in memory, and a restart clears that list. These are fantastic safeguards against a potential TokenChpoken Switch User. My thought is,

"If PeopleSoft won't accept its own token after a restart, why would it accept a modified token?"

But is this enough?

A few years ago, Colton Fischer came up with a simple way to test functionality as a different user. You log into PeopleSoft as yourself, press a bookmark in your web browser, supply the node name, node password, and the target user ID, and instantly become someone else. You may find his project here. As a developer and tester, this sounds fantastic! Through a "master password," I can assume the identity of anyone for testing purposes, of course. How does it work? It is essentially TokenChpoken in the web browser. What does that mean? TokenChpoken is alive and well.

Mitigation

As documented by Dan Iverson, setting the Check Token and node password on your nodes, as well as changing node names to something other than the default PSFT_xx, is a great start. And that start may be enough. But you might want to try Colton's bookmarklet to see if you can become someone else. If so, here is another idea: Eliminate the PS_TOKEN cookie. Eliminating the PS_TOKEN is a bit controversial as this is the "key" to PeopleSoft SSO, and it may not be the right solution for you. But here is how it works: As a request leaves a load balancer or web server, the web server/load balancer replaces PS_TOKEN with a different, randomized cookie. On re-entry, the web server/load balancer maps that random cookie to the original PS_TOKEN. PeopleSoft is unaware and functions as usual. If all of your PeopleSoft instances are behind the same load balancer and use the same domain, then SSO may work as usual, and token replacement may be a great option. If you want an off-the-shelf solution, check out Pathlock's ERP Firewall, which has built-in TokenChpoken mitigation.
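
The token replacement described above, written as the header-rewriting logic a proxy would run on each response and request. This is an added example, not code from the original post or from any product it mentions; the cookie name PSREF, the TokenMapper class and the 30-minute lifetime are assumptions.

```javascript
const { randomBytes } = require('crypto');

const OPAQUE_NAME = 'PSREF'; // assumed name for the replacement cookie

class TokenMapper {
  constructor(ttlMs = 30 * 60 * 1000) { // assumed 30-minute lifetime
    this.ttlMs = ttlMs;
    this.map = new Map(); // random reference -> { token, expires }
  }

  // Response path: swap PS_TOKEN in Set-Cookie headers for a random reference,
  // keeping the original attributes (Path, Domain, Secure, ...).
  rewriteSetCookie(headers, now = Date.now()) {
    return headers.map((h) => {
      const m = /^PS_TOKEN=([^;]*)(.*)$/.exec(h);
      if (!m) return h; // other cookies pass through untouched
      if (m[1] === '') return `${OPAQUE_NAME}=${m[2]}`; // logout: expire the reference
      const ref = randomBytes(32).toString('hex');
      this.map.set(ref, { token: m[1], expires: now + this.ttlMs });
      return `${OPAQUE_NAME}=${ref}${m[2]}`;
    });
  }

  // Request path: drop any browser-supplied PS_TOKEN, then restore the real
  // token only for a known, unexpired reference.
  rewriteCookieHeader(header, now = Date.now()) {
    const kept = [];
    let restored = null;
    for (const part of (header || '').split(';')) {
      const pair = part.trim();
      if (!pair) continue;
      const eq = pair.indexOf('=');
      const name = eq < 0 ? pair : pair.slice(0, eq);
      const value = eq < 0 ? '' : pair.slice(eq + 1);
      if (name === 'PS_TOKEN') continue; // a client-sent token is never forwarded
      if (name === OPAQUE_NAME) {
        const entry = this.map.get(value);
        if (entry && entry.expires > now) restored = entry.token;
        else this.map.delete(value); // unknown or expired reference
        continue; // the reference itself stays at the proxy
      }
      kept.push(pair);
    }
    if (restored !== null) kept.push(`PS_TOKEN=${restored}`);
    return kept.join('; ');
  }
}
```

Because the browser only ever holds the random reference, a PS_TOKEN value edited on the client never reaches PeopleSoft; the mapping table must be shared by every proxy instance that fronts the same domain.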

Since most PeopleTools classes involve nodes and security, we talk about TokenChpoken regularly. To learn more about this topic and other PeopleTools tips, check out our website to see what we are offering next!

Friday, October 28, 2022

Triggering FieldChange from JavaScript

We love a challenge, and we believe anything is possible with PeopleTools. It is never a question of "can you?" but "how?" A customer recently shared a challenge with us:

We use a handheld scanner to enter values into a text field of a Fluid Page. After scanning, we want FieldChange PeopleCode to load data into the remainder of the page. Our solution worked great in PeopleTools 8.58, but quit working after upgrading to 8.59.

Since many scanners act as automated keyboards, sending keystrokes derived from barcodes, there are several ways to handle this. The simplest way is to include a button immediately following the data entry field and use this button to trigger FieldChange. But this got us thinking about another scenario:

How do you trigger FieldChange if you use JavaScript to update a data entry field?

The process involves three steps:

1. Use JavaScript to update a data entry field. The JavaScript might look something like this:

document.getElementById('MYRECORD_MYFIELD_ID').value = 'The new value';

2. Stage field changes by triggering the onchange handler

document.getElementById('MYRECORD_MYFIELD_ID').onchange();

3. Trigger PeopleSoft's Ajax processing

submitAction_win0(document.win0, 'MYRECORD_MYFIELD_ID');

Notice the win0 in step 3? That is a system-generated name that reflects the current window ID. PeopleSoft uses the Meta-HTML %FormName at design time.

Here is a short example I put together for the PeopleTools 8.59 Event Mapping configuration page, complete with HTML element IDs, that demonstrates using %FormName. The purpose of the fragment is to set the service name for an event and trigger PeopleSoft processing:

Please note: this is an unsupported example that worked for a specific use case but may not work for others. We provide it as an example of what's possible and as a starting point for your own solution.

Are you interested in learning more PeopleSoft Fluid tips and tricks? Be sure to enroll in one of our upcoming events!