|
Oracle® Application Server Forms Services Deployment Guide
10g Release 2 (10.1.2) B14032-03 |
|
 Previous |
 Next |
|
Oracle® Application Server Forms Services Deployment Guide
10g Release 2 (10.1.2) B14032-03 |
|
|
Previous |
Next |
Oracle Forms applications are Web deployed solutions that users access through a browser. Oracle Forms architecture allows Forms developers two ways to choose and configure how a Forms application runs. One option is to set the parameter and the value in the URL. The second option is to set the parameter and its value(s) in the configuration file, i.e. formsweb.cfg. The parameter that is set in the formsweb.cfg can be overridden by the parameter set in the URL.
|
Note: You manage therestrictedURLparams parameter through the Configuration page of Enterprise Manager Application Server Control Console.
|
A Forms administrator can override this default behavior, and give the Forms administrator full control over what parameter can be used in the URL.
Here are two scenarios to consider when deciding which parameters to allow or not allow in a URL. The first scenario is when an administrator just wants to restrict the usages of the USERID parameter in the URL that forces the end-user to always log in using the default login window. The second scenario is when an administrator would like to disable all parameters except a few, such as CONFIG=MyApp in a URL.
The parameter restrictedURLparams allows flexibility for the Forms administrator to consider any URL-accessible parameter in the formsweb.cfg file as restricted to a user. An administrator can specify this parameter in a named configuration section to override the one specified in the default configuration section. The restrictedURLparams parameter itself cannot be set in the URL.
Figure 4-1, "Defining the restricedURLparams Parameter" is an example of how the restrictedURLparams parameter is defined in the [myApp] section to override the one set in the [default] configuration section:
By default, this user, scott, is not allowed to debug this Forms application, use Forms Trace, or edit records in it. In the myApp section, user scott is only forced to log in when accessing the application, and not allowed to debug it. He can now, though, work with Forms Trace and edit records through a URL for this application.
An administrator can use the restrictedURLparams parameter to redirect a user to an error page that lists the parameters the user is restricted from using (or allowed to use) for this application.
The test form runs when you access an Oracle Forms URL but do not specify an application to run. For example, normally you call an Oracle Forms application with the following syntax:
http://<host>:<port>/forms/frmservlet?config=myApp
The Forms Servlet will locate [myApp] in the formsweb.cfg file and launch that application. However, when no application is specified, for example:
http://<host>:<port>/forms/frmservlet
The Forms Servlet uses the settings in the default section of the formsweb.cfg file. These settings are located under [default] in the Forms Configuration file (anytime an application does not override any of these settings, the defaults are used). The default section has the following setting:
form=test.fmx
This is the test form which allows you to test your Oracle Forms Services installation and configuration. Thus if you don't specify an application, Forms will launch the test.fmx file. You could change this to:
form=
And the form will not run. However, this is not optimal; the Forms Servlet still sends the dynamically generated HTML file to the client, from which a curious user could obtain information. The optimally secure solution is to redirect requests to an informational HTML page that is presented to the client instead. You'll need to change some parameters in the formsweb.cfg file.
Here are the parameters to change, along with their default values when you install Oracle Forms Services:
# System parameter: default base HTML file
baseHTML=base.htm
# System parameter: base HTML file for use with JInitiator client
baseHTMLjinitiator=basejini.htm
# System parameter: base HTML file for use with Sun's Java Plug-In
baseHTMLjpi=basejpi.htm
# System parameter: base HTML file for use with Microsoft Internet Explorer
# (when using the native JVM)
baseHTMLie=baseie.htm
These parameters are templates for the HTML information that are sent to the client. Create an informational HTML page and have these variables point to that instead. For example, in the ORACLE_HOME/forms/server directory, create a simple HTML page called forbidden.html with the following content:
<html>
<head>
<title>Forbidden</title>
</head>
<body>
<h1>Forbidden!</h1>
<h2>You may not access this Forms application.</h2>
</body>
</html>
|
Note: this redirecting of client information and presenting a message page instead is not the same Web page that the Web server returns when the requested content has restricted permissions on it. |
Next, modify the formsweb.cfg parameters by commenting out or modifying the original parameters:
# System parameter: default base HTML file
#baseHTML=base.htm
baseHTML=forbidden.html
# System parameter: base HTML file for use with JInitiator client
#baseHTMLjinitiator=basejini.htm
baseHTMLjinitiator=forbidden.html
# System parameter: base HTML file for use with Sun's Java Plug-In
#baseHTMLjpi=basejpi.htm
baseHTMLjpi=forbidden.html
# System parameter: base HTML file for use with Microsoft Internet Explorer
# (when using the native JVM)
#baseHTMLie=baseie.htm
baseHTMLie=forbidden.html
When a user enters the URL
http://<host>:<port>/forms/frmservlet
the customized Web page is presented. Of course, you can customize forbidden.html, including its contents, its filename, and its location as long as you make the corresponding changes to these parameters in the formsweb.cfg file. Administrators can put any information, such as warnings, errors, time stamps, IP logging, or contact information in this information Web page with minimal impact on the server configuration.
|
Note: Overriding the base HTML template entries in the default section of formsweb.cfg requires that you add the same entries pointing to the original values (or some other valid HTML file) in your application-specific named configuration:[myApp] form=myApplication.fmx lookandfeel=oracle baseHTML=base.htm baseHTMLjinitiator=basejini.htm baseHTMLjpi=basejpi.htm baseHTMLie=baseie.htm If you don't specify these base HTML values, and when a user runs an application, they will see the forbidden.html page because the application-specific configuration section hasn't overridden the default values. |
