Skip Headers
Oracle® Fusion Middleware Forms Services Deployment Guide
11g Release 1 (11.1.1)

Part Number E10240-07
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

11 Forms Services Security Overview

The ability to control user access to Web content and to protect your site against people breaking into your system is critical. This chapter describes the architecture and configuration of security for Oracle Forms Services:

See Also:

For additional information about security, refer to the following documents:

11.1 Forms Services Single Sign-On

Single Sign-on in Oracle Forms Services is available through mod_osso, an Oracle module for the Oracle HTTP Server. mod_osso authenticates a user against Oracle Single Sign-On Server, which in turn uses Oracle Internet Directory as a user repository, before further passing the Forms application request to the Forms servlet.

Forms applications expect a database connect string to be passed along with the application request, otherwise a logon dialog is shown. To retrieve the database connect information in a Oracle Single Sign-On Server environment, the Forms servlet queries Oracle Internet Directory for the value of the combined unique key that is constructed from the user's Oracle Single Sign-On Server name, the authenticated user name, and the name of the application that the user is requesting to start.

Resource Access Descriptors (RAD) are entries in Oracle Internet Directory that are defined for each user and application which contain the required database connect information. The Forms servlet reads the database connect information from the RAD and passes it along with the command line that starts the Forms Web application. Although the Forms authentication is still database-centric, mod_osso and the Forms servlet are now integrated in a Web-based Oracle Single Sign-On Server environment.

11.1.1 Classes of Users and Their Privileges

Historically, Forms applications use the database to authenticate application users. To use Oracle Forms Services with Oracle Single Sign-On Server, the user account and its connect information must be available in Oracle Internet Directory. Oracle Internet Directory provides several ways of provisioning user data, using PL/SQL, Java or the Oracle Delegated Administration Services. Oracle Delegated Administration Services is a Web-based user interface for Oracle Single Sign-On Server users and delegated administrators to administer self-service data in Oracle Internet Directory for which they are authorized.

Once a user account is created in Oracle Internet Directory, the Resource Access Descriptors (RAD) entries can be created dynamically the first time that a user requests a Forms application, assuming the user knows about the database connect information required for this application.

Another option is to use the RAD entries that can be created using Oracle Delegated Administration Services. The default RAD entries are accessible for all users that are authenticated through Oracle Single Sign-On Server. Use the default RAD if all users share the same database connect information when running a particular Forms application on the Web. This way, users are authenticated individually by their Oracle Single Sign-On Server credentials; however, all users share a common database connect (information) for the application defined by a default RAD entry.

11.1.1.1 Default Single Sign-On Behavior for User Accounts

By default, OracleAS Single Sign-On Server is enabled and no proxy user is involved. Oracle Forms users need to authenticate with OracleAS Single Sign-On Server, retrieve Resource Access Descriptors from the identity store (which is usually Oracle Internet Directory) and use these credentials to connect to the database.

11.1.1.2 Users Using Database Proxy Functionality

There is a new Oracle Single Sign-On Server parameter, ssoProxyConnect. Setting this to true allows users to connect as proxy users. The user is then required to authenticate with Oracle Single Sign-On Server, and a Resource Access Descriptor is configured which holds the proxy user's username and password. There is additional database configuration that needs to be implemented by the database administrator to allow for proxy connections.

11.1.2 Resources That Are Protected

When you enable Oracle Single Sign-On Server for your Forms applications, you can secure your Forms applications with these features:

11.1.2.1 Dynamic Directives

The dynamic mod_osso directive runs Oracle Single Sign-On Server protected Forms applications. This directive can optionally be used to run non-protected Forms applications from the same Oracle Forms Services instance. These applications use the same configuration files and Forms servlet. Single sign-on is enabled for applications by a OracleAS Single Sign-On Server parameter in the application definition of the formsweb.cfg configuration file.

11.1.2.2 Dynamic Resource Creation in Oracle Internet Directory

In some previous releases of Oracle Forms Services, if no resource access descriptor (RAD) definition was found for a specific application and user, an error message was displayed which locked out the user from running that Forms application, despite having authentication to do so. In this release of Oracle Forms Services, you can now configure Oracle Forms Services to allow users to create the RAD for this application on the fly if it does not exist. The funtionality to redirect to DAS pages is achieved with the single sign-on parameter ssoDynamicResourceCreate.

11.1.2.3 Database Password Expiration when Using Single Sign-On

In some previous releases of Oracle Forms Services, the RAD information in Oracle Internet Directory was not updated if the database password had expired, and users then renewed them when connecting to a Forms application. In this release, Oracle Forms Services automatically updates the RAD information in Oracle Internet Directory whenever a database password is updated through Forms. There is no extra configuration necessary to enable this feature in Oracle Forms Services.

11.1.3 Authentication and Access Enforcement

For detailed information about the authentication flow of Oracle Single Sign-On Server support in Oracle Forms Services, such as when the first time the user requests an Oracle Forms Services URL, or from a partner application, see Section 9.1.1, "Authentication Flow".

11.1.4 Leveraging Oracle Identity Management Infrastructure

Oracle Forms Services has tighter integration with Oracle Internet Directory with minimal configuration. When you configure Oracle Single Sign-On Server Server for your Forms applications, Oracle Forms Services handles much of the configuration and interaction with Oracle Internet Directory.

With the absence of Repository API in 11g, Oracle Forms and Identity Management integration involves the registration of Forms application identity at the time of deployment when a relationship is established between Forms and the Oracle Internet Directory (OID) host. This process is know as associating with the Oracle Internet Directory. Related information such as Forms Distinguished Name (formsDN) and the password are stored in Credential Storage Framework (CSF). At run time, a JNDI connection is made to Oracle Internet Directory after extracting the required information from CSF. Oracle Forms and Identity Management integration involves the following:

  • Integration at bootstrap: The Forms application entity (and Distinguished Name) with a password is created in Oracle Internet Directory.

  • Integration at run time: Previously, the connection to Oracle Internet Directory used Repository API. In 11g, a JNDI call is used to directly connect to Oracle Internet Directory.

For more information about associating and disassociating Oracle Internet Directory, see Section 9.7, "Configuring Oracle Internet Directory."

11.2 Configuring Oracle Forms Services Security

Configuring security for Oracle Forms Services is done through Oracle Fusion Middleware Control. Online help is available for each screen. For more information, see Chapter 4, "Configuring and Managing Forms Services" and Chapter 9, "Using Forms Services with Oracle Single Sign-On".

11.2.1 Configuring Oracle Identity Management Options for Oracle Forms

Oracle Forms Services can be configured to create resources dynamically in Oracle Internet Directory, or have a user with no Oracle Internet Directory resource use a common resource.

For more information, see Chapter 9, "Using Forms Services with Oracle Single Sign-On".

11.2.2 Configuring Oracle Forms Options for Oracle Fusion Middleware Security Framework

For more detailed information about configuring and securing Oracle Forms, see the following chapters:

11.2.3 Securing RADs

To increase the security of RADs and prevent them from being viewable by the OID administrator, perform the following steps:

  1. Copy the contents enclosed by ---aci-change.ldif--- into the file aci-change.ldif

    ---aci-change.ldif---
    dn: cn=Extended Properties,%s_OracleContextDN%
    changetype: modify
    delete: orclaci
    orclaci: access to attr=(orclUserIDAttribute,orclPasswordAttribute) by
    guidattr=(orclOwnerGUID)(read,search,compare,write) by
    dnattr=(orclresourceviewers) (read,search, compare, write) by
    groupattr=(orclresourceviewers) (read,search, write) by * (none)
    -
    add: orclaci
    orclaci: access to attr=(orclUserIDAttribute,orclPasswordAttribute)
    DenyGroupOverride by guidattr=(orclOwnerGUID)(read,search,compare,write) by
    dnattr=(orclresourceviewers) (read,search, compare, write) by
    groupattr=(orclresourceviewers) (read,search, write) by * (none)
    ---aci-change.ldif---
    

    Note:

    In aci-change.ldif, the line beginning with orclaci: access to attr= is a single line ending with by * (none) and should not have any line breaks in the middle.

  2. In the LDIF file, replace %s_OracleContextDN% with the distinguished name (DN) of the realm-specific Oracle Context.

    For example, if the DN in the deployment is dc=acme,dc=com, then the realm-specific Oracle Context is cn=OracleContext,dc=acme,dc=com.

  3. Execute the following command on the OID tier:

    ldapmodify -p <port> -h <host> -D cn=orcladmin -q -v -f aci-change.ldif

  4. When this command is run, it will prompt for the cn=orcladmin password since the password is not included as a command-line parameter.

To undo these changes, issue the same command (subject to the notes as above), but using the following contents in the .ldif file:

---aci-revert.ldif---
dn: cn=Extended Properties,%s_OracleContextDN%
changetype: modify
delete: orclaci
orclaci: access to attr=(orclUserIDAttribute,orclPasswordAttribute)
DenyGroupOverride by guidattr=(orclOwnerGUID)(read,search,compare,write) by
dnattr=(orclresourceviewers) (read,search, compare, write) by
groupattr=(orclresourceviewers) (read,search, write) by * (none)
-
add: orclaci
orclaci: access to attr=(orclUserIDAttribute,orclPasswordAttribute) by
guidattr=(orclOwnerGUID)(read,search,compare,write) by
dnattr=(orclresourceviewers) (read,search, compare, write) by
groupattr=(orclresourceviewers) (read,search, write) by * (none)
---aci-revert.ldif---