Skip Headers
Oracle® Fusion Middleware Publishing Reports to the Web with Oracle Reports Services
11g Release 1 (11.1.1)

Part Number B32121-06
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

17.6 Oracle Forms Services Security Considerations

The default configuration for Oracle Fusion Middleware Forms Services does not run in OracleAS Single Sign-On (SSO) mode. The default configuration for Oracle Reports Services does run in SSO mode.

Oracle Forms Services applications calling integrated Oracle Reports Services using the RUN_REPORT_OBJECT built-in procedure will not experience any problems when Oracle Forms Services is running in non-SSO mode and Oracle Reports Services is running in Single Sign-On mode as long as the Reports Server and the requested report are not registered in Oracle Portal.

Other Requirements:

Table 17-2 lists the possible Forms/Reports combinations and expected results:

Table 17-2 Outcome of Forms/ Reports Integration when Forms is running in SSO Mode or Non-SSO Mode

Report Type Registered, Secure Reports Server (runs only registered reports) Registered, Secure Reports Server (runs any reports) Non-Secure Reports Server

Reports with public access

report generated

report generated

report generated

Reports with specific user access

report generated

report generated

report generated

Reports with no specific user access

report not generated

report not generated

report generated

Non-registered reports

report not generated

report not generated

report generated


17.6.1 What's New In This Release?

As discussed above, a large number of applications use Oracle Reports in a non-secure mode with Oracle Forms Services. In this mode, the end user need not provide an AUTHID to run a report from Oracle Forms Services; the URL command needs to include only JOBID and the Reports Server name. If unauthorized or malicious users discover the job ID, they can view the job output using GETJOBID through rwservlet to obtain job output that belongs to another user. Prior to 11g Release 1 (11.1.1), Oracle Reports generated sequential job IDs, making it easy to predict the job ID. With 11g Release 1 (11.1.1), Oracle Reports allows the users to generate random and non-sequential job IDs to make it impossible to predict the job ID for a particular job. For more information, see Section 18.8.2, "Generating Random and Non-Sequential Job IDs".

Additionally, 11g Release 1 (11.1.1) provides support for database authentication using proxy users:

  • Additional security through control of Oracle Forms Services connections based on users and roles.

  • Scalability, through reuse of a single database connection.