Oracle Application Server Forms Services Deployment Guide
10g (9.0.4)

Part Number B10470-01

2 Forms Services Security Overview

The ability to control user access to Web content and to protect your site against people breaking into your system is critical. This chapter describes the architecture and configuration of security for OracleAS Forms Services.

2.1 About OracleAS Forms Services Security

This section describes the OracleAS Portal features that you can use to secure your Forms applications when you enable Single Sign-on.

2.1.1 OracleAS Forms Services Single Sign-On

Single sign-on in Oracle Application Server Forms Services is available through mod_osso, an Oracle module for the Oracle HTTP Server. mod_osso authenticates a user against Oracle Application Server Single Sign-On, which in turn uses Oracle Internet Directory (OID) as a user repository, before further passing the Forms application request to the Forms servlet.

Forms applications expect a database connect string to be passed along with the application request, otherwise a logon dialog is shown. To retrieve the database connect information in a single sign-on environment, the Forms servlet queries OID for the value of the combined unique key that is constructed from the user's single sign-on name, the authenticated username, and the name of the application that the user is requesting to start.

Resource Access Descriptors (RAD) are entries in OID that are defined for each user and application which contain the required database connect information. The Forms servlet reads the database connect information from the RAD and passes it along with the command line that starts the Forms Web application. Although the Forms authentication is still database-centric, mod_osso and the Forms servlet are now integrated in a Web based single sign-on environment.

2.1.2 Classes of Users and Their Privileges

Historically, Forms applications use the database to authenticate and authorize application users. To use Oracle Application Server Forms Services with single sign-on, the user account and its connect information must be available in Oracle Internet Directory. The Oracle Internet Directory provides several ways of provisioning user data, using PL/SQL, Java or the Oracle Delegated Administration Services (DAS). DAS is a Web-based user interface for SSO users and delegated administrators to administer self-service data in OID for which they are authorized.

Once a user account is created in OID, the Resource Access Descriptors (RAD) entries can be created dynamically the first time that a user requests a Forms application, assuming the user knows about the database connect information required for this application.

Another option is to use the RAD entries that can be created using DAS. The default RAD entries are accessible for all users that are authenticated through Oracle Application Server Single Sign-On. Use the default RAD if all users share the same database connect information when running a particular Forms application on the Web. This way, users are authenticated individually by their SSO credentials; however, all users share a common database connect for the application defined by a default RAD entry.

2.1.3 Resources That Are Protected

When you enable single sign-on for your Forms applications, you can secure your Forms applications with these features:

2.1.3.1 Dynamic Directives

The dynamic mod_osso directive runs single sign-on protected Forms applications as well as non single sign-on protected Forms applications from the same Oracle Application Server Forms Services instance while using the same configuration files and Forms Servlet. Single sign-on is enabled for applications by a single sign-on parameter in the application definition of the forms90/server/formsweb.cfg configuration file.

2.1.3.2 Dynamic Resource Creation in OID

In previous releases of Oracle Application Server Forms Services, if no resource access descriptor (RAD) definition was found for a specific application and user, an error message was displayed which locked out the user from running that Forms application, despite having authorization to do so. In this release of Oracle Application Server Forms Services, you can now configure Oracle Application Server Forms Services to allow users to create the RAD for this application on the fly if it doesn't exist.
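
An added example (not part of the Oracle guide and not Oracle code) for the per-application single sign-on setting in 2.1.3.1 and the on-the-fly RAD creation in 2.1.3.2: a small audit that resolves, for each application section of a formsweb.cfg-style file, whether each of the two settings is in effect. The parameter names ssoMode and ssoDynamicResourceCreate do not appear on this page and are taken from the Forms Services formsweb.cfg parameters; inheritance from a [default] section, case-insensitive parameter names, and the sample file contents are assumptions.

```python
# Added example, not Oracle code. SAMPLE_CFG is constructed for illustration.
SAMPLE_CFG = """\
[default]
ssoMode=false
ssoDynamicResourceCreate=true

[hr_app]
ssoMode=true

[payroll]
ssoMode=TRUE
ssoDynamicResourceCreate=false

# No SSO parameters: inherits ssoMode=false from [default]
[legacy_reports]
form=rep.fmx
"""

def parse_formsweb(text):
    """Parse [section] headers and name=value lines; '#' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            # Assumption: parameter names are matched case-insensitively.
            current[name.strip().lower()] = value.strip()
    return sections

def flag(params, name):
    """True/False for an explicit setting, None when it is not set anywhere."""
    value = params.get(name.lower())
    return None if value is None else value.lower() == "true"

def audit_sso(text, default_section="default"):
    """Return {app: (sso_enabled, dynamic_rad_creation)} after inheritance."""
    sections = parse_formsweb(text)
    defaults = sections.pop(default_section, {})
    report = {}
    for app, params in sections.items():
        effective = {**defaults, **params}  # application values override defaults
        report[app] = (flag(effective, "ssoMode"), flag(effective, "ssoDynamicResourceCreate"))
    return report

if __name__ == "__main__":
    print(audit_sso(SAMPLE_CFG))
```

A value of None means the parameter is set neither in the application section nor in [default], so the product default applies and should be confirmed against the configuration reference.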

2.1.3.3 Database Password Expiration when Using Single Sign-On

In previous releases of Oracle Application Server Forms Services, the RAD information in OID was not updated if the database password had expired and users then renewed it when connecting to a Forms application. In this release, Oracle Application Server Forms Services automatically updates the RAD information in OID whenever a database password is updated through Forms. There is no extra configuration necessary to enable this feature in Oracle Application Server Forms Services.

2.1.4 Authorization and Access Enforcement

For detailed information about the authentication flow of SSO support in Oracle Application Server Forms Services, such as when the user first requests an Oracle Application Server Forms Services URL, or requests it from a partner application, see Chapter 6.6, "Authentication Flow".

2.1.5 Leveraging Oracle Identity Management Infrastructure

Oracle Application Server Forms Services has tighter integration with Oracle Internet Directory with minimal configuration. When you configure single sign-on for your Forms applications, Oracle Application Server Forms Services handles much of the configuration and interaction with OID. For more information about configuring single sign-on and OID, see Chapter 6, "Using Forms Services with Oracle Application Server Single Sign-On and OID".

2.2 Configuring OracleAS Forms Services Security

Configuring security for OracleAS Forms Services is done through Oracle Enterprise Manager Application Server Control. Online help is available for each screen. For more information, see Chapter 4, "Configuring Forms Services with Enterprise Manager" and Chapter 6, "Using Forms Services with Oracle Application Server Single Sign-On and OID".

2.2.1 Configuring Oracle Identity Management Options for Forms Services

OracleAS Forms Services can be configured to create resources dynamically in OID, or have a user with no OID resource use a common resource.

For more information, see Chapter 6, "Using Forms Services with Oracle Application Server Single Sign-On and OID".

2.2.2 Configuring Forms Services Options for OracleAS Security Framework

For more detailed information about configuring and securing Forms Services, see the following chapters:

Chapter 4, "Configuring Forms Services with Enterprise Manager"

Chapter 5, "Using OracleAS Forms Services with the HTTP Listener and OC4J"

Chapter 6, "Using Forms Services with Oracle Application Server Single Sign-On and OID"

Chapter 7, "Tracing and Diagnostics"


Copyright © 2003 Oracle Corporation.

All Rights Reserved.