Skip Headers
Oracle® Application Server Forms Services Deployment Guide
10g Release 2 (10.1.2)
B14032-03
  Go To Documentation Library
Library
Go To Product List
Product
Go To Table Of Contents
Contents
Go To Index
Index

Previous
Previous
 
Next
Next
 

4.6 Managing URL Security for Applications

Oracle Forms applications are Web deployed solutions that users access through a browser. Oracle Forms architecture allows Forms developers two ways to choose and configure how a Forms application runs. One option is to set the parameter and the value in the URL. The second option is to set the parameter and its value(s) in the configuration file, i.e. formsweb.cfg. The parameter that is set in the formsweb.cfg can be overridden by the parameter set in the URL.


Note:

You manage the restrictedURLparams parameter through the Configuration page of Enterprise Manager Application Server Control Console.

A Forms administrator can override this default behavior, and give the Forms administrator full control over what parameter can be used in the URL.

Here are two scenarios to consider when deciding which parameters to allow or not allow in a URL. The first scenario is when an administrator just wants to restrict the usages of the USERID parameter in the URL that forces the end-user to always log in using the default login window. The second scenario is when an administrator would like to disable all parameters except a few, such as CONFIG=MyApp in a URL.

The parameter restrictedURLparams allows flexibility for the Forms administrator to consider any URL-accessible parameter in the formsweb.cfg file as restricted to a user. An administrator can specify this parameter in a named configuration section to override the one specified in the default configuration section. The restrictedURLparams parameter itself cannot be set in the URL.

Figure 4-1, "Defining the restricedURLparams Parameter" is an example of how the restrictedURLparams parameter is defined in the [myApp] section to override the one set in the [default] configuration section:

Figure 4-1 Defining the restricedURLparams Parameter

This image shows a sample configuration section.

By default, this user, scott, is not allowed to debug this Forms application, use Forms Trace, or edit records in it. In the myApp section, user scott is only forced to log in when accessing the application, and not allowed to debug it. He can now, though, work with Forms Trace and edit records through a URL for this application.

An administrator can use the restrictedURLparams parameter to redirect a user to an error page that lists the parameters the user is restricted from using (or allowed to use) for this application.

4.6.1 Securing the Oracle Forms Test Form

The test form runs when you access an Oracle Forms URL but do not specify an application to run. For example, normally you call an Oracle Forms application with the following syntax:

http://<host>:<port>/forms/frmservlet?config=myApp

The Forms Servlet will locate [myApp] in the formsweb.cfg file and launch that application. However, when no application is specified, for example:

http://<host>:<port>/forms/frmservlet

The Forms Servlet uses the settings in the default section of the formsweb.cfg file. These settings are located under [default] in the Forms Configuration file (anytime an application does not override any of these settings, the defaults are used). The default section has the following setting:

form=test.fmx

This is the test form which allows you to test your Oracle Forms Services installation and configuration. Thus if you don't specify an application, Forms will launch the test.fmx file. You could change this to:

form=

And the form will not run. However, this is not optimal; the Forms Servlet still sends the dynamically generated HTML file to the client, from which a curious user could obtain information. The optimally secure solution is to redirect requests to an informational HTML page that is presented to the client instead. You'll need to change some parameters in the formsweb.cfg file.

Here are the parameters to change, along with their default values when you install Oracle Forms Services:

    # System parameter: default base HTML file
    baseHTML=base.htm
    # System parameter: base HTML file for use with JInitiator client
    baseHTMLjinitiator=basejini.htm
    # System parameter: base HTML file for use with Sun's Java Plug-In
    baseHTMLjpi=basejpi.htm
    # System parameter: base HTML file for use with Microsoft Internet Explorer
    # (when using the native JVM)
    baseHTMLie=baseie.htm

These parameters are templates for the HTML information that are sent to the client. Create an informational HTML page and have these variables point to that instead. For example, in the ORACLE_HOME/forms/server directory, create a simple HTML page called forbidden.html with the following content:

    <html>
      <head>
        <title>Forbidden</title>
      </head>
      <body>
       <h1>Forbidden!</h1>
        <h2>You may not access this Forms application.</h2>
      </body>
    </html>

Note:

this redirecting of client information and presenting a message page instead is not the same Web page that the Web server returns when the requested content has restricted permissions on it.

Next, modify the formsweb.cfg parameters by commenting out or modifying the original parameters:

    # System parameter: default base HTML file
    #baseHTML=base.htm
    baseHTML=forbidden.html
    # System parameter: base HTML file for use with JInitiator client
    #baseHTMLjinitiator=basejini.htm
    baseHTMLjinitiator=forbidden.html
    # System parameter: base HTML file for use with Sun's Java Plug-In
    #baseHTMLjpi=basejpi.htm
    baseHTMLjpi=forbidden.html
    # System parameter: base HTML file for use with Microsoft Internet Explorer
    # (when using the native JVM)
    #baseHTMLie=baseie.htm
    baseHTMLie=forbidden.html

When a user enters the URL

http://<host>:<port>/forms/frmservlet

the customized Web page is presented. Of course, you can customize forbidden.html, including its contents, its filename, and its location as long as you make the corresponding changes to these parameters in the formsweb.cfg file. Administrators can put any information, such as warnings, errors, time stamps, IP logging, or contact information in this information Web page with minimal impact on the server configuration.


Note:

Overriding the base HTML template entries in the default section of formsweb.cfg requires that you add the same entries pointing to the original values (or some other valid HTML file) in your application-specific named configuration:
[myApp]
form=myApplication.fmx
lookandfeel=oracle
baseHTML=base.htm
baseHTMLjinitiator=basejini.htm
baseHTMLjpi=basejpi.htm
baseHTMLie=baseie.htm

If you don't specify these base HTML values, and when a user runs an application, they will see the forbidden.html page because the application-specific configuration section hasn't overridden the default values.