17.6 Oracle Forms Services Security Considerations

The default configuration for Oracle Fusion Middleware Forms Services does not run in OracleAS Single Sign-On (SSO) mode. The default configuration for Oracle Reports Services does run in SSO mode.

Oracle Forms Services applications that call integrated Oracle Reports Services through the RUN_REPORT_OBJECT built-in procedure run without problems when Oracle Forms Services is in non-SSO mode and Oracle Reports Services is in Single Sign-On mode, as long as the Reports Server and the requested report are not registered in Oracle Portal.

Other Requirements:

  • The property Reports Server must be set explicitly for all report objects in the Oracle Forms Services module.

  • If a Reports Server other than the default is being used, that server must be started (using Oracle Enterprise Manager).

  • The system variable REPORTS_PATH must be modified in the file ORACLE_INSTANCE/config/reports/bin/reports.sh to reference the path of the reports to be run.

  • The first time Reports Server is started, it creates a configuration file called rwserver.conf located in the ORACLE_INSTANCE\config\ReportsServerComponent\server_name directory.

  • The default status of Reports Server is secure. To change the Reports Server status to non-secure, modify ORACLE_INSTANCE\config\ReportsServerComponent\server_name\rwserver.conf by commenting out the <security> tag and removing securityId from the <job> tags.

  • After making these modifications, the Reports Server must be stopped and restarted (using Oracle Enterprise Manager).

  • If Oracle Forms Services is configured to run in Single Sign-On mode, then report requests are sent with the authid provided, based on the Single Sign-On user login.

  • Protected reports and Reports Servers can be registered in Oracle Portal.
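A check for the non-secure state described in the `<security>`/`securityId` item above, written as an added example (not Oracle's code). The sample configurations are constructed, and the `id` attribute on `<security>` plus the `jobType` and `engineId` attributes are assumptions about the file layout.

```python
import xml.etree.ElementTree as ET

# Constructed samples, not real server files. Assumed layout: a <security>
# element with an id attribute, referenced by securityId on each <job>.
SECURE_CONF = """<server xmlns="http://xmlns.oracle.com/reports/server">
  <security id="exampleSec"/>
  <job jobType="report" engineId="rwEng" securityId="exampleSec"/>
  <job jobType="rwurl" engineId="rwURLEng" securityId="exampleSec"/>
</server>"""

NON_SECURE_CONF = """<server>
  <!-- <security id="exampleSec"/> -->
  <job jobType="report" engineId="rwEng"/>
  <job jobType="rwurl" engineId="rwURLEng" securityId="exampleSec"/>
</server>"""


def local(tag):
    """Strip an XML namespace prefix such as {uri}security."""
    return tag.rsplit("}", 1)[-1]


def audit_rwserver_conf(xml_text):
    """Return (is_secure, findings) for the text of an rwserver.conf."""
    root = ET.fromstring(xml_text)  # the default parser drops commented-out tags
    elems = list(root.iter())
    security_ids = {e.get("id") for e in elems if local(e.tag) == "security"}
    findings = []
    if not security_ids:
        findings.append("no active <security> element")
    for job in (e for e in elems if local(e.tag) == "job"):
        name = job.get("jobType", "?")
        sid = job.get("securityId")
        if sid is None:
            findings.append(f"job '{name}' has no securityId")
        elif sid not in security_ids:
            findings.append(f"job '{name}' references undefined securityId '{sid}'")
    return (not findings, findings)


if __name__ == "__main__":
    for label, conf in (("secure", SECURE_CONF), ("non-secure", NON_SECURE_CONF)):
        ok, findings = audit_rwserver_conf(conf)
        print(label, "->", "secure" if ok else "NON-SECURE", findings)
```

The second sample also shows a partial edit: a `<job>` that still carries `securityId` after the `<security>` tag was commented out is reported as a dangling reference.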

Table 17-2 lists the possible Forms/Reports combinations and expected results:

Table 17-2 Outcome of Forms/Reports Integration when Forms is running in SSO Mode or Non-SSO Mode

| Report Type | Registered, Secure Reports Server (runs only registered reports) | Registered, Secure Reports Server (runs any reports) | Non-Secure Reports Server |
|---|---|---|---|
| Reports with public access | report generated | report generated | report generated |
| Reports with specific user access | report generated | report generated | report generated |
| Reports with no specific user access | report not generated | report not generated | report generated |
| Non-registered reports | report not generated | report not generated | report generated |


17.6.1 What's New In This Release?

As discussed above, a large number of applications use Oracle Reports in non-secure mode with Oracle Forms Services. In this mode, the end user need not provide an AUTHID to run a report from Oracle Forms Services; the URL command needs to include only JOBID and the Reports Server name. If unauthorized or malicious users discover the job ID, they can use GETJOBID through rwservlet to obtain job output that belongs to another user. Prior to 11g Release 1 (11.1.1), Oracle Reports generated sequential job IDs, which made the job ID easy to predict. With 11g Release 1 (11.1.1), Oracle Reports lets users generate random, non-sequential job IDs, making it impossible to predict the job ID for a particular job. For more information, see Section 18.8.2, "Generating Random and Non-Sequential Job IDs".

Additionally, 11g Release 1 (11.1.1) supports database authentication using proxy users, which provides:

  • Additional security through control of Oracle Forms Services connections based on users and roles.

  • Scalability, through reuse of a single database connection.