Oracle Reports 11g Release 2 (11.1.2) provides new security measures for reports run from Oracle Forms Services in non-secure mode:

- Oracle Reports allows you to generate random and non-sequential job IDs, making it impossible to predict the job ID for a particular job. For more information, see Section 17.8.2, "Generating Random and Non-Sequential Job IDs".

  Prior to 11g Release 2 (11.1.2), Oracle Reports generated sequential job IDs, which were easy to predict. An unauthorized or malicious user could therefore potentially use GETJOBID through rwservlet to view job output that belongs to another user.

- Web commands (rwservlet keywords) are now categorized for added security:

  - End user Web commands: GETJOBID, KILLJOBID, SHOWAUTH, SHOWJOBID
  - Administrator Web commands: DELAUTH, GETSERVERINFO, KILLENGINE, PARSEQUERY, SHOWENV, SHOWJOBS, SHOWMAP, SHOWMYJOBS. AUTHID is required to run administrator commands.

  The new webcommandaccess parameter in the Oracle Reports Servlet (rwservlet) configuration file (rwservlet.properties) defines access levels for executing rwservlet keywords (Web commands). These values can be set using Oracle Enterprise Manager, as described in Section 6.8.4, "Defining Security Policies for Web Commands". The possible values are:

  - L0: no Web commands allowed.
  - L1: only end user Web commands allowed (GETJOBID, KILLJOBID, SHOWAUTH, SHOWJOBID).
  - L2: administrator Web commands (DELAUTH, GETSERVERINFO, KILLENGINE, PARSEQUERY, SHOWENV, SHOWJOBS, SHOWMAP, SHOWMYJOBS) are also allowed. AUTHID is required to run administrator commands.
  - NO (for backward compatibility with DIAGNOSTIC=NO in 10g rwservlet.properties): no Web commands allowed.
  - YES (for backward compatibility with DIAGNOSTIC=YES in 10g rwservlet.properties): administrator Web commands (DELAUTH, GETSERVERINFO, KILLENGINE, PARSEQUERY, SHOWENV, SHOWJOBS, SHOWMAP, SHOWMYJOBS) are also allowed. AUTHID is required to run administrator commands.

  Note: For L2 Web command access, you do not need to pass the authid. The authid parameter is required only for the STOPSERVER command, irrespective of the webcommandaccess value. Administrators are allowed to run both end user and administrator Web commands. For a non-secure Reports Server, the user ID and password for administrators can be set in the identifier element of the Reports Server configuration file.
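As an added example (not from the Oracle documentation), the following Python script applies the command categories and webcommandaccess levels above to HTTP server access-log lines, flagging administrator Web command requests that the configured level should not permit. The log lines, client addresses and the two URL forms it handles (rwservlet/keyword and rwservlet?keyword=...) are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl
# Web command categories as defined for webcommandaccess in Oracle Reports 11.1.2.
END_USER_CMDS = {"getjobid", "killjobid", "showauth", "showjobid"}
ADMIN_CMDS = {"delauth", "getserverinfo", "killengine", "parsequery",
              "showenv", "showjobs", "showmap", "showmyjobs"}
# webcommandaccess value -> categories it permits (NO/YES are the 10g-compatible aliases).
ACCESS_LEVELS = {"L0": set(), "NO": set(), "L1": {"end user"},
                 "L2": {"end user", "administrator"}, "YES": {"end user", "administrator"}}
# Constructed sample HTTP server log lines (combined format); not captured from a real system.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2024:09:12:01 +0000] "GET /reports/rwservlet/getjobid?jobid=1041&server=rep_srv HTTP/1.1" 200 5120
10.0.0.5 - - [01/Mar/2024:09:12:03 +0000] "GET /reports/rwservlet?getjobid=1042&server=rep_srv HTTP/1.1" 200 4870
10.0.0.9 - - [01/Mar/2024:09:13:10 +0000] "GET /reports/rwservlet/showjobs?server=rep_srv HTTP/1.1" 200 2300
10.0.0.9 - - [01/Mar/2024:09:13:12 +0000] "GET /reports/rwservlet/showenv?server=rep_srv HTTP/1.1" 200 1900
10.0.0.5 - - [01/Mar/2024:09:14:00 +0000] "GET /reports/rwservlet?report=inv.rdf&destype=cache HTTP/1.1" 200 88000
"""
REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/')

def extract_command(url):
    """rwservlet keyword in a request URL (lower case), or None for a plain report run."""
    parts = urlsplit(url)
    path = parts.path.lower()
    idx = path.find("/rwservlet")
    if idx < 0:
        return None
    tail = path[idx + len("/rwservlet"):].strip("/")
    if tail:                           # path form: rwservlet/showjobs?server=...
        return tail.split("/")[0]
    for key, _ in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in END_USER_CMDS | ADMIN_CMDS:   # query form: rwservlet?getjobid=1042
            return key.lower()
    return None

def classify(cmd):
    """Category for webcommandaccess; STOPSERVER and unknown keywords are 'other'."""
    return "end user" if cmd in END_USER_CMDS else "administrator" if cmd in ADMIN_CMDS else "other"

def audit(log_text, access_level):
    """(client, command, category, permitted) per Web command request; permitted=False
    marks a request the configured webcommandaccess level should have refused."""
    allowed = ACCESS_LEVELS[access_level.upper()]
    findings = []
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        cmd = extract_command(m.group(2)) if m else None
        if cmd is not None:
            cat = classify(cmd)
            findings.append((m.group(1), cmd, cat, cat in allowed))
    return findings
```

Run with the level actually set in rwservlet.properties; under L1 the two SHOWJOBS/SHOWENV requests from 10.0.0.9 are reported as not permitted, which is the pattern to review against the server's own response codes.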