Frmwebshowdoc Rep 128094

8/8/2019 Frmwebshowdoc Rep 128094

1/14

Oracle Forms Services SecureWeb.Show_Document() calls toOracle Reports

$Q 2UDFOH 7HFKQLFDO :KLWHSDSHU

)HEUXDU\


2/14

! "# $ % & ' ( ) ) 01 % 3 2 ( ) 5 4 6 7 % 03 8 ( 9 1 @

Secure Web.Show_Document() calls to Oracle Reports

Introduction........................................................................................................3Using Web.Show_Document Built-in to call Reports .................................3

Web.Show_Document syntax.....................................................................3Calling Oracle Reports on the Web ...........................................................4Calling Reports from Forms using Web.Show_Document....................4

Secure Web.Show_Document calls to Oracle Reports................................5Using the oracle.reports.utility.FrmReportsInteg Bean in Forms..........6Forms Services Configuration.....................................................................8

Formsweb.cfg file.....................................................................................8

forms90/ java directory ............................................................................8Basejini.htm file.........................................................................................9Summary .............................................................................................................9Appendix A: FrmReportsInteg Bean functionality.......................................9

SET_< nn> ENCRYPTION_KEY............................................................9Example for Oracle9 L Reports................................................................9Example for Oracle10 J Reports ...........................................................10

SET_MAX_AGE .......................................................................................10SET_COOKIE_DOMAIN ......................................................................10SET_COOKIE_PATH .............................................................................10WRITE_LOGOUTPUT ...........................................................................11

Enabling debug messages example......................................................11Disabling debug messages example .....................................................11

WRITE_USERID_COOKIE ..................................................................11Appendix B: Extended PL/ SQL Example..................................................12Appendix C: Known Issues ...........................................................................13


3/14

! "# $ % & ' ( ) ) 01 % 3 2 ( ) 5 4 6 7 % 03 8 ( 9 1 A

Secure Web.Show_Document() calls to Oracle Reports

,1752'8&7,21

Using the Oracle Forms Web.Show_Document() Built-in to call Oracle Reports onthe Web is an alternative to the Run_Report_Object() Built-in. TheWeb.Show_Document() Built-in accesses Web resources by issuing a HTTPGET request from the browser URL. HTTP GET requests, in contrast toPOST requests, show the complete URL string with all the request parameters inthe browsers address bar, including those parameters that are considered sensitiveinformation, such as logon information.

This Whitepaper shows you how to secure calls to Oracle Reports Services, issuedby Forms using the Web.Show_Document() Built-in, by eliminating the need toexpose the sensitive userid information in the Reports request URL.

The solution described in this document is based on a Java Bean that resides onthe Oracle Forms Web client and works with the Forms and Reports componentsof Oracle Application Server releases 9.0.2.x and 10 J . The Java Bean and its sourcecode can be downloaded with this paper.

86,1* :(% 6+2:B'2&80(17 %8,/7 ,1 72 &$// 5(32576

This section briefly covers the use of the Forms Web.Show_Document() Built-in

to call Oracle Reports on the Web.

:HE 6KRZB'RFXPHQW V\QWD[

The Forms Web.Show_Document() Built-In requires two arguments passed withinthe call

Web.Show_Document(URL, Target);

85/ The URL is passed as a string in a variable, or as a combination of both. If the target Web page is located on the same server that runs Forms Services,relative addressing could be used.

7DUJHW Definition of the target where the addressed Web page should bedisplayed. Values must be single-quoted. Possible target values are _blank to showthe Reports output in an extra browser window, _self to replace the Formsapplication with the Reports output, to load the Reports outputinto a named frame of the multi frame HTML page.


4/14

! "# $ % & ' ( ) ) 01 % 3 2 ( ) 5 4 6 7 % 03 8 ( 9 C B

&DOOLQJ 2UDFOH 5HSRUWV RQ WKH :HE

After installing Oracle Application Server, Oracle Reports Services can be accessedby the following URL

http(s)://:/reports/rwservlet?

A complete syntax example to run Reports from a browser looks like this

http://:/reports/rwservlet? VHUYHU =&UHSRUW=.rdf& GHVIRUPDW=[htmlcss|pdf|xml|delimited|]& GHVW\SH=cache

&XVHULG=& SDUDPIRUP=[no|yes]

VHUYHU the name of the Reports Server 1 used. This name can be omitted to use the

in process Reports Server that is automatically started by the Reports Servlet.

UHSRUW the name of the Reports module to execute

GHVIRUPDW the output format of the returned Reports result set. Desformat can be

htmlcss, html, pdf, xml, rtf and delimited. For Reports run from Forms pdf and

htmlcss are the most commonly used options

GHVW\SH determines where the Reports output gets written to. Cache specifiesthat the Reports output gets streamed to the requesting browser.

XVHULG in the case of a Reports that needs to query a database for its data, the

userid parameter contains the username, the user password and the connection

information for the database.

SDUDPIRUP determines if Reports should display a HTML parameter form before

executing the request. The parameter form can be used for the user to further filter

the expected Reports result set. Valid values are yes and no.

To reduce the length of the Reports request URL, you can create a key entry in the

Reports cgicmd.dat configuration file to store command line parameters that dont

change from one Report to the other. In this case the first argument in a ReportsWeb request, right after the question mark, must be the key name 2.

&DOOLQJ 5HSRUWV IURP )RUPV XVLQJ :HE 6KRZB'RFXPHQW

The following PL/ SQL example assumes the Reports Services to run on the sameserver that hosts the Forms Services, thus using relative addressing. The Reportsoutput is formatted in HTML (desformat=htmlcss) and no Reports parameterform is shown before running the report (paramform=no). To filter the Reportsresult set, a user parameter is passed to Reports, specifying the department id toretrieve information for (p_deptno= 10).

1 Please refer to the Reports Services documentation on how to create a Reports Service2 You can also specify the userid parameter in the cgicmd.dat file and thus hide it fromthe URL. However the userid will show in the HTML source code of the parameterform if used


5/14

! "# $ % & ' ( ) ) 01 % 3 2 ( ) 5 4 6 7 % 03 8 ( 9 1 D

When calling Web.Show_Document(), the second argument is specified as_blank, which means that the Reports output is shown in a separate browserwindow.

DECLARE

rep_url varchar2(2000);

BEGIN

rep_url:=/reports/rwservlet?server=repserv10g@fnimphiu-pc&report=reptest.rdf

||&desformat=htmlcss&destype=cache&userid=scott/tiger@orcl

||&p_deptno=10&paramform=no;

WEB.SHOW_DOCUMENT(rep_url,_blank);

END;

([DPSOH 3/ 64/ ([DPSOH XVLQJ :HE 6KRZB'RFXPHQW %XLOW LQ WR2UDFOH 5HSRUWV

The sensitive information for the userid parameter is added to the Reports request

URL and will be shown in the browser.

6(&85( :(% 6+2:B'2&80(17E

&$//6 72 25$&/( 5(32576

One option to secure Reports called by the Forms Web.Show_Document() Built-in is to use run Forms and Reports in single sign-on mode. The Oracle ApplicationServer provides an integrated single sign-on solution that can be used without anychanges required to the Forms and Reports application modules 4.

Another option is the technique explained in the rest of this paper.

Adding the userid parameter to the Reports request URL violates the securitypolicies of many companies. Thus, to avoid exposing the userid parameter at all,the userid connect string must be encrypted and stored in a temporary cookie onthe client browser.

This means the following for Reports to run:

1. The userid parameter is left empty in the Reports HTML parameter formand doesnt show in the requested URL

2. The userid connect string is encrypted and stored as a temporary cookie.The cookie is deleted immediately when closing the browser

3 The solution described was tested with Oracle9i Forms and Reports as well as withOracle10g Forms and Reports.4 Using single sign-on with Forms and Reports is explained in the Oracle9i Forms andReports integration Whitepaper, available at otn.oracle.com/ products/ forms


6/14

! "# $ % & ' ( ) ) 01 % 3 2 ( ) 5 4 6 7 % 03 8 ( 9 1 F

3. The cookie expires after 30 minutes even if the browser isnt closed

4. The default cookie domain is derived from the host running FormsServices. This secures the cookie from applications hosted by otherservers accessing this information

The Reports userid cookie can be set from Forms using a Java Bean in Forms. ABean that performs this action, oracle.reports.utility.FrmReportsInteg, has beenwritten to accompany this Whitepaper, and handles setting the userid parameter ina cookie. The Bean is contained in a jar file called frmrwinteg.jar and can bedownloaded with this document from http:/ / otn.oracle.com/ products/ forms.

8VLQJ WKH RUDFOH UHSRUWV XWLOLW\ )UP5HSRUWV,QWHJ %HDQ LQ

For the Bean to work in Forms, it needs to be added to a Forms Canvas that isvisible when calling Reports.

1. In the Forms Layout Editor, add a Java Bean container to Forms, makingsure that the Bean item is created in a control block.

2. To hide the Bean on the canvas, select the Bean in the Layout editor andpress F4 to open the property inspector. Set the Width and Heightproperties to 1, the Bevel property to Plain and set the background andforeground color to the color of the canvas

3. Set the value oracle.reports.utility.FrmReportsInteg for the Bean ItemImplementation Class property . Ignore any errors shown whennavigating out of the Implementation class property field. This errormessage may show again later on, but then can be ignored too. 5

4. Define the Bean item name as USERID_BEAN and close the PropertyPalette.

5. To use the PL/ SQL code shown in Example 1, the following changesneed to be done in the code to exclude the userid value from the Reportsrequest URL. Instead the userid value is stored in a temporary cookie onthe client.

5 To avoid the error message to be shown, add the frmrwinteg.jar file name with thecomplete path information to the FORMS90_BUILDER_CLASSPATH registryvariable.


7/14

! "# $ % & ' ( ) ) 01 % 3 2 ( ) 5 4 6 7 % 03 8 ( 9 1 G

DECLARE

rep_url varchar2(2000);

BEGIN

rep_url:=/reports/rwservlet?server=repserv10g@fnimphiu-pc&report=reptest.rdf

||&desformat=htmlcss&destype=cache& XVHULG

||&p_deptno=|| :dept.deptno&paramform=no;

-- Write log messages to the Forms JInitiator console. The next line must

-- be disabled before running this code in any production environment

set_custom_property('control.userid_bean',1,'WRITE_LOGOUTPUT','true');

-- VHW XVHULG LQ HQFU\SWHG FRRNLH EHIRUH FDOOLQJ :HE 6KRZB'RFXPHQ

set_custom_property('control.userid_bean',1,'ADD_USERID',

get_application_property(username)||'/'||

get_application_property(password)||'@'||

get_application_property(connect_string));

-- ZULWLQJ WKH FRRNLH

set_custom_property('control.userid_bean',1,'WRITE_USERID_COOKIE','10g');

WEB.SHOW_DOCUMENT(rep_url,_blank);

END;

([DPSOH 3/ 64/ ([DPSOH VHFXULQJ WKH :HE 6KRZB'RFXPHQW %XLOWWR 2UDFOH 5HSRUWV 7KH XVHULG SDUDPHWHU YDOXH LV WHPSRUDHQFU\SWHG FRRNLH RQ WKH FOLHQW

Oracle Reports 9.0.2 and later still require that the userid parameter is added to therequest URL, but the parameter value can be left blank as shown in Example 2(userid= ). All that userid= parameter does is to indicate to the Reports Serverthat the requested report requires a database connect and that the databasecredentials are stored in a temporary cookie on the client.

The first call to SET_CUSTOM_PROPERTY() (Example 2) enables debugmessages to be written to the JInitiator console, which may prove useful duringdesign time. This should be disabled before productizing the application.

The second call to SET_CUSTOM_PROPERTY() sends the connect stringinformation to the Bean, which it needs to create the cookie

Finally, the cookie is created for the client browser using another call toSET_CUSTOM_PROPERTY(). The argument 10g specifies the version of the


8/14

! "# $ % & ' ( ) ) 01 % 3 2 ( ) 5 4 6 7 % 03 8 ( 9 1 H

Reports Server and determines the cookie format. For Oracle9i Reports theargument is 9i.

This sets the cookie to the client browser using the following cookie settings:

1. Expiry is set to temporary, which means that the cookie expires whenthe user closes the browser.

2. Validness is set to 30 minutes by default. This means that the cookieexpires after 30 minutes even if the user doesnt close the browser. TheReports Server checks if the cookie is still valid before executing theReport. Because the cookie time is determined on the Forms client, it isimportant to consider time zone differences between the client and theserver (see Appendix A).

3. The cookie path is set to / which means that all applications that runon a server in the same domain as the server running Forms Services canaccess this cookie (see Appendix A).

4. The cookie domain is set to the domain of the server running FormsServices. If the server domain is us.oracle.com, then only those serversthat run in this domain can access the client side cookie (see AppendixA).

5. The default Reports key is used to encrypt the information. This defaultvalue is reports9i for Oracle9 L and Oracle10 J Reports (see AppendixA).

)RUPV 6HUYLFHV &RQILJXUDWLRQ

To deploy the FrmReportsInteg Bean with Forms, changes are required in theformsweb.cfg file and the basejini.htm file, both located in the < OracleHome>\ forms90\ server directory.

IQ P# RT SV UX W` Y aC b ce dg fh dp i q Y

The archive file fmrRwInteg.jar that contains the FrmReportsInteg Bean needs tobe configured for download when the Forms application is started. Add the

following line to the named configuration section for your application in theformsweb.cfg file, located in the forms90/ server directory:

[ ]archive_jini=f90all_jinit.jar,frmrwinteg.jar...

dg P# RT SV UQ rX se t u vx w vV y# i R Y ce g P# R

Make sure that the frmrwinteg.jar file is located in the forms90/ java directory of your Forms Services installation.

You can tell from looking at the JInitiator Java console on the client if thisconfiguration works. If you see a Java error printed to the console that reports amissing Java class file, then this is most likely a misconfiguration.


9/14

! "# $ % & ' ( ) ) 01 % 3 2 ( ) 5 4 6 7 % 03 8 ( 9 1

3 vx U Y uT i C i b X T S dp i q Y

For the Java Bean to work, it is required to grant permission to the Forms Appletto use scripting. Edit the basejini.htm file, or any other template file you use tolaunch Forms, and add the following lines to the IE section and Netscape section.

,QWHUQHW ([SORUHU

1HWVFDSH

6800$5

Documents

Frmwebshowdoc Rep 128094