Managing URL Security for Applications
Oracle Forms applications are web-deployed solutions that users access using a URL. Oracle Forms architecture allows Forms developers two ways to choose and configure how a Forms application runs. One option is to set the parameter and the value in the URL. The second option is to set the parameter and its value(s) in the Web Configuration (formsweb.cfg).
The parameter that is set in the Web Configuration can be overridden by the parameter set in the URL. A Forms administrator can override this default behavior, and give the Forms administrator full control over what parameter can be used in the URL.
Here are two scenarios to consider when deciding which parameters to allow or not allow in a URL. The first scenario is when an administrator just wants to restrict the usage of the USERID parameter in the URL that forces the end-user to always log in using the default login window. The second scenario is when an administrator disables all parameters except a few, such as CONFIG=MyApp in a URL.
The parameter restrictedURLparams allows flexibility for the Forms administrator to consider any URL-accessible parameter in the formsweb.cfg file as restricted to a user. An administrator can specify this parameter in a named configuration section to override the one specified in the default configuration section. The restrictedURLparams parameter itself cannot be set in the URL.
By design, command line arguments passed in a URL always override similar definitions in the formsweb.cfg.
In this example, the userid is defined as user1/user1pwd and debug is set to false. An application that is configured to connect to the database as user1/user1pwd can connect as a different user with the userid parameter added as a URL parameter. To prevent it, define the userid parameter in the restrictedURLparams parameter.
Figure -47 Defining the restrictedURLparams Parameter
Description of "Figure -47 Defining the restrictedURLparams Parameter"
Similarly, an administrator can use the restrictedURLparams parameter to redirect a user to a page which lists the restricted parameters that were used. The restrictedURLparams parameter can be set to 'all' which will prevent any parameters (other than config section) from being specified in the URL.
Securing the Oracle Forms Test Form
The test form runs when you access an Oracle Forms URL but do not specify an application to run. For example, normally you call an Oracle Forms application with the following syntax:
https://<host>:<port>/forms/frmservlet?config=myApp
The Forms servlet locates [myApp] in the formsweb.cfg file and launches that application. However, when no application is specified, for example:
https://<host>:<port>/forms/frmservlet
The Forms servlet uses the settings in the default section of the formsweb.cfg file. These settings are located under [default] in the Forms Configuration file (anytime an application does not override any of these settings, the defaults are used). The default section has the following setting:
form=test.fmx
This is the test form which enables you to test your Oracle Forms Services installation and configuration. Thus if you do not specify an application, Forms launches the test.fmx file. You could change this to:
form=
And the form does not run. However, this is not optimal; the Forms servlet still sends the dynamically generated HTML file to the client, from which a curious user could obtain information. The optimally secure solution is to redirect requests to an informational HTML page that is presented to the client instead. Some parameters in the formsweb.cfg file must be changed.
Here are the parameters to change, along with their default values when you install Oracle Forms Services:
# System parameter: default base HTML file
baseHTML=base.htm
# System parameter: base HTML file for use with Oracle's Java Plug-In
baseHTMLjpi=basejpi.htm
These parameters are templates for the HTML information that are sent to the client. Create an informational HTML page and have these variables point to that instead. For example, in the $DOMAIN_HOME/config/fmwconfig/components/FORMS/instances/<Forms Instance Name>/server directory, create a simple HTML page called forbidden.html with the following content:
<html>
<head>
<title>Forbidden</title>
</head>
<body>
<h1>Forbidden!</h1>
<h2>You may not access this Forms application.</h2>
</body>
</html>Note:
This message page was displayed because redirecting of client information is different from the page that the Web server returns when the requested content has restricted permissions on it.Next, modify the formsweb.cfg parameters by commenting out or modifying the original parameters:
# System parameter: default base HTML file
#baseHTML=base.htm
baseHTML=forbidden.html
# System parameter: base HTML file for use with Oracle's Java Plug-In
#baseHTMLjpi=basejpi.htm
baseHTMLjpi=forbidden.html
# System parameter: base HTML file for use with Microsoft Internet Explorer
# (when using the native JVM)
When a user enters the URL
https://<host>:<port>/forms/frmservlet
the customized Web page is presented. Of course, you can customize forbidden.html, including its contents, its file name, and its location if you make the corresponding changes to these parameters in the formsweb.cfg file. Administrators can put any information, such as warnings, errors, time stamps, IP logging, or contact information in this information Web page with minimal impact on the server configuration.
Note:
Overriding the base HTML template entries in the default section of formsweb.cfg requires that you add the same entries pointing to the original values (or some other valid HTML file) in your application-specific named configuration:
[myApp] form=myApplication.fmx lookandfeel=oracle baseHTML=base.htm baseHTMLjpi=basejpi.htm
If you do not specify these base HTML values, and when a user runs an application, the forbidden.html page is displayed because the application-specific configuration section has not overridden the default values.