Oracle® Fusion Middleware Publishing Reports to the Web with Oracle Reports Services 11g Release 1 (11.1.1) Part Number B32121-02
Oracle Reports 11g Release 1 (11.1.1) provides new security measures for reports run from Oracle Forms Services in non-secure mode:
Oracle Reports allows you to generate random and non-sequential job IDs to make it impossible to predict the job ID for a particular job. For more information, see Section 18.8.2, "Generating Random and Non-Sequential Job IDs".
Prior to 11g Release 1 (11.1.1), Oracle Reports generated sequential job IDs, making it easy to predict the job ID. This meant that unauthorized or malicious users could potentially view the job output using GETJOBID through rwservlet to obtain job output that belongs to another user.
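The following Python is an added illustration of the point above and is not Oracle's code, nor a description of how Oracle Reports generates job IDs internally. It contrasts a counter-based ID source with one drawn from the OS random generator, adds a hypothetical job registry (`JobStore`) that also checks job ownership on retrieval, and includes a small check (`looks_sequential`) a deployer can run against a sample of issued IDs to confirm they do not follow the predictable pattern this section warns about. All class and function names are assumptions for the example; the report output is a constructed byte string.

```python
import itertools
import secrets


class SequentialJobIds:
    """Counter-based IDs, as described for releases before 11.1.1:
    knowing one job ID reveals its neighbours. Illustrative only."""

    def __init__(self, start=1):
        self._counter = itertools.count(start)

    def next_id(self):
        return str(next(self._counter))


class RandomJobIds:
    """Unpredictable IDs drawn from the OS CSPRNG. 128 bits of entropy
    leaves no arithmetic relationship between one job's ID and the next."""

    def next_id(self):
        return secrets.token_hex(16)  # 32 hex characters


class JobStore:
    """Hypothetical job registry: output is keyed by job ID, and retrieval
    (the GETJOBID case) also verifies that the requester owns the job, so an
    ID that does leak still does not expose another user's output."""

    def __init__(self, id_source):
        self._ids = id_source
        self._jobs = {}  # job_id -> (owner, output)

    def submit(self, owner, output):
        job_id = self._ids.next_id()
        self._jobs[job_id] = (owner, output)
        return job_id

    def get_output(self, requester, job_id):
        entry = self._jobs.get(job_id)
        if entry is None:
            raise KeyError("unknown job ID")
        owner, output = entry
        if owner != requester:
            raise PermissionError("job belongs to another user")
        return output


def looks_sequential(ids):
    """Deployment sanity check: True when the sample is all integers with a
    constant stride, i.e. the predictable pattern this section warns about."""
    try:
        nums = [int(i) for i in ids]
    except ValueError:
        return False
    if len(nums) < 3:
        return False
    strides = {b - a for a, b in zip(nums, nums[1:])}
    return len(strides) == 1


if __name__ == "__main__":
    old = SequentialJobIds(start=1000)
    new = RandomJobIds()
    print("sequential:", [old.next_id() for _ in range(4)])
    print("random    :", [new.next_id() for _ in range(2)])
    store = JobStore(new)
    jid = store.submit("alice", b"%PDF-... (constructed report output)")
    print("owner fetch ok:", store.get_output("alice", jid)[:4])
    try:
        store.get_output("mallory", jid)
    except PermissionError as exc:
        print("other user denied:", exc)
```

The ownership check in `get_output` is the defence-in-depth half of the picture: random IDs remove guessing as an avenue, and binding each job to the user who submitted it means that even an ID copied from a log or a shared URL does not hand someone else's output to the requester.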
Web commands (rwservlet keywords) are now categorized for added security:
End user Web commands: GETJOBID, KILLJOBID, SHOWAUTH, SHOWJOBID
Administrator Web commands: DELAUTH, GETSERVERINFO, KILLENGINE, PARSEQUERY, SHOWENV, SHOWJOBS, SHOWMAP, SHOWMYJOBS. AUTHID is required to run administrator commands.
The new webcommandaccess parameter in the Oracle Reports Servlet (rwservlet) configuration file (rwservlet.properties) defines access levels for executing rwservlet keywords (Web commands). Its values are:
L0: no Web commands allowed.
L1: only end user Web commands allowed (GETJOBID, KILLJOBID, SHOWAUTH, SHOWJOBID).
L2: administrator Web commands (DELAUTH, GETSERVERINFO, KILLENGINE, PARSEQUERY, SHOWENV, SHOWJOBS, SHOWMAP, SHOWMYJOBS) are also allowed. AUTHID is required to run administrator commands.
NO (for backward compatibility with DIAGNOSTIC=NO in 10g rwservlet.properties): no Web commands allowed.
YES (for backward compatibility with DIAGNOSTIC=YES in 10g rwservlet.properties): administrator Web commands (DELAUTH, GETSERVERINFO, KILLENGINE, PARSEQUERY, SHOWENV, SHOWJOBS, SHOWMAP, SHOWMYJOBS) are also allowed. AUTHID is required to run administrator commands.
Administrators are allowed to run both end user and administrator Web commands. For a non-secure Reports Server, the user ID and password for administrators can be set in the identifier element of the Reports Server configuration file.
These values can be set using Oracle Enterprise Manager, as described in Section 7.8.4, "Defining Security Policies for Web Commands".
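As an added example, not code from Oracle or from rwservlet itself, the following Python models the access rules stated above as a policy check: the two command categories, the five documented webcommandaccess values with the 10g compatibility aliases folded onto their equivalent level, and the AUTHID requirement for administrator commands. The function names (`decide`, `is_allowed`, `access_matrix`) are assumptions for the example; the `admin_authenticated` flag stands in for a successful AUTHID check against the administrator credentials, which is outside the example. Unrecognised setting values fail closed.

```python
# Command categories exactly as the section lists them.
END_USER_COMMANDS = {"GETJOBID", "KILLJOBID", "SHOWAUTH", "SHOWJOBID"}
ADMIN_COMMANDS = {
    "DELAUTH", "GETSERVERINFO", "KILLENGINE", "PARSEQUERY",
    "SHOWENV", "SHOWJOBS", "SHOWMAP", "SHOWMYJOBS",
}

# Every documented webcommandaccess value, with the 10g compatibility
# aliases (NO/YES) mapped onto the level they are equivalent to.
ACCESS_LEVELS = {"L0": 0, "NO": 0, "L1": 1, "L2": 2, "YES": 2}


def decide(webcommandaccess, command, admin_authenticated=False):
    """Return (allowed, reason) for one Web command under one setting.

    admin_authenticated means AUTHID was supplied and verified against the
    administrator credentials; that verification is assumed, not shown here.
    An unknown setting raises rather than defaulting to something permissive.
    """
    setting = webcommandaccess.strip().upper()
    if setting not in ACCESS_LEVELS:
        raise ValueError(f"unrecognised webcommandaccess value: {webcommandaccess!r}")
    level = ACCESS_LEVELS[setting]
    cmd = command.strip().upper()

    if cmd in END_USER_COMMANDS:
        if level >= 1:
            return True, f"{cmd}: end user command permitted at {setting}"
        return False, f"{cmd}: no Web commands permitted at {setting}"
    if cmd in ADMIN_COMMANDS:
        if level < 2:
            return False, f"{cmd}: administrator commands not permitted at {setting}"
        if not admin_authenticated:
            return False, f"{cmd}: AUTHID required for administrator commands"
        return True, f"{cmd}: administrator command permitted at {setting} with AUTHID"
    return False, f"{cmd}: not a recognised Web command"


def is_allowed(webcommandaccess, command, admin_authenticated=False):
    return decide(webcommandaccess, command, admin_authenticated)[0]


def access_matrix():
    """One row per setting: the commands it opens up without AUTHID, then
    with AUTHID. Useful for confirming a planned setting before rollout."""
    all_commands = END_USER_COMMANDS | ADMIN_COMMANDS
    rows = {}
    for setting in ACCESS_LEVELS:
        anon = sorted(c for c in all_commands if is_allowed(setting, c))
        admin = sorted(c for c in all_commands if is_allowed(setting, c, True))
        rows[setting] = (anon, admin)
    return rows


if __name__ == "__main__":
    for setting, (anon, admin) in access_matrix().items():
        print(f"{setting:>3}: without AUTHID {anon or '-'}")
        print(f"     with AUTHID    {admin or '-'}")
```

The reason string returned by `decide` is what you would want to log: a denied SHOWJOBS or KILLENGINE at L1, or an administrator command without AUTHID at L2, is exactly the kind of event worth surfacing when reviewing a non-secure Reports Server.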