User requests the report through a URL

Publishing Reports to the Web with Oracle Reports Services

The AUTHID cookies are terminated when the user closes their browser session, but you should not rely strictly on this method of terminating the cookie. You should limit the lifetime of the cookie within a given session. For example, a user might log on and then go to lunch, leaving the browser session open. To minimize the potential for a security breach in this situation, the administrator may specify the COOKIEEXPIRE parameter as an attribute of the cookie element in the rwservlet.properties file. For example, you can specify the cookie element in the rwservlet.properties file as follows:

<cookie cookieexpire="30" encryptionkey="reports"/>

When rwservlet receives a job request, it compares the time saved in the cookie with the current system time. If the elapsed time is longer than the number of minutes defined in the environment variable (for example, 30 minutes), the cookie is rejected and the user is challenged to provide authentication information.

15.3.2.1 Report Request Flow with Non-SSO Oracle Internet Directory-Based, File-Based, or Embedded ID Store

In this scenario, the report request is sent to a secured Reports Server with Single Sign-On disabled. Non-SSO authentication methods include Oracle Internet Directory-based, File-based, and Embedded ID store. In this case, rwservlet or a JSP report might be called through the use of a bookmark or from an Oracle Portal component.

Note: If you want to force users to authenticate themselves for a specific report, you can use the SHOWAUTH command line keyword. Alternatively, you can include a %S in the corresponding report entry in the key map file. This file is usually called cgicmd.dat and is located in DOMAIN_HOME/config/fmwconfig/servers/WLS_SERVER_NAME/applications/reports_version/configuration/cgicmd.dat. %S forces users to enter their username and password each time the report is called. For more information, see Section 18.13, Using a Key Map File.
See Also: Section 8.3, Oracle Reports Servlet Configuration File for more information about the COOKIEEXPIRE parameter and the rwservlet.properties file.

Figure 15–3 Authentication Process Without Single Sign-On

The following numbered steps map to the numbers in Figure 15–4:

1. User requests the report through a URL. The user must somehow gain access to the URL that launches the report request (for example, through a link on a Web page or a bookmark), and choose the URL.

2. Oracle HTTP Server routes the request to rwservlet deployed on Oracle WebLogic Server.

3. rwservlet asks for user credentials (that is, user name and password). rwservlet checks for the AUTHID parameter in the URL or an existing Oracle Reports AUTHID cookie. If it finds the AUTHID parameter, it uses that to authenticate the user. If it does not find the AUTHID parameter, it looks for an existing Oracle Reports AUTHID cookie. If the report is launched from Oracle Portal, AUTHID is added to the URL automatically. If neither the AUTHID parameter nor an Oracle Reports AUTHID cookie is found, rwservlet sends the System Authentication page to the Oracle HTTP Server, to display to the user.

4. Oracle HTTP Server displays the login page to the user, and the user provides user name and password. On the login page, the user must supply a user name and password. This information is stored in an Oracle Reports AUTHID cookie for future reference.

5. User name and password are passed on to rwservlet. If only partial data source credentials are provided in the URL (for example, USERID=scott@orqa), the Database Authentication page displays with the partial credentials shown. The user must supply the remainder of the data source credentials before proceeding further. Note that you can control which Database Authentication page is used through the DBAUTH parameter in the rwservlet.properties file. If no data source credentials are provided, the Database Authentication page does not display and it is assumed the report does not require a data source.

See Also: Section 8.3, Oracle Reports Servlet Configuration File for more information about the DBAUTH parameter and the rwservlet.properties file.
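
The cookie lifetime check described earlier and the lookup order in step 3 can be modeled in a few lines of Python. This is an added example, not Oracle's code: the cookie layout, the HMAC that protects the saved time, the key and all function names are assumptions made for the illustration, since rwservlet's real cookie format is not shown here.

```python
import hashlib
import hmac
import time

COOKIE_EXPIRE_MINUTES = 30            # mirrors cookieexpire=30 in the text
SERVER_KEY = b"constructed-demo-key"  # constructed value, not a real key


def _mac(body):
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()


def issue_cookie(user, now=None):
    """Build a demo cookie 'user|issued_at|mac' (hypothetical layout)."""
    issued = int(time.time() if now is None else now)
    body = f"{user}|{issued}"
    return f"{body}|{_mac(body)}"


def check_cookie(cookie, now=None):
    """Return the user name if the cookie is authentic and fresh, else None."""
    now = time.time() if now is None else now
    try:
        user, issued, mac = cookie.split("|")
        issued = int(issued)
    except ValueError:
        return None  # missing or malformed cookie: treat as absent
    expected = _mac(f"{user}|{issued}")
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None  # the saved time or user was altered on the client
    if now - issued > COOKIE_EXPIRE_MINUTES * 60:
        return None  # older than the configured lifetime: reject
    return user


def resolve_request(url_params, cookies, now=None):
    """Step 3 order: AUTHID parameter, then AUTHID cookie, then challenge."""
    if "AUTHID" in url_params:
        return ("authenticate_with_parameter", url_params["AUTHID"])
    user = check_cookie(cookies.get("AUTHID", ""), now)
    if user is not None:
        return ("accept_cookie", user)
    return ("show_system_authentication_page", None)
```

The model makes one property of the check visible: the time comparison only limits the cookie's lifetime if the client cannot rewrite the saved time, which is why the demo cookie authenticates it with a server-side key.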