Securing the Oracle Forms Test Form

4-30 Forms Services Deployment Guide

Parameters that control how a Forms application runs can be set in two ways. One option is to set the parameter and its value in the URL. The second option is to set the parameter and its value in the configuration file, formsweb.cfg. A parameter set in formsweb.cfg can be overridden by the same parameter set in the URL. A Forms administrator can override this default behavior and take full control of which parameters can be set in the URL.

Here are two scenarios to consider when deciding which parameters to allow or disallow in a URL. In the first, an administrator only wants to restrict the use of the USERID parameter in the URL, which forces the end user to always log in through the default login window. In the second, an administrator disables all parameters except a few, such as CONFIG=MyApp.

The restrictedURLparams parameter gives the Forms administrator the flexibility to treat any URL-accessible parameter in the formsweb.cfg file as restricted for a user. An administrator can specify this parameter in a named configuration section to override the one specified in the default configuration section. The restrictedURLparams parameter itself cannot be set in the URL.

By design, command line arguments passed in a URL always override similar definitions in formsweb.cfg. In the example in Figure 4–7, userid is defined as scott/tiger and debug is set to false. An application that is configured to connect to the database as scott/tiger can be made to connect as a different user simply by adding a userid parameter to the URL. To prevent this, userid is listed in restrictedURLparams, as shown in Figure 4–7, Defining the restrictedURLparams Parameter.

Figure 4–7 Defining the restrictedURLparams Parameter

Similarly, an administrator can use the restrictedURLparams parameter to redirect a user to a page which lists the restricted parameters that were used.
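The following is an added example, not Oracle's servlet code: a small simulation of the resolution rules described above (URL overrides formsweb.cfg, a named section overrides [default], restrictedURLparams blocks named URL parameters and can never itself be set from the URL). The formsweb.cfg excerpt is constructed for the example; it assumes parameter names are compared case-insensitively and that an unknown config= value falls back to [default], both of which are assumptions rather than statements from the guide.

```python
"""Simulate how URL parameters and formsweb.cfg interact under restrictedURLparams.

Added example, not Oracle's code. Assumptions: parameter names are compared
case-insensitively; an unknown config= value falls back to the [default] section.
"""
from configparser import ConfigParser
from urllib.parse import parse_qsl, urlsplit

# Constructed formsweb.cfg excerpt for the example (not the file Oracle ships).
SAMPLE_FORMSWEB_CFG = """
[default]
form=test.fmx
userid=scott/tiger
debug=false
# only userid is locked for applications that do not say otherwise
restrictedURLparams=userid

[MyApp]
form=myapp.fmx
userid=appuser/apppass
debug=false
# a named section's list replaces the default section's list
restrictedURLparams=userid,debug
"""


def load_formsweb_cfg(text):
    """Parse formsweb.cfg text; parameter names are lower-cased (assumed case-insensitive)."""
    cfg = ConfigParser(interpolation=None)
    cfg.optionxform = str.lower
    cfg.read_string(text)
    return cfg


def restricted_set(params):
    """Names that may not be set from the URL for this effective configuration."""
    names = {p.strip().lower() for p in params.get("restrictedurlparams", "").split(",")}
    names.discard("")
    names.add("restrictedurlparams")  # can never be set in the URL, by design
    return names


def resolve(cfg, url):
    """Return (effective parameters, URL parameters that were rejected)."""
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    url_params = {k.lower(): v for k, v in query}
    # config= selects the named section; [default] supplies everything it does not set
    section = url_params.pop("config", "default")
    params = dict(cfg["default"])
    if cfg.has_section(section):
        params.update(cfg[section])
    restricted = restricted_set(params)
    rejected = {}
    for name, value in url_params.items():
        if name in restricted:
            rejected[name] = value      # ignored; the formsweb.cfg value stays in force
        else:
            params[name] = value        # URL overrides formsweb.cfg
    return params, rejected


if __name__ == "__main__":
    cfg = load_formsweb_cfg(SAMPLE_FORMSWEB_CFG)
    for url in (
        "http://host:9001/forms/frmservlet?config=MyApp&userid=intruder/pw&debug=true",
        "http://host:9001/forms/frmservlet?userid=intruder/pw&debug=true",
        "http://host:9001/forms/frmservlet?restrictedURLparams=&userid=intruder/pw",
    ):
        params, rejected = resolve(cfg, url)
        print(url)
        print("  userid =", params["userid"], "| debug =", params["debug"],
              "| rejected:", sorted(rejected))
```

With the constructed configuration, a request against MyApp cannot change either userid or debug, a request against [default] can still turn debug on but not change userid, and an attempt to clear restrictedURLparams from the URL is itself discarded.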

4.5.1 Securing the Oracle Forms Test Form

The test form runs when you access an Oracle Forms URL but do not specify an application to run. Normally, you call an Oracle Forms application with the following syntax:

    http://host:port/forms/frmservlet?config=myApp

The Forms servlet locates the [myApp] section in the formsweb.cfg file and launches that application. However, when no application is specified, for example:

    http://host:port/forms/frmservlet

the Forms servlet uses the settings in the default section of the formsweb.cfg file. These settings are located under [default] in the Forms configuration file; whenever an application does not override one of these settings, the default is used.

Configuring and Managing Forms Services 4-31

The default section has the following setting:

    form=test.fmx

This is the test form, which lets you test your Oracle Forms Services installation and configuration. Thus, if you do not specify an application, Forms launches test.fmx. You could change this to:

    form=

and the form no longer runs. However, this is not optimal: the Forms servlet still sends the dynamically generated HTML file to the client, and a curious user could obtain information from it. The optimally secure solution is to redirect such requests to an informational HTML page that is presented to the client instead. To do this, some parameters in the formsweb.cfg file must be changed. Here are the parameters to change, along with their default values when you install Oracle Forms Services:

    # System parameter: default base HTML file
    baseHTML=base.htm
    # System parameter: base HTML file for use with Sun's Java Plug-In
    baseHTMLjpi=basejpi.htm

These parameters name the templates for the HTML that is sent to the client. Create an informational HTML page and point these variables at it instead.
For example, in the ORACLE_INSTANCE/config/FormsComponent/forms/server directory, create a simple HTML page called forbidden.html with the following content:

    <html>
    <head>
    <title>Forbidden</title>
    </head>
    <body>
    <h1>Forbidden</h1>
    <h2>You may not access this Forms application.</h2>
    </body>
    </html>

Next, modify the formsweb.cfg parameters by commenting out or modifying the original entries:

    # System parameter: default base HTML file
    # baseHTML=base.htm
    baseHTML=forbidden.html
    # System parameter: base HTML file for use with Sun's Java Plug-In
    # baseHTMLjpi=basejpi.htm
    baseHTMLjpi=forbidden.html
    # System parameter: base HTML file for use with Microsoft Internet Explorer when using the native JVM

When a user enters the URL

    http://host:port/forms/frmservlet

the customized Web page is presented. Of course, you can customize forbidden.html, including its contents, its filename, and its location, provided you make the corresponding changes to these parameters in the formsweb.cfg file. Administrators can put any information, such as warnings, errors, time stamps, IP logging, or contact information, in this informational Web page with minimal impact on the server configuration.

Note: The message page displayed as a result of this redirection is different from the page that the Web server returns when the requested content has restricted permissions on it.
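The following is an added audit script, not part of the Oracle Forms distribution, that checks a formsweb.cfg for the exposure described in this section: it flags a [default] section whose form= still names test.fmx or whose baseHTML/baseHTMLjpi still name the shipped templates. It also applies the inheritance rule the section states (a named section uses the [default] value for anything it does not set) to warn when an application section would inherit forbidden.html as its own template. The three configuration excerpts are constructed for the example; the assumption that parameter names are case-insensitive is the script's, not the guide's.

```python
"""Audit formsweb.cfg for the test-form exposure described above.

Added example, not Oracle's code. The checks follow the rules the guide states:
[default] applies to the bare frmservlet URL and to every parameter a named
section does not override. Parameter names are treated case-insensitively
(an assumption). The configuration excerpts are constructed for the example.
"""
from configparser import ConfigParser

# Shipped-style defaults: the bare frmservlet URL runs the test form (constructed).
BEFORE = """
[default]
form=test.fmx
# System parameter: default base HTML file
baseHTML=base.htm
# System parameter: base HTML file for use with Sun's Java Plug-In
baseHTMLjpi=basejpi.htm

[MyApp]
form=myapp.fmx
"""

# Hardened only in [default]: MyApp now inherits forbidden.html as its template (constructed).
PARTIAL = """
[default]
form=
# baseHTML=base.htm
baseHTML=forbidden.html
# baseHTMLjpi=basejpi.htm
baseHTMLjpi=forbidden.html

[MyApp]
form=myapp.fmx
"""

# Hardened: bare requests get forbidden.html, the application keeps a working template (constructed).
AFTER = """
[default]
form=
# baseHTML=base.htm
baseHTML=forbidden.html
# baseHTMLjpi=basejpi.htm
baseHTMLjpi=forbidden.html

[MyApp]
form=myapp.fmx
baseHTML=base.htm
baseHTMLjpi=basejpi.htm
"""

TEMPLATE_KEYS = ("basehtml", "basehtmljpi")   # lower-cased by the parser below


def load_cfg(text):
    """Parse formsweb.cfg text with parameter names lower-cased (assumed case-insensitive)."""
    cfg = ConfigParser(interpolation=None)
    cfg.optionxform = str.lower
    cfg.read_string(text)
    return cfg


def audit(cfg, forbidden_page="forbidden.html"):
    """Return a list of findings; an empty list means the bare URL no longer runs the test form
    and no application section silently inherits the forbidden page."""
    findings = []
    default = cfg["default"]
    if default.get("form", "").strip().lower() == "test.fmx":
        findings.append("[default] form=test.fmx: the bare frmservlet URL runs the test form")
    for key in TEMPLATE_KEYS:
        value = default.get(key, "").strip()
        if value != forbidden_page:
            findings.append(f"[default] {key}={value or '<unset>'}: "
                            "the bare URL still receives the generated HTML")
    # Named sections inherit every parameter they do not set from [default], so once
    # [default] points at the forbidden page each application needs its own template.
    if all(default.get(k, "").strip() == forbidden_page for k in TEMPLATE_KEYS):
        for section in cfg.sections():
            if section == "default":
                continue
            for key in TEMPLATE_KEYS:
                if key not in cfg[section]:
                    findings.append(f"[{section}] inherits {key}={forbidden_page} "
                                    "from [default]; set its own template")
    return findings


if __name__ == "__main__":
    for label, text in (("BEFORE", BEFORE), ("PARTIAL", PARTIAL), ("AFTER", AFTER)):
        print(label, audit(load_cfg(text)) or ["no findings"])
```

Run against a real file with `audit(load_cfg(open(path).read()))`. The PARTIAL case is the one to watch for: redirecting [default] alone is what the section asks for, but because named sections fall back to [default] for anything they do not set, an application section without its own baseHTML and baseHTMLjpi would serve the forbidden page to its users.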

4.6 Creating Your Own Template HTML Files