Oracle® Application Server Forms Services Deployment Guide
10g Release 2 (10.1.2)
B14032-03

2.1 About OracleAS Forms Services Security

This section describes the OracleAS Forms Services features that you can use to secure your Forms applications when you enable Single Sign-On.

2.1.1 OracleAS Forms Services Single Sign-On

Single Sign-on in Oracle Application Server Forms Services is available through mod_osso, an Oracle module for the Oracle HTTP Server. mod_osso authenticates a user against Oracle Application Server Single Sign-On, which in turn uses Oracle Internet Directory as a user repository, before further passing the Forms application request to the Forms servlet.

Forms applications expect a database connect string to be passed along with the application request; otherwise a logon dialog is shown. To retrieve the database connect information in an OracleAS Single Sign-On environment, the Forms servlet queries Oracle Internet Directory for the value of the combined unique key that is constructed from the user's OracleAS Single Sign-On name, the authenticated user name, and the name of the application that the user is requesting to start.

Resource Access Descriptors (RAD) are entries in Oracle Internet Directory that are defined for each user and application which contain the required database connect information. The Forms servlet reads the database connect information from the RAD and passes it along with the command line that starts the Forms Web application. Although the Forms authentication is still database-centric, mod_osso and the Forms servlet are now integrated in a Web-based OracleAS Single Sign-On environment.

2.1.2 Classes of Users and Their Privileges

Historically, Forms applications use the database to authenticate and authorize application users. To use Oracle Application Server Forms Services with OracleAS Single Sign-On, the user account and its connect information must be available in Oracle Internet Directory. The Oracle Internet Directory provides several ways of provisioning user data, using PL/SQL, Java or the Oracle Delegated Administration Services. Oracle Delegated Administration Services is a Web-based user interface for OracleAS Single Sign-On users and delegated administrators to administer self-service data in Oracle Internet Directory for which they are authorized.

Once a user account is created in Oracle Internet Directory, the Resource Access Descriptor (RAD) entry can be created dynamically the first time that a user requests a Forms application, provided that dynamic resource creation is enabled (see Section 2.1.3.2) and the user knows the database connect information required for this application.

Another option is to use default RAD entries, which can be created using Oracle Delegated Administration Services. A default RAD entry is accessible to all users that are authenticated through Oracle Application Server Single Sign-On. Use a default RAD if all users share the same database connect information when running a particular Forms application on the Web. This way, users are authenticated individually by their OracleAS Single Sign-On credentials; however, all users share the common database connect information for the application that the default RAD entry defines.

2.1.3 Resources That Are Protected

When you enable OracleAS Single Sign-On for your Forms applications, you can secure your Forms applications with these features:

2.1.3.1 Dynamic Directives

The dynamic mod_osso directive lets OracleAS Single Sign-On protected Forms applications and unprotected Forms applications run from the same Oracle Application Server Forms Services instance, using the same configuration files and the same Forms servlet. Single sign-on is enabled per application by the ssoMode parameter in the application's section of the forms/server/formsweb.cfg configuration file; an application section that does not set it inherits the value from the [default] section.
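The following Python script is an added example and is not code from this guide or from Oracle's Forms servlet. It parses a constructed formsweb.cfg (the section names, form names and parameter values are made up) and reports, for every named application section, the effective ssoMode and ssoDynamicResourceCreate values, applying the rule that a key set in a named section overrides the same key in [default]. Running it against a real formsweb.cfg is a quick way to list which applications are reachable without OracleAS Single Sign-On and which allow users to create RAD entries on the fly.

```python
"""Audit which formsweb.cfg application sections are single sign-on protected.

Added example, not Oracle code. formsweb.cfg is a sectioned key=value file:
[default] holds global settings and each named section is one application
configuration selected with ?config=<name>; a key in a named section
overrides the same key in [default].
"""
import configparser

# Constructed sample formsweb.cfg; not taken from any real deployment.
SAMPLE_FORMSWEB_CFG = """
[default]
form=test.fmx
envFile=default.env
ssoMode=false
ssoDynamicResourceCreate=true

[hr]
form=hr.fmx
ssoMode=true

[payroll]
form=payroll.fmx
ssoMode=true
ssoDynamicResourceCreate=false

[legacy]
form=legacy.fmx
"""


def load_formsweb_cfg(text):
    """Parse formsweb.cfg text; keys keep their case and no %-interpolation."""
    # default_section is renamed so that "[default]" is parsed as an ordinary
    # section and our own fallback logic below controls inheritance.
    cp = configparser.ConfigParser(interpolation=None, default_section="__none__")
    cp.optionxform = str  # keep ssoMode etc. case-sensitive
    cp.read_string(text)
    return cp


def effective(cp, section, key):
    """Value of key for an application section, falling back to [default]."""
    if cp.has_option(section, key):
        return cp.get(section, key)
    if cp.has_option("default", key):
        return cp.get("default", key)
    return None


def is_true(value):
    """formsweb.cfg booleans are true/false, case-insensitive."""
    return value is not None and value.strip().lower() == "true"


def audit_sso(cp):
    """Return {app: {"sso": bool, "dynamic_rad": bool}} for every named app."""
    result = {}
    for section in cp.sections():
        if section == "default":
            continue
        result[section] = {
            "sso": is_true(effective(cp, section, "ssoMode")),
            "dynamic_rad": is_true(effective(cp, section, "ssoDynamicResourceCreate")),
        }
    return result


def unprotected_apps(cp):
    """Application sections that mod_osso will not protect (ssoMode false)."""
    return sorted(app for app, v in audit_sso(cp).items() if not v["sso"])


def dynamic_rad_apps(cp):
    """SSO-protected sections where users may create their own RAD entries."""
    return sorted(app for app, v in audit_sso(cp).items()
                  if v["sso"] and v["dynamic_rad"])


if __name__ == "__main__":
    cfg = load_formsweb_cfg(SAMPLE_FORMSWEB_CFG)
    for app, flags in sorted(audit_sso(cfg).items()):
        print(f"{app:10} ssoMode={flags['sso']!s:5} dynamicRAD={flags['dynamic_rad']}")
    print("not SSO protected:", unprotected_apps(cfg))
    print("dynamic RAD creation:", dynamic_rad_apps(cfg))
```

To audit a live instance, replace SAMPLE_FORMSWEB_CFG with the contents of forms/server/formsweb.cfg; every section listed as unprotected is served by the Forms servlet without passing through mod_osso, which is exactly what the dynamic directive permits, so each such entry should be a deliberate decision.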

2.1.3.2 Dynamic Resource Creation in Oracle Internet Directory

In previous releases of Oracle Application Server Forms Services, if no resource access descriptor (RAD) definition was found for a specific application and user, an error message was displayed and the user was locked out of that Forms application, even though the user was authorized to run it. In this release you can configure Oracle Application Server Forms Services, through the ssoDynamicResourceCreate parameter in formsweb.cfg, to let users create the RAD for the application on the fly if it does not exist. The RAD that is created holds whatever database connect information the user supplies, so the user must already know the database credentials for the application.

2.1.3.3 Database Password Expiration when Using Single Sign-On

In previous releases of Oracle Application Server Forms Services, the RAD information in Oracle Internet Directory was not updated when a database password had expired and the user renewed it while connecting to a Forms application; the RAD then still held the old password. In this release, Oracle Application Server Forms Services automatically updates the RAD information in Oracle Internet Directory whenever a database password is changed through Forms. No extra configuration is necessary to enable this feature in Oracle Application Server Forms Services.
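The following Python script is an added example, not code from this guide or from Oracle, that walks through the RAD behaviour described in Section 2.1.2 (per-user and default RAD entries), Section 2.1.3.2 (lockout versus dynamic creation) and Section 2.1.3.3 (stale RAD after a password change). Two in-memory dictionaries stand in for Oracle Internet Directory and for the database's password store; the user names, application names, connect information and passwords are constructed, and the precedence of a user-specific RAD over the application's default RAD is an assumption of the example, not something the guide states.

```python
"""Simulate Forms Services RAD lookup, dynamic creation and password sync.

Added example, not Oracle code. Constructed in-memory stand-ins replace
Oracle Internet Directory and the database so both failure modes from the
text (lockout with no RAD, stale RAD after a password change) run offline.
"""


class RadNotFound(Exception):
    """No RAD for this user/application and dynamic creation is off."""


class DbLoginFailed(Exception):
    """The RAD carries a password the database no longer accepts."""


def new_directory():
    """Constructed stand-in for Oracle Internet Directory.
    Key: (sso_user, application). sso_user None marks the application's
    default RAD, shared by every SSO-authenticated user (Section 2.1.2).
    Value: the database connect information held in the RAD."""
    return {
        ("alice", "hr"): {"user": "alice_db", "password": "Winter2005", "db": "hrdb"},
        (None, "payroll"): {"user": "payroll_app", "password": "shared1", "db": "paydb"},
    }


def new_database():
    """Constructed stand-in for database accounts: (db, user) -> password."""
    return {("hrdb", "alice_db"): "Winter2005", ("hrdb", "bob_db"): "Spring2005",
            ("paydb", "payroll_app"): "shared1"}


def find_rad(directory, sso_user, app):
    """User-specific RAD first, then the application's default RAD
    (this precedence is an assumption of the example)."""
    rad = directory.get((sso_user, app))
    return rad if rad is not None else directory.get((None, app))


def get_connect_info(directory, sso_user, app, dynamic_create, supplied=None):
    """Resolve the connect information the Forms servlet passes on the
    command line. `supplied` is what the user typed when prompted."""
    rad = find_rad(directory, sso_user, app)
    if rad is not None:
        return rad
    if not dynamic_create or supplied is None:
        # Earlier-release behaviour: authenticated by SSO, yet locked out.
        raise RadNotFound(f"no RAD for {sso_user}/{app}")
    # ssoDynamicResourceCreate=true: whatever the user supplied becomes the RAD.
    directory[(sso_user, app)] = dict(supplied)
    return directory[(sso_user, app)]


def db_connect(database, rad):
    """Return True if the database accepts the password held in the RAD."""
    if database.get((rad["db"], rad["user"])) != rad["password"]:
        raise DbLoginFailed(f"{rad['user']}@{rad['db']}")
    return True


def change_db_password(database, directory, sso_user, app, new_password, sync_rad):
    """User renews an expired password through Forms. With sync_rad=False
    (earlier releases) only the database changes and the RAD goes stale."""
    rad = find_rad(directory, sso_user, app)
    database[(rad["db"], rad["user"])] = new_password
    if sync_rad:
        rad["password"] = new_password  # 10.1.2 behaviour: RAD kept current
    return rad


def scenario():
    """Run the section's cases in order and return their outcomes."""
    d, db, out = new_directory(), new_database(), {}
    out["alice_user"] = get_connect_info(d, "alice", "hr", False)["user"]
    out["carol_default"] = get_connect_info(d, "carol", "payroll", False)["user"]
    try:
        get_connect_info(d, "bob", "hr", dynamic_create=False)
        out["bob_locked_out"] = False
    except RadNotFound:
        out["bob_locked_out"] = True
    bob = {"user": "bob_db", "password": "Spring2005", "db": "hrdb"}
    rad = get_connect_info(d, "bob", "hr", dynamic_create=True, supplied=bob)
    out["bob_rad_created"] = ("bob", "hr") in d and db_connect(db, rad)
    stale = change_db_password(db, d, "alice", "hr", "Summer2005", sync_rad=False)
    try:
        db_connect(db, stale)
        out["stale_rad_fails"] = False
    except DbLoginFailed:
        out["stale_rad_fails"] = True
    fresh = change_db_password(db, d, "alice", "hr", "Autumn2005", sync_rad=True)
    out["synced_rad_works"] = db_connect(db, fresh)
    return out


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The dynamic-creation path is where a practitioner should look hardest: the servlet stores the supplied connect information without validating it, so the entry written for bob is only as good as the credentials he typed, and a default RAD means every SSO user of that application lands in the database as the same schema account.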

2.1.4 Authorization and Access Enforcement

For detailed information about the authentication flow of OracleAS Single Sign-On support in Oracle Application Server Forms Services, such as what happens when a user requests an Oracle Application Server Forms Services URL for the first time or arrives from a partner application, see Section 5.6, "Authentication Flow".

2.1.5 Leveraging Oracle Identity Management Infrastructure

Oracle Application Server Forms Services integrates tightly with Oracle Internet Directory and requires minimal configuration. When you configure OracleAS Single Sign-On for your Forms applications, Oracle Application Server Forms Services handles much of the configuration and interaction with Oracle Internet Directory. For more information about configuring OracleAS Single Sign-On and Oracle Internet Directory, see Chapter 5, "Using Forms Services with Oracle Application Server Single Sign-On".