
Re: Owarepl : Is this a bug or feature?

From: Thomas Kyte <tkyte_at_us.oracle.com>
Date: 1997/06/24
Message-ID: <33af2311.27910723@newshost>

On 23 Jun 1997 08:05:48 GMT, aak2_at_Ra.MsState.Edu (Atif Ahmad Khan) wrote:

>tkyte_at_us.oracle.com (Thomas Kyte) writes:
>
>...
>>You need to figure out what logon is being used with your DCD to see what tables
>>are accessible. If you are using a DCD that gets its logon from the owa.cfg,
>>it's the tables that user can see. If you are using a DCD that gets its
>>logon/password from the user at runtime using basic authentication, then it's
>>that user's list of accessible tables you will see.
>
>I am using a DCD that gets its login from owa.cfg. Am I correct in assuming
>that all objects that this user has access to are available to users connecting
>through owarepl?
>

Yes. Any stored procedure that can be run by that user in sql*plus can be run on the web by putting it and its inputs in the URL.

This is true with the OWA that comes with the Oracle webserver as well. Starting with OWS2.1 though, they disabled the ability to call htp, owa_util, owa, etc from the URL. The code in OWA (but not owarepl) won't call these procedures unless you set a magic flag in the svXXXXX.app file.

>>the big difference between the oracle tag and just running a procedure is that
>>ROLES are active with the oracle tag but not so with the procedure (roles are
>>never active in a procedure). For example, try this:
>>
>>create procedure show_count_of_tables
>>is
>> l_n number;
>>begin
>> select count(*) into l_n from all_objects;
>> htp.p( 'We see ' || l_n || ' things' );
>>end;
>>
>>Run that from the web and see how many objects your procedure can see. Then,
>>create a page:
>
>I ran it and it can apparently see 751 objects.
>
>>....
>><oracle>
>>declare
>> l_n number;
>>begin
>> select count(*) into l_n from all_objects;
>> htp.p( 'We see ' || l_n || ' things' );
>>end;
>></oracle>
>>....
>>
>>Now, since roles are enabled, you'll 'see' more stuff.
>
>
>Thanks for your patience, however I am still a little confused.
>I was under the impression that people using owarepl, to connect to my
>Oracle instance can only execute stored procedures that are present
>in my schema. I am the user whose login/passwd information is in
>owa.cfg. Does this mean that Oracle tag allows visitors to write their
>own procedures and submit them through owarepl?
>

One of the other features of the owarepl app is that it can use the userid/passwd supplied in basic authentication to log into the database. It'll use the owa.cfg file to get the database connect string and/or oracle_sid but it'll use the username/passwd you supply in the basic authentication dialog to log into oracle with. You need to make sure your webserver can pass the environment variable HTTP_AUTHORIZATION through to the cgi-bin process for this to work, or be using the OWS.

The oracle tag does not allow visitors to write their own procedures.

The above just demonstrated the difference between running a procedure "show_count_of_tables" and an anonymous block. Try this in sql*plus to see the difference. Change the htp.p in the above 2 blocks to dbms_output.put_line. Issue:

SQL> set serveroutput on

in plus. Run the procedure. Then run the anonymous block. You'll see two different answers. One shows you how many objects your stored procedure can see, the other shows you how many objects you can see (including those visible due to roles).

>I tried using the Oracle tag but am unable to get owarepl to read a plain
>html file.

Yes, you need to supply owarepl with an oracle svXXXX.cfg style file like you did with the svXXXX.app file where you set the variables owa.cfg, server.cfg and dirSeparator.

This file will look like:

[Server]
DefaultMIMEType = application/octet-stream ;
[DirMaps]
/usr/oracle/ows2/WebDocs/home CN /
/tmp/foo/bar                  CN /foobar/something
;
[MIMETypes]
text/html          htm html
image/jpeg         jpg jpeg JPG
image/gif          gif GIF
text/plain         txt ksh lst
application/pdf    pdf

You would set your server.cfg variable to point to this file. The DirMaps section would have the physical to virtual mappings for owarepl to translate the path_info against. It does its own path_translation and does not take the path_translated from the environment. So for example, given the above dirMaps, and the URL http://localhost/cgi-bin/owassi/index.html, owassi would try to read /usr/oracle/ows2/WebDocs/home/index.html (it would translate the virtual path /index.html). Likewise the url:

http://localhost/cgi-bin/owassi/foobar/something/x/y/z/a.html

would result in the file

/tmp/foo/bar/x/y/z/a.html

being accessed. Without the above file though, owassi is disabled, won't work. Also, you need to use owassi for owassi to work correctly, especially if you want to stick paths after it in the url (eg: /foobar/something/z/y/z/a.html above would work only if owassi is in the URL, not owarepl)

>http://localhost/cgi-bin/owarepl/index.html results in the following error :
>ORA-04044: procedure, function, or package is not allowed here and
>http://localhost/cgi-bin/owassi/index.html gives the following :
>Premature end of script headers
>
>This is running under Apache. And access to http://localhost/index.html
>works without a problem. Also http://localhost/cgi-bin/showenv and other
>procedures work as expected.
>
>P.S. After compiling the owarepl I noticed the owarepl.so library file in
>the solbin directory and was wondering if I need to move it around. And what
>purpose does it serve?
>

It is the cartridge version that can be used with the Oracle WRB. With Apache, you can just get rid of it. It does nothing. The default makefile builds both a cgi-bin version and cartridge version.

>Thanks a million again.
>
>Atif Khan
>aak2_at_ra.msstate.edu

Thomas Kyte
tkyte_at_us.oracle.com
Oracle Government
Bethesda MD

http://govt.us.oracle.com/ -- downloadable utilities



Opinions are mine and do not necessarily reflect those of Oracle Corporation

Received on Tue Jun 24 1997 - 00:00:00 CDT
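
The DirMaps translation described in the message, as an added example that is not part of the original post and is not owarepl/owassi source code. The function names are hypothetical, and two behaviours are assumptions rather than documented owassi behaviour: the longest virtual prefix wins, and the path is normalised before matching so "../" segments cannot leave a mapped directory.

```python
import posixpath

# Constructed sample, using the [DirMaps] entries shown in the post.
SAMPLE_CFG = """\
[Server]
DefaultMIMEType = application/octet-stream ;
[DirMaps]
/usr/oracle/ows2/WebDocs/home CN /
/tmp/foo/bar CN /foobar/something
;
[MIMETypes]
text/html htm html
"""

def parse_dirmaps(cfg_text):
    """Return [(virtual_prefix, physical_dir)] from the [DirMaps] section."""
    maps, in_section = [], False
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = (line == "[DirMaps]")
            continue
        if not in_section or not line or line == ";":
            continue
        fields = line.split()
        if len(fields) == 3:  # physical dir, flags (e.g. CN), virtual path
            physical, _flags, virtual = fields
            maps.append((virtual.rstrip("/") or "/", physical.rstrip("/")))
    # Assumption: the most specific (longest) virtual prefix is tried first.
    return sorted(maps, key=lambda m: len(m[0]), reverse=True)

def translate(path_info, maps):
    """Map a virtual path to a physical file; None if unmapped or escaping."""
    # Normalise first so "../" is resolved before any prefix is matched.
    virtual = posixpath.normpath("/" + path_info.lstrip("/"))
    for prefix, physical in maps:
        if prefix == "/":
            rest = virtual
        elif virtual == prefix or virtual.startswith(prefix + "/"):
            rest = virtual[len(prefix):]
        else:
            continue
        candidate = posixpath.normpath(physical + rest)
        # Defence in depth: the result must stay under the mapped directory.
        if candidate == physical or candidate.startswith(physical + "/"):
            return candidate
        return None
    return None
```

Because normalisation happens before matching, a request such as /foobar/something/../../../etc/passwd is resolved against the "/" mapping and stays inside the document root instead of climbing out of /tmp/foo/bar.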
