Hiding / Encrypting Keymap file info passed to url???

From: Pheare <pheareme_at_***hotmail.com>
Date: Wed, 05 Dec 2001 13:31:20 -0700
Message-ID: <st0t0u475qhpdnp2u22lujet8q3edqc5ts_at_4ax.com>



Hi,

Here is our situation:

We have developed an application using PL/SQL Server pages from which a user can run Oracle Reports reports; we are using LDAP to do the initial verification when a user logs in.

When a user runs a report, the request gets redirected from our application to the Oracle Reports Server. We are using a keymap file to store database login info, report server name, etc. Below is a sample line from our cgicmd.dat file:

SBAL: REPORT=%1 USERID=username/pass_at_jade SERVER=rep60_jade DESTYPE=cache DESFORMAT=PDF P_SHIPPER=%2 P_PRODUCT=%3 P_FACILITY=%4 P_COMPANY=%5 P_PERIOD=%6

The problem is that after the report is run, the user can copy the url that shows up in the web browser (http://jade/dev60cgi.exe?SBAL+paorsbal.rdf+1+0+0+0+2001/06), launch another browser, paste the URL and re-run the report, bypassing the application security. Further, by manipulating the parameter values in the url, they could possibly run the report against data they shouldn't have access to.

Is there any way to scramble the url that gets generated by the Reports server, so this copying and pasting will not work?

Anyone have any other ideas?

Thanks.

Darren.

Received on Wed Dec 05 2001 - 21:31:20 CET

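An added example, not part of the original post and not an Oracle Reports feature: one way to make a copied or edited report URL fail is for the application to sign the key and parameters with an HMAC bound to the logged-in user and an issue time, and to check that tag before the request is passed on to the Reports server. The verifying gateway step, the function names, the key, the 60-second lifetime and the user names are assumptions constructed for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # constructed; a real key stays on the server
MAX_AGE = 60                      # seconds a signed link stays valid (assumed policy)


def _tag(user, issued, payload):
    # Bind the tag to the session user, the issue time and every URL field.
    # Assumes user names contain no "|" and parameter values contain no "+".
    msg = f"{user}|{issued}|{payload}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def sign_report_url(user, key, params, now=None):
    """Build the query string the application hands to the browser."""
    issued = int(time.time() if now is None else now)
    payload = "+".join([key, *params])
    return f"{payload}+{issued}+{_tag(user, issued, payload)}"


def verify_report_url(session_user, query, now=None):
    """Return (key, params) for an authentic, fresh link; otherwise None."""
    if not session_user:              # pasted into a browser with no login
        return None
    parts = query.split("+")
    if len(parts) < 3:
        return None
    *fields, issued_s, tag = parts
    if not (issued_s.isascii() and issued_s.isdigit()):
        return None
    expected = _tag(session_user, issued_s, "+".join(fields))
    # Constant-time comparison; bytes avoid errors on non-ASCII input.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None                   # edited parameters or another user's link
    current = int(time.time() if now is None else now)
    if not 0 <= current - int(issued_s) <= MAX_AGE:
        return None                   # stale link replayed later
    return fields[0], fields[1:]


if __name__ == "__main__":
    # Constructed sample mirroring the URL in the post.
    link = sign_report_url("alice", "SBAL", ["paorsbal.rdf", "1", "0", "0", "0", "2001/06"])
    print(link)
    print(verify_report_url("alice", link))
    print(verify_report_url("alice", link.replace("+1+0+0+0+", "+2+0+0+0+", 1)))
```

Only after verification succeeds would the gateway forward the key and parameters to the Reports CGI, which should then be reachable only from that gateway.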