Forms 6i Security Forums - Powered by vBulletin
Results 1 to 2 of 2

Thread: Forms 6i Security

  1. #1
    Join Date
    May 2005

    Forms 6i Security

    Hi Friends,

    How do I make our 3rd party appl forms login more secure?

    Currently, the appl program uses a primitive database authentication method
    by providing the username and password of the database in clear text inside
    a .ini file. Changing the database user and password will be useless due to
    password being exposed literally. Users of the application are registered in a table in the database with the password of the user exposed in clear text. An administrator or anybody with database access will be able see a user's password in clear text thus user authentication is compromised.

    Can I change the username to point to the database username and not a table?
    Can I incrypt the password table entry itself?
    Can I incrypt the .ini file so as not to show literal passwords?
    Can I use the form to get the userid/passwd from LDAP active directory server?

    Please help ....thanks a lot
    Behind The Success And Failure Of A Man Is A Woman

  2. #2
    Join Date
    Feb 2008
    Near Indianapolis

    Might try External Authentication

    We're on a slightly older version of FORMS as you but this should still work.

    We have a 3rd party FORMS app which, like yours, used to throw up its own login prompt based on a table where ID's and passwords were stored in clear text. We had our 3rd party developer change the application to eliminate the login prompt completely. We then setup in Oracle a bunch of 'external authentication' ID's - one for each of our users. Our icon for launching the application now looks like this:

    G:\95apps\Ciris\Orawin\Bin\F50run32.exe F01MAIN /

    The forward slash at the end designates external authentication. So, if I'm logged into Windows as RPERRY and there exists an Oracle ID of "OPS$RPERRY" then I'm automatically logged into the 3rd party FORMS app without having to deal with a login prompt.

    You would need in your init.ora file these lines:
    remote_os_authent = true
    os_authent_prefix = OPS$
    (you can actually use any prefix you want).

    Oracle ID's are created to match windows ID's with the indicated prefix and the 'external authentication' box checked. No password required.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts

Click Here to Expand Forum to Full Width