Reports 12c: FolderAccess Wildcard Does Not Work -- REP-177 & REP-56133
Reports 12c: FolderAccess Wildcard Does Not Work -- REP-177 & REP-56133
Titleimage
Posted by Patrick Hamou on 2017:12:02 17:59:49
APPLIES TO:
Oracle Reports Developer - Version 12.2.1.0.0 and later
Information in this document applies to any platform.
SYMPTOMS
In Oracle Reports 12c v. 12.2.1.0.0, when using the folderAccess, the wildcard (*) does not work.
See 12c Documentation :
https://docs.oracle.com/middleware/1221/formsandreports/use-reports/pbr_conf002.htm#sthref310
Steps to Reproduce:
Scenario 1:
1. Configure report server to allow writing to any directory by adding *:
<folderAccess>
<write>*</write>
</folderAccess>
2. Run any report with desname=<output location> desformat=file.
3. It fails with the exception:
REP-177: An error occurred while running in a remote server. An internal error occurred
REP-56133: Access is denied to write to the specific location
Other Scenarios :
The following configuration works for "read" but not for "write" :
e.g.
<read>*</read> works - Can read any folder
<write>*</write> does not work
<write> </write> does not allow reports server to start
<write>c:\*</write> does not work
CHANGES
New install of Oracle Fusion Middleware 12c v. 12.2.1.0.0
CAUSE
PLEASE NOTE:
Due to a security mandate, this Reports 12c folderAccess wildcard (*) feature has changed and the online documentation has changed accordingly to reflect the fact this feature will only work in a sub-directory :
See Bug: 22334822 in Reports 12c :
Bug:22334822 : ISSUE WITH FOLDER ACCESS NOT SUPPORTING '*' TO ALLOW READ/WRITE TO ANY LOCATION
SOLUTION
Please perform the following solution:
1. You will need to download and apply the following patch:
https://updates.oracle.com/download/22334822.html
Note: Please review the Readme file for instructions on how to install the patch.
WARNING: This patch is not subject to the same rigorous level of testing as done for Oracle patchsets. One-off patches are inherently more risky than patchsets, since they have not gone through our full QA regression testing. Customers who take one-offs should both understand this risk, and conduct whatever backups and/or additional testing they feel necessary to be comfortable with the patch before moving it into their production environment.
2. PLEASE NOTE: Due to a security mandate, this Reports 12c folderAccess wildcard (*) feature has changed and the online documentation has been revised accordingly.
The REVISED Reports 12c folderAccess wildcard (*) Feature is expected to function as follows :
a. Reports will allow all the sub-directories below a directory like /dir/*
<read>/dir/*</read>
<write>/dir/*</write>
</folderAccess>
Example 1 (single location):
<read>/tmp/*</read>
<write>/tmp/*</write>
</folderAccess>
desname=/tmp/a/b/output.pdf ==> tested OK
desname=/tmp/a/output.pdf ==> tested OK
desname=/tmp/output.pdf ==> tested OK
All sub-directories under /tmp were tested to work.
Example 2 (multiple locations):
<read>/tmp/*;/home/oracle/*</read>
<write>/tmp/*;/home/oracle/*</write>
</folderAccess>
PLEASE NOTE: Make sure the user has full OS permissions (ie. chmod 777) to the folder(s)/directories being written to.
Otherwise, it may fail with the following error:
The report generated successfully but distribution to destinations failed.
... and the following may be seen in the rwserver_diagnostic.log:
b. The following is NOT allowed as it leads to security vulnerabilities :
<read>*</read>
<write>*</write>
</folderAccess>
-or-
<read>/*</read>
<write>/*</write>
</folderAccess>
SUMMARY:
In other words...
The implementation will not allow <write>/*</write> or <write>*</write> for security reasons.
A folder needs to be defined for the <write> tag and when using it with "/folder/*"
then any sub-directory under "/folder/" can be used.
Posted by Patrick Hamou on 2017:12:02 17:59:49