Reports 12c: FolderAccess Wildcard Does Not Work -- REP-177 & REP-56133

Reports 12c: FolderAccess Wildcard Does Not Work -- REP-177 & REP-56133

Reports 12c: FolderAccess Wildcard Does Not Work -- REP-177 & REP-56133

Titleimage

Posted by Marion Pertin on 2017:12:02 17:59:49

APPLIES TO:

Oracle Reports Developer - Version 12.2.1.0.0 and later
Information in this document applies to any platform.

SYMPTOMS

In Oracle Reports 12c v. 12.2.1.0.0, when using the folderAccess, the wildcard (*) does not work.

See 12c Documentation :

https://docs.oracle.com/middleware/1221/formsandreports/use-reports/pbr_conf002.htm#sthref310

Steps to Reproduce:  

     Scenario 1:  

1. Configure report server to allow writing to any directory by adding *:

<folderAccess>
     <write>*</write>
</folderAccess>


2. Run any report with desname=<output location> desformat=file.


3. It fails with the exception: 


REP-177: An error occurred while running in a remote server. An internal error occurred
REP-56133: Access is denied to write to the specific location

 

 

     Other Scenarios :

The following configuration works for "read" but not for "write" :


e.g.


<read>*</read> works - Can read any folder
<write>*</write> does not work
<write> </write> does not allow reports server to start
<write>c:\*</write> does not work

 

CHANGES

New install of Oracle Fusion Middleware 12c v. 12.2.1.0.0

CAUSE

PLEASE NOTE:

Due to a security mandate, this Reports 12c folderAccess wildcard (*) feature has changed and the online documentation has changed accordingly to reflect the fact this feature will only work in a sub-directory : 

Note: Blank or * in the read or write sub-element specifies global access. Separate directory names with a semicolon (;). 

See Bug: 22334822 in Reports 12c : 

Bug:22334822 : ISSUE WITH FOLDER ACCESS NOT SUPPORTING '*' TO ALLOW READ/WRITE TO ANY LOCATION

 

SOLUTION

Please perform the following solution:

1.  You will need to download and apply the following patch:

https://updates.oracle.com/download/22334822.html

Note: Please review the Readme file for instructions on how to install the patch.

WARNING: This patch is not subject to the same rigorous level of testing as done for Oracle patchsets. One-off patches are inherently more risky than patchsets, since they have not gone through our full QA regression testing. Customers who take one-offs should both understand this risk, and conduct whatever backups and/or additional testing they feel necessary to be comfortable with the patch before moving it into their production environment.

2.  PLEASE NOTE: Due to a security mandate, this Reports 12c folderAccess wildcard (*) feature has changed and the online documentation has been revised accordingly.

The REVISED Reports 12c folderAccess wildcard (*) Feature is expected to function as follows :

a. Reports will allow all the sub-directories below a directory like /dir/*

<folderAccess>
<read>/dir/*</read>
<write>/dir/*</write>
</folderAccess>

Example 1 (single location):

<folderAccess>
<read>/tmp/*</read>
<write>/tmp/*</write>
</folderAccess> 

desname=/tmp/a/b/output.pdf ==> tested OK
desname=/tmp/a/output.pdf ==> tested OK
desname=/tmp/output.pdf ==> tested OK

 

All sub-directories under /tmp were tested to work.

 

Example 2 (multiple locations):

<folderAccess>
<read>/tmp/*;/home/oracle/*</read>
<write>/tmp/*;/home/oracle/*</write>
</folderAccess>

PLEASE NOTE:  Make sure the user has full OS permissions (ie. chmod 777) to the folder(s)/directories being written to.  

Otherwise, it may fail with the following error: 

REP-0177: An error occurred while running in a remote server.
The report generated successfully but distribution to destinations failed. 

...  and the following may be seen in the rwserver_diagnostic.log: 

[2016-11-04T11:08:08.594-06:00] [reports] [WARNING] [] [oracle.reports.server] [tid: 1] [ecid: 6f292414-9c6f-49e4-ab5a-d2f2df543ab4-00000002,0] SecurityHelper:start Write directory configured does not exist or is not writeable: /u01/app/xyz 

b. The following is NOT allowed as it leads to security vulnerabilities : 

<folderAccess>
<read>*</read>
<write>*</write>
</folderAccess>

-or-

<folderAccess>
<read>/*</read>
<write>/*</write>
</folderAccess> 

 

SUMMARY:

In other words...
The implementation will not allow <write>/*</write> or <write>*</write> for security reasons.

 

A folder needs to be defined for the <write> tag and when using it with "/folder/*"
then any sub-directory under "/folder/" can be used.

 

Posted by Marion Pertin on 2017:12:02 17:59:49

Return to Blog