Forum Stats

  • 3,750,523 Users
  • 2,250,188 Discussions



Ali_Alnomani Member Posts: 5 Green Ribbon

I make a form with oracle form builder 10g that call an PDF file stored on an other PC in the same local network , it's work normally even when I run from applications server but if I run it from other computer don't work


  • Billy Verreynne
    Billy Verreynne Software Engineer Member Posts: 28,570 Red Diamond

    How do you reference that PDF on a client PC? What security is applied by that client PC to control access to files on it?

    And just how wise and secure and robust is having code reference files on some other PC that just might be powered on, be on the network, have the files on its local disk, and happens to provide network access to these files?

    Very simple answer. It is NOT. Not secure. Not robust. Not how client-server or client-client peer architecture should be implemented.

  • Ali_Alnomani
    Ali_Alnomani Member Posts: 5 Green Ribbon

    first it's local network without any connections outside the office and the PDFs file share to be seen by all members , now I use excel with hyperlinks , but I want to use oracle forms to do that .

  • Billy Verreynne
    Billy Verreynne Software Engineer Member Posts: 28,570 Red Diamond

    What link are you using - a UNC network path? A local file path reference to a mapped drive? Explain with an example.

    The link reference to the PDF needs to be valid across all clients. The link reference from such a client needs the required network and security privs on that client, for access.

    If a Windows NTLM UNC is used (e.g. \\netbios-servername\sharename\dir\file) for example, the local client process using the UNC path determines the security and ACLs that can be used for authenticated and authorised access.

    This process thus need to have the required access rights - which some processes (like a Windows service or Java VM sandbox process thread) may not have.

    Bottom line - your justification that this is local network only, is not valid. Your network is exposed to the Internet in some form or another. Which means it can be compromised. Spearphising attacks are common in subverting a so-called secured LAN via stolen network administration rights - it compromise access from the inside, opening it to the outside.

    Security in s/w development ALWAYS need to be a PRIMARY consideration. And this does not seem to be the case here.

  • Ali_Alnomani
    Ali_Alnomani Member Posts: 5 Green Ribbon

    host ('\\PC14\sample\'||:entity_code||'.pdf');

    I used this sentence

  • Billy Verreynne
    Billy Verreynne Software Engineer Member Posts: 28,570 Red Diamond

    This is executed how by Forms? The PDF file referred to is not an executable.

    If executed via an API call like CreateProcess() then it could be using the Registry to determine the open action for that file type, and so determine the executable to launch for opening that PDF.

    Two issues though. The could be no associated open action for that file type, or an association with an application other than what your client has. One PC can launch Adode PDF reader. Another may launch Libre Office. Etc.

    The 2nd issue is one of security. The Windows process created needs to have the security context for read access to that PC14 computer's SAMPLE drive/directory share. As I have already mentioned, this security might not be inherited by the process created, and it will fail read access to that share's file. This can be expected within a Java VM as processes are running in a sandbox isolated from the underlying o/s.

  • Michael Ferrante-Oracle
    Michael Ferrante-Oracle Senior Principal Product Manager USMember Posts: 6,803 Employee

    I'll start by saying that directly accessing the file system on a remote machine is not a good idea. I realize this was common practice decades ago, but with so much concern about security these days, doing that should be avoided.

    That said, exactly how you could alternatively do it depends on the use case. If you are trying to display the file/doc to the user then store the files on a machine that has a web server (like the one hosting Forms). Then in Forms use the WEB.SHOW_DOCUMENT built-in to open the file. The directory where you store the files must be virtually mapped in the web server. Example:

    WEB.SHOW_DOCUMENT ('https://serverhostingpdffiles/thefile.pdf');

    Using this method, user will not have direct access to the contents of the remote file system.

    If you really want to use a net share to access the files, you must understand that Forms PLSQL is processed on the server, not the client. Therefore, calls like HOST will execute on the server. So in your example, if the server process has access to the remote machine where the PDF is located, the file will attempt to be opened on the server and not the user's machine.

    In order to open a file on the user's machine, you have at least three options:

    • Use the WEB.SHOW example I mentioned above.
    • WebUtil enable your form then use CLIENT_HOST with a call similar to the one you were using. This will cause the user's machine to attempt to access the file and open it.
    • WebUtil enable your form then use its ability to transfer the file to the local machine. As desired, you can then use CLIENT_HOST to open the file, now stored on the local machine. If you do not want to store the file locally permanently, you can use CLIENT_HOST to delete the file whenever it becomes appropriate (e.g. on form exit).

    Having said all that, unless you are using Oracle E-Business Suite, I strongly recommend you upgrade to a supported Forms version. The latest version is Continuing to use old versions like 10.1.2 is not recommended or supported.

    Details about the latest version can be found on the Forms product page. On that page you will find download information, documentation, customer stories, and the latest announcements and more.