Allowed Resources – Configuration
1. Allowed Resources enabled by default starting with 12.2.6
2. Allowed JSPs in 12.2.4 and 12.2.5 not enabled by default
3. New profile option for enabling of Allowed Resources
4. Allowed Resources lists stored in database
Profile Option Name | Description |
Security: Allowed Resources (FND_SEC_ALLOWED_RESOURCES) | Set at Site or Server Level. CONFIG – Allow only whitelisted |
5. 12.2.7 New web interface released to allow configuration
Functional Administrator responsibility → Allowed Resources
6. 12.2.4 and 12.2.5 Allowed JSP configuration is through the allowed_jsp.conf file
Allowed JSPs – If Not Allowed (12.2.4/12.2.5)
Error
Requested resource or page is not allowed in this site
Allowed JSPs – If Not Allowed (12.2.6+)
403 Forbidden
Requested resource or page is not allowed in this site
Allowed JSPs – Logging (12.2.4/12.2.5)
Logging is disabled by default – no visibility if a disallowed page is accessed
- No HTTP error
- Redirects to
  - /jsp/fnd/fnderror.jsp?msg_app=FND&msg_name=FND_INVALID_RESOURCE
- Must enable Allowed JSPs logging in web.xml
  - Logging is verbose and not recommended for production
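Because 12.2.4/12.2.5 return no HTTP error and Allowed JSPs logging is off by default, the web server access log is one place where a blocked request can still be spotted. The following is an added example, not part of the original slides or of Oracle's tooling: it scans access log lines for requests to the FND_INVALID_RESOURCE error page (12.2.4/12.2.5) and for 403 responses (12.2.6+). Assumptions: the log is in common/combined format, the redirect shows up as a separate client request, the same client's previous request is the blocked resource, and the /OA_HTML prefix and example_*.jsp names in the sample are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Common/combined log format: host ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
ERROR_PAGE = "/jsp/fnd/fnderror.jsp"  # redirect target named in the slides
ERROR_MSG = "FND_INVALID_RESOURCE"    # msg_name value named in the slides


def is_invalid_resource_redirect(target):
    """True if the request target is the FND_INVALID_RESOURCE error page."""
    parts = urlsplit(target)
    in_query = ERROR_MSG in parse_qs(parts.query).get("msg_name", [])
    return parts.path.endswith(ERROR_PAGE) and in_query


def find_blocked_requests(lines):
    """Return (host, time, kind, resource) tuples for blocked-resource indicators."""
    findings, last_path = [], {}  # last_path: client host -> previous request path
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected log format
        host, path, status = m["host"], urlsplit(m["target"]).path, int(m["status"])
        if is_invalid_resource_redirect(m["target"]):
            # 12.2.4/12.2.5: only the redirect is visible, so report the
            # client's previous request as the probable blocked resource.
            findings.append((host, m["time"], "redirect", last_path.get(host, "unknown")))
            continue
        if status == 403:
            # 12.2.6+: the blocked request itself is answered with 403 Forbidden.
            # A 403 can have other causes, so treat this as a candidate.
            findings.append((host, m["time"], "403", path))
        last_path[host] = path
    return findings


# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Mar/2024:10:00:01 +0000] "GET /OA_HTML/example_blocked.jsp HTTP/1.1" 302 0',
    '10.0.0.5 - - [01/Mar/2024:10:00:02 +0000] "GET /OA_HTML/jsp/fnd/fnderror.jsp?msg_app=FND&msg_name=FND_INVALID_RESOURCE HTTP/1.1" 200 812',
    '10.0.0.9 - - [01/Mar/2024:10:05:00 +0000] "GET /OA_HTML/example_other.jsp HTTP/1.1" 403 199',
    '10.0.0.9 - - [01/Mar/2024:10:05:09 +0000] "GET /OA_HTML/example_allowed.jsp HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for finding in find_blocked_requests(SAMPLE_LOG):
        print(finding)
```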