You can protect certain URLs in your web applications by configuring the URL firewall file at $IAS_CONFIG_HOME/Apache/Apache/conf/url_fw.conf. If you have read Oracle's DMZ configuration notes, you will know that url_fw.conf needs to be changed in order to allow or block external access to certain URLs.
How To Add Rules In url_fw.conf
By default, url_fw.conf is regenerated each time you run autoconfig on your external web instance, and no access is allowed to any product in Oracle Applications.
The config file consists of commented RewriteRule entries for all the products of Oracle Applications. You need to uncomment the RewriteRule for each product page that you want external users to be able to access, such as iSupplier, iSupport, iStore, iProcurement or others.
If the RewriteRule for OA.jsp is commented and an external user tries to access the URL https://oracle.external.apps.com/OA_HTML/OA.jsp, they will get the error below.
Access to the requested URI has been blocked by the URL Firewall
If you believe that you have reached this page while performing valid operations within the application, please send mail to firstname.lastname@example.org explaining what you were doing when you got this error.
To allow them access, uncomment the rule for OA.jsp as below.
RewriteRule ^/OA_HTML/OA\.jsp$ - [L]
Certain RewriteRule entries in url_fw.conf should also be uncommented in order to prevent SQL injection or cross-site scripting attacks.
Back up url_fw.conf after making your changes and before you run autoconfig, because autoconfig regenerates the file and resets your changes back to square one.
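The shell script below is an added example, not part of the original post or of Oracle's tooling. It lists the allow rules that are active in a url_fw.conf, so you can review exactly what is exposed to external users, and reports which rules from your backup have been reset to commented by autoconfig. The sample files are constructed, and the ExampleA/ExampleB page names are hypothetical.

```shell
#!/bin/sh
# Audit url_fw.conf: which allow rules are active, and which ones from a
# saved backup are commented again after autoconfig regenerated the file.

# active_rules FILE -> patterns of uncommented "RewriteRule <pattern> - [L]" lines.
# A leading "#" makes field 1 differ from "RewriteRule", so comments are skipped.
active_rules() {
    awk '$1 == "RewriteRule" && $3 == "-" && $4 == "[L]" { print $2 }' "$1" |
        LC_ALL=C sort -u
}

# lost_rules BACKUP CURRENT -> patterns active in BACKUP but not active in CURRENT.
lost_rules() {
    { active_rules "$1" | sed 's/^/B /'; active_rules "$2" | sed 's/^/C /'; } |
        awk '$1 == "B" { saved[$2] = 1 }
             $1 == "C" { now[$2] = 1 }
             END { for (p in saved) if (!(p in now)) print p }' |
        LC_ALL=C sort
}

# Constructed sample files. Only the OA.jsp rule comes from the page;
# the ExampleA/ExampleB patterns are hypothetical.
demo_dir=$(mktemp -d)
cat > "$demo_dir/url_fw.conf.bak" <<'EOF'
# constructed sample: backup taken after enabling two pages
RewriteRule ^/OA_HTML/OA\.jsp$ - [L]
RewriteRule ^/OA_HTML/ExampleA\.jsp$ - [L]
#RewriteRule ^/OA_HTML/ExampleB\.jsp$ - [L]
EOF
cat > "$demo_dir/url_fw.conf" <<'EOF'
# constructed sample: file as regenerated by autoconfig, all rules commented
#RewriteRule ^/OA_HTML/OA\.jsp$ - [L]
#RewriteRule ^/OA_HTML/ExampleA\.jsp$ - [L]
#RewriteRule ^/OA_HTML/ExampleB\.jsp$ - [L]
EOF

echo "Active in backup:"
active_rules "$demo_dir/url_fw.conf.bak"
echo "Reset by autoconfig (re-apply only after review):"
lost_rules "$demo_dir/url_fw.conf.bak" "$demo_dir/url_fw.conf"
```

Re-apply only the rules that lost_rules reports and that you still need, rather than copying the backup over the regenerated file.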