Allowed Return URLs

This chapter covers the following topics:

Using Allowed Return URLs

This topic describes how to register a custom return URL in the allow list for the Allowed Return URLs feature. The Allowed Return URLs feature is a mechanism to ensure that only registered return URLs are accepted.

The Configurator receives an XML parameter, return_url, from the calling application. This parameter enables the Configurator to redirect users back to a specified page in the hosting application, along with configuration details, at the end of the session.

During runtime, the Configurator checks that the return_url provided matches an entry in the allow list before redirecting, thus ensuring that only registered URLs are used.

The feature is ON by default and has a seeded allow list. If required, you can register custom return_urls in the allow list.

Controlling the Allowed Return URLs Feature

The Allowed Return URLs feature is controlled by the new CZ: Allow Unrestricted Return URLs system profile option. The default value is No, which activates the feature.

This new system profile option controls the validation of return URLs passed in the Configuration initialization message against an allow list that is specific to the calling application ID or calling application short name. The default value is No. Administrators can configure the allow list.

Oracle highly recommends that you leave the value set to No to ensure the security of return URL processing in the Configurator. For a custom integration, you can temporarily set the system profile option value to Yes while you register missing return_urls.

Configuring Allowed Return URL

The configuration of this feature varies based on the type of integration you have with the Configurator. Follow the instructions for the scenario that is applicable to your integration.

Integration Types

  1. Configurator Called From EBS Products:

    For the following EBS applications that are integrated with the Configurator, the return URLs are predefined. You do not require any configuration. These include:

    • ONT_RETURN_URL - Order Management

    • OKS_RETURN_URL - Oracle Service Contracts

    • IBE_RETURN_URL - Oracle iStore

    • QOT_RETURN_URL - Oracle Quoting

    • ASO_RETURN_URL - Order Capture

    • ASN_RETURN_URL - Sales User

  2. Configurator Called From Siebel:

    For the following integrations, use the steps in Registering a Return URL. Use a different setting_id than the one that already exists in the database. Use this format: <calling_application_short_name>_RETURN_URL_<serial_number> to create the setting_id.

    • SEBLQ_RETURN_URL - Siebel Quoting

    • SEBLO_RETURN_URL - Siebel Order

    • SEBLA_RETURN_URL - Siebel Agreement

  3. Configurator Called from Non-EBS Applications Using CZ as the Calling Application ID:

    If you are using a custom application to invoke Configurator and utilizing models published to the Configurator application where calling_application_short_name = CZ or calling_application_id = 708, use the steps in Registering a Return URL. Use a different setting_id than the one that already exists in the database. Use this format: <calling_application_short_name>_RETURN_URL_<serial_number> to create the setting_id.

    If you have additional return URLs to register other than the one predefined, you must perform the Registering a Return URL step.

  4. Configurator Called From Non-EBS Calling Applications Using a Calling Applications ID Other Than CZ:

    If you are using a custom application to invoke the Configurator and utilizing models published to an application other than the Configurator, follow the steps in Registering a Return URL to register the return URL. If you have additional return URLs to register other than the one predefined, you must perform the Registering a Return URL step for each URL.

Registering A Return URL

To register a return URL for a specific calling application in CZ_DB_SETTINGS, enter the setting_id in the format:

<calling_application_short_name>_RETURN_URL (for example, CUSTOM_RETURN_URL)

For example, suppose you want to launch a model with the calling application short name CUSTOM, and the associated return URL has not been defined in the allow list for that application. If your custom application’s return URL is:

http://host.example.com:16690/OA_HTML/CheckOut?customLaunch=Y

then you must insert the relevant setting using the following SQL:

insert into cz_db_settings (setting_id, section_name, data_type, value, desc_text)
  select 'CUSTOM_RETURN_URL', 'ORAAPPS_INTEGRATE', 4,
         'http://host\.example\.com:16690/OA_HTML/CheckOut\?customLaunch=Y',
         'Return URL for custom application'
  from dual
  where not exists
    (select 1 from cz_db_settings
     where section_name='ORAAPPS_INTEGRATE' and setting_id='CUSTOM_RETURN_URL');

Note: When you insert the return URL value, be sure to escape any special characters to define it correctly as a Java regular expression. For example, . and ? are special characters in Java regular expressions and need to be escaped by a preceding \ as shown in the return URL value in the previous insert statement.
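The escaping rule in the note above can be checked before you run the insert. The following Java program is an added example, not Oracle code: it assumes the Configurator requires the setting value to match the whole return_url (Pattern.matches), and the class name, helper names and the second sample URL are constructed for illustration.

```java
import java.util.regex.Pattern;

public class ReturnUrlPatternCheck {

    // Prefix every Java regex metacharacter with a backslash, producing a
    // value in the same style as the one in the insert statement above.
    static String escapeForAllowList(String url) {
        return url.replaceAll("([\\\\.\\[\\]{}()*+?^$|])", "\\\\$1");
    }

    // Assumption: an allow-list entry must match the entire return_url.
    static boolean allowed(String settingValue, String returnUrl) {
        return Pattern.matches(settingValue, returnUrl);
    }

    public static void main(String[] args) {
        // Return URL from the example on this page.
        String url = "http://host.example.com:16690/OA_HTML/CheckOut?customLaunch=Y";

        // Value to place in cz_db_settings.value for this URL.
        String escaped = escapeForAllowList(url);
        System.out.println("value to register: " + escaped);

        // Constructed test inputs: the intended URL, and a different URL
        // that differs only where the unescaped '.' and '?' sit.
        String[] candidates = {
            url,
            "http://hostXexample.com:16690/OA_HTML/CheckOutcustomLaunch=Y"
        };

        // Compare the raw URL used as a pattern against the escaped value.
        for (String candidate : candidates) {
            System.out.printf("%-62s unescaped=%-5b escaped=%b%n",
                    candidate,
                    allowed(url, candidate),
                    allowed(escaped, candidate));
        }
    }
}
```

With the raw URL stored as the value, the intended URL itself is rejected, because ? makes the preceding t optional instead of matching a literal question mark, while the second, different URL is accepted. The escaped value reverses both results.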

Because return URLs vary by application, you must register a unique entry for each calling application. Sometimes, the Configurator may be launched from multiple locations or submodules within the same calling application, resulting in different return URLs based on the entry point. In such cases, you can add additional entries for that calling application using the format:

<calling_application_short_name>_RETURN_URL_<serial_number>

for example, CZ_RETURN_URL_2.