URL Allow List
Note: The URL allow list is blank by default unless otherwise configured as part of your customizations.
Note: For this facility to be used the com.oracle.ouaf.uriValidation.enable parameter in the spl.properties file must be set to true.
It is possible to limit the values of URLs used for key objects within the product through configuration. This is implemented as an allow list that can filter on scheme (also known as protocol), hosts and ports. URLs are checked at runtime, and one that does not adhere to the allow list can generate an error.
The feature allows for the following:
- Individual scheme, host and port combinations can be configured to limit runtime access for specific features.
- Specification of the '*' wildcard is supported for scheme, hosts and ports.
The allow list is configured using the following settings in the spl.properties file:
Configuration Parameter | Comments
com.oracle.ouaf.uriValidation.enable | Enable or disable URI validation.
com.oracle.ouaf.whitelist.file | Location and name of product allow list file.
com.oracle.ouaf.customer.whitelist.file | Location and name of custom allow list file.

The format of the allow list file is as follows:
XML Tag | Comments
"<Parameter>" | Feature within product to limit. This is a preset string linked to a URI parameter in the product.
uri | URI tag.
scheme | Protocol supported by <Parameter>. Valid values will vary depending on the <Parameter> value. For example, URLs support file, http, https, and so on.
host | Host name(s) or IP address(es) to filter upon.
port | Port number(s) to filter upon.
For example:
<?xml version="1.0" encoding="UTF-8"?>
<whitelist>
  "Message Sender HTTP URL properties"
  <uri>
    <scheme>https</scheme>
    <host>myhost.mycompany.com</host>
    <port>*</port>
  </uri>
</whitelist>
Refer to the Server Administration Guide for more details of the usage and format of this file.
Implementing a Custom URL Allow List
It is possible to establish a custom allow list to implement URL allow lists for non-cloud implementations. The format of the custom allow list is the same as that of the allow list above, and it will augment and enhance the existing allow list (if present). To support a custom allow list, perform the following steps:
1. Log on to the machine you have made the changes on as the product administrator.
2. If you have not already done so, use the splenviron utility to set the environment variables for the product environment.
3. If it does not already exist, clone the product allow list located as indicated in the com.oracle.ouaf.whitelist.file parameter. Ensure the custom file is in the same location as this allow list file and is prefixed with "cm" to indicate it is a customization. The file name can be any name valid for your operating system and site preferences and must be suffixed with ".xml". Uncomment any section you want to set.
4. Create a custom spl.properties template or use the templating function to set the following parameter with the filename and location of the custom allow list.
   com.oracle.ouaf.customer.whitelist.file=<filename>
5. Execute the initialSetup.sh utility to implement the new setting.
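A pre-deployment check for a custom allow list file, as an added example that is not Oracle's code: it confirms the file is well-formed XML in the format shown above, flags entries that are wildcards in all three fields, and tests sample URLs against the entries. The matching rules (case-insensitive exact match or a whole-field '*', default ports 80/443 when a URL omits the port) and all function names are assumptions; the product's runtime check may differ.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Assumption: a URL without an explicit port is checked against its scheme default.
DEFAULT_PORTS = {"http": "80", "https": "443"}

# Constructed sample in the page's format (not a shipped product file).
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<whitelist>
  <uri><scheme>https</scheme><host>myhost.mycompany.com</host><port>*</port></uri>
  <uri><scheme>*</scheme><host>*</host><port>*</port></uri>
</whitelist>"""

def load_entries(xml_text):
    """Parse the file; ET.ParseError is raised if it is not well-formed XML."""
    root = ET.fromstring(xml_text)
    entries = []
    for uri in root.iter("uri"):
        entry = {}
        for tag in ("scheme", "host", "port"):
            value = (uri.findtext(tag) or "").strip()
            if not value:
                raise ValueError(f"<uri> entry is missing <{tag}>")
            entry[tag] = value.lower()
        entries.append(entry)
    return entries

def broad_entries(entries):
    """Return entries that are '*' in every field and therefore restrict nothing."""
    return [e for e in entries if all(v == "*" for v in e.values())]

def is_allowed(url, entries):
    """True if scheme, host and port each equal an entry's value or that value is '*'."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = str(parts.port) if parts.port else DEFAULT_PORTS.get(scheme, "")
    actual = {"scheme": scheme, "host": host, "port": port}
    return any(all(e[t] in ("*", actual[t]) for t in actual) for e in entries)

if __name__ == "__main__":
    entries = load_entries(SAMPLE)
    for e in broad_entries(entries):
        print("WARNING: entry allows any URL:", e)
    strict = [e for e in entries if e not in broad_entries(entries)]
    print(is_allowed("https://myhost.mycompany.com:8443/svc", strict))  # matching entry
    print(is_allowed("http://myhost.mycompany.com/svc", strict))        # scheme not listed
```

Run it against the "cm"-prefixed file before executing initialSetup.sh, and treat any entry reported by broad_entries as one to narrow.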