Relying on an implicit default url-invoke-disallowed setting lacks clarity and can lead to unwanted behavior if the default changes unexpectedly.
By default, task flows in a Fusion application are not directly accessible from a GET request: whenever a URL attempts to invoke the task flow, the request receives an HTTP 403 status code. However, relying on an implicit setting lacks clarity and can lead to unwanted behavior if the default setting changes underneath the application, so the intended policy should be stated explicitly in the task flow definition.
Example 1: The following snippet from a task flow definition file shows an example of a task flow configured with the implicit default url-invoke-disallowed setting.
...
<task-flow-definition id="password">
    <default-activity>PasswordPrompt</default-activity>
    <view id="PasswordPrompt">
        <page>/PasswordPrompt.jsff</page>
    </view>
    <use-page-fragments/>
</task-flow-definition>
...
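One way to catch this in review, as an added example that is not part of the original page: a small scanner that parses task flow definition files and reports every task-flow-definition that does not state its URL invoke policy explicitly. The element name url-invoke-allowed is assumed from the Oracle ADF documentation (it does not appear in the snippet above), and the sample XML is constructed for the example.

```python
"""Flag ADF bounded task flows that rely on the implicit url-invoke default."""
import xml.etree.ElementTree as ET

# Element names follow the ADF task flow schema; <url-invoke-allowed> is an
# assumption taken from the Oracle ADF documentation, not from the page above.
TASK_FLOW = "task-flow-definition"
URL_INVOKE = "url-invoke-allowed"


def _local(tag):
    """Drop the XML namespace so adfc files with or without xmlns match."""
    return tag.rsplit("}", 1)[-1]


def find_implicit_url_invoke(xml_text):
    """Return ids of task flows whose URL invoke policy is not stated explicitly."""
    root = ET.fromstring(xml_text)
    flagged = []
    for elem in root.iter():  # iter() includes the root element itself
        if _local(elem.tag) != TASK_FLOW:
            continue
        explicit = [c for c in elem
                    if _local(c.tag) == URL_INVOKE and (c.text or "").strip()]
        if not explicit:
            flagged.append(elem.get("id"))
    return flagged


# Constructed sample: the page's "password" flow (implicit default) next to a
# second flow that spells out url-invoke-disallowed.
SAMPLE = """<adfc-config xmlns="http://xmlns.oracle.com/adf/controller" version="1.2">
  <task-flow-definition id="password">
    <default-activity>PasswordPrompt</default-activity>
    <view id="PasswordPrompt">
      <page>/PasswordPrompt.jsff</page>
    </view>
    <use-page-fragments/>
  </task-flow-definition>
  <task-flow-definition id="report">
    <default-activity>Report</default-activity>
    <view id="Report">
      <page>/Report.jsff</page>
    </view>
    <url-invoke-allowed>url-invoke-disallowed</url-invoke-allowed>
    <use-page-fragments/>
  </task-flow-definition>
</adfc-config>"""

if __name__ == "__main__":
    for flow_id in find_implicit_url_invoke(SAMPLE):
        print(f"task flow '{flow_id}': URL invoke policy left at implicit default")
```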
[1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A10 Insecure Configuration Management
[2] Standards Mapping - FIPS200 - (FISMA) CM
[3] Oracle(R) Fusion Middleware Fusion Developer's Guide for Oracle Application Development Framework, 15.6.4, How to Call a Bounded Task Flow Using a URL