These off-the-shelf methods are provided in EBS 12.2 patch 37197085 (R12.AD.C.DELTA.17) / 37182900 (12.5.15)
In a valid EBS session, through the navigator menu user makes a URL call to APEX page. So it is a one-way access: EBS to APEX.
The entry point is a Menu Form Function URL from EBS. The HTML Call of such function is in this format (should be in 1 line; break down just for reading):
GWY.jsp?targetAppType=APEX&apexLayout=[FULLWINDOW|EMBEDDED]&p=[AppID]:[PageID]:::::EBS_LANG_CODE,EBS_SEC_GROUP,EBS_APP_ID,EBS_RESP_ID:[LANGUAGE_CODE],[SECURITY_GROUP_ID],[RESP_APPL_ID],[RESPONSIBILITY_ID]
Optional parameters [LANGUAGE_CODE], [SECURITY_GROUP_ID], [RESP_APPL_ID], [RESPONSIBILITY_ID] values will be replaced by actual values in that EBS session (these parameters must be enclosed by square brackets)
Profile option FND_APEX_URL value is retrieved so that the forwarding APEX URL becomes
http(s)://[FND_APEX_URL]/f?p=[AppID]:[PageID]:::::EBS_LANG_CODE,EBS_SEC_GROUP,EBS_APP_ID,EBS_RESP_ID:[LANGUAGE_CODE],[SECURITY_GROUP_ID],[RESP_APPL_ID],[RESPONSIBILITY_ID]
When the APEX page is hit, it first triggers the authentication process FND_APEX_AUTHENTICATION.
The stored procedure apps.fnd_apex.authentication (source from $FND_TOP/patcxh/115/sql/AFAPXAU.pls) run this query for checking:
SELECT iss.user_id, iss.responsibility_id, iss.responsibility_application_id, iss.security_group_id, iss.org_id, iss.time_out, iss.language_code, iss.function_idFROM icx_sessions iss, icx_session_attributes isaWHERE iss.session_id = icx_sec.getsessioncookieAND isa.session_id = iss.session_idAND isa.name = '_USERORSSWAPORTALURL';
This FND_APEX package is granted to APEX custom schema by $AD_TOP/patch/115/sql/ADAPEXSCHREG.sql (this schema is also used by this APEX application, e.g. XXAPEX)
The function icx_sec.getsessioncookie return the session ID from the cookie value. This authentication function will return FALSE if session ID is not found.
If session ID exists, then
Execute fnd_global.apps_initialize(user_id, resp_id, resp_appl_id, security_group_id, server_id) to create a EBS session
ExecuteAPEX_CUSTOM_AUTH.SET_USER(FND USER NAME). The user name is from the USER_ID found from the above query. Then, the :APP_USER variable in APEX app is the same as this FND USER.
All APEX pages will also secured by the authorization schema apps.fnd_apex.authorization:
Call fnd_function.TEST_ID(function_id) to check that this form function is accessible for current responsibility. The function_id (EBS Form Function) is found in the same query above.
Executeapex_util.set_session_max_idle_seconds(LEAST([time_out]*60,28800), 'APPLICATION') to set the timeout duration.
One can log on to APEX using EBS credentials, and then accesses different authorized pages in the app, just like a normal APEX application.
User can also log on to EBS, then through the navigator menu to access the APEX page.
This is a 2-way access (able to access the pages from both sides). Also, we can create settings that some pages can be accessed only from APEX side, but not from EBS side (without a Menu Form Function for that APEX page).
This authentication uses the function APEX2EBS_PKG.LOGIN_AUTHENTICATION to validate the EBS credentials. This function make use of fnd_user_pkg.validatelogin which will return true if username/password combination is correct.
It is controlled by the function A2E_PAGE_AUTHORIZATION(:EBS_USER_ID, :EBS_RESP_ID, :APP_ID, :APP_PAGE_ID). The user-responsibility-page mappings and controls are stored in table A2E_RESP_PAGE_MAPPING. In every page visit, this mapping is evaluated to determine whether that page is authorized to use by this user and responsibility.
The profile option "Allow Unrestricted Redirects" FND_SEC_ALLOW_UNRESTRICTED_REDIRECT sets unrestricted (set to Yes) or restricted access (set to No).
Open $FND_TOP/secure/allowed_redirects.conf and add the line (host destination.example.com):
host win11-apex.symbolthree.com
Note: The Oracle E-Business Suite 12.2.4+ Allowed Redirects feature allows you to define a list of allowed redirects for your Oracle E-Business Suite 12.2 environment. The Allowed Redirects is enabled by default with Oracle E-Business Suite 12.2.6.
© 2026 by Christopher Ho. All Rights Reserved