oracle commerce atg: advanced profile management

Post on 24-Dec-2015


DESCRIPTION

Advanced Profile Management for ATG Developers

TRANSCRIPT

Kate Soglaeva

ADVANCED ATG PROFILE MANAGEMENT

AGENDA

DAF Servlet Pipeline
Tracking users
Security status
Access control
Auto login
Profile markers
Password management

DAF SERVLET PIPELINE

PageFilter starts the DAF servlet pipeline by calling DynamoHandler

PAGEFILTER

startRequestServletName

TRACKING USERS


Users

anonymous

registered

USERS


Session started
• Transient profile
• Transient order

Registration
• Persistent profile
• Persistent order

USERS


1. Store anonymous users

# /atg/userprofiling/ProfileRequestServlet
persistAfterLogout=true
persistentAnonymousProfiles=true

2. Update required properties

TRACKING ANONYMOUS USERS


Set up auto-login

CookieManager: sendProfileCookies=true

ProfileRequestServlet: verifyBasicAuthentication=false

TRACKING REGISTERED USERS

PROFILEREQUESTSERVLET

Creates an instance of /atg/userprofiling/Profile

Creates a cookie containing the profile ID of the current guest user

Auto-logs the user in

Maintains persistent information: persistentAnonymousProfiles=true


SECURITY STATUS

Value   Login method used
0       Anonymous
1       Auto login by URL parameter
2       Auto login by cookie
3       Login by HTTP basic auth
4       Explicit login or registration over HTTP
5       Explicit login or registration over HTTPS
6       Certificate provided

Group   Explanation
0       The user is unknown
1, 2    Auto login. Personalization is fine, but access to sensitive pages is restricted.
4, 5    Explicit login. Full access.
3, 6    Project specific

SECURITY STATUS VALUES


Extract profile by DYN_USER_ID

PROFILEREQUEST


<dsp:droplet name="Compare">
  <dsp:param bean="Profile.securityStatus" name="obj1"/>
  <dsp:param bean="PropertyManager.securityStatusLogin" name="obj2"/>
  <dsp:oparam name="lessthan">
    <!-- send the user to the login form -->
    <dsp:include page="login_form.jsp"></dsp:include>
  </dsp:oparam>
  <dsp:oparam name="default">
    <!-- allow the user to proceed to the protected content -->
    <dsp:include page="protected_content.jsp"></dsp:include>
  </dsp:oparam>
</dsp:droplet>

SECURITY STATUS USAGE

Provides authentication using the HTTP Basic authentication mechanism

AUTHENTICATIONSERVLET


ACCESS CONTROL


ACCESSCONTROLLER


<ruleset>
  <accepts>
    <rule op=eq>
      <valueof target="Gender">
      <valueof constant="female">
    </rule>
  </accepts>
</ruleset>

RULEACCESSCONTROLLER, RULESETSERVICE


PASSWORD EXPIRATION


# /atg/userprofiling/ExpiredPasswordService
enabled=true
passwordValidForNumDays=30
redirectPath=expirePassword.jsp

# /atg/dynamo/servlet/pipeline/ExpiredPasswordServlet
localUrlsToAllow=/style/css/style1.jsp


INSERTING SERVLETS IN THE PIPELINE

STEPS TO CREATE PIPELINE SERVLET

Add the servlet to /atg/dynamo/servlet/Initial.initialServices

Set the new servlet's nextServlet property

Reset the previous servlet's nextServlet property

Define global scope component

Extend atg.servlet.pipeline.PipelineableServletImpl

PIPELINEBLESERVLET

INSERTABLESERVLET
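The security-status check from the Compare droplet above, rewritten as a pipeline servlet built the way the preceding steps describe (extend the pipeline servlet base class, wire it as a global component, pass the request on). This is an added example and not code from the slides; the class name, the protected URL prefix and the login page path are assumptions, while getSecurityStatus() and getSecurityStatusLogin() are the bean properties the droplet reads.

```java
package example.pipeline; // hypothetical package, not from the slides

import java.io.IOException;
import javax.servlet.ServletException;
import atg.servlet.DynamoHttpServletRequest;
import atg.servlet.DynamoHttpServletResponse;
import atg.servlet.ServletUtil;
import atg.servlet.pipeline.InsertableServletImpl;
import atg.userprofiling.Profile;
import atg.userprofiling.PropertyManager;

/**
 * Pipeline servlet equivalent of the Compare droplet: a profile whose
 * securityStatus is below PropertyManager.securityStatusLogin (anonymous
 * or auto-logged-in users) is sent to the login form before it can reach
 * anything under the protected prefix; everyone else passes through.
 */
public class SecurityStatusGateServlet extends InsertableServletImpl {

  private String mProtectedPrefix = "/account/";   // assumption
  private String mLoginPage = "/login_form.jsp";   // page used by the droplet
  private PropertyManager mPropertyManager;          // set from .properties

  public String getProtectedPrefix() { return mProtectedPrefix; }
  public void setProtectedPrefix(String pPrefix) { mProtectedPrefix = pPrefix; }
  public String getLoginPage() { return mLoginPage; }
  public void setLoginPage(String pPage) { mLoginPage = pPage; }
  public PropertyManager getPropertyManager() { return mPropertyManager; }
  public void setPropertyManager(PropertyManager pPm) { mPropertyManager = pPm; }

  /** Same test as the droplet's "lessthan" branch; a missing profile counts as unknown. */
  public boolean requiresLogin(Profile pProfile) {
    return pProfile == null
        || pProfile.getSecurityStatus() < getPropertyManager().getSecurityStatusLogin();
  }

  public void service(DynamoHttpServletRequest pRequest,
                      DynamoHttpServletResponse pResponse)
      throws IOException, ServletException {
    Profile profile = ServletUtil.getCurrentUserProfile(pRequest);
    if (pRequest.getRequestURI().startsWith(getProtectedPrefix())
        && requiresLogin(profile)) {
      // "lessthan": send the user to the login form instead of the content
      pResponse.sendLocalRedirect(getLoginPage(), pRequest);
      return;
    }
    // "default": hand the request to the next servlet in the pipeline
    passRequest(pRequest, pResponse);
  }
}
```

The component is wired as a globally scoped .properties file whose $class names this class, with insertAfterServlet pointing at the pipeline servlet it should follow and propertyManager pointing at /atg/userprofiling/PropertyManager, and is then listed in Initial.initialServices as the steps above describe.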

1. Disable unnecessary servlets
2. Add new servlets if required

Ex. Reprice order functionality

HOW TO USE?


PROFILE MARKERS

USER PROFILE MARKERS


PASSWORD


ATG 10.0: /atg/userprofiling/PropertyManager/

ATG 10.1: /atg/userprofiling/InternalPropertyManager/

PASSWORD HASHING


Hashes the password with the SHA-256 algorithm and a random salt, and iteratively rehashes the result.

ATG 10.1 OOTB PASSWORD HASHING


Hashes the password with the MD5 algorithm and then encodes the result using base-16 encoding.

ATG 10.0 OOTB PASSWORD HASHING


Passwords will be stored and compared in clear text.

DISABLE PASSWORD HASHING


PASSWORDRULECHECKER

THANK YOU! QUESTIONS?