Oracle Commerce ATG: Advanced Profile Management

Kate Soglaeva ADVANCED ATG PROFILE MANAGEMENT

Upload: kate-soglaeff

Post on 24-Dec-2015


DESCRIPTION

Advanced Profile Management for ATG Developers

TRANSCRIPT

Page 1: Oracle Commerce ATG:  Advanced Profile Management

Kate Soglaeva

ADVANCED ATG PROFILE MANAGEMENT

Page 2: Oracle Commerce ATG:  Advanced Profile Management

DAF Servlet Pipeline
Tracking users
Security status
Access control
Auto login
Profile markers
Password management

AGENDA

Page 3: Oracle Commerce ATG:  Advanced Profile Management

DAF SERVLET PIPELINE

Page 4: Oracle Commerce ATG:  Advanced Profile Management
Page 5: Oracle Commerce ATG:  Advanced Profile Management

PageFilter starts the DAF servlet pipeline by calling DynamoHandler

PAGEFILTER

Page 6: Oracle Commerce ATG:  Advanced Profile Management

startRequestServletName

Page 7: Oracle Commerce ATG:  Advanced Profile Management

TRACKING USERS

Page 8: Oracle Commerce ATG:  Advanced Profile Management


Users

anonymous

registered

USERS

Page 9: Oracle Commerce ATG:  Advanced Profile Management

Session started:
•Transient profile
•Transient order

Registration:
•Persistent profile
•Persistent order

USERS

Page 10: Oracle Commerce ATG:  Advanced Profile Management

1. Store anonymous users

# /atg/userprofiling/ProfileRequestServlet
persistAfterLogout=true
persistentAnonymousProfiles=true

2. Update required properties

TRACKING ANONYMOUS USERS

Page 11: Oracle Commerce ATG:  Advanced Profile Management

Set up auto-login

CookieManager: sendProfileCookies=true

ProfileRequestServlet: verifyBasicAuthentication=false

TRACKING REGISTERED USERS

Page 12: Oracle Commerce ATG:  Advanced Profile Management
Page 13: Oracle Commerce ATG:  Advanced Profile Management

PROFILEREQUESTSERVLET

creates an instance of the atg/userprofiling/Profile component for the request

creates a cookie containing the Profile ID of the current guest user

auto-logs in the user

maintains persistent information for anonymous users when persistentAnonymousProfiles=true

Page 14: Oracle Commerce ATG:  Advanced Profile Management


SECURITY STATUS

Page 15: Oracle Commerce ATG:  Advanced Profile Management

Value   Login method used
0       Anonymous
1       Auto login by URL parameter
2       Auto login by cookie
3       Login by HTTP basic auth
4       Explicit login or registration over HTTP
5       Explicit login or registration over HTTPS
6       Certificate provided

Group   Explanation
0       The user is unknown
1,2     Auto login. Personalization is fine, but access to sensitive pages is restricted.
4,5     Explicit login. Full access.
3,6     Project specific

SECURITY STATUS VALUES

Page 16: Oracle Commerce ATG:  Advanced Profile Management

Extract profile by DYN_USER_ID

PROFILEREQUEST

Page 17: Oracle Commerce ATG:  Advanced Profile Management

<dsp:droplet name="Compare">
  <dsp:param bean="Profile.securityStatus" name="obj1"/>
  <dsp:param bean="PropertyManager.securityStatusLogin" name="obj2"/>
  <dsp:oparam name="lessthan">
    <!-- send the user to the login form -->
    <dsp:include page="login_form.jsp"></dsp:include>
  </dsp:oparam>
  <dsp:oparam name="default">
    <!-- allow the user to proceed to the protected content -->
    <dsp:include page="protected_content.jsp"></dsp:include>
  </dsp:oparam>
</dsp:droplet>

SECURITY STATUS USAGE

Page 18: Oracle Commerce ATG:  Advanced Profile Management

provides authentication using the Basic HTTP authentication mechanism

AUTHENTICATIONSERVLET

Page 19: Oracle Commerce ATG:  Advanced Profile Management


ACCESS CONTROL

Page 20: Oracle Commerce ATG:  Advanced Profile Management
Page 21: Oracle Commerce ATG:  Advanced Profile Management


Page 22: Oracle Commerce ATG:  Advanced Profile Management


ACCESSCONTROLLER

Page 23: Oracle Commerce ATG:  Advanced Profile Management


<ruleset>
  <accepts>
    <rule op=eq>
      <valueof target="Gender">
      <valueof constant="female">
    </rule>
  </accepts>
</ruleset>

RULEACCESSCONTROLLER, RULESETSERVICE
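To make the rule-based access-control decision on the slide concrete, here is an added example in Python that is not ATG's RulesetService or RuleAccessController code: a small tolerant parser for the ruleset markup (the slide's form uses an unquoted op=eq and does not close the valueof tags, so a strict XML parser would reject it), plus an evaluator that accepts or denies a profile. Only op=eq is implemented; the rejects block, the case-insensitive profile property lookup and the string comparison of values are this example's assumptions, not a description of ATG's grammar or type coercion.

```python
import re

# Tolerant tag scanner: ATG rule markup uses unquoted attributes (op=eq) and
# leaves <valueof> unclosed, so a strict XML parser would reject it.
TAG_RE = re.compile(r"<(/?)(\w+)([^>]*)>")
ATTR_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_ruleset(text):
    """Parse <ruleset> markup into nested dicts {tag, attrs, children}."""
    root = {"tag": "#root", "attrs": {}, "children": []}
    stack = [root]
    for closing, name, raw_attrs in TAG_RE.findall(text):
        if closing:
            if stack[-1]["tag"] != name:
                raise ValueError("unexpected </%s>" % name)
            stack.pop()
            continue
        attrs = {}
        for key, val in ATTR_RE.findall(raw_attrs):
            attrs[key] = val[1:-1] if val.startswith('"') else val.rstrip("/")
        node = {"tag": name, "attrs": attrs, "children": []}
        stack[-1]["children"].append(node)
        # <valueof> never has children, so treat it as self-closing whether or
        # not the author wrote the trailing slash.
        if name != "valueof" and not raw_attrs.rstrip().endswith("/"):
            stack.append(node)
    if len(stack) != 1:
        raise ValueError("unclosed <%s>" % stack[-1]["tag"])
    return root["children"][0]


def _resolve(valueof, profile):
    """Value of a <valueof>: a literal constant, or a profile property looked
    up case-insensitively (assumption; real profiles use exact property names)."""
    attrs = valueof["attrs"]
    if "constant" in attrs:
        return attrs["constant"]
    if "target" in attrs:
        wanted = attrs["target"].lower()
        for key, val in profile.items():
            if key.lower() == wanted:
                return val
        return None
    raise ValueError("<valueof> needs a target or a constant")


def rule_matches(rule, profile):
    """Only op=eq is implemented here. A missing profile value never matches,
    so an anonymous profile with no gender is not accepted by the slide's rule."""
    if rule["attrs"].get("op", "eq") != "eq":
        raise ValueError("unsupported op %r" % rule["attrs"]["op"])
    operands = [_resolve(c, profile) for c in rule["children"] if c["tag"] == "valueof"]
    if len(operands) != 2:
        raise ValueError("a rule needs exactly two <valueof> operands")
    left, right = operands
    if left is None or right is None:
        return False
    return str(left) == str(right)


def _rules_under(ruleset, block_tag):
    return [r for b in ruleset["children"] if b["tag"] == block_tag
            for r in b["children"] if r["tag"] == "rule"]


def ruleset_accepts(text, profile):
    """Access decision: every <accepts> rule must hold and no <rejects> rule may
    hold (the <rejects> block is an assumption added for illustration)."""
    ruleset = parse_ruleset(text)
    if any(rule_matches(r, profile) for r in _rules_under(ruleset, "rejects")):
        return False
    return all(rule_matches(r, profile) for r in _rules_under(ruleset, "accepts"))


# Constructed inputs: the slide's ruleset verbatim, and a stricter XML-style one
# that also rejects anonymous visitors (securityStatus 0 on the deck's table).
SLIDE_RULESET = ('<ruleset> <accepts> <rule op=eq> <valueof target="Gender"> '
                 '<valueof constant="female"> </rule> </accepts></ruleset>')
STATUS_RULESET = ('<ruleset><accepts><rule op="eq"><valueof target="gender"/>'
                  '<valueof constant="female"/></rule></accepts>'
                  '<rejects><rule op="eq"><valueof target="securityStatus"/>'
                  '<valueof constant="0"/></rule></rejects></ruleset>')

if __name__ == "__main__":
    print(ruleset_accepts(SLIDE_RULESET, {"gender": "female"}))  # True
    print(ruleset_accepts(SLIDE_RULESET, {}))                    # False
    print(ruleset_accepts(STATUS_RULESET, {"gender": "female", "securityStatus": "0"}))  # False
```

The deny-by-default behaviour for missing profile properties is the point worth keeping in mind when an access controller gates real content: a transient anonymous profile usually has most properties unset, and the rule should fail closed rather than throw or accept.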

Page 24: Oracle Commerce ATG:  Advanced Profile Management


PASSWORD EXPIRATION

Page 25: Oracle Commerce ATG:  Advanced Profile Management
Page 26: Oracle Commerce ATG:  Advanced Profile Management

# /atg/userprofiling/ExpiredPasswordService
enabled=true
passwordValidForNumDays=30
redirectPath=expirePassword.jsp

# /atg/dynamo/servlet/pipeline/ExpiredPasswordServlet
localUrlsToAllow=/style/css/style1.jsp

PASSWORD EXPIRATION
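The configuration above implies a decision the pipeline servlet must make on every request, and the localUrlsToAllow property exists because of a failure mode: if the change-password page or its stylesheet were themselves subject to the redirect, an expired user would loop and never see the form. The following Python model, an added example and not ATG's ExpiredPasswordServlet, reproduces that decision. The property names and values come from the slide; the request and profile shapes, the lastPasswordUpdate attribute, the leading slash on redirectPath, and treating a missing change date as expired are assumptions.

```python
from datetime import date, timedelta

# Values from the slide; the leading slash on redirectPath is assumed so that it
# can be compared with request paths directly.
CONFIG = {
    "enabled": True,
    "passwordValidForNumDays": 30,
    "redirectPath": "/expirePassword.jsp",
    "localUrlsToAllow": ["/style/css/style1.jsp"],
}


def password_expired(last_password_update, today, valid_for_days):
    """True once the password is strictly older than the validity window.
    A profile with no recorded change date is treated as expired (assumption:
    that forces a reset instead of granting indefinite validity)."""
    if last_password_update is None:
        return True
    return today - last_password_update > timedelta(days=valid_for_days)


def handle_request(path, profile, today, config=CONFIG):
    """Pipeline decision: ('pass', path) continues to the next servlet,
    ('redirect', target) sends the browser to the change-password page."""
    if not config["enabled"]:
        return ("pass", path)
    if not profile.get("loggedIn", False):
        return ("pass", path)  # anonymous visitors have no password to expire
    # The redirect page and its listed assets must always pass, or the
    # expired user would be redirected in a loop and never see the form.
    if path == config["redirectPath"] or path in config["localUrlsToAllow"]:
        return ("pass", path)
    if password_expired(profile.get("lastPasswordUpdate"), today,
                        config["passwordValidForNumDays"]):
        return ("redirect", config["redirectPath"])
    return ("pass", path)


def demo():
    """Constructed profiles and requests; returns the decision for each."""
    today = date(2015, 12, 24)
    fresh = {"loggedIn": True, "lastPasswordUpdate": date(2015, 12, 1)}
    stale = {"loggedIn": True, "lastPasswordUpdate": date(2015, 10, 1)}
    guest = {"loggedIn": False}
    return {
        "fresh_account": handle_request("/account.jsp", fresh, today),
        "stale_account": handle_request("/account.jsp", stale, today),
        "stale_reset_page": handle_request("/expirePassword.jsp", stale, today),
        "stale_css": handle_request("/style/css/style1.jsp", stale, today),
        "guest": handle_request("/account.jsp", guest, today),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(name, decision)
```

When adding entries to localUrlsToAllow in a real deployment, keep the list to what the reset page needs; every allowed URL is reachable by a user whose credential has been judged stale.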

Page 27: Oracle Commerce ATG:  Advanced Profile Management


PASSWORD EXPIRATION

Page 28: Oracle Commerce ATG:  Advanced Profile Management


PASSWORD EXPIRATION

Page 29: Oracle Commerce ATG:  Advanced Profile Management

INSERTING SERVLETS IN THE PIPELINE

Page 30: Oracle Commerce ATG:  Advanced Profile Management

STEPS TO CREATE PIPELINE SERVLET

Add the servlet to /atg/dynamo/servlet/Initial.initialServices

Set the new servlet’s nextServlet property

Reset the previous servlet’s nextServlet property

Define global scope component

Extend atg.servlet.pipeline.PipelineableServletImpl

Page 31: Oracle Commerce ATG:  Advanced Profile Management

PIPELINEBLESERVLET

Page 32: Oracle Commerce ATG:  Advanced Profile Management

INSERTABLESERVLET

Page 33: Oracle Commerce ATG:  Advanced Profile Management

1. Disable unnecessary servlets
2. Add new servlets if required

Ex. Reprice order functionality

HOW TO USE?

Page 34: Oracle Commerce ATG:  Advanced Profile Management


PROFILE MARKERS

Page 35: Oracle Commerce ATG:  Advanced Profile Management

USER PROFILE MARKERS

Page 36: Oracle Commerce ATG:  Advanced Profile Management


PASSWORD

Page 37: Oracle Commerce ATG:  Advanced Profile Management


Page 38: Oracle Commerce ATG:  Advanced Profile Management

ATG 10.0 /atg/userprofiling/PropertyManager/

ATG 10.1 /atg/userprofiling/InternalPropertyManager/

PASSWORD HASHING

Page 39: Oracle Commerce ATG:  Advanced Profile Management

Hashes passwords with the SHA-256 algorithm and a random salt, then iteratively rehashes the result.

ATG 10.1 OOTB PASSWORD HASHING

Page 40: Oracle Commerce ATG:  Advanced Profile Management

Hashes passwords with the MD5 algorithm and then encodes the result using base-16 encoding.

ATG 10.0 OOTB PASSWORD HASHING

Page 41: Oracle Commerce ATG:  Advanced Profile Management

With hashing disabled, passwords are stored and compared in clear text.

DISABLE PASSWORD HASHING
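The three preceding slides describe three storage schemes (salted iterated SHA-256 in ATG 10.1, MD5 in base 16 in ATG 10.0, and clear text when hashing is disabled), and a site upgraded from 10.0 typically has records of more than one kind at once. The Python below is an added example, not ATG's PropertyManager code: it implements the 10.1-style scheme, recognises the two weaker formats only to verify and migrate them, and compares in constant time. The record format (scheme$iterations$salt$digest), the 16-byte salt and the iteration count are this example's assumptions, not ATG's actual encoding.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 20000  # assumed; the deck does not state ATG's real count


def hash_sha256_salted(password, salt=None, iterations=ITERATIONS):
    """ATG 10.1 style: SHA-256 over a random per-user salt plus the password,
    then iteratively rehashed. Record format here is an assumption."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha256(digest).digest()
    return "sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def hash_md5_hex(password):
    """ATG 10.0 style: MD5 encoded in base 16. Kept only to recognise and
    migrate legacy records; never use it for new passwords."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def _looks_like_md5_hex(stored):
    return len(stored) == 32 and all(c in "0123456789abcdef" for c in stored.lower())


def verify(password, stored):
    """Check a password against a stored record.

    Returns (ok, upgraded) where upgraded is a fresh salted SHA-256 record to
    write back when the match came from a legacy MD5 or clear-text record, and
    None otherwise. Every comparison is constant-time via hmac.compare_digest.
    Caveat: a clear-text password that happens to be 32 hex characters would
    be mistaken for an MD5 record; a real store should tag the scheme.
    """
    if stored.startswith("sha256$"):
        _, iters, salt_hex, _ = stored.split("$", 3)
        candidate = hash_sha256_salted(password, bytes.fromhex(salt_hex), int(iters))
        return (hmac.compare_digest(candidate, stored), None)
    if _looks_like_md5_hex(stored):
        ok = hmac.compare_digest(hash_md5_hex(password), stored.lower())
        return (ok, hash_sha256_salted(password) if ok else None)
    # Hashing disabled: the record is the clear-text password. Still compare in
    # constant time, and upgrade the record on the first successful login.
    ok = hmac.compare_digest(password.encode("utf-8"), stored.encode("utf-8"))
    return (ok, hash_sha256_salted(password) if ok else None)


if __name__ == "__main__":
    # Constructed records: one per scheme on the slides.
    records = {
        "alice": hash_sha256_salted("correct horse battery staple"),
        "bob": hash_md5_hex("password"),      # legacy 10.0 record
        "carol": "plaintext-secret",          # hashing disabled
    }
    for user, record in records.items():
        ok, upgraded = verify({"alice": "correct horse battery staple",
                               "bob": "password", "carol": "plaintext-secret"}[user], record)
        print(user, ok, "upgrade needed" if upgraded else "already salted SHA-256")
```

The migration path matters more than the hash choice: legacy MD5 records cannot be rehashed without the password, so the only opportunity is a successful login, and until then those accounts stay exposed if the table leaks.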

Page 42: Oracle Commerce ATG:  Advanced Profile Management


PASSWORDRULECHECKER

Page 43: Oracle Commerce ATG:  Advanced Profile Management

THANK YOU! QUESTIONS?