Tuesday, April 3, 2012

How to implement access control in customized code?

Enterprise beans and data beans are resources that may need to be protected. However, not all enterprise beans and data beans should be protected.

Typically, the question of what to protect comes into play when you create new Enterprise beans and data beans.

Deciding which resources to protect depends on your application.

If a command returns an Enterprise bean in the getResources method, then the Enterprise bean must be protected because the ACP manager will call the getOwner() method on the enterprise bean. The fulfills() method will also be called if a relationship is specified in the corresponding resource-level ACP.

If we implement the Protectable interface for all enterprise beans and data beans, the number of policies increases and performance may degrade.

Primary resources should be protected, but dependent resources often do not require protection. If a user is allowed to access a primary resource, it makes sense that, by default, the user should also be allowed to access its dependent resources.

Monday, April 2, 2012

Understanding Access Control Policy

Access control in WCS is composed of the following elements:

1. Users - Users are the people that use the system. Users must be grouped into relevant access groups.
2. Actions - Actions are the activities that users can perform on a resource. Actions must also be grouped into relevant action groups.
3. Resources - Resources are the entities that are protected. Ex: if the action is a view, the resource to be protected is the command that invoked the view.
4. Relationships - Relationships are the relationships between the user and the resource.

There are two levels (types) of ACP.

1. Command-level ACP - The first level of ACP is performed by the WAS. In this respect, WC uses WAS to protect Enterprise beans and servlets.
2. Resource-level ACP - The second level of ACP is the fine-grained access control system of WCS.

Note: A command-level ACP always has the ExecuteCommandActionGroup as the action group for controller commands. For views, the resource group is always ViewCommandResourceGroup. (Related tables: ACPOLICY, MBRGRP, MBRGRPCOND, ACACTGRP, ACRESGRP)

ACPs are enforced by the access control policy manager. When a user attempts to access a protected resource, the ACP manager determines which ACPs are applicable for that protected resource, and based upon the applicable ACPs, it determines whether the user is allowed to access the requested resource.

An ACP is a 4-element tuple that is stored in the ACPOLICY table. Each access control policy takes the following form:

AccessControlPolicy [UserGroup, ActionGroup, ResourceGroup, Relationship]

The above elements say that a user belonging to a specific user group is permitted to perform actions in the specified ActionGroup on resources belonging to the specified ResourceGroup, as long as the user satisfies the conditions specified in the Relationship or relationship group, with respect to the resource in question.

Ex: [AllUsers, UpdateDoc, doc, creator] specifies that all users can update a document, if they are the creator of the document.

  • The user group is a specific type of member group that is defined in the MBRGRP table.
  • A user group must be associated with a member group type of -2. The value of -2 represents an access group and is defined in the MBRGRPTYPE table.
  • The association between the user group and the member group type is stored in the MBRGRPUSG table.

The membership of a user in a particular user group may be stated explicitly or implicitly. An explicit specification occurs if the MBRGRPMBR table states that the user belongs to a particular member group. An implicit specification occurs if the user satisfies a condition (for example, all users that fulfill the role of Product Manager) that is stated in the MBRGRPCOND table.

Most conditions to include a user in a user group are based upon the user fulfilling a particular role. Ex: there could be an ACP that allows all users that fulfill the Product Manager role to perform catalog management operations. In this case, any user that has been assigned the Product Manager role in the MBRROLE table is implicitly included in the user group.

The ActionGroup element comes from the ACACTGRP table. An action group refers to an explicitly specified group of actions. The list of actions is stored in the ACACTION table and the relationship of each action to its action group (or groups) is stored in the ACACTACTGP table.

An example of an action group is the "OrderWriteCommands" action group. This action group includes the following actions that are used to update orders:

  • OrderDeleteCmd
  • OrderCancelCmd
  • OrderAProfileUpdateCmd
  • OrderUnlockCmd
  • OrderScheduleCmd
  • ScheduledOrderCancelCmd
  • ScheduledOrderProcessCmd
  • OrderItemAddCmd
  • OrderItemDeleteCmd
  • OrderItemUpdateCmd
  • PayResetPMCmd

The resource group is a mechanism to group together particular types of resources. Membership of a resource in a ResourceGroup can be specified in one of two ways:

  • using the conditions column in the ACRESGRP table
  • using the ACRESGPRES table

In most cases, it is sufficient to use the ACRESGPRES table for associating resources with resource groups. Using this method, resources are defined in the ACRESCGRY table using their Java class name.

These resources are associated with the appropriate resource group (ACRESGRP) using the ACRESGPRES association table. in this case where the java class name alone is not sufficient to define the members a resource group.

The ACP can optionally include either a Relationship or RelationshipGroup element as its fourth element.

If the ACP uses a Relationship element, this comes from the ACRELATION table. If, on the other hand, it includes a RelationshipGroup element, that comes from the ACRELGRP table. A RelationshipGroup specification from the ACRELGRP table takes precedence over the Relationship information from the ACRELATION table.
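
The decision described in the two access control posts above, modeled in plain Java 17 as an added example (not WebSphere Commerce code and not from the original posts). The nested Protectable interface is a stand-in that mirrors only the getOwner() and fulfills() callbacks named above; Doc, DocUpdateCmd, the IDs, the exact-match use of getOwner() and the default-deny evaluation are assumptions of the model.

```java
import java.util.*;
import java.util.function.Predicate;

public class AcpModel {
    // Stand-in for the two callbacks the ACP manager makes on a protected resource.
    interface Protectable {
        Long getOwner();
        boolean fulfills(Long memberId, String relationship);
    }

    // Hypothetical primary resource: a document owned by an organization.
    record Doc(Long ownerOrgId, Long creatorId) implements Protectable {
        public Long getOwner() { return ownerOrgId; }
        public boolean fulfills(Long memberId, String relationship) {
            return "creator".equals(relationship) && creatorId.equals(memberId);
        }
    }

    // Explicit members (MBRGRPMBR) plus an implicit condition on roles (MBRGRPCOND).
    record UserGroup(Set<Long> explicit, Predicate<Set<String>> condition) {
        boolean contains(Long userId, Set<String> roles) {
            return explicit.contains(userId) || condition.test(roles);
        }
    }

    // [UserGroup, ActionGroup, ResourceGroup, Relationship]; relationship may be null.
    record Policy(Long ownerOrgId, UserGroup users, Set<String> actions,
                  Set<String> resourceClasses, String relationship) {}

    // Default deny: access is granted only if some policy matches on every element.
    static boolean isAllowed(List<Policy> policies, Long userId, Set<String> roles,
                             String action, Protectable res) {
        return policies.stream().anyMatch(p ->
            p.ownerOrgId().equals(res.getOwner())          // assumption: exact owner match
            && p.users().contains(userId, roles)
            && p.actions().contains(action)
            && p.resourceClasses().contains(res.getClass().getName())
            && (p.relationship() == null || res.fulfills(userId, p.relationship())));
    }

    public static void main(String[] args) {
        // Constructed sample data for [AllUsers, UpdateDoc, doc, creator].
        UserGroup allUsers = new UserGroup(Set.of(), roles -> true);
        Policy updateOwnDoc = new Policy(7000L, allUsers, Set.of("DocUpdateCmd"),
                Set.of(Doc.class.getName()), "creator");
        Doc doc = new Doc(7000L, 1001L);
        List<Policy> policies = List.of(updateOwnDoc);
        System.out.println(isAllowed(policies, 1001L, Set.of(), "DocUpdateCmd", doc)); // creator
        System.out.println(isAllowed(policies, 1002L, Set.of(), "DocUpdateCmd", doc)); // another user
        System.out.println(isAllowed(policies, 1001L, Set.of(), "DocDeleteCmd", doc)); // action not in group
    }
}
```

The relationship check is the only element that has to call back into the resource, which is why a bean returned from getResources must implement both methods before a resource-level policy can be evaluated against it.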


Wednesday, February 1, 2012

Enabling JDBCAccessBean for Management Center

Use WebSphere Application Server administrative console to trace queries serviced by the data service layer.

a. Set the log level setting to 'all' for the com.ibm.commerce.foundation.server.services.dataaccess* component in the WebSphere Application Server Administrative console.

Note: To trace the UPDATE and INSERT queries, set the log level setting to 'all' for all classes under component com.ibm.ws.sdo.mediator.jdbc (com.ibm.ws.sdo.mediator.jdbc*=all). You must restart the server after enabling this trace.

Thursday, January 5, 2012

massextract utility example

Mass extract (massextract) is an OOB utility which can be used to extract data from any tables in IBM WCS. Use the massextract utility to extract selective subsets of data from the WebSphere Commerce database in the form of XML files.
You can extract data on products related to an upcoming holiday, for example, or you can extract information from a consolidated database for use with other systems.

Step-1

Prerequisites before running this utility

i. Assume that the environment variables are already set.
ii. JVM Setting (optional)
iii. (Oracle) Optional: By default, the massextract utility uses the Oracle thick JDBC client. To change the massextract utility to use the Oracle thin JDBC client.

Step-2

Create an extraction filter: An extraction filter is an XML file that defines the data you want to extract from the WebSphere Commerce database. You must create an extraction filter before you run the massextract utility.

Procedure to create an extraction filter

1. Develop SQL queries for the data you want to extract from the WebSphere Commerce database.

Extraction filter format


This tag and its closing tag define the extraction filter. All of the text in the extraction
file must be contained within this tag.

This tag defines the SQL query used to extract data from the database.
Every tag requires one or more tags.

This tag is responsible for the running of the SQL query. In this tag, you can also
specify for any values required for variable parameter defined in the tag.
Multiple tags can be associated with one tag.

Example:

1. Create file called CatentryFilter.xml
2. Add the following content to CatentryFilter.xml




3. Finally, run the massextract utility as follows:

./massextract.sh -filter /opt/IBM/WebSphere/CommerceServer60/bin/CatentryFilter.xml -outfile /opt/IBM/WebSphere/CommerceServer60/bin/CatentryFilterExtracted.xml -dbname PPSTGDB -dbuser MIPRODSTA -dbpwd MIPRODSTA -customizer OracleConnectionCustomizer


Note: We can query multiple tables using join conditions.


Tuesday, December 20, 2011

To enable the attribute dictionary and non attribute dictionary attribute functionality concurrently

1. Switch the implementation of ResolveSkuCmd to ResolveSkuAllCmdImpl in the CMDREG table:

a. Open the respective database command window.
b. Run the following SQL command:

SQL> update cmdreg set classname='com.ibm.commerce.catalog.commands.ResolveSkuAllCmdImpl' where interfacename ='com.ibm.commerce.catalog.commands.ResolveSkuCmd';

2. To enable the attribute dictionary only, switch the implementation of ResolveSkuCmd to ResolveSkuNewCmdImpl in the CMDREG table:

a. Open the respective database command window.
b. Run the following SQL command:


SQL> update cmdreg set classname='com.ibm.commerce.catalog.commands.ResolveSkuNewCmdImpl' where interfacename ='com.ibm.commerce.catalog.commands.ResolveSkuCmd';

c. Customize the Catalogs tool to hide the local attribute table to prevent users from using the table to create a new attribute in the legacy table.

Note: To change the ResolveSkuCmd implementation for one store, you create a new row in the CMDREG table with the STOREENT_ID set to the store ID. If you set the STOREENT_ID to "0", the command applies to all the stores.


There are two types of attributes. Determine the type of attribute you want to add:

i. Allowed value attribute
ii. Assigned value attribute

Note: Supported data types: Text (STRING), Whole number (INTEGER) and Decimal number (FLOAT)

Tuesday, November 29, 2011

Solr Re-indexing steps WCS 7

Prerequisites: you need to have V7 FEP2+.

IBM WCS is now a fully operational search engine. The product now includes Lucene Solr as the internal search engine and also incorporates industry best practices.


Once you get the latest database, follow these steps to re-index the products.

  1. Install "WebSphere Commerce Developer Enterprise" version 7
  2. Update "WebSphere Commerce Developer Enterprise" to version 7.0.0.5
  3. Stop Server
  4. Enable the Store Enhancement Features
    1. cd WCDE_installdir\bin
    2. enableFeature.bat -DfeatureName=store-enhancements
  5. Publish the Madisons Feature Pack Store Archive:
    1. Publish Madisons-FEP.sar
  6. Enable the Solr foundation
    1. cd WCDE_installdir\bin
    2. enableFeature.bat -DfeatureName=foundation [DsolrHome=C:\IBM\WCDE_ENT70\search\solr\home]
  7. Set up the search index (the WC server must be stopped):
    1. cd 'WCDE_installdir'\components\foundation\subcomponents\search\bin
    2. setupSearchIndex.bat -masterCatalogId 10001 -instance WCDE_ENT70 -dbuser db2admin -dbuserpwd db2admin [-solrhome C:\IBM\WCDE_ENT70\search\solr\home]
    3. To see the log file: \WCDE_ENT70\components\foundation\subcomponents\search\log\wc-search-index-setup.log
    4. On successful completion, the status line should read: Program exiting with exit code: 0
  8. Preprocess the search index (run the di-preprocess.bat file against the search index; the server is still stopped at this point):
    1. cd WCDE_installdir\bin
    2. di-preprocess.bat C:\IBM\WCDE_ENT70\search\pre-processConfig\MC_10001\DB2\ [-fullbuild true] [-localename en_US]
  9. Test the current Solr index to ensure that a request can be recognized: (Server should be started)
    1. http://host_name/solr/Default/select?q=*%3A*
  10. Build out the index (first make sure to start the WC server):
    1. cd WCDE_installdir\bin
    2. di-buildindex.bat -masterCatalogId 10001 
  11. Test the indexed Solr index to ensure results are returning:
    1. http://localhost/solr/MC_10001_CatalogEntry_en_US/select?q=catentry_id:10251
  12. Enable the store to display the search breadcrumb and faceting filters:
    1. Open Management Center
    2. Click "Management Center Tools" menu and select "Store Management"
    3. Select the "Madisons" store and click the "Catalog" tab
    4. check "Search-based navigation"
    5. click Save
  13. Test live on the starter store:
    1. http://localhost/webapp/wcs/stores/servlet/Madisons/index.jsp
    2. http://localhost/webapp/wcs/stores/servlet/en/eliteesite/home