Post on 13-Dec-2014
Kate Soglaeva
ADVANCED ATG PROFILE MANAGEMENT

AGENDA
• DAF servlet pipeline
• Tracking users
• Security status
• Access control
• Auto login
• Profile markers
• Password management
DAF SERVLET PIPELINE
PageFilter starts the DAF servlet pipeline by calling DynamoHandler
PAGEFILTER
startRequestServletName
TRACKING USERS

USERS
• anonymous
• registered
USERS
Session started:
• Transient profile
• Transient order
Registration:
• Persistent profile
• Persistent order
TRACKING ANONYMOUS USERS
1. Store anonymous users:
# /atg/userprofiling/ProfileRequestServlet
persistAfterLogout=true
persistentAnonymousProfiles=true
2. Update required properties
TRACKING REGISTERED USERS
Set up auto-login:
CookieManager: sendProfileCookies=true
ProfileRequestServlet: verifyBasicAuthentication=false
Note: a session restored this way only reaches the auto-login security status (cookie or URL parameter), so sensitive pages must still require an explicit login.
PROFILEREQUESTSERVLET
• creates an instance of /atg/userprofiling/Profile
• creates a cookie containing the Profile ID of the current guest user
• auto-logs the user in
• maintains persistent information: persistentAnonymousProfiles=true
SECURITY STATUS

SECURITY STATUS VALUES
Value  Login method used
0      Anonymous
1      Auto login by URL parameter
2      Auto login by cookie
3      Login by HTTP basic auth
4      Explicit login or registration over HTTP
5      Explicit login or registration over HTTPS
6      Certificate provided

Group  Explanation
0      The user is unknown
1,2    Auto login. Personalization is fine, but access to sensitive pages must be restricted.
4,5    Explicit login. Full access
3,6    Project specific
PROFILEREQUEST
Extracts the profile by DYN_USER_ID
SECURITY STATUS USAGE
<dsp:droplet name="Compare">
  <dsp:param bean="Profile.securityStatus" name="obj1"/>
  <dsp:param bean="PropertyManager.securityStatusLogin" name="obj2"/>
  <dsp:oparam name="lessthan">
    <!-- send the user to the login form -->
    <dsp:include page="login_form.jsp"></dsp:include>
  </dsp:oparam>
  <dsp:oparam name="default">
    <!-- allow the user to proceed to the protected content -->
    <dsp:include page="protected_content.jsp"></dsp:include>
  </dsp:oparam>
</dsp:droplet>
AUTHENTICATIONSERVLET
Provides authentication using the HTTP Basic authentication mechanism
ACCESS CONTROL

ACCESSCONTROLLER

RULEACCESSCONTROLLER / RULESETSERVICE
<ruleset>
  <accepts>
    <rule op=eq>
      <valueof target="Gender">
      <valueof constant="female">
    </rule>
  </accepts>
</ruleset>
PASSWORD EXPIRATION
# /atg/userprofiling/ExpiredPasswordService
enabled=true
passwordValidForNumDays=30
redirectPath=expirePassword.jsp

# /atg/dynamo/servlet/pipeline/ExpiredPasswordServlet
localUrlsToAllow=/style/css/style1.jsp

localUrlsToAllow lists the local URLs that may still be served to a user whose password has expired; here it allows the stylesheet used by the expirePassword.jsp page the user is redirected to.
INSERTING SERVLETS IN THE PIPELINE

STEPS TO CREATE A PIPELINE SERVLET
1. Extend atg.servlet.pipeline.PipelineableServletImpl
2. Define a globally scoped component
3. Point the previous servlet's nextServlet property at the new servlet
4. Set the new servlet's nextServlet property
5. Add the servlet to /atg/dynamo/servlet/Initial.initialServices

PIPELINEABLESERVLET / INSERTABLESERVLET

HOW TO USE?
1. Disable unnecessary servlets
2. Add new servlets if required (ex. reprice order functionality)
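The following is an added example, not code from these slides or from the ATG product: a pipeline servlet that applies the same Profile.securityStatus versus PropertyManager.securityStatusLogin comparison as the SECURITY STATUS USAGE slide, but enforces it in the DAF pipeline for every request under a protected URL prefix instead of in each JSP. It uses InsertableServletImpl so the nextServlet rewiring of the previous step is done by the insertAfterServlet property. The package, component path, protected prefix and login page are assumptions chosen for illustration.

```java
package com.example.pipeline; // hypothetical package, not part of ATG

import java.io.IOException;
import javax.servlet.ServletException;

import atg.servlet.DynamoHttpServletRequest;
import atg.servlet.DynamoHttpServletResponse;
import atg.servlet.pipeline.InsertableServletImpl;
import atg.userprofiling.Profile;
import atg.userprofiling.PropertyManager;

/**
 * Refuses to serve URLs below a protected prefix unless the session's
 * Profile.securityStatus is at least PropertyManager.securityStatusLogin.
 * Auto-login by URL parameter or cookie (status 1 and 2) is below that
 * threshold, so an auto-logged-in visitor is sent to the login form and
 * must authenticate explicitly before seeing protected content.
 *
 * Assumed wiring (illustration only, not an ATG component):
 *
 *   # /com/example/pipeline/ProtectedPathServlet.properties
 *   $class=com.example.pipeline.ProtectedPathServlet
 *   $scope=global
 *   # run after ProfileRequestServlet so the session Profile already exists
 *   insertAfterServlet=/atg/userprofiling/ProfileRequestServlet
 *   propertyManager=/atg/userprofiling/PropertyManager
 *   protectedPathPrefix=/account/
 *   loginPage=/login_form.jsp
 *
 *   # /atg/dynamo/servlet/Initial.properties
 *   initialServices+=/com/example/pipeline/ProtectedPathServlet
 */
public class ProtectedPathServlet extends InsertableServletImpl {

  private PropertyManager mPropertyManager;
  private String mProtectedPathPrefix = "/account/";
  private String mLoginPage = "/login_form.jsp";

  public PropertyManager getPropertyManager() { return mPropertyManager; }
  public void setPropertyManager(PropertyManager pPropertyManager) { mPropertyManager = pPropertyManager; }
  public String getProtectedPathPrefix() { return mProtectedPathPrefix; }
  public void setProtectedPathPrefix(String pPrefix) { mProtectedPathPrefix = pPrefix; }
  public String getLoginPage() { return mLoginPage; }
  public void setLoginPage(String pLoginPage) { mLoginPage = pLoginPage; }

  @Override
  public void service(DynamoHttpServletRequest pRequest, DynamoHttpServletResponse pResponse)
      throws IOException, ServletException {
    if (isProtected(pRequest) && !meetsLoginStatus(pRequest)) {
      if (isLoggingDebug()) {
        logDebug("securityStatus too low for " + pRequest.getRequestURI() + ", redirecting to login");
      }
      // The login page must not live under the protected prefix, or this redirects forever.
      pResponse.sendLocalRedirect(getLoginPage(), pRequest);
      return; // stop here: the request is not passed further down the pipeline
    }
    passRequest(pRequest, pResponse);
  }

  /** True when the request path (context path stripped) starts with the protected prefix. */
  boolean isProtected(DynamoHttpServletRequest pRequest) {
    String uri = pRequest.getRequestURI();
    String ctx = pRequest.getContextPath();
    if (ctx != null && !ctx.isEmpty() && uri.startsWith(ctx)) {
      uri = uri.substring(ctx.length());
    }
    return uri.startsWith(getProtectedPathPrefix());
  }

  /** Same test as the JSP Compare droplet: Profile.securityStatus >= PropertyManager.securityStatusLogin. */
  boolean meetsLoginStatus(DynamoHttpServletRequest pRequest) {
    Profile profile = (Profile) pRequest.resolveName("/atg/userprofiling/Profile");
    if (profile == null) {
      return false; // no profile in this session at all: treat as anonymous
    }
    Object value = profile.getPropertyValue(getPropertyManager().getSecurityStatusPropertyName());
    int status = (value instanceof Number)
        ? ((Number) value).intValue()
        : getPropertyManager().getSecurityStatusAnonymous(); // missing value counts as anonymous
    return status >= getPropertyManager().getSecurityStatusLogin();
  }
}
```

Because the threshold is read from PropertyManager rather than hard-coded, a project that maps HTTP basic auth or certificates (status 3 and 6) to "full access" only has to adjust the comparison in one place.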
PROFILE MARKERS
USER PROFILE MARKERS
PASSWORD
PASSWORD HASHING
ATG 10.0: /atg/userprofiling/PropertyManager/
ATG 10.1: /atg/userprofiling/InternalPropertyManager/

ATG 10.1 OOTB PASSWORD HASHING
SHA-256 algorithm with a random salt, iteratively rehashing the result.

ATG 10.0 OOTB PASSWORD HASHING
MD5 algorithm, with the result encoded in base 16 (hex). No salt is involved, so equal passwords produce equal stored hashes.

DISABLE PASSWORD HASHING
Passwords will be stored and compared in clear text. Acceptable only in a throwaway development environment, never with production data.
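To make the difference between the two out-of-the-box schemes concrete, here is an added, standalone sketch; it is not ATG's PasswordHasher code, and the salt length, iteration count, salt feeding per round and the "salt$hash" storage layout are assumptions made for the example. It shows that unsalted MD5 hex gives the same string for the same password every time, while the salted, iterated SHA-256 scheme produces a different string per user and is verified by recomputing with the stored salt and comparing in constant time.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

/** Illustrative only: not ATG's PasswordHasher; parameters below are assumptions. */
public final class PasswordHashingDemo {

  private static final int ITERATIONS = 10_000; // assumed round count
  private static final int SALT_BYTES = 16;     // assumed salt length

  /** ATG 10.0 style: MD5 of the password, base-16 (hex) encoded, no salt. */
  static String md5Hex(String password) throws NoSuchAlgorithmException {
    byte[] digest = MessageDigest.getInstance("MD5").digest(password.getBytes(StandardCharsets.UTF_8));
    StringBuilder sb = new StringBuilder(digest.length * 2);
    for (byte b : digest) sb.append(String.format("%02x", b));
    return sb.toString();
  }

  /** ATG 10.1 style: SHA-256 over salt+password, rehashed ITERATIONS times; stored as "salt$hash". */
  static String saltedSha256(String password, byte[] salt) throws NoSuchAlgorithmException {
    MessageDigest md = MessageDigest.getInstance("SHA-256");
    md.update(salt);
    byte[] h = md.digest(password.getBytes(StandardCharsets.UTF_8));
    for (int i = 1; i < ITERATIONS; i++) {
      md.reset();
      md.update(salt);   // salt fed into every round (assumption for this sketch)
      h = md.digest(h);
    }
    Base64.Encoder enc = Base64.getEncoder();
    return enc.encodeToString(salt) + "$" + enc.encodeToString(h);
  }

  /** Hash a new password with a fresh random salt. */
  static String hash(String password) throws NoSuchAlgorithmException {
    byte[] salt = new byte[SALT_BYTES];
    new SecureRandom().nextBytes(salt);
    return saltedSha256(password, salt);
  }

  /** Verify by recomputing with the stored salt; constant-time compare avoids timing leaks. */
  static boolean verify(String password, String stored) throws NoSuchAlgorithmException {
    String[] parts = stored.split("\\$", 2);
    if (parts.length != 2) return false; // malformed record, never "accept"
    byte[] salt = Base64.getDecoder().decode(parts[0]);
    String recomputed = saltedSha256(password, salt);
    return MessageDigest.isEqual(recomputed.getBytes(StandardCharsets.US_ASCII),
                                 stored.getBytes(StandardCharsets.US_ASCII));
  }

  public static void main(String[] args) throws Exception {
    String pw = "correct horse battery"; // constructed sample password
    // Unsalted MD5: identical hashes reveal identical passwords across accounts.
    System.out.println("MD5 hex #1: " + md5Hex(pw));
    System.out.println("MD5 hex #2: " + md5Hex(pw));
    // Salted, iterated SHA-256: two users with the same password get different records.
    String a = hash(pw);
    String b = hash(pw);
    System.out.println("salted #1:  " + a);
    System.out.println("salted #2:  " + b);
    System.out.println("records differ: " + !a.equals(b));
    System.out.println("verify correct: " + verify(pw, a) + ", verify wrong: " + verify("wrong", a));
  }
}
```

When migrating a 10.0 database, existing MD5 records cannot be converted offline to the salted form because the plaintext is unknown; rehash each user on their next successful login instead.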
PASSWORDRULECHECKER
THANK YOU! QUESTIONS?