
ADVANCED ATG PROFILE MANAGEMENT

Kate Soglaeva

AGENDA

DAF Servlet Pipeline
Tracking users
Security status
Access control
Auto login
Profile markers
Password management

DAF SERVLET PIPELINE

PAGEFILTER
PageFilter starts the DAF servlet pipeline by calling DynamoHandler, the servlet configured through the startRequestServletName property.

TRACKING USERS

USERS
Users are either anonymous or registered.

Session started: transient profile, transient order
Registration: persistent profile, persistent order

TRACKING ANONYMOUS USERS

1. Store anonymous users

# /atg/userprofiling/ProfileRequestServlet
persistAfterLogout=true
persistentAnonymousProfiles=true

2. Update the required profile properties: every required property of the user item descriptor needs a default value, otherwise an anonymous profile (which has no login or password yet) cannot be written to the repository.

TRACKING REGISTERED USERS

Set up auto-login:

# /atg/userprofiling/CookieManager
sendProfileCookies=true

# /atg/userprofiling/ProfileRequestServlet
verifyBasicAuthentication=false

PROFILEREQUESTSERVLET
creates an instance of /atg/userprofiling/Profile for the request
creates a cookie containing the profile ID of the current guest user
auto-logs the user in when a valid profile cookie or URL parameter is present
maintains persistent information when persistentAnonymousProfiles=true

SECURITY STATUS


SECURITY STATUS VALUES

Value   Login method used
0       Anonymous
1       Auto login by URL parameter
2       Auto login by cookie
3       Login by HTTP basic auth
4       Explicit login or registration over HTTP
5       Explicit login or registration over HTTPS
6       Certificate provided

Group   Explanation
0       The user is unknown
1,2     Auto login. Personalization is fine, but restrict access to sensitive pages.
4,5     Explicit login. Full access.
3,6     Project specific

PROFILEREQUESTSERVLET
Extracts the profile ID from DYN_USER_ID (URL parameter or cookie) and loads that profile.

SECURITY STATUS USAGE

<dsp:droplet name="Compare">
  <dsp:param bean="Profile.securityStatus" name="obj1"/>
  <dsp:param bean="PropertyManager.securityStatusLogin" name="obj2"/>
  <dsp:oparam name="lessthan">
    <!-- send the user to the login form -->
    <dsp:include page="login_form.jsp"></dsp:include>
  </dsp:oparam>
  <dsp:oparam name="default">
    <!-- allow the user to proceed to the protected content -->
    <dsp:include page="protected_content.jsp"></dsp:include>
  </dsp:oparam>
</dsp:droplet>

AUTHENTICATIONSERVLET
provides authentication using the Basic HTTP
authentication mechanism

ACCESS CONTROL

ACCESSCONTROLLER

RULEACCESSCONTROLLER / RULESETSERVICE

<ruleset>
  <accepts>
    <rule op=eq>
      <valueof target="Gender">
      <valueof constant="female">
    </rule>
  </accepts>
</ruleset>

PASSWORD EXPIRATION

# /atg/userprofiling/ExpiredPasswordService
enabled=true
passwordValidForNumDays=30
redirectPath=expirePassword.jsp

# /atg/dynamo/servlet/pipeline/ExpiredPasswordServlet
localUrlsToAllow=/style/css/style1.jsp

Confidential

INSERTING SERVLETS IN THE PIPELINE

STEPS TO CREATE A PIPELINE SERVLET

Extend atg.servlet.pipeline.PipelineableServletImpl
Define a global-scope component
Reset the previous servlet's nextServlet property
Set the new servlet's nextServlet property
Add the servlet to /atg/dynamo/servlet/Initial.initialServices

PIPELINEABLESERVLET

INSERTABLESERVLET

HOW TO USE?
1. Disable unnecessary servlets
2. Add new servlets if required
Ex. Reprice order functionality
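The following is an added example and is not code from these slides or from Oracle ATG. It applies the securityStatus check from the Compare-droplet slide at the pipeline level instead of in each JSP, and wires the servlet in with InsertableServletImpl rather than by resetting nextServlet by hand. The ATG class, method and property names (InsertableServletImpl, passRequest, resolveName, sendLocalRedirect, PropertyManager.securityStatusLogin) are taken from the public ATG API as I recall it and should be checked against the Javadoc of your version; the package, component path, URL prefix and login page are hypothetical.

```java
// Added example, not from the slides or from ATG. Package, paths and defaults are hypothetical.
package example.pipeline;

import java.io.IOException;
import javax.servlet.ServletException;

import atg.servlet.DynamoHttpServletRequest;
import atg.servlet.DynamoHttpServletResponse;
import atg.servlet.pipeline.InsertableServletImpl;
import atg.userprofiling.Profile;
import atg.userprofiling.PropertyManager;

/*
 * Nucleus wiring (hypothetical component path). insertAfterServlet replaces the
 * manual "reset the previous servlet's nextServlet / set the new servlet's
 * nextServlet" steps; inserting after ProfileRequestServlet matters because
 * the Profile component is only resolved for the request from that point on.
 *
 *   # /atg/dynamo/servlet/pipeline/LoginRequiredServlet.properties
 *   $class=example.pipeline.LoginRequiredServlet
 *   $scope=global
 *   insertAfterServlet=/atg/userprofiling/ProfileRequestServlet
 *   propertyManager=/atg/userprofiling/PropertyManager
 *   protectedPrefix=/account/
 *   loginPage=/login.jsp
 *
 *   # /atg/dynamo/servlet/Initial.properties
 *   initialServices+=/atg/dynamo/servlet/pipeline/LoginRequiredServlet
 */
public class LoginRequiredServlet extends InsertableServletImpl {

  private String mProtectedPrefix = "/account/";   // hypothetical default
  private String mLoginPage = "/login.jsp";        // hypothetical default
  private PropertyManager mPropertyManager;

  // Bean accessors so Nucleus can configure the component from its .properties file
  public String getProtectedPrefix() { return mProtectedPrefix; }
  public void setProtectedPrefix(String pPrefix) { mProtectedPrefix = pPrefix; }
  public String getLoginPage() { return mLoginPage; }
  public void setLoginPage(String pPage) { mLoginPage = pPage; }
  public PropertyManager getPropertyManager() { return mPropertyManager; }
  public void setPropertyManager(PropertyManager pManager) { mPropertyManager = pManager; }

  @Override
  public void service(DynamoHttpServletRequest pRequest, DynamoHttpServletResponse pResponse)
      throws IOException, ServletException {
    String uri = pRequest.getRequestURI();
    if (uri != null && uri.startsWith(getProtectedPrefix())) {
      Profile profile = (Profile) pRequest.resolveName("/atg/userprofiling/Profile");
      int status = securityStatusOf(profile);
      // securityStatusLogin is 4 out of the box, so auto-login by URL parameter (1)
      // or cookie (2) is redirected: personalization only, no sensitive pages,
      // exactly the split shown in the security status table.
      int required = getPropertyManager().getSecurityStatusLogin();
      if (status < required) {
        if (isLoggingDebug()) {
          logDebug("securityStatus " + status + " < " + required + " for " + uri + ", redirecting");
        }
        pResponse.sendLocalRedirect(getLoginPage(), pRequest);
        return;   // do not pass the request further down the pipeline
      }
    }
    passRequest(pRequest, pResponse);
  }

  // securityStatus is an int profile property; a missing value is treated as anonymous (0).
  static int securityStatusOf(Profile pProfile) {
    if (pProfile == null) {
      return 0;
    }
    Object value = pProfile.getPropertyValue("securityStatus");
    return (value instanceof Integer) ? ((Integer) value).intValue() : 0;
  }
}
```

Keep the login page itself outside the protected prefix, otherwise the redirect loops. Doing the check in the pipeline means a page author who forgets the Compare droplet does not silently expose protected content.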

PROFILE MARKERS

USER PROFILE MARKERS

PASSWORD

PASSWORD HASHING
ATG 10.0: /atg/userprofiling/PropertyManager
ATG 10.1: /atg/userprofiling/InternalPropertyManager

ATG 10.1 OOTB PASSWORD HASHING

SHA-256 algorithm with a random salt; the result is iteratively rehashed.

ATG 10.0 OOTB PASSWORD HASHING

MD5 algorithm, result encoded in base 16 (hex). No salt and a single fast digest: identical passwords produce identical stored values and one precomputed table cracks every account at once, so treat this scheme as legacy.
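The two schemes side by side, as an added example in plain JDK Java. This is not ATG's implementation and not its stored format: the salt length, iteration count and the iterations$salt$hash record layout are my own choices for the illustration. It shows why the 10.1 scheme is stronger (a fresh salt per record, many digest rounds) and how a stored hash is verified without leaking timing.

```java
// Added example, not ATG code. Record layout and parameters are this example's own.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

public final class PasswordHashing {
  private static final int SALT_BYTES = 16;
  private static final int ITERATIONS = 10_000;   // chosen for the example
  private static final SecureRandom RNG = new SecureRandom();

  // 10.0 style: MD5 of the UTF-8 password, hex ("base 16") encoded. No salt, one round:
  // the same password always yields the same string, so one precomputed table fits all users.
  public static String md5Hex(String password) {
    byte[] d = digest("MD5").digest(password.getBytes(StandardCharsets.UTF_8));
    StringBuilder sb = new StringBuilder(d.length * 2);
    for (byte b : d) {
      sb.append(String.format("%02x", b));
    }
    return sb.toString();
  }

  // 10.1 style: random salt, SHA-256, result rehashed ITERATIONS times.
  // Stored as "iterations$base64(salt)$base64(hash)" so verify() can recompute it.
  public static String saltedSha256(String password) {
    byte[] salt = new byte[SALT_BYTES];
    RNG.nextBytes(salt);
    byte[] hash = iterate(password, salt, ITERATIONS);
    return ITERATIONS + "$"
        + Base64.getEncoder().encodeToString(salt) + "$"
        + Base64.getEncoder().encodeToString(hash);
  }

  // Salt is mixed into every round so the chain cannot be precomputed per password.
  private static byte[] iterate(String password, byte[] salt, int iterations) {
    MessageDigest md = digest("SHA-256");
    md.update(salt);
    byte[] h = md.digest(password.getBytes(StandardCharsets.UTF_8));
    for (int i = 1; i < iterations; i++) {
      md.reset();
      md.update(salt);
      h = md.digest(h);
    }
    return h;
  }

  // Recompute from the stored salt/iterations and compare in constant time.
  public static boolean verify(String password, String stored) {
    String[] parts = stored.split("\\$");
    if (parts.length != 3) {
      return false;
    }
    int iterations = Integer.parseInt(parts[0]);
    byte[] salt = Base64.getDecoder().decode(parts[1]);
    byte[] expected = Base64.getDecoder().decode(parts[2]);
    byte[] actual = iterate(password, salt, iterations);
    return MessageDigest.isEqual(expected, actual);   // constant-time comparison
  }

  private static MessageDigest digest(String algorithm) {
    try {
      return MessageDigest.getInstance(algorithm);
    } catch (NoSuchAlgorithmException e) {
      throw new IllegalStateException(algorithm + " not available", e);
    }
  }

  public static void main(String[] args) {
    String pw = "Tr0ub4dor&3";   // constructed sample password
    System.out.println("MD5/hex (10.0 style):     " + md5Hex(pw));
    String record1 = saltedSha256(pw);
    String record2 = saltedSha256(pw);   // same password, different salt, different record
    System.out.println("salted SHA-256 (10.1):    " + record1);
    System.out.println("same password, new salt:  " + record2);
    System.out.println("verify correct password:  " + verify(pw, record1));
    System.out.println("verify wrong password:    " + verify("wrong", record1));
  }
}
```

Run it twice and compare: the MD5 line is identical each time, the salted records never are. MessageDigest.isEqual is used instead of Arrays.equals so that a mismatch does not return early and leak how many leading bytes matched.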

DISABLE PASSWORD HASHING

Passwords will be stored and compared in clear text. Any read of the profile table (a database dump, a backup, a SQL injection) then yields every credential directly; never run with hashing disabled outside a throwaway development environment.

PASSWORDRULECHECKER


THANK YOU!
QUESTIONS?