WCS – ACCESS CONTROL POLICY

posted in: Tech Blog | 13

ACP – The Introductory Overview

WebSphere Commerce's access control framework performs an access check to decide whether a given user may perform a given action on a given resource. The rules behind that decision are defined in XML files and are called Access Control Policies (ACPs); at runtime they are enforced by the access control policy manager. This post walks through how ACPs are defined, loaded, disabled for debugging and troubleshot in WCS.

When a user attempts to act on a protected resource, the access control policy manager first determines which policies apply to that resource, then evaluates them to decide whether the user is allowed to perform the requested action. The framework runs alongside the security that WebSphere Application Server provides; it complements that layer and does not replace it.


Every access check involves the same four elements.
1) User: the people who use a resource to perform some task. Users must belong to the relevant user groups, because the framework evaluates policies against groups rather than individuals. Roles are the usual attribute that decides membership of an access group, and roles are assigned to users per organization.

2) Action: an activity that a user can perform on a resource. Actions must be grouped into the relevant action groups, which the framework needs to make the check. A common action in a store is a View, which is invoked to display a store page to customers. Every view a store uses must be declared as an action and assigned to an action group before it can be accessed; a view that is not declared is refused.

3) Resource: an entity that is protected. Resources must be grouped into the relevant resource groups, which the framework needs to make the check. For a controller command such as MyCustomCmd the protected resource is the command itself; for a View it is the view command that renders the page.

4) Relationship: the relationship between the User and the Resource. A policy may require a particular relationship to hold before access is granted. For example, users may be allowed to display only the orders they themselves created: the action and the resource match for anybody's order, and it is the relationship check that stops one customer from viewing another's.
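As an added illustration (a model written for this post, not WebSphere Commerce's own code), the check can be expressed as: a request is granted when some policy's user group contains the user, its action group contains the action, its resource group contains the resource's class, and its relationship, if any, holds between the two. The group names, role names, sample users and the "creator" relationship below are assumptions chosen to mirror the text; the point of the example is the default-deny behaviour and the relationship check that separates a customer's own order from somebody else's.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

# --- Constructed data for the example (not WCS's real tables) -------------

@dataclass
class User:
    user_id: str
    roles: Set[str]          # roles held in the store's organization; guests have none

@dataclass
class Resource:
    category: str            # the protected class, e.g. "OrderDataBean"
    owner_id: str = ""       # member who created it (empty for commands/views)

@dataclass
class Policy:
    user_group: str
    action_group: str
    resource_group: str
    relationship: Optional[str] = None

# User groups are predicates on the user (membership is role-based, as in the text).
USER_GROUPS: Dict[str, Callable[[User], bool]] = {
    "AllUsers": lambda u: True,
    "RegisteredCustomers": lambda u: "Registered Customer" in u.roles,
}
# Action groups and resource groups are plain sets of names.
ACTION_GROUPS: Dict[str, Set[str]] = {
    "AllSiteUsersViews": {"MyCustomView"},
    "DisplayOrder": {"Display"},
}
RESOURCE_GROUPS: Dict[str, Set[str]] = {
    "ViewCommandResourceGroup": {"ViewCommand"},
    "OrderDataResourceGroup": {"OrderDataBean"},
}
# Relationships are predicates over (user, resource).
RELATIONSHIPS: Dict[str, Callable[[User, Resource], bool]] = {
    "creator": lambda u, r: r.owner_id == u.user_id,
}
POLICIES: List[Policy] = [
    # anyone may invoke the views declared in AllSiteUsersViews
    Policy("AllUsers", "AllSiteUsersViews", "ViewCommandResourceGroup"),
    # registered customers may display only the orders they created
    Policy("RegisteredCustomers", "DisplayOrder", "OrderDataResourceGroup", "creator"),
]

def is_allowed(user: User, action: str, resource: Resource,
               policies: List[Policy] = POLICIES) -> bool:
    """Grant when at least one policy matches on all four elements; deny otherwise.

    Default deny is what makes an undeclared view fail: an action that is in
    no action group can never satisfy a policy.
    """
    for p in policies:
        if not USER_GROUPS[p.user_group](user):
            continue
        if action not in ACTION_GROUPS[p.action_group]:
            continue
        if resource.category not in RESOURCE_GROUPS[p.resource_group]:
            continue
        if p.relationship and not RELATIONSHIPS[p.relationship](user, resource):
            continue
        return True
    return False

# Sample users and resources (constructed).
alice = User("alice", {"Registered Customer"})
bob = User("bob", {"Registered Customer"})
guest = User("guest-1", set())
alice_order = Resource("OrderDataBean", owner_id="alice")
store_view = Resource("ViewCommand")

if __name__ == "__main__":
    print(is_allowed(guest, "MyCustomView", store_view))    # True: declared view, open to all
    print(is_allowed(alice, "Display", alice_order))        # True: her own order
    print(is_allowed(bob, "Display", alice_order))          # False: relationship fails
    print(is_allowed(guest, "UndeclaredView", store_view))  # False: not in any action group
```

Note that bob is a registered customer and "Display" on an OrderDataBean is exactly what the second policy permits; he is refused purely because the creator relationship does not hold. That is the kind of check a command must request through getResources() (see the implementation section below), since the command-level check alone cannot tell one customer's order from another's.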

ACP – The Implementation Overview

There are two ways to put an access control policy into WCS. One is to run SQL directly against the access control tables. The other is to describe the policy in an XML file and load it with the acpload utility. In lower environments the direct queries are a quick way to finish the job, but in higher environments manual changes are not advisable: the XML file records exactly which Views and Commands are being opened up and to which groups, it can be reviewed and version-controlled, and the utility validates it against the DTD before anything touches the database. The XML holds the View or Command declarations and their group memberships, and you load it with the ACP utility from the command prompt.

Follow the below steps to run Access Control Policy in WCS:

a) Create an XML file for what you need, i.e. Views, Commands or both; sample files for each case are given below. Note that AllSiteUsersViews and AllSiteUserCmdResourceGroup, which the samples use, are the groups that the default policies open to every site user, guests included. Add a view or command there only if it is meant to be public; anything that changes data or exposes customer data belongs in a narrower group under a policy of its own.

b) Put the XML file in the policies directory:
Server Location: /opt/IBM/WebSphere/CommerceServer80/xml/policies/xml
Local Location: C:\IBM\WCDE80\xml\policies\xml

c) Open a command prompt, go to the bin directory (C:\IBM\WCDE80\bin in the toolkit, /opt/IBM/WebSphere/CommerceServer80/bin on the server) and run the utility. The parameters are the same on both platforms:
Command Syntax (Windows): acpload db_name db_user db_password inputXMLFile [schema_name]
or
Command Syntax (Linux/UNIX): ./acpload.sh db_name db_user db_password inputXMLFile [schema_name]

db_name: Name of the database in which to load the policy.
db_user: Name of the database user who can connect to the database.
db_password: The password for that database user.
inputXMLFile: The policy XML file that specifies what policy data to load.
schema_name (optional): The name of the target database schema. This is normally the same as db_user.

Execute Script:
C:\IBM\WCDE80\bin>acpload xyzdborcl WCV8USER Password-1 MyCustomAccessPolicy.xml WCV8USER
or (from /opt/IBM/WebSphere/CommerceServer80/bin on the server)
$ ./acpload.sh xyzdborcl WCV8USER Password-1 MyCustomAccessPolicy.xml WCV8USER

Be aware that db_password is passed as a plain command-line argument: it is written to the shell history and is visible to other users on the host in the process list while acpload runs. Run the load from a shell whose history is disabled or cleared afterwards, and treat any job log that echoes the command line as sensitive.

d) After a successful run, two more files appear next to the input file:
MyCustomAccessPolicy_xmltrans.xml (the XML transformed for the ID resolver utility)
MyCustomAccessPolicy_idres.xml (the ID-resolved file handed to the mass loader)
They are worth keeping when a load fails: the ID resolver is the step that maps group, action and category names to primary keys, so a misspelt or undeclared name normally shows up at that stage, before anything is loaded.

ACP – XML FILE FOR SINGLE VIEW ONLY
<?xml version="1.0" encoding="ISO-8859-1" standalone="no" ?>
<!DOCTYPE Policies SYSTEM "../dtd/accesscontrolpolicies.dtd">

<Policies>
   <Action Name="MyCustomView" CommandName="MyCustomView">
   </Action>
   
   <ActionGroup Name="AllSiteUsersViews" OwnerID="RootOrganization">
       <ActionGroupAction Name="MyCustomView"/>
   </ActionGroup>
</Policies>
ACP – XML FILE FOR MULTIPLE VIEW
<?xml version="1.0" encoding="ISO-8859-1" standalone="no" ?>
<!DOCTYPE Policies SYSTEM "../dtd/accesscontrolpolicies.dtd">

<Policies>
   <Action Name="MyCustomView1" CommandName="MyCustomView1"/>
   <Action Name="MyCustomView2" CommandName="MyCustomView2"/>
   <Action Name="MyCustomView3" CommandName="MyCustomView3"/>
   <Action Name="MyCustomView4" CommandName="MyCustomView4"/>

   <ActionGroup Name="AllSiteUsersViews" OwnerID="RootOrganization">
       <ActionGroupAction Name="MyCustomView1"/>
       <ActionGroupAction Name="MyCustomView2"/>
       <ActionGroupAction Name="MyCustomView3"/>
       <ActionGroupAction Name="MyCustomView4"/>
   </ActionGroup>
</Policies>
ACP – XML FILE FOR SINGLE COMMAND ONLY
<?xml version="1.0" encoding="ISO-8859-1" standalone="no" ?>
<!DOCTYPE Policies SYSTEM "../dtd/accesscontrolpolicies.dtd">

<Policies>
   <Action Name="ExecuteCommand" CommandName="Execute">
   </Action>

   <ResourceCategory Name="com.ibm.commerce.sample.MyCustomCmdResourceCategory"
       ResourceBeanClass="com.ibm.commerce.sample.MyCustomCmd">
       <ResourceAction Name="ExecuteCommand"/>
   </ResourceCategory>

   <ResourceGroup Name="AllSiteUserCmdResourceGroup" OwnerID="RootOrganization">
       <ResourceGroupResource Name="com.ibm.commerce.sample.MyCustomCmdResourceCategory" />
   </ResourceGroup>
</Policies>
ACP – XML FILE FOR MIX SET OF VIEW AND COMMAND
<?xml version="1.0" encoding="ISO-8859-1" standalone="no" ?>
<!DOCTYPE Policies SYSTEM "../dtd/accesscontrolpolicies.dtd">

<Policies>
   <Action Name="MyCustomView1" CommandName="MyCustomView1"/>
   <Action Name="MyCustomView2" CommandName="MyCustomView2"/>
   <Action Name="MyCustomView3" CommandName="MyCustomView3"/>
   <Action Name="MyCustomView4" CommandName="MyCustomView4"/>

   <ActionGroup Name="AllSiteUsersViews" OwnerID="RootOrganization">
       <ActionGroupAction Name="MyCustomView1"/>
       <ActionGroupAction Name="MyCustomView2"/>
       <ActionGroupAction Name="MyCustomView3"/>
       <ActionGroupAction Name="MyCustomView4"/>
   </ActionGroup>

   <ResourceCategory Name="com.ibm.commerce.sample.MyCustomCmdResourceCategory"
       ResourceBeanClass="com.ibm.commerce.sample.MyCustomCmd">
       <ResourceAction Name="ExecuteCommand"/>
   </ResourceCategory>

   <ResourceGroup Name="AllSiteUserCmdResourceGroup" OwnerID="RootOrganization">
       <ResourceGroupResource Name="com.ibm.commerce.sample.MyCustomCmdResourceCategory"/>
   </ResourceGroup>
</Policies>
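A policy file is only as safe as its contents, and acpload's ID resolver is a slow place to find out that a name was misspelt. The following pre-flight lint is an added example written for this post (it is not part of WebSphere Commerce or the acpload utility): it parses a policy XML, lists every ActionGroupAction, ResourceAction and ResourceGroupResource whose target is not declared in the same file, and separately lists everything the file adds to the two site-wide groups from the samples above so that each such entry gets a deliberate decision. The SITE_WIDE_GROUPS set and the function name are this example's own; the embedded sample is the mixed file above, reduced, with two constructed slips (MyCustomView2 and OtherCmdResourceCategory are referenced but never declared).

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple, Union

# Groups that the default policies open to every site user, guests included.
SITE_WIDE_GROUPS = {"AllSiteUsersViews", "AllSiteUserCmdResourceGroup"}

# Constructed sample: the post's mixed file, reduced, with two deliberate
# slips (an action and a resource category that are referenced but never declared).
SAMPLE_POLICY = """<?xml version="1.0" encoding="ISO-8859-1" standalone="no" ?>
<!DOCTYPE Policies SYSTEM "../dtd/accesscontrolpolicies.dtd">
<Policies>
   <Action Name="MyCustomView1" CommandName="MyCustomView1"/>
   <Action Name="ExecuteCommand" CommandName="Execute"/>

   <ActionGroup Name="AllSiteUsersViews" OwnerID="RootOrganization">
       <ActionGroupAction Name="MyCustomView1"/>
       <ActionGroupAction Name="MyCustomView2"/>
   </ActionGroup>

   <ResourceCategory Name="com.ibm.commerce.sample.MyCustomCmdResourceCategory"
       ResourceBeanClass="com.ibm.commerce.sample.MyCustomCmd">
       <ResourceAction Name="ExecuteCommand"/>
   </ResourceCategory>

   <ResourceGroup Name="AllSiteUserCmdResourceGroup" OwnerID="RootOrganization">
       <ResourceGroupResource Name="com.ibm.commerce.sample.MyCustomCmdResourceCategory"/>
       <ResourceGroupResource Name="com.ibm.commerce.sample.OtherCmdResourceCategory"/>
   </ResourceGroup>
</Policies>
"""

def lint_policy(xml_doc: Union[str, bytes]) -> Tuple[List[str], List[str]]:
    """Return (unresolved, site_wide) findings for one policy file.

    unresolved: names referenced by a group/category but not declared in this
                file. acpload's ID resolver looks them up in the database, so
                they are legitimate only if the row already exists there.
    site_wide:  every view or command this file adds to a group that all site
                users can reach; each one deserves a deliberate decision.
    """
    data = xml_doc.encode("iso-8859-1") if isinstance(xml_doc, str) else xml_doc
    # stdlib expat does not fetch the SYSTEM DTD or resolve external entities;
    # internal entity-expansion bombs are a separate concern (use defusedxml
    # for files you do not control).
    root = ET.fromstring(data)

    actions = {a.get("Name") for a in root.iter("Action")}
    categories = {c.get("Name") for c in root.iter("ResourceCategory")}
    unresolved, site_wide = [], []

    for group in root.iter("ActionGroup"):
        for ref in group.iter("ActionGroupAction"):
            if ref.get("Name") not in actions:
                unresolved.append(f"ActionGroup {group.get('Name')} -> Action {ref.get('Name')}")
            if group.get("Name") in SITE_WIDE_GROUPS:
                site_wide.append(f"{ref.get('Name')} added to {group.get('Name')}")

    for cat in root.iter("ResourceCategory"):
        for ref in cat.iter("ResourceAction"):
            if ref.get("Name") not in actions:
                unresolved.append(f"ResourceCategory {cat.get('Name')} -> Action {ref.get('Name')}")

    for group in root.iter("ResourceGroup"):
        for ref in group.iter("ResourceGroupResource"):
            if ref.get("Name") not in categories:
                unresolved.append(f"ResourceGroup {group.get('Name')} -> ResourceCategory {ref.get('Name')}")
            if group.get("Name") in SITE_WIDE_GROUPS:
                site_wide.append(f"{ref.get('Name')} added to {group.get('Name')}")

    return unresolved, site_wide

if __name__ == "__main__":
    for kind, findings in zip(("unresolved", "site-wide"), lint_policy(SAMPLE_POLICY)):
        for finding in findings:
            print(f"{kind}: {finding}")
```

Treat the unresolved list as review items rather than hard failures: "Execute" and the stock groups already exist in a standard database, so a file that only references them is fine. The site-wide list is the one to read in a change review, because every line in it is a view or command that a guest will be able to call once the file is loaded.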
ACP – DB QUERY FOR SINGLE VIEW
Selection query (run the insertion queries only if this returns no rows; a non-empty result means the view is already in a group and a second insert would duplicate it):
SELECT * FROM ACACTGRP WHERE ACACTGRP_ID IN (SELECT ACACTGRP_ID FROM ACACTACTGP WHERE ACACTION_ID IN (SELECT ACACTION_ID FROM ACACTION WHERE ACTION = 'MyCustomView'));

Insertion and update queries (run all three in one transaction, so that a failure part-way leaves nothing behind):
INSERT INTO ACACTION (ACACTION_ID, ACTION) VALUES ((SELECT COUNTER FROM KEYS WHERE TABLENAME='acaction'), 'MyCustomView');

INSERT INTO ACACTACTGP (ACACTGRP_ID,ACACTION_ID) VALUES ((SELECT ACACTGRP_ID FROM ACACTGRP WHERE GROUPNAME = 'AllSiteUsersViews' AND MEMBER_ID IN (SELECT ORGENTITY_ID FROM ORGENTITY WHERE ORGENTITYNAME ='Root Organization') ),(SELECT ACACTION_ID FROM ACACTION WHERE ACTION='MyCustomView'));

UPDATE KEYS SET COUNTER = COUNTER+1 WHERE TABLENAME = 'acaction';

Rollback queries (the association row first, then the action):
DELETE FROM ACACTACTGP WHERE ACACTION_ID IN (SELECT ACACTION_ID FROM ACACTION WHERE ACTION='MyCustomView');

DELETE FROM ACACTION WHERE ACTION ='MyCustomView';
ACP – DB QUERY FOR SINGLE COMMAND
Selection query (run the insertion queries only if this returns no rows; a non-empty result means the command is already registered as a resource category):
SELECT * FROM ACRESCGRY WHERE RESCLASSNAME = 'com.ibm.commerce.sample.MyCustomCmd';

Insertion and update queries (run all four in one transaction):
INSERT INTO ACRESCGRY(ACRESCGRY_ID,RESCLASSNAME) VALUES((SELECT MAX(ACRESCGRY_ID)+1 FROM ACRESCGRY),'com.ibm.commerce.sample.MyCustomCmd');

INSERT INTO ACRESACT(ACRESCGRY_ID,ACACTION_ID) VALUES((SELECT ACRESCGRY_ID FROM ACRESCGRY WHERE RESCLASSNAME = 'com.ibm.commerce.sample.MyCustomCmd'),(SELECT ACACTION_ID FROM ACACTION WHERE ACTION = 'Execute'));

INSERT INTO ACRESGPRES(ACRESGRP_ID,ACRESCGRY_ID) VALUES((SELECT ACRESGRP_ID FROM ACRESGRP WHERE GRPNAME = 'AllSiteUserCmdResourceGroup'),(SELECT ACRESCGRY_ID FROM ACRESCGRY WHERE RESCLASSNAME = 'com.ibm.commerce.sample.MyCustomCmd'));

UPDATE KEYS SET COUNTER=COUNTER+1 WHERE TABLENAME ='acrescgry';

Rollback queries (child rows first, then the category row):
DELETE FROM ACRESGPRES WHERE ACRESCGRY_ID IN (SELECT ACRESCGRY_ID FROM ACRESCGRY WHERE RESCLASSNAME='com.ibm.commerce.sample.MyCustomCmd');

DELETE FROM ACRESACT WHERE ACRESCGRY_ID IN (SELECT ACRESCGRY_ID FROM ACRESCGRY WHERE RESCLASSNAME='com.ibm.commerce.sample.MyCustomCmd');

DELETE FROM ACRESCGRY WHERE RESCLASSNAME='com.ibm.commerce.sample.MyCustomCmd';

Whichever set you run, remember that policy data is cached in memory: after changing these tables directly, update the access control registry from the Administration Console (or restart the server) before testing, otherwise the old decision is still being served. Commit the inserts only after re-running the selection query and seeing the rows you expect.
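Before typing the single-view statements into a real database it is worth rehearsing them end to end. The block below is an added example for this post (not IBM's code or the original author's): it builds a throwaway in-memory SQLite copy of the four tables the view queries touch, trimmed to the columns those queries use and seeded with constructed rows (a Root Organization id, the AllSiteUsersViews group and a KEYS counter), then runs the guard, the three inserts as one transaction, and the rollback. The statements are the post's own with the view name bound as a parameter; the post's assumption that KEYS.COUNTER holds the next free ACACTION_ID is kept unchanged. Function names and the seed ids are this example's own.

```python
import sqlite3
from typing import List

VIEW = "MyCustomView"

# Trimmed table shapes and constructed seed rows (ids are made up for the rehearsal).
SCHEMA = """
CREATE TABLE ORGENTITY  (ORGENTITY_ID INTEGER PRIMARY KEY, ORGENTITYNAME TEXT);
CREATE TABLE KEYS       (TABLENAME TEXT PRIMARY KEY, COUNTER INTEGER);
CREATE TABLE ACACTION   (ACACTION_ID INTEGER PRIMARY KEY, ACTION TEXT UNIQUE);
CREATE TABLE ACACTGRP   (ACACTGRP_ID INTEGER PRIMARY KEY, GROUPNAME TEXT, MEMBER_ID INTEGER);
CREATE TABLE ACACTACTGP (ACACTGRP_ID INTEGER, ACACTION_ID INTEGER,
                         PRIMARY KEY (ACACTGRP_ID, ACACTION_ID));
INSERT INTO ORGENTITY VALUES (-2001, 'Root Organization');
INSERT INTO ACACTGRP  VALUES (10000, 'AllSiteUsersViews', -2001);
INSERT INTO KEYS      VALUES ('acaction', 10001);   -- assumed: next free ACACTION_ID
"""

# The post's statements; '?' is bound to the view name.
GUARD = """
SELECT * FROM ACACTGRP WHERE ACACTGRP_ID IN
  (SELECT ACACTGRP_ID FROM ACACTACTGP WHERE ACACTION_ID IN
    (SELECT ACACTION_ID FROM ACACTION WHERE ACTION = ?))"""
INSERTS = [
    """INSERT INTO ACACTION (ACACTION_ID, ACTION)
       VALUES ((SELECT COUNTER FROM KEYS WHERE TABLENAME = 'acaction'), ?)""",
    """INSERT INTO ACACTACTGP (ACACTGRP_ID, ACACTION_ID) VALUES (
         (SELECT ACACTGRP_ID FROM ACACTGRP WHERE GROUPNAME = 'AllSiteUsersViews'
            AND MEMBER_ID IN (SELECT ORGENTITY_ID FROM ORGENTITY
                              WHERE ORGENTITYNAME = 'Root Organization')),
         (SELECT ACACTION_ID FROM ACACTION WHERE ACTION = ?))""",
    "UPDATE KEYS SET COUNTER = COUNTER + 1 WHERE TABLENAME = 'acaction'",
]
ROLLBACK = [
    "DELETE FROM ACACTACTGP WHERE ACACTION_ID IN (SELECT ACACTION_ID FROM ACACTION WHERE ACTION = ?)",
    "DELETE FROM ACACTION WHERE ACTION = ?",
]

def open_rehearsal_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con

def view_is_granted(con: sqlite3.Connection, view: str = VIEW) -> bool:
    """The selection query: a non-empty result means the view is already in a group."""
    return con.execute(GUARD, (view,)).fetchone() is not None

def _run(con: sqlite3.Connection, statements: List[str], view: str) -> None:
    with con:  # one transaction: either every statement lands or none does
        for sql in statements:
            con.execute(sql, (view,) * sql.count("?"))

def grant_view(con: sqlite3.Connection, view: str = VIEW) -> bool:
    """Apply the insert set only when the guard is empty; False means it was skipped."""
    if view_is_granted(con, view):
        return False
    _run(con, INSERTS, view)
    return True

def revoke_view(con: sqlite3.Connection, view: str = VIEW) -> None:
    _run(con, ROLLBACK, view)

def action_rows(con: sqlite3.Connection) -> int:
    return con.execute("SELECT COUNT(*) FROM ACACTION").fetchone()[0]

def next_key(con: sqlite3.Connection) -> int:
    return con.execute("SELECT COUNTER FROM KEYS WHERE TABLENAME = 'acaction'").fetchone()[0]

if __name__ == "__main__":
    con = open_rehearsal_db()
    print(grant_view(con), view_is_granted(con), next_key(con))   # True True 10002
    print(grant_view(con))                                         # False: guard blocks a re-run
    revoke_view(con)
    print(view_is_granted(con), action_rows(con))                 # False 0
```

The two things the rehearsal proves are that the guard really does make the change idempotent (a second grant_view is a no-op rather than a duplicate or a key collision) and that the rollback order is right (the association row goes before the action row, so no dangling ACACTACTGP entry survives). The same harness is easy to extend to the command queries, and doing so is how the missing parenthesis in the original ACRESACT rollback would have been caught before it reached a real schema.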
How to disable Access Control Policy:

There are two ways to disable Access Control Policy.
1) Through wc-server.xml

a) Open wc-server.xml (location: WCDE80\workspace\WC\xml\config\wc-server.xml)
b) Search for the "<Instance" tag
c) Add AccessControlUnitTest="true" immediately after "<Instance"
d) Save the file and restart the server.
e) The server will no longer throw any ACP-related exception, because every access check is bypassed. This is a toolkit debugging switch: it turns authorization off for the entire instance, not just for the command you are working on, so never set it on a shared or production server, and remove it again as soon as you have reproduced the problem.

Updated code as:
<Instance
  AccessControlUnitTest="true"
  ChannelOrgDN="ou=Channel Organization,o=Manufacturer Organization,o=Root Organization"
  ConfigFilePath="C:\IBM\WCDE80/conf"
  DefaultLang="-1"
  DefaultStoreAlias="wcsstore"

2) Through controller command.
To disable the access control check for one invocation of a controller command, call setAccCheck(false) on the command before calling execute(). Bear in mind what that does: the called command then runs without its command-level policy check, relying entirely on whatever authority the calling code has already established. Use it only when the caller has itself passed an access check that covers the operation, never as a way to make an authorization error go away. The methods involved in ACP handling within a controller command are:

a) getResources(): implements resource-level access control. It returns the resources the command acts upon, as an AccessVector of resource and action pairs; the framework then checks that the current user may perform the action on each of them. The default implementation returns null, which means no resource-level check is made, so a command that touches user-owned data (an order, an address) should override it, as below:

private AccessVector resources = null;

public AccessVector getResources() throws ECException {
    // Resolve the order once and cache it; the framework checks the current
    // user's relationship to this order before execute() is allowed to run.
    if (resources == null) {
        OrderAccessBean orderAB = new OrderAccessBean();
        orderAB.setInitKey_orderId(getOrderId().toString());
        resources = new AccessVector(orderAB);
    }
    return resources;
}

b) checkIsAllowed(): This method throws an ECApplicationException if the current user is not allowed to perform the specified action on the specified resource. If access is granted, then the method simply returns.

c) accessControlCheck(): This method performs a command level access control check for this command. The default implementation invokes the access control manager to perform the check.This method returns true if the user has authority and false otherwise.

d) getAccCheck(): returns whether the framework should perform the command-level access control check for this command at all; the default returns true. Overriding it to return false, as below, removes the check for every caller of the command, which is a much broader change than the per-call setAccCheck(false) above and should be reserved for commands that are genuinely public.

public boolean getAccCheck()
{
    return false;   // disables the command-level check for all callers of this command
}

Method Calling:
OrderCreateCmd orderObj= (OrderCreateCmd)CommandFactory.createCommand(OrderCreateCmd.NAME, getStoreId());
orderObj.setCommandContext(getCommandContext());
orderObj.setRequestProperties(new TypedProperty());
orderObj.setAccCheck(false);
orderObj.execute();

ACP – The Troubleshoot Overview

Enable the following trace specification (the components are joined with colons into a single string) and reproduce the failure; WC_ACCESSCONTROL is the component that traces the policy evaluation itself.
com.ibm.websphere.commerce.WC_SERVER=all:com.ibm.websphere.commerce.WC_USER=all:com.ibm.websphere.commerce.WC_ACCESSCONTROL=all:com.ibm.commerce.foundation.logging.*=all

Log locations (server path, then toolkit path):
WC_userdir/logs/acpload.log or C:\IBM\WCDE80\logs\acpload.log (output of the acpload utility)
WC_userdir/logs/messages.txt or C:\IBM\WCDE80\logs\messages.txt (runtime messages)

Access Control Policy related table:

ACACTION: stores the actions that can be performed on resources in the system.
ACPOLDESC: stores locale-specific descriptions for rows in ACPOLICY.
ACPOLICY: stores all the access control policies in the system.
ACRESGRP: stores all the access control resource groups in the system.
ACRESGPRES: associates access control resource groups with resource categories (classes).
ACRELATION: stores the relationships between resources and members in the system.
ACRESREL: associates a resource with the relationships it supports.
ACACTGRP: stores all the access control action groups.
ACACTACTGP: stores the association between actions and action groups.
ACRESACT: stores the association between access control resource categories and actions.
ACRESCGRY: stores all the access control resource categories in the system and their metadata.


13 Responses

  1. Evangeline Abbie Wales

    Awesome post. I am a normal visitor of your site and appreciate you taking the time to maintain the nice site. I will be a frequent visitor for a really long time.

  2. Tamqrah Napoleon Ruzich

    You made some good points there. I did a search on the issue and found most people will consent with your site.

  3. Guglielma Nollie Skillern

    Thanks for the blog post. Really looking forward to read more. Really Cool.

  4. Bobbe Henri Eddra

    I for all time emailed this blog post page to all my friends, as if like to read it afterward my links will too.

  5. Karrie Ernst Farrison

    Thanks a lot for the article post. Really thank you! Fantastic.

  6. Leesa Ralph Lesley

    Well I certainly liked learning this. This topic acquired through you is extremely efficient for accurate planning.

  7. Cyndi Dallas Popele

    Hey there! I just wish to offer you a big thumbs up for your great info you have here on this post. I am returning to your site for more soon.

  8. Cecilia Alfons Simmons

    I am truly grateful to the holder of this web site who has shared this great paragraph at this time.