on 2019 Feb 08 4:45 PM
I have a method which can be accessed by both anonymous and registered users.

```java
@Secured({ "ROLE_GUEST", "ROLE_CUSTOMERMANAGERGROUP", "ROLE_TRUSTED_CLIENT", "ROLE_CUSTOMERGROUP" })
@RequestMapping(value = "/{cartId}/addtocart", method = RequestMethod.POST)
@ResponseBody
@ApiOperation(value = "Saves the coverage options to the cart.",
        notes = "Saves the coverage options to the cart.",
        authorizations = { @Authorization(value = "oauth2_client_credentials") })
@ApiBaseSiteIdUserIdAndCartIdParam
public CartWsDTO saveCoverageOptions(
        @ApiParam(value = "CoverageWsDTO productId, priceId, isSelected", required = true)
        @RequestBody(required = true) final CoverageWsDTO coverageWsDTO,
        @ApiParam(value = "Response configuration (list of fields, which should be returned in response)",
                allowableValues = "BASIC, DEFAULT, FULL")
        @RequestParam(required = false, defaultValue = DEFAULT_FIELD_SET) final String fields)
{
    // method body not included in the original post
}
```

{{host}}/abcwebservices/v2/insurance/users/gomathi@jenkins.com/carts/769d379a-63c3-4f98-80b4-1f286e1d78ab/addtocart
I generated an anonymous token, and when I pass the registered user's username and cart guid, I am able to access it. Why is this happening?
Also, I am getting the same OAuth token from different machines for the anonymous users.
{{host}}/{{authorizationserver}}/oauth/token?client_id=abcservices&client_secret=secret&grant_type=client_credentials
Because of that, one anonymous user is able to access another anonymous user's cart as well.
Please help.
Hi
1) You are not generating an anonymous user token - you are generating a client application token (client_credentials grant type). And your client has ROLE_TRUSTED_CLIENT - that means you should be careful with using it, because it has got specific, extended rights (make sure you are using it in a safe way so that nobody can see its client_secret).
2) You are getting the same OAuth token from different machines because the Spring implementation of the OAuth server works this way (and this implementation is used here). If there is already a generated token for the given client or user, it will return the existing one.
3) Access to an anonymous cart is done by its guid and is not restricted. So if you know the guid you can access the cart. Such behaviour allows assigning such a cart to the user after he logs in.
Check 'Registered Customer' scenario : https://help.hybris.com/1811/hcd/8b9e95cf866910148348c3bcab4be0b6.html
4) In the title you wrote that 'Anonymous user able to access registered user cart' - and this should not be possible (the logic responsible for this is in DefaultCartLoaderStrategy). But you have described the opposite situation - when a registered user took over an anonymous user's cart.
Logged in to xxyy.ca.
Added an item to the cart.
Copied the URL for the add-item-to-cart call from Chrome's Inspect Element.
I logged out.
5a. Now opened another window and accessed xxyy.ca as an anonymous user.
6a. Added an item to the cart as an anonymous user.
8a. Copied the URL.
9a. Copied the anonymous OAuth token:
Bearer 09985dac-c6f4-4d6e-855f-d7040840d652 - This token was created using the TRUSTED_CLIENT. The password is not revealed; instead the token is generated in the backend and only the token is returned to the front end.
Opened Postman.
https://www.xxyy.ca/xxyycacommercewebservices/v2/xxyyca/users/mail4test@gmail.com/carts/C0097345396 - GET cart call. Actually, this is my registered user's cart,
with the anonymous token which I got from step 9a: "Bearer 09985dac-c6f4-4d6e-855f-d7040840d652"
Since the get cart call should be accessible by both anonymous and registered users, if I have the anonymous token and the registered user's cartId and email id, I am able to get his cart and also I am able to delete the cart. GET and DELETE cart are out-of-the-box methods. How is this possible? What kind of token then do I have to use for the anonymous user?
As I already wrote, you have a token with ROLE_TRUSTED_CLIENT, and because of that you have extended rights, e.g. you can make requests for another user. Because of that you can access another user's cart. The logic for this is defined in UserMatchingFilter.
Calls for anonymous users can be done without any token. Check the 'OCC Users role' section in https://help.hybris.com/1811/hcd/8c189dc48669101496b594a9bb97a11b.html
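To make the two answers concrete, here is an added illustration (not hybris code, and not the real UserMatchingFilter) of the user-matching decision they describe: anonymous paths need no token, a customer token only matches its own user id, and a client token that carries ROLE_TRUSTED_CLIENT is allowed to act for any user. The class, record and role names other than ROLE_TRUSTED_CLIENT and ROLE_CUSTOMERGROUP are assumptions, and the sample callers are constructed.

```java
import java.util.Set;

// Added illustration: simplified model of the user-matching rule described in the
// answers above. Not the actual hybris implementation; names are assumptions.
public class UserMatchingCheck {
    static final String ANONYMOUS = "anonymous";
    static final String ROLE_TRUSTED_CLIENT = "ROLE_TRUSTED_CLIENT";
    static final String ROLE_CUSTOMERGROUP = "ROLE_CUSTOMERGROUP";

    /** Caller identity from the bearer token: principal name plus granted roles. */
    record Caller(String principal, Set<String> roles) {}

    /**
     * Decide whether the caller may act on /users/{userId}/... .
     * - the anonymous user path is open, with or without a token
     * - a registered user's path needs a token
     * - ROLE_TRUSTED_CLIENT may act for any user (the extended right the answer warns about)
     * - otherwise the token's principal must equal the user id in the path
     */
    static boolean mayAccessUser(Caller caller, String userId) {
        if (ANONYMOUS.equals(userId)) {
            return true;
        }
        if (caller == null) {
            return false;
        }
        if (caller.roles().contains(ROLE_TRUSTED_CLIENT)) {
            return true;
        }
        return userId.equals(caller.principal());
    }

    public static void main(String[] args) {
        // Constructed sample callers for the three situations in the thread
        Caller trustedClient = new Caller("abcservices", Set.of(ROLE_TRUSTED_CLIENT, "ROLE_CLIENT"));
        Caller plainClient   = new Caller("abcservices", Set.of("ROLE_CLIENT"));
        Caller customer      = new Caller("alice@example.com", Set.of(ROLE_CUSTOMERGROUP));

        // client_credentials token of a client holding ROLE_TRUSTED_CLIENT reaches any user's cart
        System.out.println("trusted client -> bob: " + mayAccessUser(trustedClient, "bob@example.com"));
        // the same client without ROLE_TRUSTED_CLIENT is confined to the anonymous path
        System.out.println("plain client -> bob: " + mayAccessUser(plainClient, "bob@example.com"));
        System.out.println("plain client -> anonymous: " + mayAccessUser(plainClient, ANONYMOUS));
        // a customer token only matches its own user id
        System.out.println("alice -> alice: " + mayAccessUser(customer, "alice@example.com"));
        System.out.println("alice -> bob: " + mayAccessUser(customer, "bob@example.com"));
        // anonymous cart access needs no token at all
        System.out.println("no token -> anonymous: " + mayAccessUser(null, ANONYMOUS));
    }
}
```

The practical consequence is the one the answers give: a front end that fetches its own token with a client holding ROLE_TRUSTED_CLIENT hands every browser a token that passes the trusted-client branch, so the client used for anonymous calls should not carry that role (or no token should be used for anonymous calls at all).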