Anonymous user able to access registered user cart

Former Member

I have a method which can be accessed by both anonymous and registered users.

  @Secured(
          { "ROLE_GUEST", "ROLE_CUSTOMERMANAGERGROUP", "ROLE_TRUSTED_CLIENT", "ROLE_CUSTOMERGROUP" })
  @RequestMapping(value = "/{cartId}/addtocart", method = RequestMethod.POST)
  @ResponseBody
  @ApiOperation(value = "Saves the coverage options to the cart.", notes =
          "Saves the coverage options to the cart.", authorizations = {
          @Authorization(value = "oauth2_client_credentials") })
  @ApiBaseSiteIdUserIdAndCartIdParam
  public CartWsDTO saveCoverageOptions(
          @ApiParam(value = "CoverageWsDTO productId, priceId, isSelected ", required = true) @RequestBody(required = true) final CoverageWsDTO coverageWsDTO,
          @ApiParam(value = "Response configuration (list of fields, which should be returned in response)", allowableValues = "BASIC, DEFAULT, FULL") @RequestParam(required = false, defaultValue = DEFAULT_FIELD_SET) final String fields)
  {
          // method body not included in the post
  }

{{host}}/abcwebservices/v2/insurance/users/gomathi@jenkins.com/carts/769d379a-63c3-4f98-80b4-1f286e1d78ab/addtocart

I generated an anonymous token, and when I pass the registered user's username and cart GUID, I am able to access it. Why is this happening?

Also, I am getting the same OAuth token from different machines for the anonymous users.

{{host}}/{{authorizationserver}}/oauth/token?client_id=abcservices&client_secret=secret&grant_type=client_credentials

Because of that, one anonymous user is able to access another anonymous user's cart as well.

Please help.

Accepted Solutions (0)

Answers (2)

former_member747843

Hi
1) You are not generating an anonymous user token; you are generating a client application token (client_credentials grant type). And your client has ROLE_TRUSTED_CLIENT, which means you should be careful using it, because it has specific, extended rights (make sure you are using it in a safe way so that nobody can see its client_secret).

2) You are getting the same OAuth token from different machines because the Spring implementation of the OAuth server works this way (and this implementation is used here). If there is an already generated token for a given client or user, it will return the existing one.

3) Access to an anonymous cart is done by its GUID and is not restricted. So if you know the GUID you can access the cart. Such behaviour allows assigning such a cart to a user after he logs in.
Check the 'Registered Customer' scenario: https://help.hybris.com/1811/hcd/8b9e95cf866910148348c3bcab4be0b6.html

4) In the title you wrote that 'Anonymous user able to access registered user cart', and this should not be possible (the logic responsible for this is in DefaultCartLoaderStrategy). But you have described the opposite situation, when a registered user took over an anonymous user's cart.

Former Member
  1. Logged in to xxyy.ca

  2. Added an item to cart.

  3. Copied the URL for add item to cart from Chrome inspect element

https://www.xxyy.ca/xxyycacommercewebservices/v2/xxyyca/users/mail4test@gmail.com/carts/C0097345396/...

  4. I logged out.

5a. Now open another window and access xxyy.ca as an anonymous user.

6a. Add an item to cart as an anonymous user.

8a. Copied the URL

https://www.xxyy.ca/xxyycacommercewebservices/v2/xxyyca/users/anonymous/carts/30a63826-93bc-4771-ac9...

9a. Copied the anonymous OAuth token

Bearer 09985dac-c6f4-4d6e-855f-d7040840d652. This token was created using the TRUSTED_CLIENT. The password is not revealed. Instead, the token is generated in the backend, which returns just the token to the front end.

Former Member

Open Postman

https://www.xxyy.ca/xxyycacommercewebservices/v2/xxyyca/users/mail4test@gmail.com/carts/C0097345396 - GET cart call. Actually, this is my registered user cart.

With the anonymous token which I got from step 9a: "Bearer 09985dac-c6f4-4d6e-855f-d7040840d652"

Since the get cart call should be accessible by both anonymous and registered users, if I have the anonymous token and the registered user's cartId and email id, I am able to get his cart and also I am able to delete the cart. GET cart and DELETE CART are out-of-the-box methods. How is this possible? What kind of token then do I have to use for an anonymous user?

former_member747843

As I already wrote, you have a token with ROLE_TRUSTED_CLIENT, and because of that you have extended rights, e.g. you can make a request for another user. Because of that you can access another user's cart. The logic for this is defined in UserMatchingFilter.
Calls for an anonymous user can be done without any token. Check the 'OCC Users role' section in https://help.hybris.com/1811/hcd/8c189dc48669101496b594a9bb97a11b.html
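To make the distinction in this answer concrete, the following Java snippet is an added illustration (not Hybris's UserMatchingFilter, and every class and method name in it is an assumption) of the three cases the thread turns on: a ROLE_TRUSTED_CLIENT token may address any userId in the path, an anonymous call needs no token but is bound to the "anonymous" user, and a customer token only matches its own userId.

```java
import java.util.Set;

// Simplified model of the user-matching decision described in the thread.
// Class and method names are hypothetical; this is not the real filter.
public class CartAccessPolicy {

    public enum Decision { ALLOW, DENY }

    /**
     * @param roles       authorities carried by the bearer token (empty set = no token)
     * @param tokenUserId user the token was issued for (null for client tokens or no token)
     * @param pathUserId  the {userId} segment of the OCC URL
     */
    public static Decision check(Set<String> roles, String tokenUserId, String pathUserId) {
        // A trusted client may act on behalf of any user. This is the reason a
        // client_credentials token handed to the browser reaches another customer's cart,
        // so such a token must never be exposed as an "anonymous" token.
        if (roles.contains("ROLE_TRUSTED_CLIENT")) {
            return Decision.ALLOW;
        }
        // Anonymous calls are made against the "anonymous" user without any token;
        // the anonymous cart is then selected by its GUID.
        if ("anonymous".equals(pathUserId)) {
            return Decision.ALLOW;
        }
        // A customer token may only address the user it was issued for.
        if (roles.contains("ROLE_CUSTOMERGROUP") && pathUserId.equals(tokenUserId)) {
            return Decision.ALLOW;
        }
        return Decision.DENY;
    }

    public static void main(String[] args) {
        // Case 1: the thread's scenario, a trusted-client token addressing a registered user's cart.
        System.out.println("trusted client -> registered user: "
                + check(Set.of("ROLE_TRUSTED_CLIENT"), null, "mail4test@gmail.com"));
        // Case 2: the proper anonymous call, no token and userId = anonymous.
        System.out.println("no token -> anonymous: "
                + check(Set.of(), null, "anonymous"));
        // Case 3: a customer token (constructed sample user) addressing a different user.
        System.out.println("customer token -> other user: "
                + check(Set.of("ROLE_CUSTOMERGROUP"), "other@example.com", "mail4test@gmail.com"));
    }
}
```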
