Thursday, January 14, 2016

Duplicate Emails issue in IBM WCS


Getting Duplicate Emails

Configuring your store to avoid sending multiple marketing e-mails to the same e-mail address

Procedure

1.       Open the WebSphere Commerce configuration file.

2.       Locate the section of the file that starts with the <Instance element.

3.       Within the <Instance element, add the attribute filterDuplicateEmails="true", as shown in the following example:

<Instance BootstrapMulti="wcs.bootstrap_multi_en_US.xml,"

               . . . . . . . . .

              InstanceName="demo"

              filterDuplicateEmails="true"

              InstanceType="local"

              . . . . . . . . . . .

              WCSInstallDir="D:\WebSphere\CommerceServer70"

              WorkspacePath="" />

4.       Save and close the file.

5.       Propagate the changes to the WebSphere Commerce configuration file.
Posted by at 2 comments:
Labels:

Enhancing security in IBm WCS

Enhancing security in IBm WCS
1.       Protecting against Cross-site Scripting (XSS) Attacks
What a Cross Site Scripting vulnerability?
Cross-site Scripting allows an attacker to alter the behavior of your site in many ways, such as inserting HTML, running JavaScript or displaying images.
How it occur :
Lets take below line of code :
<li class=”current”>${searchTerm}</li>
 
http://<servername>/webapp/wcs/stores/servlet/SearchDisplay?categoryId=&storeId=10001&catalogId=10001&langId=-1&sType=SimpleSearch&resultCatEntryType=2&showResultsPage=true&searchSource=Q&pageView=&beginIndex=0&pageSize=12&searchTerm=boys+shirts
 
If someone were to modify this to something malicious, similar to the following:
http://<servername>/webapp/wcs/stores/servlet/SearchDisplay?categoryId=&storeId=10001&catalogId=10001&langId=-1&sType=SimpleSearch&resultCatEntryType=2&showResultsPage=true&searchSource=Q&pageView=&beginIndex=0&pageSize=12&searchTerm=%3C/div%3E%3Cimg%20src=http://%3Cservername%3E/%3Csomeimage%3E.jpg%3E%3Cdiv%3E
It will produce unwanted result.
To control it :
<li class=”current”><wcf:out value=”${searchTerm}”/></li>
This code By converting to HTML Entities, the browser will display the text as entered instead of running it as though it was a script (HTML, JavaScript, ect.).
Using the above example, the input was encoded into HTML entities similar to the following:
</div><img src=http://<servername>/<someimage>.jpg><div>
Although the XSiteScriptingProtection is enabled in wc-server.xml for the Store by default, it didn't stop this particular case. The OOTB prohibitedChar rules are defined to stop script tags.  Adding all possible HTML tags could impact both performance and store functionality.
 
Refer : Protectingagainst Cross-site Scripting (XSS) Attacks
2.       Enabling WhiteList data validation
When enabled, WhiteList data validation ensures that when a URL command or view is run, the parameter values conform to a specified regular expression. For example, you can configure it so that the storeId must be an integer. When a WhiteList violation is detected, the request is changed to the ProhibCharEncodingErrorView view. WhiteList data validation is disabled by default.
 
Procedure
1.       Open the WebSphere Commerce configuration file.
2.       Search for the following element outside of the <Module> element:
<XSiteScriptingProtection display="false" enabled="true" name="Cross Site Scripting Protection">
3.       Insert the following sample WhiteList configuration before the preceding element, and modify it to suit your business needs:
<WhiteListProtection enabled="true" name="WhiteListProtection" display="false">
   <param name="storeId" regex="[-]?[0-9]*"/>
   <param name="langId" regex="[-]?[0-9]*"/>
   <param name="catalogId" regex="[-]?[0-9]*"/>
   <param name="categoryId" regex="[-]?[0-9]*"/>
   <param name="productId" regex="[-]?[0-9]*"/>
   <param name="parent_category_rn" regex="[-]?[0-9]*"/>
   <param name="physicalStoreId" regex="[-]?[0-9]*"/>
   <param name="geoNodeId" regex="[-]?[0-9]*"/> 
</WhiteListProtection>
<XSiteScriptingProtection display="false" enabled="true" name="Cross Site Scripting Protection">
Where:
WhiteListProtection.enabled
Global flag to enable or disable WhiteList data validation. Valid values are true or false.
WhiteListProtection.param.name
The name of the parameter to be validated.
WhiteListProtection.param.regex
The regular expression that defines the allowed values. The regular expression syntax is based on the standard that is used by Java.
For the regular expression syntax, see the Sun Class Pattern Java API documentation.
WhiteListProtection.param.maxLength
The maximum number of characters allowed.
4.       In each web module that requires WhiteList data validation, search for the corresponding Module element. For example, the Stores web module element:
<Module contextPath="/webapp/wcs/stores" fileServletEnabled="false" name="Stores"
   urlMappingPath="/servlet" webAlias="/wcsstore">
   <InitParameters adapters="XML/HTTP, BrowserAdapter" contextSetName="Store" handleDoubleClick="true"/>
   <URLRedirectFilter enable="true"/>
</Module>
5.       Insert a WhiteListProtection element to enable this feature for that web module:
<WhiteListProtection enable="true"/>
For instance, to enable WhiteList data validation in the Stores web module, the WhiteListProtection element is added in the following snippet in bold:
 
<Module contextPath="/webapp/wcs/stores" fileServletEnabled="false" name="Stores"
   urlMappingPath="/servlet" webAlias="/wcsstore">
   <InitParameters adapters="XML/HTTP, BrowserAdapter" contextSetName="Store" handleDoubleClick="true"/>
   <URLRedirectFilter enable="true"/>
   <WhiteListProtection enable="true"/>
</Module>
Note: If the WhiteListProtection element is not specified for a web module, the default WhiteListProtection value is false (WhiteList data validation disabled).
6.       Start your WebSphere Commerce instance if it is not already started.
Posted by at No comments:
Labels:

Tuesday, January 12, 2016

Encrypting data using EncryptionFactory in IBM WCS


Encrypting data using EncryptionFactory in IBM WCS
The following are the encryption providers that you can use for encrypting / decrypting data:
ActiveProvider: This provider is responsible for encrypting and decrypting sensitive data to be stored in the database, for example credit card numbers. The encryption key is the merchant key.
SessionProvider: This provider is responsible for encrypting and decrypting external facing data such as values in a cookie. The encryption key is the session key.
To retrieve a particular encryption provider, call this method:
EncryptionFactory.getInstance().getProvider("name of provider")
To encrypt data that uses an encryption provider, call the encrypt() method. For example, to encrypt data to be stored in the database, use the ActiveProvider (merchant key):

com.ibm.commerce.foundation.common.util.encryption.EncryptionFactory.getInstance()

.getProvider("com.ibm.commerce.server.ECConstants.EC_ENCRYPTION_ACTIVEPROVIDER")

.encrypt("myDataToEncrypt");
 
Similarly, to decrypt data that uses an encryption provider, call the decrypt() method. For example, to decrypt data from the database, use the ActiveProvider (merchant key):

com.ibm.commerce.foundation.common.util.encryption.EncryptionFactory.getInstance()

.getProvicer("com.ibm.commerce.server.ECConstants.EC_ENCRYPTION_ACTIVEPROVIDER")

.decrpypt("myEncryptedData");
Posted by at No comments:
Labels:

Immediately send password reset notification e-mails

Configure WebSphere Commerce to immediately send password reset notification e-mails
When a user resets their password, by default the request is queued in the MSGSTORE table and the temporary password is not e-mailed to the customer until the SendTransactedMsg scheduled job is run.
To modify the behavior of the reset password notification logic, select one of the following solutions:
1. Increase the frequency of the SendTransactedMsg scheduled job, which sends out the temporary password notification e-mail. This might not be ideal as you might still experience some delay based on the frequency of the scheduled job.
You can modify the scheduled job's frequency by updating the Schedule interval value in the WebSphere Commerce Administration Console. 

2. Recommended: Leverage the sendImmediate () method within SendPasswordNotificationCmdImpl.performExecute() as SendPasswordNotificationCmdImpl makes use of the sendTransacted() method, which stores the reset password notification in the MSGSTORE table. For more information on the default behavior of SendPasswordNotificationCmdImpl, 

       SendMsgCmd sendMsgCmd = (SendMsgCmd)CommandFactory.createCommand(
                                "com.ibm.commerce.messaging.commands.SendMsgCmd", getStoreId());
                    sendMsgCmd.setMsgType("PasswordNotify");
                    sendMsgCmd.setStoreID(getStoreId());
                    TypedProperty tp = new TypedProperty();
                    tp.put("resetPasswordUrl", passwordNotifyMsg);
                    tp.put("LANGUAGE_ID", getCommandContext().getLanguageId());
                    sendMsgCmd.compose("NDFPasswordNotify", getCommandContext(), tp);
                    sendMsgCmd.sendImmediate();
                    sendMsgCmd.setCommandContext(getCommandContext());
                    sendMsgCmd.execute();


If you want the password reset notification e-mails to be sent to customers immediately after the request is made, you must extend and replace SendPasswordNotificationCmdImpl.performExecute() to use sendImmediate() rather than sendTransacted(). This sends the message directly to the customer instead of queuing it in the MSGSTORE table and waiting for the SendTransactedMsg job to run.

public void sendImmediate()
This method sends the message immediately to recipients. The caller is blocked until the message has been sent.

public void sendTransacted()

This method stores the message in the MSGSTORE database table. At a predetermined time, the WebSphere Commerce scheduler invokes a job that sends all messages stored in batch mode. Using this method ensures that a send occurs only after the caller has committed or terminated successfully. This method should be used if blocking a call using the sendImmediate() method cannot be tolerated.
Posted by at No comments:
Labels:

Configure the X-Frame-Options header settings

                    Configure the X-Frame-Options header settings
Configure the X-Frame-Options header settings to help you protect your site against Clickjacking. Clickjacking is a technique that tricks a web user into clicking a malicious site, thinking that it is your site. This malicious site can then reveal confidential information or take control of the user's computer.


Procedure
Include the X-Frame-Options header with a response. The Feature Pack 8 Aurora store has the X-Frame-Options header enabled in Stores.war/Aurora/Common/EnvironmentSetup.jspf. You can include this X-Frame-Options header by using one of the following options:

•             Use the IBM HTTP Server (IHS)
Enabling the header with IHS is the more popular technique and this technique ensures that the header is included with all responses. To include the X-Frame-Options header, use a command that is similar to the following command, which appends the X-Frame-Options header SAMEORIGIN to responses:
      Header always append X-Frame-Options SAMEORIGIN
         •             Use the WebSphere Commerce application.
            1.            Go to the following directory:
                            Store_archivedir/Aurora/common
            2.            Open the EnvironmentSetup.jspf for editing and add the following line of code:
                           response.setHeader("X-Frame-Options","SAMEORIGIN");

            3.            Save and close the file.


Refer : Configure the X-Frame-Options header settings
Posted by at 1 comment:
Labels:

Wednesday, December 16, 2015

Set limits to the shopping cart in ibm wcs

set limits to the shopping cart

1. Open the xml/config/com.ibm.commerce.order/wc-admin-component.xml file. The default values are shown in the following code snippet:
<_config:extendedconfiguration>
  <_config:configgrouping name="ShoppingCartThreshold">
    <_config:property name="size" value="10000" />
    <_config:property name="quantity" value="10000" />
    <_config:property name="defaultPageSize" value="100" />
    <_config:property name="maximumPageSize" value="100" />
  </_config:configgrouping>
  <_config:configgrouping name="RequisitionListThreshold">
    <_config:property name="size" value="10000" />
    <_config:property name="quantity" value="10000" />
  </_config:configgrouping>
  <_config:configgrouping name="RMAThreshold">
    <_config:property name="size" value="2000" />
    <_config:property name="quantity" value="2000" />
  </_config:configgrouping>
  <_config:configgrouping name="OrderHistoryThreshold">
    <_config:property name="defaultPageSize" value="100" />
    <_config:property name="maximumPageSize" value="100" />
  </_config:configgrouping>
  <_config:configgrouping name="RMAHistoryThreshold">
    <_config:property name="defaultPageSize" value="100" />
    <_config:property name="maximumPageSize" value="100" />
  </_config:configgrouping>
</_config:extendedconfiguration>
Where:
ShoppingCartThreshold
size
The maximum number of order items that can be added to the shopping cart.
quantity
The maximum amount of one specific order item that can be added to the shopping cart (related to UOM, default UOM: C62.).
You can specify multiple quantity thresholds for different UOMs. For example:
<_config:property name="quantity_C1" value="100" />
<_config:property name="quantity_C2" value="1000" />
<_config:property name="quantity_C3" value="10000" />
defaultPageSize
The number of order items that are displayed on the shopping cart page when no paging parameters are passed.
maximumPageSize
The maximum number of order items that are displayed on the shopping cart page.
RequisitionListThreshold
size
The maximum number of order items that can be added to a requisition list.
quantity
The maximum amount of one specific order item that can be added to a requisition list.
You can specify multiple quantity thresholds for different UOMs. For example:
<_config:property name="quantity_C1" value="100" />
<_config:property name="quantity_C2" value="1000" />
<_config:property name="quantity_C3" value="10000" />
RMAThreshold
size
The maximum number of items to be returned.
quantity
The maximum amount of one specific order item to be returned.
OrderHistoryThreshold
defaultPageSize
The number of orders that are displayed on the order history page when no paging parameters are passed.
maximumPageSize
The maximum number of orders that are displayed on the order history page.
RMAHistoryThreshold
defaultPageSize
The number of RMA displayed on the return history page when no paging parameters are passed.
maximumPageSize
The maximum number of orders that are displayed on the return history page.
Save and close the file.

Refer : Set limits to the shopping cart in ibm wcs
Posted by at No comments:
Labels:

Thursday, December 3, 2015

Display Espot data and fetch Espot content in command

Espot display through JSP :
<c:import url="../../include/eMarketingSpotDisplay.jsp">
   <c:param name="emsName" value="EspotName" />
   <c:param name="catalogId" value="${WCParam.catalogId}" />  
</c:import>


Getting content of Espot in command:

String triggerParameters = MarketingUtilClient.createTriggerParametersString(ESPOT_NAME, "", "", "", null); // ESPOT_NAME <-- name of ESPOT
List marketingSpotData = client.getMarketingSpotData(triggerParameters);
MarketingSpotDataTypeImpl mkt = (MarketingSpotDataTypeImpl) marketingSpotData.get(0);


Here Client is: com.ibm.commerce.marketing.facade.client.MarketingFacadeClient
Posted by at No comments:
Labels:
Subscribe to: Posts (Atom)