我是 Spartacus 店面开发的新手,但在 Hybris/SAP Commerce 工作了几年,
设置 spartacus 我注意到在 AuthenticationService 中,客户可以从任何基础商店通过 REST API 登录。调用只需使用用户电子邮件/ID 和密码转到 hybris,然后通过商店的身份验证。
是否有可能仅将用户从一个 basestore 限制到特定的 spartacus 店面?或所述用户的组。只是不要将斯巴达克斯店面暴露给所有客户......
谢谢
【问题讨论】:
我们做了一个RequiredRoleMatchingFilter extends AbstractUrlMatchingFilter
检查BaseSite 级别上的自定义角色属性(UserGroupModel)
像这样的
private static final String ROLE_PREFIX = "ROLE_";
private BaseSiteService baseSiteService;
@Override
protected void doFilterInternal(final HttpServletRequest request, final HttpServletResponse response,
final FilterChain filterChain) throws ServletException, IOException {
final Authentication auth = getAuth();
boolean isCustomer = false;
if (hasRole(ROLE_CUSTOMERGROUP, auth) || hasRole(ROLE_CUSTOMERMANAGERGROUP, auth)) {
isCustomer = true;
}
final Optional<BaseSiteModel> currentBaseSite = Optional.ofNullable(getBaseSiteService().getCurrentBaseSite());
if (isCustomer && currentBaseSite.isPresent() && currentBaseSite.get().getRequiredRole() != null) {
final UserGroupModel requiredRole = currentBaseSite.get().getRequiredRole();
final String REQUIRED_ROLE = ROLE_PREFIX + requiredRole.getUid().toUpperCase();
if (hasRole(REQUIRED_ROLE, auth)) {
LOG.debug("Authorized as " + requiredRole.getUid());
} else {
// could not match the authorized role
throw new AccessDeniedException("Access is denied");
}
}
filterChain.doFilter(request, response);
}
【讨论】: