How to block certain URLs access for some user type in Hybris?

Scenario:

How to block certain URLs access for some user type in Hybris?

Solution:

In general, we should maintain spring Authorities/group for such users so that it can be blocked from spring-security. But in my case, I don't have that choice. There are already many userType which can be identified when the user logged in and stored it in session. Here I have to use same. So I have decided to use Spring AOP to serve my aspect around the point-cut(custom annotation). In this post, I am not going to cover AOP in detail. If you don't know anything about Spring AOP. You should first explore it first.
1. Create Annotation AllowUsers and BlockUsers
package com.hybris.storefront.annotations;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;


@Retention(RetentionPolicy.RUNTIME)
@Target(
{ ElementType.METHOD })
public @interface AllowUsers
{
    String[] roles();
}
Like the way, you can create BlockUsers annotation. We want this annotation on method level so you can see @Target as ElementType.METHOD.
2. Create Aspect
package com.hybris.storefront.handler;

import javax.annotation.Resource;
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.reflect.MethodSignature;
import com.hybris.extended.service.HybrisB2BUnitService;
import com.hybris.extended.util.StaticStringUtils;
import com.hybris.storefront.annotations.AllowUsers;
import com.hybris.storefront.annotations.BlockUsers;

public class UsersRoleValidationHandler
{

    public static final String REDIRECT_TO_HOME = "redirect:/";

    @Resource
    private HybrisB2BUnitService hybrisB2BUnitService;

    public Object validateUserAccess(final ProceedingJoinPoint pjp) throws Throwable
    {
        final MethodSignature methodSignature = (MethodSignature) pjp.getSignature();
        final AllowUsers allowUsersAnnotation = methodSignature.getMethod().getAnnotation(AllowUsers.class);
        if (allowUsersAnnotation != null)
        {
            String[] roles = allowUsersAnnotation.roles();
            if (roles != null && roles.length > 0 && !isUserMatchWithRole(roles))
            {
                return REDIRECT_TO_HOME;
            }
        }

        final BlockUsers blockUsersAnnotation = methodSignature.getMethod().getAnnotation(BlockUsers.class);
        if (blockUsersAnnotation != null)
        {
            String[] roles = blockUsersAnnotation.roles();
            if (roles != null && roles.length > 0 && isUserMatchWithRole(roles))
            {
                return REDIRECT_TO_HOME;
            }
        }

        return pjp.proceed();
    }

    private boolean isUserMatchWithRole(String[] roles)
    {
        for (String role : roles)
        {
            switch (role)
            {
                case StaticStringUtils.TYPE1_CUSTOMER:
                    if (hybrisB2BUnitService.isType1Customer())
                    {
                        return true;
                    }
                    break;
                case StaticStringUtils.TYPE2_CUSTOMER:
                    if (hybrisB2BUnitService.isType2Customer())
                    {
                        return true;
                    }
            }
        }
        return false;
    }
}
This class is an aspect, in which we first fetch define roles from annotation and cross check with the current user role. If match we will allow the method to proceed pjp.proceed() otherwise redirect to home.
3. configure AOP and bean in spring-mvc-config.xml
<alias name="defaultUsersRoleValidationHandler" alias="usersRoleValidationHandler" />
<bean id='defaultUsersRoleValidationHandler' class="com.hybris.storefront.handler.UsersRoleValidationHandler" />


<aop:config proxy-target-class="true">
    <aop:pointcut id="usersRoleValidationPoint"  expression="@annotation(com.hybris.storefront.annotations.AllowUsers) || @annotation(com.hybris.storefront.annotations.BlockUsers)" />
    <aop:aspect ref="defaultUsersRoleValidationHandler">
        <aop:around pointcut-ref="usersRoleValidationPoint" method="validateUserAccess" />
    </aop:aspect>
</aop:config>
Here point-cut match if calling method has AllowUser or BlockUsers annotation. If match, our bean/aspect method will be triggered.
4. Add Annotation at request matching method.
@AllowUsers(roles = { StaticStringUtils.TYPE1_CUSTOMER, StaticStringUtils.TYPE1_CUSTOMER})

@BlockUsers(roles = { StaticStringUtils.TYPE2_CUSTOMER, StaticStringUtils.TYPE3_CUSTOMER})
Author Image

Ankitkumar Patel

Sr. SAP Hybris consultant, having 15+ years experience in SAP Commerce Cloud (Hybris), SAP Spartacus. Extensive experience in SAP Hybris development, third-party integrations, project architecture and design... Read more

Comments

Post a Comment

Popular posts from this blog

Hybris flexible search query examples

Use of Enum in the query Find all running Solr Index jobs select {cj.code},{enum:code},{cj.startTime},{cj.endTime} from { SolrIndexerCronJob! as cj join EnumerationValue as enum on {cj.status}={enum.pk} } where {enum:code} = 'RUNNING' Compare Date in the flexiblesearch query Find all running Solr Index jobs from the given date select {cj.code},{enum:code},{cj.startTime},{cj.endTime} from { SolrIndexerCronJob! as cj join EnumerationValue as enum on {cj.status}={enum.pk} } where {enum:code} = 'RUNNING' and {cj.startTime} >= TO_DATE('2021/12/25','YYYY/MM/DD') Basic  JOIN  and  IN  query Get the most recent order for each customer using flexible search. select {o.code} as orderCode, {c.name} as name, {a.cellphone} as cellphone from {order as o join Customer as c on {c.pk} = {o.user} join Address as a on {o.deliveryaddress} = {a.pk} } where {o.code} in ({{select max({cod
Read more

How to remove or update all data records in Hybris?

Scenario 1: I want to remove all the data from the Hybris ItemType. Solution: If you want to remove all records for particular itemType. Then you can do it using HAC Impex import. Open HAC (/hac) Go to console > ImpEx Import Run the below Impex (Change MyItemType with the ItemType for which you want to remove the data) $targetType=MyItemType REMOVE $targetType[batchmode=true];itemtype(code)[unique=true] ;$targetType Scenario 2: Sometimes, you want to remove selected data based on some condition or probably want to run complex SQL query. Then we wish if we could do it by writing SQL query, as many of developers are aware of syntax and its resources are easily available. Solution: Yes, you can do it in Hybris HAC also. Only thing is you should know the appropriate table and attribute/fields names in DB. If you don't, you can always run the select flexible search query and can see generated SQL query. Open HAC (/hac) Go to console > FlexibleSearch Se
Read more

How to Install temporary Hybris license?

LICENSE VERIFICATION HAS FAILED! Your demo/develop license has expired, it is valid only for 30 days. How to install temp SAP Hybris license? Don't worry, you can install a temporary license. To install a temporary license 1) Remove  installedSaplicenses.properties  from the license folder \hybris\config\licence 2) Go to the Platform directory and run the  ./license.sh -temp CPS_SQL  or  license.bat -temp CPS_SQL . If you are using DB other than HSQL you can choose the right command based on your DB.   Windows run  license.bat  instead of  ./license.sh OOTB HSQL DB ./license.sh -temp CPS_SQL MySQL DB ./license.sh -temp CPS_MYS Oracle DB ./license.sh -temp CPS_ORA SQL Server DB ./license.sh -temp CPS_MSS SAP Hana DB ./license.sh -temp CPS_HDB Once you install using the above command, You will get a message like First temporary license key installed. 3) Verify your license by running  ./license.sh -show , which will give you System, Hardwar
Read more