Sunday, July 30, 2017

The user does not have the authority to run this command "com.ibm.commerce.order.beans.OrderDataBean" during cart merge

Problem Statement:

After a successful user login, MigrateUserEntriesCmd is called to migrate the user and the cart. During this process, the following exception appears in the logs:

Caused by: com.ibm.commerce.exception.ECApplicationException: The user does not have the authority to run this command "com.ibm.commerce.order.beans.OrderDataBean".
               at com.ibm.commerce.beans.DataBeanManager.directActivate(DataBeanManager.java:732)
               at com.ibm.commerce.beans.DataBeanManager.activate(DataBeanManager.java:290)
               at com.ibm.commerce.beans.DataBeanManager.activate(DataBeanManager.java:188)
               at com.ibm.commerce.order.facade.server.commands.AbstractFetchOrdersSOICmdImpl.performExecute(AbstractFetchOrdersSOICmdImpl.java:416)
               at com.ibm.commerce.foundation.internal.server.command.impl.CommandTarget.executeCommand(CommandTarget.java:66)
               at com.ibm.ws.cache.command.CommandCache.executeCommand(CommandCache.java:332)
               at com.ibm.websphere.command.CacheableCommandImpl.execute(CacheableCommandImpl.java:166)
               at com.ibm.commerce.order.facade.server.commands.GetOrderCmdImpl.performExpression(GetOrderCmdImpl.java:89)
               at com.ibm.commerce.foundation.server.command.bod.AbstractGetBusinessObjectDocumentCmdImpl.performExecute(AbstractGetBusinessObjectDocumentCmdImpl.java:158)
               at com.ibm.commerce.foundation.server.command.bod.BusinessObjectCommandTargetImpl.executeCommand(BusinessObjectCommandTargetImpl.java:112)


Root cause of the issue:

When MigrateUserEntriesCmd calls OrderItemMoveCmd -> OrderCopyCmd -> OrderItemUpdateCmd -> DoInventoryCmd, it clones a command context with the new user (the registered user) and passes this cloned context to the commands. This works for commands (controller or task commands), but in the current case AbstractOrderFacadeClient is called to invoke a component service.

The component service does not respect the cloned command context. It retrieves the user ID from the active session, in which the user is still the old user (the guest user), and that mismatch causes the access control failure.
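
The mismatch described above can be reproduced in a small stand-alone model. This is an added example, not WebSphere Commerce code: every class, method, user ID and order ID in it is hypothetical, and the owner-only check is an assumed stand-in for the real access control policy.

```java
import java.util.Map;

// Simplified model of the failure; none of these names are WebSphere Commerce APIs.
public class CartMergeIdentityDemo {
    // Constructed sample data: order id -> owning user id.
    static final Map<String, String> ORDER_OWNER =
            Map.of("guestCart", "guest-1001", "userCart", "shopper-42");

    // Stands in for the identity bound to the active session.
    static final ThreadLocal<String> SESSION_USER = new ThreadLocal<>();

    // Stands in for a command context that can be cloned for another user.
    record Context(String userId) {
        Context cloneFor(String newUserId) { return new Context(newUserId); }
    }

    // Assumed owner-only policy applied whenever an order is loaded.
    static String fetchOrder(String orderId, String callerId) {
        if (!callerId.equals(ORDER_OWNER.get(orderId))) {
            throw new SecurityException(callerId + " may not read " + orderId);
        }
        return orderId;
    }

    // Command-style call: the identity comes from the context it was handed.
    static String commandFetch(Context ctx, String orderId) {
        return fetchOrder(orderId, ctx.userId());
    }

    // Service-style call: ignores the passed context and reads the session.
    static String serviceFetch(Context ignored, String orderId) {
        return fetchOrder(orderId, SESSION_USER.get());
    }

    public static void main(String[] args) {
        SESSION_USER.set("guest-1001"); // the session still holds the guest user
        Context merged = new Context("guest-1001").cloneFor("shopper-42");

        // Same order, same cloned context, two different effective identities.
        System.out.println("command: " + commandFetch(merged, "userCart"));
        try {
            serviceFetch(merged, "userCart");
        } catch (SecurityException e) {
            System.out.println("service: denied, " + e.getMessage());
        }
    }
}
```

Any layer that resolves the caller from ambient session state instead of the context it was handed will show the same split, which is why the exception appears only on the component service path.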


Resolving this problem:

APAR JR56905 has been created to address the issue. Install the APAR to resolve it. The fix is available as part of Fix Pack 9.