Home
Documentation
HCL Commerce is a high-availability, highly scalable and customizable e-commerce platform. Able to support hundreds of thousands of transactions per day, HCL Commerce allows you to do business with consumers (B2C) or directly with businesses (B2B). HCL Commerce uses cloud friendly technology to make deployment and operation both easy and efficient. It provides easy-to-use tools for business users to centrally manage a cross-channel strategy. Business users can create and manage precision marketing campaigns, promotions, catalog, and merchandising across all sales channels. Business users can also use AI enabled content management capabilities.
Customizing
The topics in the Customizing section describe tasks performed by an application developer to customize HCL Commerce.
Persistence layer
The interaction between the business objects and persistence layer is isolated in an object called the Business Object Mediator. Business object document (BOD) commands interact with the Business Object Mediator to handle the interaction with the logical objects and how they are persisted.
Understanding access control
Access control in an HCL Commerce application is composed of the following elements: users, actions, resources, and relationships.
Implementing access control
This topic describes how to implement access control in customized code. In general, enterprise beans and data beans are resources that you may want to protect. However, not all enterprise beans and data beans should be protected. Within the existing HCL Commerce application, resources that require protection already implement the protectable interface. Typically, the question of what to protect comes into play when you create new enterprise beans and data beans. Deciding which resources to protect depends upon your application.
... in views
Resource-level access control for views is performed by the data bean manager. The data bean manager is invoked in the following cases: When the JSP template includes the <useBean> tag and the data bean is not in the attribute list. When the JSP template includes the following activate method: DataBeanManager.activate(xyzDatabean, request);

Documentation
HCL Commerce is a high-availability, highly scalable and customizable e-commerce platform. Able to support hundreds of thousands of transactions per day, HCL Commerce allows you to do business with consumers (B2C) or directly with businesses (B2B). HCL Commerce uses cloud friendly technology to make deployment and operation both easy and efficient. It provides easy-to-use tools for business users to centrally manage a cross-channel strategy. Business users can create and manage precision marketing campaigns, promotions, catalog, and merchandising across all sales channels. Business users can also use AI enabled content management capabilities.
- Getting started
  HCL Commerce has different advantages for business users, administrators and developers. HCL Commerce targets each of these roles with a tailored set of offerings so that each of your users can get maximum benefit.
- Installing and deploying
  Learn how to install and deploy HCL Commerce development environments and HCL Commerce production environments.
- Migrating
  Before you migrate to HCL Commerce Version 9.1, review this information to help plan and execute your migration.
- Operating
  Topics in the Operating category highlight tasks that are typically performed by business users, customer support representatives, to complete their day-to-day tasks in the operation of the HCL Commerce site.
- Integrating
  Topics in the Integrating category highlight the tasks that are commonly performed for using HCL Commerce in combination with other products.
- Administering
  Topics in the Administering category highlight tasks that are typically performed by the Site Administrator, to support daily operations of the HCL Commerce site.
- Customizing
  The topics in the Customizing section describe tasks performed by an application developer to customize HCL Commerce.
  - Customizing Management Center for HCL Commerce
    HCL Commerce allows you to pull the GIT bundle of Management Center source code and start the application locally to customize the Management Center.
  - Managed asset deployment
    Managed assets are files that are uploaded by business users to be used for store marketing, or to supplement products. They are added to HCL Commerce through the Assets tool or the Marketing tool in Management Center. By default, managed assets are extracted and deployed through the HCL Commerce EAR. To maintain performance in a large-scale production environment, site administrators must switch to alternative extraction and deployment methods for managed assets.
  - HCL Commerce development environment
    HCL Commerce Developer is the development toolkit for customizing a HCL Commerce application.
  - Functional architecture
    Functional architecture provides both the set of patterns used to implement the business functionality and the frameworks in which these business functions execute.
  - Persistent object model
    HCL Commerce deals with a large amount of persistent data. There are numerous tables defined in the current database schema. Even with this extensive schema, however, you might need to extend or customize the database schema for your particular business needs.
  - Creating your custom store
    After you install and set up your programming environment, you can create your custom store and customize your storefront. You must ensure that the store server is properly configured, and that your store assets are moved to the Store server.
  - Presentation layer
    HCL Commerce uses Java Server Pages (JSP) to implement the view layer of the Model-View-Controller (MVC) design pattern. The view layer is in charge of retrieving data from the database through the use of data beans and formatting it to meet the display requirements. The view layers determines whether the request is sent to a browser or streamed out as XML. JSP files present a clean separation between data content and presentation.
  - Controller layer
    The Controller layer is the conductor of operations for a request. It controls the transaction scope and manages the session related information for the request. The controller first dispatches to a command and then calls the appropriate view processing logic to render the response.
  - Business logic layer
    The business logic layer is the business components that provide OAGIS services to return data or start business processes. The presentation layer uses these OAGIS services to display data, or to invoke a business process. The business logic provides data required by the presentation layer. The business logic layer exists because more than just fetching and updating data is required by an application; there is also additional business logic independent of the presentation layer.
  - Persistence layer
    The interaction between the business objects and persistence layer is isolated in an object called the Business Object Mediator. Business object document (BOD) commands interact with the Business Object Mediator to handle the interaction with the logical objects and how they are persisted.
    - Java Persistence API
      The Enterprise Java Beans (EJB) was commonly used in previous versions of HCL Commerce. Starting with Version 9, the Java Persistence API (JPA) will be the standard.
    - Data assets
      These topics explain each of the store data assets in more detail. The store data assets in this section are organized according to the HCL Commerce store data architecture structure:
    - Creating primary keys for a JPA entity
      Before you use entity manager to make a JPA entity persistent, you must create a primary key for the entity.
    - Finding data using an access bean
      You will be using access beans in your business logic when you want to find data in the HCL Commerce database. Within an access bean, you must select the appropriate database record by using the primary key, or a finder method.
    - Finding data using a JPA entity
      You can use access beans to find data. However, if you have a customized JPA entity, there is no need to wrap it in an access bean. Instead, define a JPA DAO implementation that extends AbstractJPAEntityDaoImpl, which provides some useful methods you can use directly.
    - Updating data using an access bean
      You can update data in your business logic by using an access bean to retrieve and change data, even if the underlying access method is JPA.
    - Updating data using an JPA entity
      You can update default JPA entities in your business logic by using an access bean. If you have customized JPA entities, you do not need to wrap them in an access bean. Instead, define a JPA DAO implementation that extends AbstractJPAEntityDaoImpl.
    - Inserting data using access beans
      You can use access beans to create new data, even though the underlying logic uses the JPA standard.
    - Inserting data using a JPA entity
      You can use access beans to insert new data, as part of your business logic, for default JPA entities.
    - Deleting data using an access bean
      You can delete data from the HCL Commerce database using access beans, even though the underlying logic uses JPA.
    - Deleting data using a JPA entity
      For default JPA entities, you can delete data from the HCL Commerce database using the remove() method on the access bean's interface. If you want to delete your customized JPA entity, define a JPA DAO implementation that extends AbstractJPAEntityDaoImpl.
    - Extending the HCL Commerce object model with session beans
      HCL Commerce has implemented core commerce objects using JPA entities.
    - Creating new session beans
      When creating new session beans, create them in the WebSphereCommerceServerExtensionsData project.
    - Creating a simple data bean
      A data bean is a Java bean that is used in JSP pages to retrieve information from the enterprise bean. A simple data bean extends its corresponding access bean and implements the SmartDataBean interface. By extending an access bean, the data bean provides a simple indirect representation of an entity bean: it encapsulates the properties that can be retrieved from or set within the entity bean. Most code for the data bean is automatically generated by Rational Application Developer. You should store new data beans in the WebSphereCommerceServerExtensionsLogic project.
    - Understanding access control
      Access control in an HCL Commerce application is composed of the following elements: users, actions, resources, and relationships.
      - Protectable interface
        A key factor for having a resource protected by the HCL Commerce access control policies, is that the resource must implement the com.ibm.commerce.security.Protectable interface. This interface is most commonly used with enterprise beans and data beans, but only those particular beans that require protection need to implement the interface.
      - Resource protection in WebSphere Application Server
        The following HCL Commerce resources are protected under access control by WebSphere Application Server:
      - Administrator authority to act for a registered customer
        An administrator can act on behalf of a registered customer for multiple requests in a session by running the RunAsUserSetInSession URL. If an administrator has the required authority to act on behalf of a registered customer, the administrator can assume the identity for that customer for all subsequent requests. By default, the administrator running on behalf of a registered customer can perform all actions that the registered customer can perform. While acting on behalf of a registered customer, the administrator cannot run any administrative commands.
      - Access control interactions
        The access control policy framework controls how access control works in HCL Commerce.
      - Groupable interface
        The application of an access control policy is specific to a group of resources. Resource groupings can be made based upon attributes such as the class name, the state of an order or the storeId value.
      - HCL Commerce access control policies
        This section provides briefly introduced the main components of the HCL Commerce access control framework. It is provided so that some of the access control-related programming tasks are viewed in the correct context.
      - Implementing access control
        This topic describes how to implement access control in customized code. In general, enterprise beans and data beans are resources that you may want to protect. However, not all enterprise beans and data beans should be protected. Within the existing HCL Commerce application, resources that require protection already implement the protectable interface. Typically, the question of what to protect comes into play when you create new enterprise beans and data beans. Deciding which resources to protect depends upon your application.
        Access control in the BOD command framework
        As in previous versions of HCL Commerce, access control checks in the BOD command framework are performed just before the business logic is executed. This framework continues to use the HCL Commerce PolicyManager as its default access control engine. Access control policies are still required to grant users access to commands and resources. However, the action and resource naming convention is different for the BOD command framework.
        ... in enterprise beans
        If you create new enterprise beans that require protection by access control policies, there are several steps you must follow.
        ... in data beans
        If a data bean is to be protected, it can either be directly, or indirectly protected by access control policies. If a data bean is directly protected, then there exists an access control policy that applies to that particular data bean. If a data bean is indirectly protected, it delegates protection to another data bean, for which an access control policy exists.
        ... in controller commands
        When creating a new controller command, the implementation class for the new command should extend the com.ibm.commerce.commands.ControllerCommandImpl class and its interface should extend the com.ibm.commerce.command.ControllerCommand interface.
        ... in views
        Resource-level access control for views is performed by the data bean manager. The data bean manager is invoked in the following cases: When the JSP template includes the <useBean> tag and the data bean is not in the attribute list. When the JSP template includes the following activate method: DataBeanManager.activate(xyzDatabean, request);
      - Modifying access control on existing HCL Commerce resources
        This section guides you through modifying access control on existing HCL Commerce resources. In particular, the following scenarios are reviewed:
      - Controlling access for HCL Commerce Accelerator
        You can update the access control policies for HCL Commerce Accelerator to control access to the tool and grant users access to the tool for a store type.
  - Business model information model
    A business model, a representation of the business processes used throughout the site, provides a sample commerce solution which includes an organization structure, default user roles and access control policies, one or more starter stores, administration tools, and business processes that demonstrate best practices. A business model can be customized to support business requirements and scenarios. HCL Commerce provides sample business models that show some common commerce solutions. These business models are created by setting up an organization hierarchy structure, access control policies, stores, and contracts that help satisfy the necessary business requirements.
  - Business models
    Before starting to develop your site with HCL Commerce, you need to determine the business model supported by HCL Commerce that best represents the purpose of your site. Usually sites created with HCL Commerce will be implemented based on of one of these business models.
  - Store data information model
    Store data is the information that is loaded into the Transaction server database, which allows your store to function. The URL Registry Entries and View Registry Entries packages are included in the diagram, but they are not database assets. These entries are presentation configuration (that is, struts actions and forwards) that must be deployed. URL registry entries are shown in the diagram to illustrate the entire store data information model. To operate properly, a store must have the data in place to support all customer activities. For example, in order for a customer to make a purchase, your store must contain a catalog of goods for sale (catalog data), the data associated with processing orders (tax and shipping data), and the inventory to fulfill the request (inventory and fulfillment data).
  - Customizing HCL Commerce
    You can extend the HCL Commerce product to fit your business needs. This topic describes the prerequisite skills and required knowledge that you need to customize business logic. After you have the required knowledge, use HCL Commerce Developer to take tutorials that guide you step-by-step through various customization scenarios.
  - Run Engine command framework
    The Run Engine command framework provides predefined commands, that you can use to change environment parameters or container configurations. This framework is built into the HCL provided Docker images.
  - GraphQL for HCL Commerce
    The GraphQL markup language is available for any API. It is a server-side interpreter for processing queries using a data type system you design. With GraphQL, your data and code are independent of any database or storage system.
  - Representational State Transfer (REST) services
    HCL Commerce uses Representational State Transfer (REST) services to provide a framework that can be used to develop RESTful applications on several platforms. These platforms can include web, mobile, kiosks, and social applications.
  - Web services
  - Search
    HCL Commerce comes with a powerful and fully integrated search function. The search functions in HCL Commerce provide an enriched customer experience, with features such as automatic search term suggestions and spelling correction. Since it is built on industry standards, HCL Commerce Search is highly flexible and extensible. Starter stores can use the search engine's most sophisticated features without requiring extra customization. Starting with Version 9.1, HCL Commerce Search with Elasticsearch microservices manage indexing and other crucial tasks, with no performance impact on the storefront or transaction server.
- Tutorials
  HCL Commerce provides many tutorials to help you customize and understand your HCL Commerce instance and stores.
- Samples
  Topics in the Samples category highlight the various samples that are provided with HCL Commerce.
- Compliance
  The following section describes how you can leverage HCL Commerce features and functionality to help your site be compliant with different privacy and security standards.
- Securing
  These topics describe the security features of HCL Commerce and how to configure these features.
- Performance
  Topics in the Performance section describe the means by which to plan, implement, test, and re-visit the optimization of HCL Commerce site performance.
- Troubleshooting
  Topics in the Troubleshooting section highlight common issues that are encountered with HCL Commerce, and how they can be addressed or mitigated.
- Reference
  Topics in the Reference section contain all of the HCL Commerce reference documentation.

Implementing access control policies in views

Resource-level access control for views is performed by the data bean manager. The data bean manager is invoked in the following cases: When the JSP template includes the <useBean> tag and the data bean is not in the attribute list. When the JSP template includes the following activate method: DataBeanManager.activate(xyzDatabean, request);

About this task

Any data bean that is to be protected (either directly or indirectly) must implement the Delegator interface. Any data bean that is to be directly protected will delegate to itself, and thus must also implement the Protectable interface. Data beans that are indirectly protected should delegate to a data bean that implements the Protectable interface.

While it is not recommended, a bypass of the access control checks occurs in the following cases:

If the JSP template makes direct calls to access beans, rather than using data beans.
If the JSP template invokes the data bean's populate() method directly.

If the results of a controller command are to be forwarded to a view (using the ForwardViewCommand), then command-level access control is not performed on the views. Furthermore, if the controller command puts the populated data beans (that are used in the view) on the attribute list of the response property and then forwards to a view, the JSP template can access the data without going through the data bean manager. This does require that the <useBean> tags are used in the JSP template. This can be a way to make a JSP template more efficient, since it can bypass any redundant resource-level access control checks on resources (data beans) to which the user has already been granted access via the controller command.