Control access to storefront servers

In addition to the servers running your production storefront, you may have various other storefront servers used for development, testing, and staging purposes.

To prevent unwanted access to your storefront servers by web crawlers and other processes, Commerce provides a basic authentication system. (This system does not apply to administrative servers, as these servers already require OAuth 2.0 authentication to access any content.) The basic authentication system checks various values associated with an incoming request, such as the hostname, client IP address, and headers. If any of these values is specifically whitelisted, the request is accepted without a challenge, but if not, a dialog is displayed for entering a username and password. For example, your production server is typically configured to bypass authentication if the request is sent to the official site URL (such as www.example.com), but the dialog is displayed if the request is sent to the internal hostname (such as ccstore-xxxx-xxxx.oracleoutsourcing.com).

The primary purpose of the basic authentication system is not security but keeping the servers from being reached in unexpected ways. For example, if a web crawler reaches a test server, the challenge stops it from indexing pages, so web search results do not send shoppers to that server. On the production server, crawlers are permitted to index pages, but only when they reach them through the official site URL. Keep in mind that the hostname and headers the system inspects are supplied by the client, so whitelisting them deters accidental and automated access rather than a determined visitor; do not rely on this dialog as the only protection for anything sensitive on a non-production server.

Note that the basic authentication system is completely separate from any shopper login. On your production server, shoppers should never see the authentication dialog unless something is misconfigured.

Your servers are configured by default to display the authentication dialog only when appropriate. You should typically not need to make any changes to the configuration. However, the Admin API does include endpoints you can use to make changes to the configuration, including the username and password, whitelisted headers, IP addresses, and hostnames:

  • To see your current settings, use the getBasicAuthConfiguration endpoint.
  • To change your settings, use the updateBasicAuthConfiguration endpoint.
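The decision sequence described above (whitelist check first, then a Basic credential check, otherwise a 401 challenge), as an added Python model that is not Oracle's code. The configuration field names, the sample credentials, addresses and header token are constructed for the model and are not the Admin API's schema; header whitelisting is modelled as an exact name/value match, which is an assumption. The `SPOOFED` request shows why the page calls this a convenience rather than a security control: the whitelisted header is client-supplied, so any client can send it.

```python
"""Model of the storefront basic-authentication gate (added example, not
Oracle's code).  Config field names and sample values are constructed for
the model; they are not the Admin API schema."""
from __future__ import annotations

import base64
import hmac
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class BasicAuthConfig:
    enabled: bool
    username: str
    password: str
    hostnames: set[str] = field(default_factory=set)        # exact host names
    ip_ranges: set[str] = field(default_factory=set)        # CIDR strings
    headers: dict[str, str] = field(default_factory=dict)   # name -> required value (assumed)


@dataclass
class Request:
    host: str                      # value of the Host header, client-supplied
    client_ip: str                 # peer address from the transport
    headers: dict[str, str] = field(default_factory=dict)


@dataclass
class Decision:
    status: int                    # 200 = served, 401 = credential dialog
    reason: str
    www_authenticate: Optional[str] = None


def whitelist_match(cfg: BasicAuthConfig, req: Request) -> Optional[str]:
    """Return which whitelisted value matched, or None if nothing did."""
    host = req.host.rsplit(":", 1)[0].lower()   # drop a :port suffix
    if host in {h.lower() for h in cfg.hostnames}:
        return "hostname"
    try:
        ip = ipaddress.ip_address(req.client_ip)
        if any(ip in ipaddress.ip_network(net, strict=False) for net in cfg.ip_ranges):
            return "ip"
    except ValueError:
        pass   # an unparsable address never matches
    lower = {k.lower(): v for k, v in req.headers.items()}
    if any(lower.get(n.lower()) == v for n, v in cfg.headers.items()):
        return "header"
    return None


def credentials_ok(cfg: BasicAuthConfig, req: Request) -> bool:
    """Validate an RFC 7617 'Authorization: Basic <base64(user:pass)>' header."""
    scheme, _, param = req.headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not param.strip():
        return False
    try:
        user, sep, pwd = base64.b64decode(param.strip(), validate=True).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return False   # malformed base64 or text: treat as no credentials
    if not sep:
        return False
    # Compare both fields in constant time; do not short-circuit on the username.
    user_ok = hmac.compare_digest(user.encode(), cfg.username.encode())
    pwd_ok = hmac.compare_digest(pwd.encode(), cfg.password.encode())
    return user_ok and pwd_ok


def evaluate(cfg: BasicAuthConfig, req: Request) -> Decision:
    """Whitelist first (no challenge), then credentials, else a 401 challenge."""
    if not cfg.enabled:
        return Decision(200, "basic auth disabled")
    matched = whitelist_match(cfg, req)
    if matched:
        return Decision(200, f"whitelisted by {matched}")
    if credentials_ok(cfg, req):
        return Decision(200, "valid credentials")
    return Decision(401, "challenge", 'Basic realm="storefront"')


def basic_header(user: str, pwd: str) -> dict[str, str]:
    return {"Authorization": "Basic " + base64.b64encode(f"{user}:{pwd}".encode()).decode()}


# Constructed configuration for a production-style server (all values are samples).
CONFIG = BasicAuthConfig(
    enabled=True,
    username="preview",
    password="correct horse battery staple",
    hostnames={"www.example.com"},
    ip_ranges={"203.0.113.0/24"},            # e.g. an office egress range
    headers={"X-Preview-Token": "constructed-token"},
)

OFFICIAL = Request("www.example.com", "198.51.100.7")
INTERNAL = Request("ccstore-xxxx-xxxx.oracleoutsourcing.com", "198.51.100.7")
WITH_CREDS = Request(INTERNAL.host, INTERNAL.client_ip, basic_header("preview", "correct horse battery staple"))
WRONG_CREDS = Request(INTERNAL.host, INTERNAL.client_ip, basic_header("preview", "guess"))
OFFICE_IP = Request(INTERNAL.host, "203.0.113.20")
# Any client can send the whitelisted header, so this passes too: the gate keeps
# crawlers off the internal name but is not an access control.
SPOOFED = Request(INTERNAL.host, INTERNAL.client_ip, {"X-Preview-Token": "constructed-token"})

if __name__ == "__main__":
    for name, req in [("official", OFFICIAL), ("internal", INTERNAL), ("creds", WITH_CREDS),
                      ("wrong", WRONG_CREDS), ("office", OFFICE_IP), ("spoofed", SPOOFED)]:
        d = evaluate(CONFIG, req)
        print(f"{name:9} {d.status} {d.reason}")
```

Running the script prints one line per constructed request: the official hostname and the office IP range are served without a challenge, the internal hostname gets a 401 unless valid credentials are presented, and the spoofed header is accepted exactly as a legitimately whitelisted one would be.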

For more information about these endpoints, see the Oracle Commerce REST API documentation in the Oracle Help Center:

http://docs.oracle.com/cloud/latest/commercecs_gs/CXOCC/