Using the JSON APIs to build a JavaScript client

Through the use of the JSON APIs, KonaKart may be used to power a JavaScript storefront running in a browser. An example of this is the KonaKart Tiles storefront demo where all of the tiles are grouped together to create a complete storefront application.

For a production environment, some extra steps must be taken to ensure that the application is secure, because, unlike the standard Struts2 storefront application, the engine APIs are now exposed directly to the storefront and to any JSON client that connects to the KonaKart engine.

Only make available the API calls that your storefront uses

This is very important and quite easy to achieve by listing the permitted API calls in web.xml.

For the included interfaces (highlighted above), you simply specify a comma-separated list of the KKEngIf interfaces that are to be allowed. Every interface not on that list is excluded by default.

Manage transactional API calls in a custom layer

It’s good practice to have your own service layer for transactional API calls such as writeReview(), registerCustomer() and saveOrder(). The two main reasons are:

  • It’s more secure not to expose the transactional engine API calls to the internet. A malicious user can quite easily build a JSON client that attempts to introduce insecure data, or simply incorrect data such as fake orders. In your own layer you can validate and escape all input data to remove dangerous characters and perform any other checks that may be necessary.

  • Many transactions require multiple API calls, so it’s more efficient and reliable to make server-to-server calls than many round trips from the browser. For example, when registering a customer you need to call registerCustomer(), then send the welcome email, then log the customer in and set some customer tags.

There are many ways of building your own service layer. KonaKart provides a mechanism for creating a custom store service, which is explained in CustomStoreService_CustomAdminService.pdf in the doc directory of a standard installation. An example is also provided that registers a customer through a custom service call.
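As an added illustration of the service layer described above (example code, not KonaKart's own), a minimal Java registration service that validates the browser's input and then performs the registerCustomer / welcome email / login / tag sequence as server-to-server calls behind one entry point. The `KonaKartEngine` interface is a hypothetical stand-in for the KKEngIf methods the text names; its method signatures are assumptions and must be adapted to the real engine API.

```java
import java.util.Objects;
import java.util.regex.Pattern;

// Hypothetical stand-in for the engine calls named in the text. The real
// KKEngIf signatures differ; adapt this interface to the actual engine.
interface KonaKartEngine {
    int registerCustomer(String email, String password, String firstName, String lastName);
    void sendWelcomeEmail(int customerId);
    String login(String email, String password);              // returns a session id
    void setCustomerTag(String sessionId, String tagName, String value);
}

public class CustomerRegistrationService {
    // Whitelist the shape of each field rather than trying to strip "bad" characters.
    private static final Pattern EMAIL =
            Pattern.compile("^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}$");
    private static final Pattern NAME = Pattern.compile("^[\\p{L} .'-]{1,64}$");

    private final KonaKartEngine engine;

    public CustomerRegistrationService(KonaKartEngine engine) {
        this.engine = Objects.requireNonNull(engine);
    }

    /** The only call the JSON client needs; returns the session id on success. */
    public String register(String email, String password, String firstName, String lastName) {
        if (email == null || email.length() > 254 || !EMAIL.matcher(email).matches()) {
            throw new IllegalArgumentException("invalid email");
        }
        if (password == null || password.length() < 8 || password.length() > 128) {
            throw new IllegalArgumentException("invalid password");
        }
        if (!NAME.matcher(Objects.toString(firstName, "")).matches()
                || !NAME.matcher(Objects.toString(lastName, "")).matches()) {
            throw new IllegalArgumentException("invalid name");
        }
        // Everything below runs server-to-server: one round trip from the browser,
        // and registerCustomer() itself is never reachable from the JSON client.
        int customerId = engine.registerCustomer(email, password, firstName, lastName);
        engine.sendWelcomeEmail(customerId);
        String sessionId = engine.login(email, password);
        engine.setCustomerTag(sessionId, "REGISTERED_VIA", "js-storefront");
        return sessionId;
    }
}
```

The `register` method is the one to expose to the browser, while the transactional KKEngIf interfaces it wraps stay out of the allowed list in web.xml.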