Wednesday, 17 September 2014

Why would you need to define access policies for WebSphere Commerce data beans?

We, WebSphere Commerce developers, don't pay much attention to securing data beans. We put all our attention on WebSphere Commerce commands and views, because they are supposed to be the entry point to any store and they enforce security, while data beans are only accessible from a JSP, which is the last step in the cycle, and you can't get to it unless you go through a command or view first.

That was my belief until a network administrator sent me the curl command below. He used it to post a set of request parameters directly to one of our JSPs (CustomerSearchOutput.jsp) and, without providing any credentials, he managed to extract sensitive customer data from the database.

curl -k --data "storeId=10151&qlist=1n2n3n4n5n6n7n8n9n10n11n12n11n12n&useraction=searchclicked&sortclicked=defaultsortclicked&searchOption1=findbylastname&searchOption2=&searchTerm1=Duncan&searchTerm2=&csrLogonId=Rumi&sorttype=desc" https://wcs_testserver/webapp/wcs/csr/servlet/CustomerSearchOutput.jsp

As you might imagine, we worked late for the next couple of days to get it sorted out. The lesson is that the JSP itself is reachable without going through a command or view, so a data bean that performs no access control check of its own will hand its data to anyone who can reach the JSP. For better security, you need to make sure no one can access your data beans and use them as a gateway to extract data from your database.

For details on how to get it done, please check my earlier blog post, Implementing access control in WebSphere Commerce data beans.
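As an added illustration (this is example code, not code from the original post or from IBM), here is the shape of a data bean that takes part in WebSphere Commerce access control: it implements com.ibm.commerce.security.Delegator, so that when a JSP activates it through DataBeanManager.activate(), the access control framework checks the current user's authority against the underlying Protectable resource instead of trusting the JSP alone. The class name, the wrapped UserAccessBean lookup, the field names and the policy details in the comments are assumptions made for this example; only the Delegator, Protectable, SmartDataBean, DataBeanManager and CommandContext types are WebSphere Commerce APIs.

```java
// Added example, not part of the original post. Package, class and field names are assumptions.
package com.example.wc.beans;

import javax.servlet.http.HttpServletRequest;

import com.ibm.commerce.beans.DataBeanManager;
import com.ibm.commerce.beans.SmartDataBean;
import com.ibm.commerce.command.CommandContext;
import com.ibm.commerce.datatype.TypedProperty;
import com.ibm.commerce.security.Delegator;
import com.ibm.commerce.security.Protectable;
import com.ibm.commerce.user.objects.UserAccessBean;

/**
 * A customer data bean that is protected by access control.
 *
 * Because the bean implements Delegator, DataBeanManager.activate() asks the
 * access control framework whether the current user may perform the data bean
 * display action on the delegate (the USERS entity) before the JSP gets any
 * data. An anonymous request that reaches the JSP directly therefore fails the
 * policy check instead of returning customer records. The policy that grants
 * the action to the appropriate roles (for example CSRs) is defined separately
 * in the access control policy XML; its exact name is an assumption here.
 */
public class ProtectedCustomerDataBean implements SmartDataBean, Delegator {

    private CommandContext commandContext;
    private TypedProperty requestProperties;
    private String memberId;          // which customer to load (input parameter)
    private UserAccessBean userAB;    // entity behind this bean; its EJB implements Protectable

    // Output fields populated by populate(); assumed for this example
    private String logonId;
    private String registrationStatus;

    public void setMemberId(String memberId) { this.memberId = memberId; }
    public String getLogonId() { return logonId; }
    public String getRegistrationStatus() { return registrationStatus; }

    // SmartDataBean / InputDataBean contract
    public CommandContext getCommandContext() { return commandContext; }
    public void setCommandContext(CommandContext ctx) { this.commandContext = ctx; }
    public TypedProperty getRequestProperties() { return requestProperties; }
    public void setRequestProperties(TypedProperty props) throws Exception {
        this.requestProperties = props;
        // Read the input parameter from the request properties if the JSP did not set it
        if (memberId == null && props != null) {
            memberId = props.getString("memberId", null);
        }
    }

    /**
     * Delegator contract: return the protectable resource that access control is
     * evaluated against. This is deliberately cheap (only the access bean key is
     * set) so it can be called before populate() runs. Assumed: the access bean's
     * getEJBRef() returns the entity remote interface, which implements Protectable.
     */
    public Protectable getDelegate() throws Exception {
        if (memberId == null) {
            // No resource to protect means nothing to display; fail closed.
            throw new IllegalStateException("memberId is required");
        }
        return (Protectable) getUserAccessBean().getEJBRef();
    }

    private UserAccessBean getUserAccessBean() {
        if (userAB == null) {
            userAB = new UserAccessBean();
            userAB.setInitKey_MemberId(memberId);
        }
        return userAB;
    }

    /** Loads the customer fields; only reached after the access control check passes. */
    public void populate() throws Exception {
        UserAccessBean ab = getUserAccessBean();
        logonId = ab.getLogonId();
        registrationStatus = ab.getRegisterType();
    }

    /**
     * Convenience entry point showing how a JSP would activate the bean. In a real
     * page this is done by the useBean/getData tag; the same activate() call runs
     * the access control check. Assumed usage, not WebSphere Commerce code.
     */
    public static ProtectedCustomerDataBean activateFor(HttpServletRequest request, String memberId)
            throws Exception {
        ProtectedCustomerDataBean bean = new ProtectedCustomerDataBean();
        bean.setMemberId(memberId);
        DataBeanManager.activate(bean, request); // throws if the current user lacks authority
        return bean;
    }
}
```

The point to check after adding such a bean is behavioural: repeat the same unauthenticated request against the JSP that uses it and confirm it now fails the access control check rather than returning records, and review the policy XML so that the display action on this resource is granted only to the roles that need it.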
