[ic] Interchange & eProcurement Via cXML/Punchout?

Kevin Walsh interchange-users@icdevgroup.org
Fri Aug 23 13:49:01 2002


> 
> 	One of our major customers is asking us to integrate our 
> Interchange web site with their eProcurement system using cXML.  
> At this point they just want to automatically login and then receive 
> a cXML document when the user checks out.  Can anyone point 
> me in the right direction on how to approach this?  I'm on the 
> newest version of Apache & Interchange.  Thanks!
> 
I looked into this ages ago and it all looked easy enough at the
time.

I never had a reason to implement a cXML-compatible site, so it just
got pushed to the bottom of my todo list and has stayed there ever since.
I have a printed version of the cXML 1.2 user's guide (Feb 2001),
which is probably out of date by now.

The automatic login and "PunchOutSetup*" handling can be done with
a custom "setup" page and a custom "entry" page, but be careful to
take security concerns into account;  I would restrict the PunchOutSetup
Request and Response to use a secure (SSL) connection only and reject
any requests that come in using an insecure connection.  The entry
page relies on the generation of a unique ID, so an MD5 hash supplied
as an argument to the entry page should work there.  I find this part
of the cXML spec. to be insecure, as it's impossible to verify that
the person using the (unique) entry page is who they are supposed to
be, before automatically logging them in; they may have guessed the
hash key (unlikely with MD5), or could have used a network sniffer
to spot a previous use of the key.

The checkout document should be easy enough.  If the session was
initiated using cXML then the "log_transaction" could call a custom
UserTag to deliver the "PunchOutOrderMessage" to the address specified
in the original "PunchOutSetupRequest" message.

Remember that, in cXML, just because a user has gone through the
checkout, it doesn't mean that they'll buy anything.  Your checkout
will provide a "quote" for goods, for comparison against other quotes.
If they decide to buy then they will send a purchase order.  They
also have the option of modifying their quote items at any time, and
performing a so-called re-punchout.  This is where things start to
get tricky.

-- 
   _/   _/  _/_/_/_/  _/    _/  _/_/_/  _/    _/
  _/_/_/   _/_/      _/    _/    _/    _/_/  _/   K e v i n   W a l s h
 _/ _/    _/          _/ _/     _/    _/  _/_/    kevin@cursor.biz
_/   _/  _/_/_/_/      _/    _/_/_/  _/    _/
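
Added example, not part of the original post and not Interchange code: one way to limit the guessing and sniffed-replay risks raised above for the entry-page ID is to make it a random, short-lived, single-use token that is only accepted over SSL. The names `EntryTokenStore`, `TOKEN_TTL` and `buyer_id`, the in-memory storage and the five-minute lifetime are assumptions, and a CSPRNG token stored as a SHA-256 digest is used here in place of the MD5 hash mentioned in the post.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 300  # seconds an entry URL stays valid (assumed policy)


class EntryTokenStore:
    """In-memory store of single-use PunchOut entry tokens (hypothetical helper)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # sha256(token) -> (buyer_id, expires_at)

    def issue(self, buyer_id, scheme):
        """Call after a PunchOutSetupRequest has been authenticated."""
        if scheme != "https":
            raise PermissionError("PunchOutSetupRequest must arrive over SSL")
        # Random token from the OS CSPRNG, not a hash of guessable data.
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        # Only the digest is kept, so a leaked store does not yield usable URLs.
        self._pending[digest] = (buyer_id, self._clock() + TOKEN_TTL)
        return token  # goes into the start-page URL of the setup response

    def redeem(self, token, scheme):
        """Call from the entry page; returns the buyer_id or None."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        # pop() makes the token single-use: a replayed URL finds nothing.
        entry = self._pending.pop(digest, None)
        if entry is None:
            return None
        buyer_id, expires_at = entry
        # A token presented over plain HTTP has been exposed on the wire;
        # it was already removed above, so it is burned as well as refused.
        if scheme != "https" or self._clock() > expires_at:
            return None
        return buyer_id
```

This narrows the replay window but does not prove who is holding the URL, which is the limitation the post points out in the cXML flow.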