Comparison of AuthFilter and AuthManager
Commerce Server provides two tools used to manage user authentication and identification:
AuthManager. A Component Object Model (COM) object that exposes methods for identifying users and controlling access to dynamically generated content. For example, a site developer can invoke the GetUserID method of AuthManager to identify a user based on the ticket contained in a cookie or query string. AuthManager is used on every secured ASP page on your site to check, by calling the IsAuthenticated method, whether the user is allowed to view the page.
AuthManager supports cookieless shopping. An Authentication Ticket must be appended to every URL query string created on the site to ensure that the authentication ticket is passed on for all requests. This is done through the GetUrl method. Note that only one ticket can be appended to the URL, with the MSCSAuth ticket having precedence over the MSCSProfile ticket.
AuthManager is not dependent on any of the configuration settings that are applied during the unpacking process.
AuthFilter. An Internet Server API (ISAPI) filter used and configured at the Commerce Server application level. AuthFilter can be applied to all users visiting your site. You configure AuthFilter after unpacking a site. AuthFilter does not support cookieless shopping.
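The AuthManager page check and cookieless link generation described above, sketched as the top of a secured ASP page. This is an added example, not code from the original page or from Microsoft. The ProgID, the Initialize call, the ticket-type value, the GetUrl argument order and the cookie name are assumptions not stated on this page, and the site and page names are hypothetical.

```vbscript
<%
Option Explicit

Const AUTH_TICKET = 2               ' assumed ticket-type value for the MSCSAuth ticket
Const SITE_NAME   = "ExampleSite"   ' hypothetical Commerce Server site name
Const LOGIN_PAGE  = "login.asp"     ' hypothetical custom login page

Dim oAuth, sUserID, bCookies, sBasketUrl

Set oAuth = Server.CreateObject("Commerce.AuthManager")   ' assumed ProgID
oAuth.Initialize SITE_NAME                                 ' assumed setup call

' Fail closed: a request without a valid ticket is sent to the login page
' before any page content is written.
If Not oAuth.IsAuthenticated() Then
    Set oAuth = Nothing
    Response.Redirect LOGIN_PAGE
End If

' Identify the user from the ticket (cookie or query string).
sUserID = oAuth.GetUserID(AUTH_TICKET)

' AuthManager does not test for cookie support, so this page treats the
' presence of the ticket cookie (assumed to be named MSCSAuth) as the signal.
bCookies = (Request.Cookies("MSCSAuth") <> "")

' Cookieless visitors carry the ticket in the query string, so every link is
' built with GetUrl; a hand-written href would drop the ticket on the next
' request. Assumed argument order: page, cookie flag, secure flag, keys, values.
sBasketUrl = oAuth.GetUrl("basket.asp", bCookies, False, _
                          Array("item"), Array("42"))
%>
<p>Signed in as <%= Server.HTMLEncode(sUserID) %></p>
<p><a href="<%= Server.HTMLEncode(sBasketUrl) %>">View basket</a></p>
<% Set oAuth = Nothing %>
```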
Summary of Differences Between AuthFilter and AuthManager
The following table summarizes the differences among the features supported by AuthFilter and the AuthManager object.
Features and functionality | AuthFilter: Windows Authentication | AuthFilter: Custom Authentication | AuthFilter: AutoCookie | AuthManager |
---|---|---|---|---|
Checks whether session (non-persistent) cookies are supported | Yes | Yes | Yes | No |
Supports cookieless shopping | No | No | No | Yes |
Provides granular access control using access control lists (ACLs) | Yes | No | No | No |
Supports custom login pages | Yes | Yes | No | No. If the ticket is not validated using AuthManager, you can reroute the user request to a custom login page. |
Supports URL case correction | Yes | Yes | Yes | No |
Supports Web farm environments | Yes, with some limitations on Post requests | Yes | Yes | Yes |
Uses ASP-intrinsics | No | No | No | Yes |
Supports using Active Directory for storing user profiles | Yes | No | Yes (*mixed mode) | No |
Supports using SQL Server for storing user profiles | Yes (Active Directory + SQL Server) | Yes | Yes (*mixed mode) | Yes |
Impersonates user | Yes | No (Anonymous) | No (Anonymous) | No (Anonymous) |
Access Control Lists (ACLs) | Virtual directory level and dynamic page level | Virtual directory level | Anonymous-only | Dynamic page level |
Supports security credentials provided by the user | Yes | Custom (Anonymous) | Anonymous | No |
Requires a cookie from the client | Yes | Yes | Yes | No |
* Mixed mode is the use of Autocookie Generation mode with either Custom Authentication mode or Windows Authentication mode.
Commerce Server authentication does not support heterogeneous scenarios, for example, a mixed environment of Windows 2000 and Unix servers.
Copyright © 2005 Microsoft Corporation.
All rights reserved.