Comparison of AuthFilter and AuthManager

Commerce Server provides two tools used to manage user authentication and identification:

  • AuthManager. A Component Object Model (COM) object that exposes methods for identifying users and controlling access to dynamically generated content. For example, a site developer can invoke the GetUserID method of AuthManager to identify a user based on the ticket contained in a cookie or query string. AuthManager is used on every secured ASP page on your site, where the IsAuthenticated method checks whether the user is allowed to view the page.

    AuthManager supports cookieless shopping. To ensure that the authentication ticket is passed on for all requests, it must be appended to the query string of every URL created on the site. This is done through the GetUrl method. Note that only one ticket can be appended to a URL, with the MSCSAuth ticket having precedence over the MSCSProfile ticket.

    AuthManager is not dependent on any of the configuration settings that are applied during the unpacking process.

  • AuthFilter. An Internet Server API (ISAPI) filter used and configured at the Commerce Server application level. AuthFilter can be applied to all users visiting your site. You configure AuthFilter after unpacking a site. AuthFilter does not support cookieless shopping.
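The cookieless rule described under AuthManager (every URL created on the site carries exactly one ticket, MSCSAuth before MSCSProfile) can be checked against rendered pages. The following is an added example, not Commerce Server code; it assumes each ticket travels as a query parameter named after the ticket, and the helper names, host names, and sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlsplit

# Assumption: each ticket travels as a query parameter named after the ticket.
TICKETS = ("MSCSAuth", "MSCSProfile")  # listed in the precedence order the page states

# Constructed sample page, not captured from a real site.
SAMPLE_HTML = """
<a href="basket.asp?MSCSAuth=A1B2">Basket</a>
<a href="product.asp?id=7">Product</a>
<a href="account.asp?MSCSProfile=P9">Account</a>
<a href="pay.asp?MSCSAuth=A1B2&amp;MSCSProfile=P9">Pay</a>
<a href="mailto:help@shop.example">Help</a>
<a href="http://partner.example/ad.asp">Partner</a>
"""


class LinkCollector(HTMLParser):
    """Collects link targets from <a href> and <form action>."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        wanted = {"a": "href", "form": "action"}.get(tag)
        self.targets += [v for k, v in attrs if k == wanted and v]


def audit_links(html, page_url, has_auth_ticket):
    """Return (url, problem) pairs for same-site links that break ticket passing."""
    collector = LinkCollector()
    collector.feed(html)
    site = urlsplit(page_url).netloc
    findings = []
    for target in collector.targets:
        url = urljoin(page_url, target)
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or parts.netloc != site:
            continue  # only links back into the site need a ticket
        # parse_qs drops empty values, so "MSCSAuth=" counts as missing.
        present = [t for t in TICKETS if t in parse_qs(parts.query)]
        if not present:
            findings.append((url, "no ticket"))
        elif len(present) > 1:
            findings.append((url, "more than one ticket"))
        elif has_auth_ticket and present[0] != "MSCSAuth":
            findings.append((url, "MSCSProfile sent although MSCSAuth is available"))
    return findings
```

A link reported as "no ticket" is one where a cookieless user's next request arrives without any ticket for AuthManager to read.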

Summary of Differences Between AuthFilter and AuthManager

The following table summarizes the differences among the features supported by AuthFilter and the AuthManager object.

| Features and functionality | AuthFilter: Windows Authentication | AuthFilter: Custom Authentication | AuthFilter: AutoCookie | AuthManager |
|---|---|---|---|---|
| Checks whether session (non-persistent) cookies are supported | Yes | Yes | Yes | No |
| Supports cookieless shopping | No | No | No | Yes |
| Provides granular access control using access control lists (ACLs) | Yes | No | No | No |
| Supports custom login pages | Yes | Yes | No | No. If the ticket is not validated using AuthManager, you can reroute the user request to a custom login page. |
| Supports URL case correction | Yes | Yes | Yes | No |
| Supports Web farm environments | Yes, with some limitations on Post requests | Yes | Yes | Yes |
| Uses ASP-intrinsics | No | No | No | Yes |
| Supports using Active Directory for storing user profiles | Yes | No | Yes (*mixed mode) | No |
| Supports using SQL Server for storing user profiles | Yes (Active Directory + SQL Server) | Yes | Yes (*mixed mode) | Yes |
| Impersonates user | Yes | No (Anonymous) | No (Anonymous) | No (Anonymous) |
| Access Control Lists (ACLs) | Virtual directory level and dynamic page level | Virtual directory level | Anonymous-only | Dynamic page level |
| Supports security credentials provided by the user | Yes | Custom (Anonymous) | Anonymous | No |
| Requires a cookie from the client | Yes | Yes | Yes | No |

* Mixed mode is the use of Autocookie Generation mode with either Custom Authentication mode or Windows Authentication mode.

Commerce Server authentication does not support heterogeneous scenarios, for example, a mixed environment of Windows 2000 and Unix servers.

See Also

Authentication Tickets

AuthFilter

AuthManager

Copyright © 2005 Microsoft Corporation.
All rights reserved.