Security Objects Programming Concepts

This section describes the BizDeskSecurity object and the AuthManager object provided by Microsoft Commerce Server 2000 for site security.

BizDeskSecurity Object

The Commerce Server Business Desk security infrastructure allows individual Business Desk modules to be displayed or hidden, depending on the credentials of the user. The CanUserAccess method of the BizDeskSecurity object returns True if the current user has read access rights for a specified Business Desk module. This method retrieves the access rights for the user from the access control list (ACL) for the file. For more information, see BizDeskSecurity Object.

The Active Server Pages (ASP) file corresponding to a Business Desk module is found in the id attribute of the module element of the XML file for the module. The XML file for each module is found in the Config folder located under the Business Desk application folder. For more information about the XML format, see Module Configuration Files.

AuthManager Object

The AuthManager object identifies users and gathers information used for user authentication. The methods and properties of this object control and access the contents of cookies and encoded URL strings. For more information, see AuthManager Object.

Authentication uses tickets, strings of property/value pairs, to carry information about the user. Two types of tickets are supported, the MSCSAuth ticket and the MSCSProfile ticket. Their differences are summarized in the following table.

Characteristic   MSCSAuth                            MSCSProfile
---------------  ----------------------------------  ------------------------------------
Storage          Session cookie/encoded URL string   Persistent cookie/encoded URL string
User type        Registered                          Anonymous
Contents         Unique user ID, last login time,    Unique user ID
                 time window

In this context, registered refers to a user who has successfully completed a registration process for the relevant site.

The AuthManager object provides methods to place the ticket into a cookie, if cookies are enabled on the client, or, if cookies are not enabled, into an encoded URL string. When used with the AuthFilter ISAPI filter, cookies must be enabled.

For an MSCSAuth ticket, the AuthManager object can check the validity of the ticket using the IsAuthenticated method. This method checks whether the request from the user contains an MSCSAuth ticket. If it does, the method checks the current time against the last login time set on the ticket to see if it is within the time window specified in the ticket. If it is, the method returns True, indicating a valid MSCSAuth ticket. If the current time is within five minutes of the last login time plus the time window, the last login time on the ticket is changed to the current time so the active user can remain browsing.
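To make the time-window and refresh behaviour of IsAuthenticated concrete, here is an added Python model of the check described above. It is not Commerce Server code: the ticket layout (semicolon-separated property=value pairs, the property names uid, last_login and window, and minutes as the unit of the window) is an assumption made for illustration, and "within five minutes of the last login time plus the time window" is interpreted as five minutes or less of validity remaining.

```python
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

# From the text: when the current time is within five minutes of
# (last login time + time window), the last login time is moved to now.
REFRESH_MARGIN = timedelta(minutes=5)

def parse_ticket(ticket: str) -> Dict[str, str]:
    """Split a 'prop=value;prop=value' ticket into a dict.
    The separators and property names are assumptions for this model."""
    pairs = (item.split("=", 1) for item in ticket.split(";") if "=" in item)
    return {k.strip(): v.strip() for k, v in pairs}

def is_authenticated(ticket: Optional[str], now: datetime) -> Tuple[bool, Optional[str]]:
    """Model of IsAuthenticated for an MSCSAuth ticket.
    Returns (valid, refreshed_ticket); refreshed_ticket is a new ticket
    string when the last login time was slid forward, otherwise None."""
    if ticket is None:
        return False, None                     # no MSCSAuth ticket in the request
    props = parse_ticket(ticket)
    try:
        uid = props["uid"]
        last_login = datetime.fromisoformat(props["last_login"])
        window = timedelta(minutes=int(props["window"]))
    except (KeyError, ValueError):
        return False, None                     # malformed ticket: treat as absent
    expires = last_login + window
    if now > expires:
        return False, None                     # outside the time window
    if expires - now <= REFRESH_MARGIN:        # active user close to expiry
        refreshed = f"uid={uid};last_login={now.isoformat()};window={props['window']}"
        return True, refreshed
    return True, None

def run_samples() -> Dict[str, Tuple[bool, Optional[str]]]:
    """Constructed tickets (not real Commerce Server data) exercising each path."""
    now = datetime(2024, 1, 1, 10, 30)
    return {
        "missing": is_authenticated(None, now),
        "fresh": is_authenticated("uid=u1;last_login=2024-01-01T10:15:00;window=30", now),
        "near_expiry": is_authenticated("uid=u1;last_login=2024-01-01T10:03:00;window=30", now),
        "expired": is_authenticated("uid=u1;last_login=2024-01-01T09:00:00;window=30", now),
        "malformed": is_authenticated("uid=u1;last_login=yesterday;window=30", now),
    }
```

In the real system the ticket is encrypted by AuthManager before it reaches the cookie or URL, so the property string above would never be visible to the client in this form.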

A user may have both types of tickets. In this case, the MSCSAuth ticket takes precedence.

If the user does not allow cookies, the ticket is placed in an encoded URL string. The URL string may be used to pass user information between pages and Web sites, provided all the URLs and query strings are generated by the AuthManager object.

The AuthManager object provides a transparent interface to the tickets, whether they are stored in cookies or in URL query strings, and handles encryption and decryption of the tickets to ensure security.

The AuthManager object must be used with ASP since it depends on ASP intrinsic objects. Do not create the AuthManager object in application scope as it has dependencies on individual user sessions. The AuthManager object should be created and destroyed on each ASP page.
