Commerce Server Security

Commerce Server 2000

Commerce Server provides two tools to manage user authentication and identification: the AuthManager object and the AuthFilter.

  • AuthManager is a Component Object Model (COM) object that exposes methods for identifying users and controlling access to dynamically generated content. For example, a site developer could invoke the GetUserID method of the AuthManager object to identify a user based on a cookie or a query string.

  • AuthFilter is an Internet Server API (ISAPI) filter that is used at the Internet Information Services (IIS) Commerce Server application level. It can be applied to all users visiting the application. You configure properties used by AuthFilter at the global CS Authentication level. You configure the authentication mode at the application level. You can choose from the following authentication modes: Windows Authentication, Custom Authentication, and Autocookie.

When you configure the AuthManager object and AuthFilter, the authentication properties are stored in the Administration database. The CS Authentication resource interacts with the Config objects to store and retrieve the properties from the Administration database.

The Solution Sites do not use AuthFilter because they are designed to support cookieless shopping.

The following table summarizes the differences among the features supported by AuthFilter, the AuthManager object, and the Solution Sites.

| Feature | AuthFilter | AuthManager | Solution Sites |
|---|---|---|---|
| Checks whether session cookies (non-persistent cookies) are supported | Yes | No | Yes |
| Supports cookieless shopping | No | Yes | Yes |
| Provides granular access control using access control lists (ACLs) | Yes | No | No |
| Supports custom login pages for retrieving Windows credentials | Yes | Yes | No |
| URL case correction | Yes | No | Yes |

See Also

Planning for Security

Working with Site Security and Filters

Site Security Objects

Managing the CS Authentication Resource

Commerce Server Security Checklist

Securing Your Site
