Developing a Secure Solution using Commerce Server 2002 and .NET

Contents

• Executive Overview
  • Background
    • What is Authentication?
    • Authentication Service Objects: AuthManager and AuthFilter
    • Authentication Tickets
    • MSCSAuth Tickets
    • MSCSProfile Tickets
• Creating a Commerce Web Application
• Enabling AuthFilter
  • About Commerce Project
  • Configuring Login.aspx to use a GUID based URL Authentication
  • Configuring Commerce Server Global Resource
  • Configuring Commerce Site Resource
    • Custom Authentication
    • Enabling Custom Authentication using AuthFilter
  • Restarting IIS Services
    • Restarting IIS
• Developer Bottlenecks
  • Real Problems and Remedies
• Summary
• For more information

Executive Overview

This paper explains how to build a highly secured site using Authentication Tickets provided by Commerce Server 2002 and with Visual Studio .NET as well. It details challenges faced while creating a secure Commerce site, common configurations for employing Authentication methods and explains ways to implement these to maximize user experience and site security. Additionally, I will brief some of the bottlenecks incurred during the development.

Background

What is Authentication?

Authentication is the process for determining a user�s identity on any computer. A user is allowed to access site, network, or computer resources depending on policies established by a system, network, or computer administrator. For the purposes of this paper, the computer that requires authentication is a Web server, and the user is a typical customer of a web site hosted on that server.

Commerce Server contains two objects for user authentication � AuthManager and AuthFilter. Each object offers multiple services that can be customized to serve your security and user-based needs. You can use more than one authentication service at a time. If different regions of your site have different security needs, you can employ separate authentication methods for each region.

Authentication Service Objects: AuthManager and AuthFilter

Developers using Commerce Server have access to two authentication service objects:

• An Internet Information Services (IIS) COM+ component provided by an object called AuthManager.
• An ISAPI filter for IIS that is provided by Commerce Server 2002, called AuthFilter. I will be dealing with AuthFilter in this paper which is a very powerful authentication mechanism available today in Commerce Server.

You can refer for more information under section �For More Information�.

Authentication Tickets

Commerce Server uses authentication tickets to authenticate users visiting your site. An authentication ticket is a mechanism used to authenticate users. It is made up of a property/value pair such as a userID and the value of the userID, or even may be a URL based value pair which will be discussed in more detail. For example, userID/joeuser is a property/value pair that would be in an authentication ticket.

A Commerce Server ticket contains information about a user visiting your site, such as a logon ID, the time when the user last visited your site, and a time window that indicates how long the ticket is valid. Commerce Server uses tickets to identify and authenticate users, and to associate user IDs with the profile information it collects about them.

Commerce Server uses two kinds of authentication tickets: MSCSProfile tickets and MSCSAuth tickets. When a user first accesses your site, Commerce Server creates an MSCSProfile ticket for that user, and writes it to the HTTP header. When a registered user is authenticated, Commerce Server creates an MSCSAuth ticket, and writes it to the HTTP header. Both tickets can be stored in the cookie or encoded in the URL query string.

MSCSAuth Tickets

Commerce Server uses MSCSAuth tickets to identify and track registered and authenticated users.

MSCSAuth tickets can be stored in session cookies, or encoded in the URL. When a session ends, the browser automatically deletes session cookies, and the user must re-authenticate when revisiting the site. We will be using these tickets for authenticated users in our application.

MSCSProfile Tickets

Commerce Server uses MSCSProfile tickets to identify and track anonymous users who visit your site. MSCSProfile tickets are stored in persistent cookies for users who allow persistent cookies. If users do not allow persistent cookies, the MSCSProfile ticket is encoded in the URL.

Creating a Commerce Web Application

This section explains about creating a Commerce C# ASP.NET Web Application. Once Commerce Server 2002 is installed on your server, commerce projects will be added to the Visual Studio .NET project library. Although, one could create choice of application using Visual Basic .NET as well. The following steps guide you through creating a Commerce project.

1. Start Visual Studio .NET and click the [New Project] to open New Commerce Project.

   

2. Select Commerce Projects and under templates, you can choose either of the listed templates. For demo purpose, I have chosen [Commerce C# ASP.NET Web Application] and location as default web server [http://<your server>/CommerceWebAppDemo] and then click [OK].

   

3. A Commerce Application Project wizard will be displayed, click [Next].

   

4. Commerce Server Site Packager Quick Unpack dialog box will be displayed. Briefly about dialog box, you could retain the site same or type the new site, select the name of the Internet Information Services (IIS) 5.0 Web site where the applications will be installed by default, I will be selecting [Default Web site]. Type the name of the SQL Server computer on which you want the site databases to be created or keep the default one. Select the option for MS SQL Server logon. When you use Windows integrated security, user names and passwords are not stored in the SQL Server connection string, and are not affected by SQL Server password resets. Confirm your information and then click [Next].

   

5. Unpacking of the web application starts. In the [Data Warehouse] dialog box, type the name for the global Data Warehouse resource server, type the name of the SQL Analysis Services computer that the Data Warehouse will use as well. Type the name of the Analysis Services database and click [OK].

   

6. In the Profiling System dialog box, accept the default .xml files, and then click [Next].

   Briefly, Profile Schema Definition (*.xml) - when you pack a site, Site Packager extracts the profile schema from your Profiles database and stores it in an XML file. Specify that XML file here, so it is unpacked.

   When you unpack a Solution Site, accept the default XML file, ProfileDefinition. This file contains the following profile definitions: Address, BlanketPOs, Organization, Targeting Context, and User Object.

   Site Terms Definition (*.xml) - when you pack a site, Site Packager extracts the site terms definition from your database and stores it in an XML file. Specify that XML file here, so it is unpacked.

   When you unpack a Solution Site, accept the default XML file, SiteTerms. This file contains the predefined site terms for your use.

   Expression Definition (*xml) - When you pack a site, Site Packager extracts the definitions for expressions that you defined using Business Desk, and stores them in an XML file. Specify that XML file here, so it is unpacked.

   When you unpack a Solution Site, a default XML file is provided, ExpressionDefinition. This file does not contain any predefined expressions for the Solution Sites.

   

7. In the Profiling System dialog box, accept the default .xml files, and then click [OK].

   Accept the default connection string to the Profiles database, or click Modify to configure a new connection string.

   Schema definition scripts - To pack the profile definitions, use SQL Server Enterprise Manager to export the definitions (schema) from the SQL database to a .sql file, and then specify the name of that file here.

   When you unpack your site, you will specify this file, so the definitions will be unpacked into the runtime data stores (the SQL tables that store the data for the user, address, organization, and so forth).

   Data population scripts - If you have extracted the profile data from a Profiles database, you can specify data population scripts, so when you unpack, the profile data is imported into the runtime data stores (the SQL tables that store the data for the user, address, organization, and so forth).

   

8. Click [OK]. A new C# ASP.NET Commerce Server project is created.

   

Enabling AuthFilter

This section details you on the configuration mechanisms and steps involved in enabling a site (or in other words Commerce Web application) with AuthFilter.

About Commerce Project

By default, there will be an AuthFilter folder which enables web applications to have secure authentication mechanism, individual ones can go for its own AuthFilter folder with different names as well. One can navigate to Commerce Server Manager as shown below:

Configuring Login.aspx to use a GUID based URL Authentication

This sample code snippet shows you to write code in code-behind of a Login.aspx Web Form which will be used for authenticating users on different URLs with Logon name and password as usual. Briefly coding goes like this, one could place this code in two sections, first part in under Page_Load function and secondly under Button_Click event. This code ensures that the user will be authenticated based on his official (corporation) URL. Other than the current URL, he can navigate to a different corporation's URL in this scenario.

Part 1:

Part 2:

Configuring Commerce Server Global Resource

You can change the properties and the database connection strings used by the global resource at any time.

To configure a global resource:

• Expand Commerce Server Manager, and then expand Global Resources.
• Right-click the global resource to be configured, and then click Properties.
• In the <global resource> Properties dialog box, on the Properties tab, configure the properties for the global resource. For each property you want to configure, select the property, and then type the value in the Selected Property Value box.
• And in same way, you can change the AuthFilter folder name and other properties as shown below.

When you change the properties or AuthFilter folder name for a global resource using Commerce Server Manager, changes may not be reflected immediately in Commerce Server Business Desk or in the web pages of the applications using the global resource. To refresh these changes, restart all services that use those values. For instructions, refer section below �Restarting IIS Services'.

Configuring Commerce Site Resource

You can change the properties used by the site resource at any time. All site resources used by a site expose an object at the site level. After you change a property in Commerce Server Manager, you must restart all services that use those values. For instructions, refer section below �Restarting IIS Services'.

Custom Authentication

When you use Custom Authentication, login access is required for every ASPX or ASP page and directory in the Commerce Server site. AuthFilter checks against the virtual directory for the Commerce Server site, and it checks the Commerce Server Administration database to determine whether Custom Authentication is enabled for that site.

If the MSCSAuth ticket the user submitted is not valid when requesting access to an ASPX page or directory, AuthFilter requires the user to enter login information. When a user submits credentials to the login page, the login page obtains verification of the credentials from a SQL Server database, or other types of databases.

After the user has been authenticated, the Login.aspx page issues an MSCSAuth ticket. The MSCSAuth ticket is what is checked when the AuthFilter authenticates the request to determine whether or not to allow the request to be fulfilled.

In this mode, AuthFilter allows the site designer to provide a custom authentication process to control access to the site while still using the basic services of AuthFilter.

Enabling Custom Authentication using AuthFilter

For Custom Authentication implementation, use AuthFilter to integrate it into your site. If you select Custom Authentication, AuthFilter checks for a valid MSCSAuth ticket. If the valid MSCSAuth ticket is not found, the user is redirected to a login page, where you can do your own Custom Authentication by validating credentials and setting MSCSAuth ticket upon success.

To enable the Custom Authentication mode:

• Expand Commerce Server Manager, expand Commerce Sites, and then click the site you want to administer.
• Expand Applications, right-click the name of the application that you want to work with, and then click Properties.
• In the Properties dialog box, on the General tab, in the Authentication filter box, select Custom Authentication, and then click OK.
• AuthFilter redirects the user request to the Login.aspx page, which validates the user login and password against a SQL Server database or other types of data stores.
• Do refer the figure below to get insight of authentication filter.

After you change a property value in Commerce Server Manager, you must unload the application from memory on each Web server for the change to take effect. For instructions, refer section below: �Restarting IIS Services'.

Restarting IIS Services

Restarting IIS

When you make changes to the properties used by the CS Authentication resource, you must stop and then restart IIS. Restarting IIS unloads all Web applications from memory, restarts the IIS service and refreshes the cache. Therefore, when restarting IIS, it is not necessary to also unload an application from memory.

You must restart IIS when you perform any of the following tasks in the CS Authentication resource:

• Configure CS Authentication resource properties
• Enable cookie sharing across domains/applications
• Enable AuthFilter
• Disable AuthFilter

Note: Do not use the IISReset command to restart IIS. Although IISReset will stop and then restart IIS, under certain conditions, it does not stop and then start Inetinfo.exe (W3SVC service). For example, if the W3SVC service has been configured for manual start instead of automatic, it will not be restarted.

To restart IIS :

• Click Start, and then click Run.
• In the Run dialog box, in the Open text box, type net stop iisadmin and then click OK.
• At the prompt, "Do you want to continue this operation?" type Y and press [Enter].
• IIS stops. Note that both the iisadmin and W3SVC services are stopped using the command from the above step.

Developer Bottlenecks

This section details on live problems faced during development while working with Commerce Server 2002 and Visual Studio .NET.

Real Problems and Remedies

1. One cannot debug the application once AuthFilter is enabled. The following message will be displayed �

   

   Remedies:-

   • One should disable AuthFilter to �No Filter� mode
   • Restart IIS Services
   • Alternatively, one can use System.Diagnostics.Debugger.Break() for debugging purpose.
2. One cannot re-open the project again; the following dialog box will be displayed. When you are developing a site using Visual Studio .NET, and you have AuthFilter enabled, when Visual Studio .NET tries to connect to the site, AuthFilter does a redirect so Visual Studio .NET cannot open the project.

   

   Remedies:-

   • One should disable AuthFilter to �No Filter� mode. Disabling AuthFilter does not unload it from IIS process space until IIS is restarted; it only removes the AuthFilter entry from the metabase.
   • Hence restart IIS Services as well.
3. It�s not easy to develop a Commerce Server site using VS.NET, since system will be much slower in debugging and will affect developer productivity time.

   Remedies:-

   • One should try to minimize debugging Commerce server applications, and try to write code in the regular ASP.NET applications and finally try to integrate.

Summary

The paper briefed about the creating and configuring the Secured Commerce Server ASP.NET Web Application. And further, it shows enabling the Commerce Server site to use an AuthFilter and ensure secured access to users. The following points summarizes in brief:

• Basic functionality of Authentication and usage of AuthFilter
• Requirement and challenges
• Creating a secured Commerce Server project and enabling custom authentication using a AuthFilter
• Bottlenecks during development

For more information

• Microsoft Commerce Server Homepage
• Product Documentation
• Developer Resource - MSDN
  • Link 1
  • Link 2
• Microsoft Commerce Server Solution Sites