5.4 The Product Catalog




Products or services that are being sold on your site are all stored in the product catalog. The catalog will normally reside on a Microsoft SQL Server and in practice forms a fairly complex database structure with something like 120 tables (see Figure 5.7).

Figure 5.7: The product catalog.

The basic catalog will contain categories and products, but no specific pricing rules, only the base product prices. Commerce Server allows you to build custom catalogs that are derived from base catalogs on a site. Prices in the custom catalog override those given in the base catalog and are used to offer special pricing deals to particular partners or customers. They are also useful in a traditional retail site since product pricing can be adapted based, for example, on the membership level of a site visitor.

Catalog sets are used to determine which catalog a user will see when visiting a site. A catalog set is a group of one or more catalogs that can be displayed to specific users or organizations.

5.4.1 Catalog Searching

The catalog can be searched in three ways:

  1. Free text

  2. Query based

  3. Specification

Free text allows you to search catalogs using words or phrases. In practice, this uses the free-text search engine within Microsoft SQL Server since the catalogs reside there. With a SQL Server free-text search, a broader range of search predicates can be used, such as CONTAINS and FREETEXT, above and beyond the typical SQL WHERE clause.

Query searches are similar to free-text searches, but you do not have the benefit of full-text indexing.

Specification searches are a way of iteratively refining a search until the final results are obtained. A good example would be searching for a laptop PC, where you would specify the amount of RAM you needed, then the size of hard disk, and then, if it were important to you, the color of the carry bag!
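The three search styles above, sketched in T-SQL as an added example (not code from the book or from Commerce Server). The table `dbo.DemoProducts`, the full-text catalog `DemoCatalogFT`, both procedure names and the sample rows are hypothetical, and the script assumes SQL Server 2008 or later with full-text search installed. Visitor input reaches every query only as a parameter.

```sql
-- Constructed table and rows standing in for a catalog (not the Commerce Server schema).
CREATE TABLE dbo.DemoProducts (
    ProductID   INT           NOT NULL CONSTRAINT PK_DemoProducts PRIMARY KEY,
    Name        NVARCHAR(100) NOT NULL,
    Description NVARCHAR(MAX) NOT NULL,
    RamMB INT NOT NULL, DiskGB INT NOT NULL,
    BagColor    NVARCHAR(20)  NOT NULL
);
INSERT INTO dbo.DemoProducts VALUES
    (1, N'Laptop A', N'Lightweight laptop with carry bag', 512, 40, N'black'),
    (2, N'Laptop B', N'Laptop for travelling, bag included', 256, 60, N'blue');
GO
CREATE FULLTEXT CATALOG DemoCatalogFT;
GO
CREATE FULLTEXT INDEX ON dbo.DemoProducts (Name, Description)
    KEY INDEX PK_DemoProducts ON DemoCatalogFT;
GO
-- Free-text and query-based search; input is a parameter, never spliced into SQL text.
CREATE PROCEDURE dbo.SearchDemoProducts @Phrase NVARCHAR(200)
AS
BEGIN
    SET NOCOUNT ON;
    -- Full-text predicates raise an error on empty input, so reject it up front.
    DECLARE @Clean NVARCHAR(200) = LTRIM(RTRIM(REPLACE(@Phrase, N'"', N'')));
    IF @Clean IS NULL OR @Clean = N'' RETURN;
    -- Free text: FREETEXT matches word forms of the terms via the full-text index.
    SELECT ProductID, Name FROM dbo.DemoProducts
    WHERE FREETEXT((Name, Description), @Clean);
    -- CONTAINS has its own query grammar, so pass the input as one quoted phrase.
    DECLARE @Exact NVARCHAR(202) = N'"' + @Clean + N'"';
    SELECT ProductID, Name FROM dbo.DemoProducts
    WHERE CONTAINS((Name, Description), @Exact);
    -- Query based: plain WHERE clause, no full-text index; escape LIKE wildcards.
    DECLARE @Like NVARCHAR(800) = REPLACE(REPLACE(REPLACE(REPLACE(
        @Clean, N'\', N'\\'), N'%', N'\%'), N'_', N'\_'), N'[', N'\[');
    SELECT ProductID, Name FROM dbo.DemoProducts
    WHERE Description LIKE N'%' + @Like + N'%' ESCAPE N'\';
END;
GO
-- Specification search: each refinement step supplies one more parameter.
CREATE PROCEDURE dbo.RefineDemoProducts
    @MinRamMB INT = NULL, @MinDiskGB INT = NULL, @BagColor NVARCHAR(20) = NULL
AS
SELECT ProductID, Name FROM dbo.DemoProducts
WHERE (@MinRamMB  IS NULL OR RamMB   >= @MinRamMB)
  AND (@MinDiskGB IS NULL OR DiskGB  >= @MinDiskGB)
  AND (@BagColor  IS NULL OR BagColor = @BagColor);
GO
EXEC dbo.RefineDemoProducts @MinRamMB = 512, @MinDiskGB = 40;  -- second refinement step
```

Full-text index population is asynchronous, so the `FREETEXT` and `CONTAINS` queries may return no rows until the index has finished building.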

5.4.2 Commerce Server Security

By their very nature, most Commerce Server installations will be available on the Internet for anyone to browse and purchase products.

Unfortunately, there is a minority of people who will treat this as an opportunity to probe your site and see how secure it is. To counter this, Commerce Server comes with a number of tools and options to help secure the site from attack.

Secure Sockets Layer (SSL) is generally accepted as one of the best security practices for protecting sensitive pages on your site. Typically any page that collects or serves financial data, such as credit-card information, needs to be managed through SSL. This is configured through Internet Information Server (IIS) and through the purchase of a server certificate.

The site itself will need to be locked down with full control on all services, pages, and applications via Access Control Lists (ACLs) on an NTFS-based system. In addition, site visitors, or certainly those doing more than initial browsing, will need to be authenticated. The site will need to be protected via firewalls, and depending on the budget available, this may be a one-, two-, or three-firewall solution. Single-firewall solutions are easier to manage, but only provide a single hurdle to climb; a three-firewall solution can be extremely expensive, so a compromise two-firewall solution is normally chosen.

Commerce Server supports up to seven authentication modes, four of which are provided by IIS (anonymous, basic, integrated, and certificates) and three that it provides itself (Windows authentication, custom authentication, and autocookie). The three modes that Commerce Server provides are as follows:

  • Windows authentication. The user login and password are checked against Active Directory or the Security Access Manager (SAM). Access control with Windows authentication can be down to individual site pages and directories.

  • Custom authentication. Login credentials are checked against a database (normally SQL Server). Login access is required for every page and directory on the site.

  • Autocookie. Cookies can automatically be generated for guest users so that you can track which areas of your site they are visiting. It is possible to use autocookie and either Windows authentication or custom authentication together in a mixed mode, so that profile data can be gathered about site visitors.






Microsoft .NET: Jumpstart for Systems Administrators and Developers (Communications (Digital Press))
ISBN: 1555582850
EAN: 2147483647
Year: 2003
Pages: 136
Authors: Nigel Stanley
