User authentication and authorisation in ASP.NET MVC

Neil Barnwell picture Neil Barnwell · Feb 7, 2009 · Viewed 33.5k times · Source

What is the best method for user authorisation/authentication in ASP.NET MVC?

I see there are really two approaches:

  • Use the built-in ASP.NET authorisation system.
  • Use a custom system with my own User, Permission, UserGroup tables etc.

I'd prefer the second option, because User is part of my domain model (and I have zero experience with ASP.NET's built-in stuff), but I'd really like to hear what people have been doing in this area.

Answer

Jim Petkus picture Jim Petkus · Feb 7, 2009

There is actually a third approach. The asp.net membership functionality is based on the provider model. You can write a custom provider, thus being able to provide your own implementation for how the data is stored, but retaining much of the benefit of asp.net membership.

Some articles on the subject:

http://msdn.microsoft.com/en-us/library/f1kyba5e.aspx

http://www.asp.net/learn/videos/video-189.aspx

http://www.15seconds.com/issue/050216.htm

http://davidhayden.com/blog/dave/archive/2007/10/11/CreateCustomMembershipProviderASPNETWebsiteSecurity.aspx