(draft)
One of the questions I see time and time again in various newsgroups is how to limit access to parts of a website to only certain users. These could be administrators, paid users, advertisers, whatever. ASP.NET makes this easy with role-based authorization (RBA).
RBA is very simple in an Intranet environment, and only slightly more complicated in an Internet environment. In an Intranet secured with Windows Authentication, a WindowsPrincipal is attached to every HTTP request. That principal carries the user's Active Directory group memberships, and those translate directly to roles: User.IsInRole("DOMAIN\Group") and <allow roles="DOMAIN\Group"/> in web.config both check group membership, with nothing extra to write.
Role-Based Authorization With Forms Authentication
source: http://aspnet.4guysfromrolla.com/articles/082703-1.aspx
In Web applications, typically there exist certain parts of the site that only certain individuals, or groups of individuals, can access. For example, imagine an intranet Web site used to administer the content on a company's public Internet Web site, where the public Web site lists products sold by the company. From the administrative site, all company employees might be able to make minor changes to the products' descriptions, quantity, and other such non-essential information. However, perhaps only a subset of trusted employees might be able to change the products' prices. And even a smaller subset of employees would be able to add new products or delete existing products from the database.
To handle such a hierarchy of capabilities, a traditional security model to use is to divide users into roles, and then to assign permissions to various resources on a role-by-role basis. For example, our fictional company's administrative Web site might be set up so that the President, CEO, and CIO are made "Administrators" of the product database, and have access to change the product database via the online interface in any way they desire. The top-level managers might be added to the Price Changer role, meaning they can change the prices of existing products, while all other company employees are inserted into the Minor Updates role. Such a security model is typically referred to as a role-based authorization model, as the authorization users enjoy is based upon the role they play within the system.
Implementing Role Based Security in ASP.NET (DotNetBips.com)
source: http://www.dotnetbips.com/displayarticle.aspx?id=196
Authentication involves validating that the user is who he claims to be. In many applications this alone is not enough. You also need to grant access rights to the user based on his category. This process is referred to as authorization. The category I just mentioned is nothing but the role of the user. In this article we will see how to use Windows as well as custom roles to authorize users of your application.
You will sometimes see examples where the role information is loaded from the database with each request. That is not good for performance. Instead, I store my role information in the FormsAuthenticationTicket (if you're using Windows Authentication and have custom roles that are not in the WindowsPrincipal, you can use an encrypted cookie, or even make a FormsAuthenticationTicket; it won't hurt anything). A C# example of storing role information in the FormsAuthenticationTicket is found at Forms authentication and role-based security: improving performance (http://weblogs.asp.net/cazzu/archive/2004/07/21/FormsAuthRoles.aspx).
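Here is what that pattern looks like end to end. This is an added example written for this page, not code from the original post or from the linked article: a Global.asax code-behind that puts the user's roles into the ticket's UserData field at login and rebuilds a GenericPrincipal from it on every request, so User.IsInRole() and <allow roles="..."/> never touch the database. The IssueTicket and ParseRoles helpers, the '|' separator and the 30-minute lifetime are this example's own choices; the login page that verifies the password and looks up the roles is assumed to exist elsewhere.

```csharp
// Added example: roles carried inside the FormsAuthenticationTicket (UserData)
// and turned back into a GenericPrincipal on each request. Not the original
// post's code; helper names, separator and timeout are assumptions.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    private const char RoleSeparator = '|';

    // Called by the login page once the credentials have been verified. The
    // roles are read from the database exactly once, here, and then ride along
    // in the ticket, which FormsAuthentication.Encrypt encrypts and MACs with
    // the machineKey so the browser cannot add roles to itself.
    public static void IssueTicket(HttpResponse response, string userName,
                                   string[] roles, bool persistent)
    {
        string userData = string.Join(RoleSeparator.ToString(), roles);
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                              // ticket version
            userName,
            DateTime.Now,                   // issued
            DateTime.Now.AddMinutes(30),    // expires (assumed lifetime)
            persistent,
            userData,                       // roles live here
            FormsAuthentication.FormsCookiePath);

        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.HttpOnly = true;             // .NET 2.0+: keep script away from the ticket
        if (persistent)
            cookie.Expires = ticket.Expiration;
        response.Cookies.Add(cookie);
    }

    // Splits UserData back into a role array; empty UserData means no roles.
    public static string[] ParseRoles(string userData)
    {
        if (userData == null || userData.Length == 0)
            return new string[0];
        return userData.Split(RoleSeparator);
    }

    // Runs on every request before authorization. Replaces the default
    // principal with one whose IsInRole answers from the ticket; that is the
    // principal web.config's <authorization> section and User.IsInRole consult.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || cookie.Value == null || cookie.Value.Length == 0)
            return;                         // anonymous request, leave User alone

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception)
        {
            // Garbled or tampered cookie: depending on framework version Decrypt
            // throws or returns null. Either way treat the request as anonymous.
            return;
        }
        if (ticket == null || ticket.Expired)
            return;

        string[] roles = ParseRoles(ticket.UserData);
        Context.User = new GenericPrincipal(new FormsIdentity(ticket), roles);
    }
}
```

With this in place a page can be restricted purely in web.config, for example a <location path="Admin/Prices.aspx"> block containing <authorization><allow roles="PriceChanger"/><deny users="*"/></authorization>, and code can still call User.IsInRole("PriceChanger") where finer checks are needed. Two caveats worth keeping in mind: the roles are frozen at login, so a user whose role is revoked keeps it until the ticket expires or is reissued (shorten the lifetime or re-issue the ticket when roles change), and the integrity of the scheme rests on the ticket's encryption and MAC, so if you roll your own cookie for the Windows Authentication case you must encrypt and MAC it yourself, which is exactly why reusing the FormsAuthenticationTicket there is the easier path.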
Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication (Microsoft Patterns & Practices)
Click here to download free PDF from Microsoft
Click here to buy nice printed copy from Amazon
This guide from the Microsoft Patterns & Practices group discusses not only Forms Authentication but also Windows and Passport Authentication, and role-based authorization in all of those scenarios. There are copious examples, and a number of "How To" sections, including integrating Forms Authentication with Active Directory. This is an essential guide. The PDF is over 600 pages long, so buying the book isn't a crazy idea.
This guide presents a practical, scenario-driven approach to designing and building secure ASP.NET applications for Windows 2000 and version 1.0 of the .NET Framework. It focuses on the key elements of authentication, authorization, and secure communication within and across the tiers of distributed .NET Web applications. (This roadmap: 6 printed pages; the entire guide: 608 printed pages)