How can I implement permission-based authorization in ASP.NET?

I'm working on an ASP.NET application (not using MVC) and need a User-Role-Permission based authorization scheme, where pages and/or methods can demand the specific permission they require (instead of which role the user has). Is there a way to extend Forms Authentication (or build something) to solve this?

If possible I would like to be able to use attributes:

[RequirePermission("UserEdit")]
public partial class EditUser : System.Web.UI.Page
{
}

Perhaps even for methods:

public class MyClass
{
    ...
    [RequirePermission("UserEdit")]
    public void Save()
    {
        ...
    }
}

Is this possible?

I found this page, which suggested using Roles for permissions:

[Authorize(Roles = "UserEdit")]
public partial class EditUser : System.Web.UI.Page
{
}

I am not very fond of this solution, but it would also be a possible way to solve things. What do I need to do to get it working?

Hunterwood asked Aug 31 '11 14:08

1 Answer

Microsoft's authorization model sucks...and it's widely acknowledged (http://lostechies.com/derickbailey/2011/05/24/dont-do-role-based-authorization-checks-do-activity-based-checks/).

That said, it's nice to have cross-compatibility by fitting into their IPrincipal.IsInRole API (and thus being able to leverage the Authorize attribute).

So...what I do to compromise is have a full permission model in the DB with Users, Roles, and Permissions...but when my code sets the CurrentPrincipal I flatten the User's Roles and Permissions into the Roles collection of the IPrincipal. It's far from ideal...but IMHO it's a decent compromise. Others (Rockford Lhotka) have also taken this approach: http://www.lhotka.net/weblog/PermissionbasedAuthorizationVsRolebasedAuthorization.aspx

Jeff answered Sep 28 '22 07:09
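One way to do the flattening Jeff describes in ASP.NET Web Forms, as an added example that is not his code or Microsoft's: a custom IPrincipal whose role set holds both role names and permission names, a Global.asax hook that installs it after Forms Authentication validates the cookie, and a PrincipalPermission demand that gives the asker's method-level attribute through the existing .NET Framework API. FlattenedPrincipal, PermissionStore and its user/role/permission data are constructed for this example and stand in for the DB tables.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Permissions;
using System.Security.Principal;
using System.Web;

// Principal whose "roles" are the user's roles plus the permissions those roles grant.
public sealed class FlattenedPrincipal : IPrincipal
{
    private readonly HashSet<string> _grants;
    public IIdentity Identity { get; private set; }
    public FlattenedPrincipal(IIdentity identity, IEnumerable<string> roles, IEnumerable<string> permissions)
    {
        Identity = identity;
        _grants = new HashSet<string>(roles.Concat(permissions), StringComparer.Ordinal); // exact-match names
    }
    public bool IsInRole(string role) { return _grants.Contains(role); } // true for "Admin" and for "UserEdit"
}
// Constructed sample data standing in for the Users, Roles and Permissions tables.
public static class PermissionStore
{
    static readonly Dictionary<string, string[]> RolesOfUser = new Dictionary<string, string[]>
        { { "alice", new[] { "Admin" } }, { "bob", new[] { "Editor" } } };
    static readonly Dictionary<string, string[]> PermsOfRole = new Dictionary<string, string[]>
        { { "Admin", new[] { "UserEdit", "UserDelete" } }, { "Editor", new[] { "ArticleEdit" } } };
    public static FlattenedPrincipal Build(IIdentity identity)
    {
        string[] roles = RolesOfUser.ContainsKey(identity.Name) ? RolesOfUser[identity.Name] : new string[0];
        var perms = roles.SelectMany(r => PermsOfRole.ContainsKey(r) ? PermsOfRole[r] : new string[0]);
        return new FlattenedPrincipal(identity, roles, perms);
    }
}
// Global.asax.cs: replace the Forms Authentication principal once the cookie has been validated.
public partial class Global : HttpApplication
{
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        IPrincipal current = HttpContext.Current.User;
        if (current == null || !current.Identity.IsAuthenticated) return; // anonymous: leave as-is
        FlattenedPrincipal p = PermissionStore.Build(current.Identity);
        HttpContext.Current.User = p;                  // seen by Page.User and web.config <allow roles="UserEdit" />
        System.Threading.Thread.CurrentPrincipal = p;  // seen by [PrincipalPermission] demands such as the one below
    }
}
public class UserService
{
    // Method-level check: demands IsInRole("UserEdit") on the current principal, throws SecurityException otherwise.
    [PrincipalPermission(SecurityAction.Demand, Role = "UserEdit")]
    public void Save() { }
}
```

Because permission names live in the same namespace as role names, keep the two vocabularies distinct (for example a "Perm:" prefix) so a role named like a permission cannot be granted by accident; PrincipalPermission demands are a .NET Framework feature and are not honoured on .NET Core.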