User authentication and authorisation in ASP.NET MVC [closed]

Question

What is the best method for user authorisation/authentication in ASP.NET MVC?

I see there are really two approaches:

• Use the built-in ASP.NET authorisation system.
• Use a custom system with my own User, Permission, UserGroup tables etc.

I'd prefer the second option, because User is part of my domain model (and I have zero experience with ASP.NET's built-in stuff), but I'd really like to hear what people have been doing in this area.

Answer 1

There is actually a third approach. The asp.net membership functionality is based on the provider model. You can write a custom provider, thus being able to provide your own implementation for how the data is stored, but retaining much of the benefit of asp.net membership.

Some articles on the subject:

http://msdn.microsoft.com/en-us/library/f1kyba5e.aspx

http://www.asp.net/learn/videos/video-189.aspx

http://www.15seconds.com/issue/050216.htm

http://davidhayden.com/blog/dave/archive/2007/10/11/CreateCustomMembershipProviderASPNETWebsiteSecurity.aspx

Answer 2

Go with custom. MembershipProvider is way too heavy for my tastes. Yes it's possible to implement it in a simplified way, but then you get a really bad smell of NotSupportedException or NotImplementedException.

With a totally custom implementation you can still use IPrincipal, IIdentity and FormsAuth. And really how hard is it do your own login page and such?