OK. First I strongly suggest that you don't hand-roll this. Getting security right is very hard, even for an experienced hand.
You can continue to use the default providers that were available in ASP.NET (forms) applications. The main difference is that in MVC3 it is better to secure the action methods in code rather than paths in the Web.config (for instance the action can be called from very different URLs, depending on your schema).
.Net comes with a default provider for Sql (and many other backing-stores). The database can be registered with aspnet_regsql, so you don't need to create your own schema. You can also subclass the default providers (or write your own) if you want something other than the default behaviour.
Here are some resources for "classic" asp.net:
http://weblogs.asp.net/scottgu/archive/2006/02/24/ASP.NET-2.0-Membership_2C00_-Roles_2C00_-Forms-Authentication_2C00_-and-Security-Resources-.aspx
ASP.NET Membership and Role Provider
You configure the membership and roles providers just as you would for a vanilla ASP.NET application, except for securing the paths. To secure an action method you decorate it with an Authorize attribute:
[Authorize(Roles="RoleNameHere")]
public ActionResult Foo()
{
    ....
}
Note that the Authorize attribute can also take Users="Usernamehere", and complex role trees can be built up if needed. Also your Razor if (User.IsInRole("delete role")) will work.
If you need to try this quickly, create a new MVC3 Internet application. Run aspnet_regsql against your database and configure your system to use that database. Detailed instructions can be found here.
[Edit]
Fixed a spelling mistake that was too egregious to ignore. I now need to check the word egregious in the dictionary.
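Putting the attribute-based approach from the answer into one controller, as an added example that is not part of the original answer or of any project it refers to. The controller name, namespace, role names ("Administrators", "Editors") and user name ("alice") are assumptions chosen for illustration; the attribute and result types are the standard System.Web.Mvc ones available in MVC3.

```csharp
// Added example (not from the original answer): an MVC3 controller secured
// with AuthorizeAttribute on the code rather than <location> paths in Web.config,
// so the rules hold no matter which route or URL reaches the action.
// Namespace, controller, role and user names below are assumptions.
using System.Web.Mvc;

namespace MyApp.Controllers
{
    // Class-level [Authorize]: every action requires an authenticated user.
    // An anonymous request yields a 401, which forms authentication turns into
    // a redirect to the configured login page.
    [Authorize]
    public class ArticlesController : Controller
    {
        // Any authenticated user may list articles.
        public ActionResult Index()
        {
            return View();
        }

        // Only members of the named role(s) may reach this action.
        // Roles is a comma-separated list and means "any of these roles";
        // the class-level requirement still applies as well.
        [Authorize(Roles = "Administrators,Editors")]
        public ActionResult Edit(int id)
        {
            return View();
        }

        // Restrict to a specific user name (also comma-separated if several).
        // When Users and Roles are both set on one attribute, both must match.
        [Authorize(Users = "alice")]
        public ActionResult Purge()
        {
            return RedirectToAction("Index");
        }

        // The same IsInRole check the answer shows in Razor also works inside
        // a controller, for decisions finer than allow/deny on a whole action.
        public ActionResult Delete(int id)
        {
            if (!User.IsInRole("Administrators"))
            {
                // 403 rather than 401: the caller is already authenticated, so
                // bouncing them back to the login page would be misleading.
                return new HttpStatusCodeResult(403);
            }

            // ...perform the delete here...
            return RedirectToAction("Index");
        }
    }
}
```

Because the checks live on the action methods, adding a second route that maps to Edit or Purge does not open a hole the way a forgotten <location> entry would; the attribute runs on every request that resolves to the action, whatever URL it came in on.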