How to handle authentication/authorisation in a web application

Question

I am building an intranet website. And I am still unsure of how to implement the security of the website. I am using ASP.NET MVC 3.

Anyone in the company can access the website. It is a recognition system where you can nominate an employee for an award. Currently I am not using any type of authentication. I have a roles table that contains roles and an association table that specifies which user contain what roles, these roles are mainly administrator-type roles. If a user does belong in these roles then he/she can still access various parts of the website.

Would I need to use the built-in membership for this? Or would I need to create a custom membership for this? We don't use a login page. If the user does not have roles to access a view then he/she is redirected to another page.

We use IIS to do our authentication. Is this the same as Windows authentication? I have the roles table used for authorisation.

I'm just a little confused at the moment, I am hoping someone can give me some more clarity.

Answer 1

You can very well use ASP.Net MembershipProvider and RoleProvider for this

For tutorials on how to use them you should look at Videos at asp.net .

Here's a walk-through at MSDN

Answer 2

This blog post by Scott Guthrie might help:

Recipe: Enabling Windows Authentication within an Intranet ASP.NET Web application

For Intranet web applications, the most common authentication scenario to use is called Windows Authentication. Windows Authentication avoids the need to create a login form within an application, and does not require end-users to manually enter their username/password credentials to login to the application. Instead, ASP.NET and IIS can automatically retrieve and validate the Windows username of the end-user visiting the site in a secure way