Just a quick note to those who are testing the waters in the new .NET 2.0 framework. My initial reaction is that it is GREAT. Many new features exist and many old features have been reworked slightly so that the programmer can be more efficient. One great new feature is the ability to use an existing security schema provided by Microsoft. This can save you countless hours.
Prior to .NET, you had to roll your own authorization/authentication solution (generally using session variables). Starting with the first incarnation of .NET, Microsoft gave us the ability to plug in our own authentication code, mark a user object as logged in, and populate the roles (groups) that the user belonged to. From that point, you could set up your config files or your code to automate authorization to different areas. This simplified the process greatly. The only downside was that finer-grained control (down to specific records) was often required. This worked great to keep non-admin users out of the admin section, but if you wanted admins with varying rights, you were still stuck writing a large amount of code to facilitate this.
With the new release of .NET, you can use a pre-defined database schema as a starting point for your application's security. I don’t know if SQL Express comes with these tables and such already defined, but if you want to add these features to your application, you will probably need to run the aspnet_regsql.exe program (located in C:\Windows\Microsoft.Net\Framework\v2.0.50727 on my machine). When you run this command, you can point to the database you would like to set up. Note that you can use one database for ALL users for ALL applications if you so choose. Personally, I like to keep different apps separate as it makes the distribution easier (I write code for many clients and push the final products to their servers at a later date).
The aspnet_regsql.exe program adds many tables and stored procedures to your database which allow you to keep a list of users, their roles (groups), and other custom listings to be added later by you. With this, you have a great starting point for a secure, permission-based application. Just remember to run aspnet_regsql.exe.
I found this out the hard way after downloading one of the new starter kits for ASP.NET 2.0. The starter kit uses the integrated security and kept complaining about not being able to find aspnet_??? stored procedure. My first guess was that the app was built for SQLExpress (2k5) and I was using SQL 2000, but it turns out that it works just fine with 2000, you just have to run the aspnet_regsql.exe program.
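A web.config that wires an application to the tables and stored procedures aspnet_regsql.exe creates, and restricts an admin folder by role. This is an added example, not from the original post or the starter kit; the server, database, connection string, application, role and folder names are assumptions.

```xml
<?xml version="1.0"?>
<!-- Added example. Assumes the schema was installed with something like:
     aspnet_regsql.exe -S localhost -E -d ClientAppDb -A mr   (names are placeholders) -->
<configuration>
  <connectionStrings>
    <!-- Must point at the database aspnet_regsql.exe was run against -->
    <add name="AppSecurityDb"
         connectionString="Data Source=localhost;Initial Catalog=ClientAppDb;Integrated Security=True"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" timeout="30" requireSSL="true" />
    </authentication>
    <!-- applicationName scopes users and roles; set it explicitly when several apps share one database -->
    <membership defaultProvider="SqlMembership">
      <providers>
        <clear />
        <add name="SqlMembership"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="AppSecurityDb"
             applicationName="ClientApp"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             minRequiredPasswordLength="8"
             maxInvalidPasswordAttempts="5" />
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="SqlRoles">
      <providers>
        <clear />
        <add name="SqlRoles"
             type="System.Web.Security.SqlRoleProvider"
             connectionStringName="AppSecurityDb"
             applicationName="ClientApp" />
      </providers>
    </roleManager>
  </system.web>
  <!-- Rules are evaluated top down: allow the Admin role, then deny everyone else -->
  <location path="admin">
    <system.web>
      <authorization>
        <allow roles="Admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

If the membership and role providers use different applicationName values, or the value is left to default, users created by one deployment will not be visible to another even though they share the same tables.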
Computer Magic And Software Design