In most scenarios, application security can be accomplished using a 'role based' approach. Microsoft's membership provider model (I am not going to describe it here; there is plenty of material online about the membership provider) was good in this respect.
Many applications have been built successfully on this provider. Recent .NET releases have taken a slightly different approach with respect to what this built-in provider offers (see the links below). From my experience building many applications,
I feel that what is offered in .NET 4.0/4.5 is not enough.
This project was created to abstract the security requirements for all kinds of applications. In addition to roles, claims are also introduced (without the complexity that usually surrounds them). An effort is also made to support multi-tenancy.
USEFUL LINKS AND BACKGROUND
SimpleMembership, Membership Providers, Universal Providers and the new ASP.NET 4.5 Web Forms and ASP.NET MVC 4 templates
Think twice about using MembershipProvider (and SimpleMembership)
The solution is built using the following technology and tools:
1. Microsoft .NET 4.0/4.5
2. Microsoft Entity Framework 5.0
3. Microsoft Visual Studio 2012
4. Microsoft ASP.NET MVC 4.0 for management application UI
5. Microsoft ASP.NET MVC 4.0 WebAPI to support REST interface
6. SQL Server 2012 (Express and above)
7. SQL Server Database tools (SSDT) to manage the database objects in VS 2012/TFS 2012
8. Kendo UI Controls (This is not an advertisement for Telerik. I chose it because I can quickly build what I need. Personally I am a big fan of Telerik controls. The main focus of this project is a good application security design, not the UI).
This is an early draft of our data model. As you can see, I am using Microsoft's Entity Framework. The important thing to notice is that the new design bridges the best of both worlds. The membership provider pattern is a very useful pattern that has
worked for many years in many applications. Instead of using all the tables that come with ASPNETDB, I have created a single table called
EnterpriseUser. It is used to provide the same provider interface that is already used by many web applications. Things take a turn for the better with the availability of a
more powerful concrete implementation of IPrincipal. Through it, you get access to the enterprise (tenant), claims, etc. in addition to roles.
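To make the design above concrete, here is an added illustration (not code from this project) of how an EnterpriseUser record can be turned into a custom IPrincipal that answers the familiar IsInRole question while also exposing the enterprise (tenant) id and claims. The class and member names (EnterpriseUser, EnterprisePrincipal, HasClaim, CanAccessEnterprise, EnterprisePrincipalFactory) and the column set are assumptions for the example; the project's real entity and principal may differ.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Assumed shape of the EnterpriseUser entity. Only the columns an
// authorization decision needs are shown.
public class EnterpriseUser
{
    public int UserId { get; set; }
    public int EnterpriseId { get; set; }                  // tenant the user belongs to
    public string UserName { get; set; }
    public bool IsLockedOut { get; set; }
    public List<string> Roles { get; set; }                // e.g. "Manager"
    public Dictionary<string, string> Claims { get; set; } // e.g. "Department" -> "Finance"
}

// Assumed IPrincipal implementation: existing code that calls
// User.IsInRole (or [Authorize(Roles = "...")]) keeps working, while new
// code can ask for the tenant and for claims. The principal is immutable
// after construction so a request cannot alter its own privileges.
public class EnterprisePrincipal : IPrincipal
{
    private readonly HashSet<string> _roles;
    private readonly Dictionary<string, string> _claims;

    public EnterprisePrincipal(EnterpriseUser user)
    {
        if (user == null) throw new ArgumentNullException("user");
        Identity = new GenericIdentity(user.UserName, "EnterpriseUser");
        EnterpriseId = user.EnterpriseId;
        _roles = new HashSet<string>(user.Roles ?? new List<string>(),
                                     StringComparer.OrdinalIgnoreCase);
        _claims = new Dictionary<string, string>(user.Claims ?? new Dictionary<string, string>(),
                                                 StringComparer.OrdinalIgnoreCase);
    }

    public IIdentity Identity { get; private set; }
    public int EnterpriseId { get; private set; }

    // Standard IPrincipal member; role names are compared case-insensitively.
    public bool IsInRole(string role)
    {
        return role != null && _roles.Contains(role);
    }

    // A claim is a typed name/value pair; both parts must match.
    public bool HasClaim(string type, string value)
    {
        string actual;
        return type != null
            && _claims.TryGetValue(type, out actual)
            && string.Equals(actual, value, StringComparison.OrdinalIgnoreCase);
    }

    // Multi-tenancy check: the tenant id comes from the authenticated
    // principal, never from a request parameter the caller controls.
    public bool CanAccessEnterprise(int resourceEnterpriseId)
    {
        return resourceEnterpriseId == EnterpriseId;
    }
}

// Assumed factory used after authentication succeeds. A locked-out
// user yields no principal at all, so the check fails closed.
public static class EnterprisePrincipalFactory
{
    public static EnterprisePrincipal Create(EnterpriseUser user)
    {
        if (user == null || user.IsLockedOut) return null;
        return new EnterprisePrincipal(user);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample record; not real data.
        var user = new EnterpriseUser
        {
            UserId = 42,
            EnterpriseId = 7,
            UserName = "alice",
            IsLockedOut = false,
            Roles = new List<string> { "Manager" },
            Claims = new Dictionary<string, string> { { "Department", "Finance" } }
        };

        var principal = EnterprisePrincipalFactory.Create(user);
        Console.WriteLine(principal.IsInRole("manager"));            // True
        Console.WriteLine(principal.IsInRole("Administrator"));      // False
        Console.WriteLine(principal.HasClaim("Department", "Finance")); // True
        Console.WriteLine(principal.CanAccessEnterprise(7));         // True
        Console.WriteLine(principal.CanAccessEnterprise(8));         // False, other tenant
    }
}
```

In an MVC or Web API host the factory would run once per request (for example from an authentication module) and the resulting principal would be assigned to HttpContext.User, so every later role, claim or tenant check reads from the same authenticated object rather than from anything the request supplied.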