asp.net-mvc authentication authorization db4o turbine

Am I wrong in wanting to roll my own Authenticate / Authorize system given the following requirements?


In my pet project I want to have a user system with the following requirements:

  • It needs to work with Db4o as a persistence model
  • I want to use DI (by means of Turbine) to deliver the needed dependencies to my user model
  • It needs to be easy to plug in to asp.net-mvc
  • It needs to be testable without much hassle
  • It needs to support anonymous users much like SO does
  • I want Authentication and Authorization separated (the first can live without the second)
  • It needs to be safe

I'm aware I'm putting a few technologies before functionalities here, but as it is a pet project and I want to learn some new stuff I think it is reasonable to include them as requirements.

Halfway in rolling my own I realized I am probably suffering some NIH syndrome.
As I don't really like how needlessly complex the existing user framework in asp.net is, it is actually mostly only all the more complicated stuff regarding security that's now giving me some doubts. Would it be defendable to go on and roll my own? If not, how would you go about fulfilling all the above requirements with the existing IPrincipal based framework?


Solution

  • It sounds to me like what you want to do is roll your own Custom .NET Membership Provider.

    It will allow you to use the built-in ASP.NET Authentication/Authorization attributes on your Controller Actions while giving you complete control over the implementation inside the provider (which will allow you to code it to meet the requirements stated above).

    Direct from MSDN...

    Implementing a Membership Provider
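
An added example, not part of the answer above or of the MSDN material: the credential check of a custom provider, which is where the "needs to be safe" requirement lands. `IUserStore`, `StoredCredential` and `StoreBackedMembershipProvider` are hypothetical names, and salted PBKDF2 through `Rfc2898DeriveBytes` is an assumed hashing scheme.

```csharp
using System.Security.Cryptography;
using System.Web.Security;

// Hypothetical storage types (could be backed by Db4o); not ASP.NET types.
public sealed class StoredCredential
{
    public byte[] Salt;      // random per-user salt, at least 8 bytes
    public byte[] Hash;      // PBKDF2 output saved at registration
    public int Iterations;   // work factor saved with the hash
}

public interface IUserStore
{
    StoredCredential FindByName(string username); // null when the user is unknown
}

// Abstract on purpose: only the credential check is shown. A concrete provider
// must still override MembershipProvider's other abstract members.
public abstract class StoreBackedMembershipProvider : MembershipProvider
{
    // Constructed fallback so unknown users cost the same work as known ones.
    private static readonly StoredCredential Dummy = new StoredCredential
    {
        Salt = new byte[16], Hash = new byte[32], Iterations = 100000
    };

    // How the store is resolved (for example from the DI container) is left to the subclass.
    protected abstract IUserStore Store { get; }

    public override bool ValidateUser(string username, string password)
    {
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password)) return false;
        StoredCredential found = Store.FindByName(username);
        StoredCredential c = found ?? Dummy;
        var kdf = new Rfc2898DeriveBytes(password, c.Salt, c.Iterations);
        byte[] candidate = kdf.GetBytes(c.Hash.Length);
        // Non-short-circuit '&' so the comparison runs for unknown users too.
        return FixedTimeEquals(candidate, c.Hash) & (found != null);
    }

    // Compares every byte regardless of where the first mismatch occurs.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Because `Store` is an abstract property, a unit test can subclass the provider with an in-memory `IUserStore` and exercise `ValidateUser` without Db4o or a web context.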