Is the default authorization system in an ASP.NET application good enough?

Question

I'm learning ASP.NET MVC 3 to build a web application. I've followed a couple tutorials teaching the Entity framework, Razor, MVC, etc. One thing I can't find much about though is how to do authentication and authorization. In the tutorials I can find, it basically goes

Create an "Internet Application" project. The authorization system is already there so you don't need any code. Now use an ASP.NET settings panel to set up user roles and slap [Authorize] everywhere.

I understand the system it starts you off with is called ASP.NET Membership. Is it common to just stick with that for your authorization?

I've been using Code First to do models and databases -- is there a way I can create my own user models, have ASP.NET create the database, and use that for membership? How tough is it to customize user models (for example, if I want some user roles to have some information stored with their membership, but not others)?

Are there any tutorials that go through ASP.NET Membership in detail rather than just starting with whatever the project template spits out? For example, implementing it in an empty project?

Answer 1

You can extend the default membership behavior by adding a role provider which allows you to group users into one or more roles.

Furthermore you can extend the user's profile information to store additional information (although not specific to a role, so all profiles will have a slot for role-specific information). See this article by ScottGu for how to extend a profile: http://weblogs.asp.net/scottgu/archive/2005/10/18/427754.aspx.

Answer 2

It depends on the needs of your application. You will find the provided model has some limitations, but if you only need basic user/role management then it might suffice. Personally, I've always found it a bit too inflexible for my liking, but if it does what you need for the application your building, don't waste your time reinventing it.

Hope this helps.