Web Server

TH05 Role-Based Security Stinks: How to Implement Better Authorization in ASP.NET and ASP.NET Core

10/19/2017

9:30am - 10:45am

Level: Advanced

Benjamin Day

Consultant & Trainer

Benjamin Day Consulting, Inc.

In .NET, if your user permissions are simple, you're in luck. Access the IPrincipal for the current user, call IsInRole(), and you're done in about three lines of code. It works great – until it doesn't and then you're hosed. When your application's user permissions model starts getting complicated, you'll instantly run into problems with .NET's role-based security. The good thing is it's not that hard to write your own custom authorization system.

This session will start by discussing role-based security and what its limits are in a typical ASP.NET or WebAPI application. From there, it will cover going "off road" to talk about how to design, build, and test custom authorization schemes that handle more complex authorization scenarios. Along the way, you'll learn how to handle tricky details like user administration, creating arbitrary logical groupings of items and users, load testing your security code, and (most importantly) how to make all this code maintainable in the long term.
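As an added illustration of the gap the abstract describes (this is example code written for this page, not code from the session or the speaker), the following C# program contrasts the three-line `IsInRole()` check with a small custom `IPrincipal` that answers resource-scoped questions. The `Permission` and `PermissionPrincipal` types and the `Can()` method are assumed names for the illustration; `IPrincipal`, `IIdentity`, `GenericIdentity` and `Thread.CurrentPrincipal` are the real .NET types.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
using System.Threading;

// Hypothetical permission model: an action on one resource instance, e.g. "Edit" on Project "alpha".
// ResourceId "*" means the grant covers every resource of that type.
public sealed class Permission
{
    public string Action { get; }
    public string ResourceType { get; }
    public string ResourceId { get; }

    public Permission(string action, string resourceType, string resourceId)
    {
        Action = action ?? throw new ArgumentNullException(nameof(action));
        ResourceType = resourceType ?? throw new ArgumentNullException(nameof(resourceType));
        ResourceId = resourceId ?? throw new ArgumentNullException(nameof(resourceId));
    }

    public bool Covers(string action, string resourceType, string resourceId) =>
        string.Equals(Action, action, StringComparison.OrdinalIgnoreCase)
        && string.Equals(ResourceType, resourceType, StringComparison.OrdinalIgnoreCase)
        && (ResourceId == "*" || string.Equals(ResourceId, resourceId, StringComparison.Ordinal));
}

// Custom IPrincipal (assumed name): keeps IsInRole() so existing role checks still work,
// and adds Can() for per-resource decisions that a flat role list cannot express.
public sealed class PermissionPrincipal : IPrincipal
{
    private readonly HashSet<string> _roles;
    private readonly IReadOnlyList<Permission> _permissions;

    public IIdentity Identity { get; }

    public PermissionPrincipal(IIdentity identity, IEnumerable<string> roles, IEnumerable<Permission> permissions)
    {
        Identity = identity ?? throw new ArgumentNullException(nameof(identity));
        _roles = new HashSet<string>(roles ?? Array.Empty<string>(), StringComparer.OrdinalIgnoreCase);
        _permissions = (permissions ?? Array.Empty<Permission>()).ToList();
    }

    // Role check only succeeds for an authenticated identity.
    public bool IsInRole(string role) => Identity.IsAuthenticated && _roles.Contains(role);

    // Deny by default: an unauthenticated identity or no matching grant means "no".
    public bool Can(string action, string resourceType, string resourceId) =>
        Identity.IsAuthenticated && _permissions.Any(p => p.Covers(action, resourceType, resourceId));
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample user: in the "Editor" role globally, but may edit project "alpha" only
        // and view every project.
        var alice = new PermissionPrincipal(
            new GenericIdentity("alice"),
            new[] { "Editor" },
            new[] { new Permission("Edit", "Project", "alpha"), new Permission("View", "Project", "*") });

        // Role-based answer: any Editor may edit any project, which is too coarse.
        Console.WriteLine($"IsInRole(Editor):        {alice.IsInRole("Editor")}");

        // Resource-scoped answers, decided per project.
        Console.WriteLine($"Can Edit Project alpha:  {alice.Can("Edit", "Project", "alpha")}");
        Console.WriteLine($"Can Edit Project beta:   {alice.Can("Edit", "Project", "beta")}");
        Console.WriteLine($"Can View Project beta:   {alice.Can("View", "Project", "beta")}");

        // An anonymous identity (empty name) gets nothing, even if a role was attached to it by mistake.
        var anon = new PermissionPrincipal(new GenericIdentity(""), new[] { "Editor" }, Array.Empty<Permission>());
        Console.WriteLine($"Anonymous IsInRole:      {anon.IsInRole("Editor")}");

        // Installing the principal on the thread keeps legacy IsInRole() callers working unchanged.
        Thread.CurrentPrincipal = alice;
        Console.WriteLine($"Thread principal Editor: {Thread.CurrentPrincipal.IsInRole("Editor")}");
    }
}
```

Two design points matter for maintainability: the custom principal still implements `IsInRole()`, so code and attributes that already rely on roles keep working while new code moves to resource-scoped checks, and every decision path denies by default when the identity is unauthenticated or no grant matches, so a missing row in the permission store never becomes an accidental grant.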

You will learn:

  • About IIdentity, IPrincipal, and role-based security
  • About claims-based authentication
  • How to implement a custom IPrincipal
  • How to implement a generic maintainable authorization system for an ASP.NET MVC & WebAPI app
  • How it all changes with ASP.NET Core