- Yes, you got it right (IMO it’s safer and simpler to implement a custom membership provider, but it’s your choice)
- Yes, it’s correct
- You do it right
- You inherit the Roles property from the AuthorizeAttribute base class and you check in your implementation if the user is in the role.
Edit: a little more on the roles thing.

If you have

    [SharweAuthorize(Roles="MyRole")]

then you can check the Roles property in the AuthorizeCore method:

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Only a request that carries a valid user session can be authorized
        if (SessionManager.CheckSession(SessionKeys.User) == true)
        {
            // Roles is inherited from AuthorizeAttribute; here Roles == "MyRole"
            if (SessionManager.CheckUserIsInRole(Roles))
                return true;
        }
        // Deny by default
        return false;
    }
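The Roles string set on an AuthorizeAttribute is a comma-separated list, so an attribute such as `Roles="Admin, Editor"` reaches AuthorizeCore as one string and has to be split before it is compared. The following is an added example, not part of the original answer or the asker's code: the class name, the session keys `"User"` and `"UserRoles"`, and the storage of roles as a `string[]` in session state are all assumptions.

```csharp
using System;
using System.Linq;
using System.Web;
using System.Web.Mvc;

// Added example: a session-backed authorize attribute that honours
// comma-separated Roles. Session keys and role storage are assumptions.
public class SessionRoleAuthorizeAttribute : AuthorizeAttribute
{
    private const string UserKey = "User";        // hypothetical session key
    private const string RolesKey = "UserRoles";  // hypothetical key, holds string[]

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null)
            throw new ArgumentNullException("httpContext");

        // Session state disabled, expired, or no logged-in user: deny.
        HttpSessionStateBase session = httpContext.Session;
        if (session == null || session[UserKey] == null)
            return false;

        // Roles is the raw string from the attribute, e.g. "Admin, Editor".
        string[] required = (Roles ?? string.Empty)
            .Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)
            .Select(r => r.Trim())
            .Where(r => r.Length > 0)
            .ToArray();

        // No Roles on the attribute: any logged-in user passes,
        // which matches the behaviour of the base attribute.
        if (required.Length == 0)
            return true;

        // Roles come from server-side session state, never from the request.
        var granted = session[RolesKey] as string[];
        if (granted == null)
            return false;

        // One matching role is enough. The comparison here is exact
        // (ordinal, case-sensitive); that choice is part of this example.
        return required.Any(r => granted.Contains(r, StringComparer.Ordinal));
    }
}
```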