I am trying to find a good pattern to use for user access validation.

Basically on a webforms application I had a framework which used user roles to define access, i.e., users were assigned into roles, and "pages" were granted access to a page. I had a table in the database with all the pages listed in it. Pages could have child pages that got their access inherited from the parent.

When defining access, I assigned the roles access to the pages. Users in the role then had access to the pages. It is fairly simple to manage as well. The way I implemented this was on a base class that every page inherited. On pageload/init I would check the page url and validate access and act appropriately.

However, I am now working on an MVC application and need to implement something similar, but I can't find a good way to make my previous solution work, purely because I don't have static pages as URL paths. Also, I am not sure how best to approach this as I now have controllers rather than aspx pages.

I have looked at the MVCSitemapprovider, but that does not work off a database; it needs a sitemap file. I need control of changing user permissions on the fly.

Any thoughts/suggestions/pointers would be greatly appreciated.

+1  A: 

When you create an MVC application, not the blank website, there is a basic ASP.NET Membership provider included. That will do everything you are looking for, with little to no coding.

Here is MSDN:

Here is a CodePlex project that expands the functionality more than what was built in:

Dustin Laine
Thanks, but it does not give me dynamic ability to access/deny permissions at a lower level such as actions within controllers. Unless I am not understanding it correctly.

Your technique is easily accomplished by creating your own ActionFilter:

You can then apply this attribute to controllers or action methods and roll your own page security very easily.

using System.Web.Mvc;

public class MinmalSecurity : ActionFilterAttribute
{
    // Roles passed in where the attribute is applied
    private string _roles;
    public MinmalSecurity(string roles) { _roles = roles; }

    // Runs before the action method executes
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        // go to database, find permissions, redirect or proceed as necessary
    }
}

Thanks, I came across this today and did think it could help. Definitely something I will explore further.
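
The database-driven check sketched in the ActionFilter answer above, as an added example that is not part of the original thread. `IPermissionStore`, `InMemoryPermissionStore`, `DbPermissionAttribute` and the sample rows are hypothetical and constructed for illustration; an action-level row overrides the controller-level row, mirroring the parent/child page inheritance in the question, and a request with no matching row is denied.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.Mvc;

// Hypothetical abstraction over the permissions table; not part of ASP.NET MVC.
public interface IPermissionStore
{
    // Roles granted on "Controller" or "Controller/Action"; null when no row exists.
    ISet<string> RolesFor(string resource);
}

// Constructed in-memory stand-in for the database table.
public class InMemoryPermissionStore : IPermissionStore
{
    private readonly Dictionary<string, HashSet<string>> _rows =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        {
            { "Reports",        new HashSet<string> { "Staff", "Admin" } }, // controller-level grant
            { "Reports/Delete", new HashSet<string> { "Admin" } }           // action-level override
        };

    public ISet<string> RolesFor(string resource)
    {
        HashSet<string> roles;
        return _rows.TryGetValue(resource, out roles) ? roles : null;
    }
}

public class DbPermissionAttribute : ActionFilterAttribute
{
    // Assumption: replaced with a database-backed store at application start.
    public static IPermissionStore Store = new InMemoryPermissionStore();

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var user = filterContext.HttpContext.User;
        string controller = filterContext.ActionDescriptor.ControllerDescriptor.ControllerName;
        string action = filterContext.ActionDescriptor.ActionName;

        // The action row wins; otherwise the action inherits the controller row.
        var allowed = Store.RolesFor(controller + "/" + action) ?? Store.RolesFor(controller);

        if (user == null || !user.Identity.IsAuthenticated)
            filterContext.Result = new HttpUnauthorizedResult();   // 401: not logged in
        else if (allowed == null || !allowed.Any(user.IsInRole))
            filterContext.Result = new HttpStatusCodeResult(403);  // 403: no row or no matching role
    }
}
```

Because permissions are looked up on every request, changing a row in the store takes effect on the next request without redeploying. Applied to a base controller or registered as a global filter, the attribute covers every action, so a new controller stays denied until a row is added for it.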