+1  Q: 

.Net and Security

I'm looking over my security model and am wondering how you handle security (access control) in your projects?

I'm not interested in simple winapps or webapps, but in n-tier applications. How do you control access? Do you do it in each tier, or only in the User/Service frontends? Are you using a homebrewed solution or are there any standard ways? Are you using IPrincipal and IIdentity, in that case: How?

Lots of questions. Answer those that apply to you. All answers are most welcome.

A: 

You can start by learning Forms & Windows Authentication in ASP.NET. Everything else follows.

Martin Ongtangco
+2  A: 

Do you do it in each tier, or only in the User/Service frontends

Authentication (authN) and/or authorization (authZ) should be done "nearest" to the resources, which means that you must do authN and authZ on each layer; this is in line with a defense-in-depth strategy. Always assume the "caller" has been compromised, so you need to verify and validate the identity of the caller.

Are you using a homebrewed solution or are there any standard ways?

It is usually a good idea to follow standard ways, unless you are certain about the robustness of your homegrown solution; the same applies to encryption.

Are you using IPrincipal and IIdentity, in that case: How?

If it is totally a Windows environment, yes, using IPrincipal and IIdentity makes sense. The "how" part is tricky; just look at MSDN samples. You can extend IPrincipal and IIdentity to implement your own authN and authZ in the case of a non-homogeneous (non-Windows) network.

Good luck!

Gaurav Kumar
What standard ways are there?
jgauffin
It depends on the type of resource you are trying to control access to. For example, if you want to authenticate an end user to a web app, you can use Forms Authentication. If you are authenticating an automated system (like a web service client), you can use Client Certificate authentication. For an intranet scenario, you can use Windows authentication.
Gaurav Kumar
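The answer above makes two points worth seeing in code: extend IPrincipal and IIdentity with your own implementations, and re-check authN and authZ in each tier rather than trusting the frontend. The following C# program is an added example written for this page; it is not code from the answerer or from any specific project. The type names (AppIdentity, AppPrincipal, OrderService), the role name "OrderApprover" and the RunAs helper that stands in for the frontend's authentication step are all assumed for illustration. The service tier reads Thread.CurrentPrincipal and rejects unauthenticated callers and callers without the required role, regardless of what the caller's tier did.

```csharp
using System;
using System.Collections.Generic;
using System.Security;
using System.Security.Principal;
using System.Threading;

// Hypothetical custom identity: carries the caller's name and how it was authenticated.
public sealed class AppIdentity : IIdentity
{
    public AppIdentity(string name, string authenticationType)
    {
        Name = name;
        AuthenticationType = authenticationType;
        // An empty name models an anonymous (unauthenticated) caller.
        IsAuthenticated = !string.IsNullOrEmpty(name);
    }
    public string Name { get; }
    public string AuthenticationType { get; }
    public bool IsAuthenticated { get; }
}

// Hypothetical custom principal: an identity plus the application roles it holds.
public sealed class AppPrincipal : IPrincipal
{
    private readonly HashSet<string> roles;
    public AppPrincipal(IIdentity identity, IEnumerable<string> roles)
    {
        Identity = identity;
        this.roles = new HashSet<string>(roles, StringComparer.OrdinalIgnoreCase);
    }
    public IIdentity Identity { get; }
    public bool IsInRole(string role) => roles.Contains(role);
}

// Business (service) tier: performs its own authN/authZ checks instead of
// assuming the UI or service frontend already did so (defense in depth).
public sealed class OrderService
{
    public string ApproveOrder(int orderId)
    {
        IPrincipal principal = Thread.CurrentPrincipal;
        if (principal?.Identity == null || !principal.Identity.IsAuthenticated)
            throw new SecurityException("Caller is not authenticated.");
        if (!principal.IsInRole("OrderApprover"))
            throw new SecurityException(
                $"'{principal.Identity.Name}' lacks the OrderApprover role.");
        return $"Order {orderId} approved by {principal.Identity.Name}";
    }
}

public static class Program
{
    // Stands in for the frontend establishing the caller's principal on this thread.
    // In a real application the principal would come from Forms or Windows
    // authentication, or from a validated client certificate.
    static void RunAs(string user, string[] roles, Action work)
    {
        IPrincipal previous = Thread.CurrentPrincipal;
        Thread.CurrentPrincipal = new AppPrincipal(new AppIdentity(user, "Forms"), roles);
        try { work(); }
        finally { Thread.CurrentPrincipal = previous; }
    }

    static void TryApprove(OrderService service, int orderId)
    {
        try { Console.WriteLine(service.ApproveOrder(orderId)); }
        catch (SecurityException ex) { Console.WriteLine("Denied: " + ex.Message); }
    }

    public static void Main()
    {
        var service = new OrderService();

        // Constructed sample callers: one holding the role, one without it, one anonymous.
        RunAs("alice", new[] { "OrderApprover" }, () => TryApprove(service, 42));
        RunAs("bob", new[] { "OrderViewer" }, () => TryApprove(service, 42));
        RunAs("", new string[0], () => TryApprove(service, 42));
    }
}
```

Running this prints one approval for alice and two "Denied" lines: bob is authenticated but not in the role, and the anonymous caller fails the IsAuthenticated check before any role is consulted. The point is that OrderService would behave the same if it were called from a different frontend, or from a compromised one, because the check lives next to the resource it protects.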