I don't like the base page approach. To me it's too late for check the security stuff.
You can create your own HttpModule to check that, either storing the authorization information in a database/xml/... or reading it using reflection on the page.
The context.Handler will hold the class Page you are executing. Thus you can do something like this:
I copy a part of the code I use, it checks roles, public pages, skips the check for images and scripts (but you could do it as well):
// In the HttpModule:
public void context_PreRequestHandlerExecute(object sender, EventArgs e)
{
HttpContext context = HttpContext.Current;
// Don´t validate permissions if the user wasn´t allowed by the asp.net security
// Neighter the advanced (custom) permissions are validated for non ASPX files.
if (!context.Request.FilePath.EndsWith(".aspx") || !context.User.Identity.IsAuthenticated)
return;
// Give full access to the unathorized error page, and logins, and so on...
string pageClass = context.Handler.GetType().BaseType.FullName;
string param = context.Request["p"];
if (!string.IsNullOrEmpty(param))
pageClass += "@" + param;
if (SecurityService.IsFullTrustClass(pageClass))
return;
if (SecurityService.Context.CurrentPerson == null)
{
LogOff();
return;
}
// Verify access permissions for the current page
IList<Role> roles = SecurityService.Context.CurrentPerson.Roles;
bool allow = SecurityService.HasAccessPermission(pageClass, roles);
if (!allow)
{
LogOff();
}
}