I'm trying to figure out the best approach to implement a completely custom membership system in MVC. Before I go any further I should state that I do not want to extend or derive from the existing membership provider models. Their design simply does not fit my needs.
Some quick facts about the architecture I'm working with:
- The main entry point to the application is an MVC 4 web app that acts as a web portal.
- Several separate Web APIs sit in a service layer for the portal app.
- One of the services will be dedicated to handling the heavy lifting for authentication.
My first thought was to create a custom controller base class that all controllers requiring authentication would inherit from, which would handle authentication logic (calls to the service, etc). After much consideration and reading, I decided this would be an inappropriate approach as it would add coupling that could be a problem in the future.
After digging around for possible approaches, I'm getting the impression that the better way to do what I need to do would be to create a custom action filter attribute that would handle the authentication calls, etc.
I read that authorization must take place after output caching to ensure that sensitive pages are not cached, and I could either inherit from the AuthorizeAttribute so it handles it for me OR make sure that I handle it myself (I snooped through the MVC source code to see how it works in the AuthorizeAttribute class).
Am I on the right path with this idea or is there another way that would suit my needs better?
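
The second option raised in the question (inheriting from AuthorizeAttribute so its output-cache handling is kept), as an added example that is not part of the original post. `IAuthenticationService`, the `portal_auth` cookie name and the `Account/Login` route are hypothetical, and the service is assumed to be registered with the MVC dependency resolver.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;

// Hypothetical abstraction over the dedicated authentication Web API.
public interface IAuthenticationService
{
    bool ValidateToken(string token);
}

public class ServiceAuthorizeAttribute : AuthorizeAttribute
{
    private const string TokenCookieName = "portal_auth"; // assumed cookie name

    // The base class calls this from OnAuthorization and again from the
    // output-cache validation callback it registers, so a cached page is only
    // served after this check passes. It may depend only on the HttpContext
    // and must be safe to run concurrently.
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null) throw new ArgumentNullException("httpContext");

        HttpCookie cookie = httpContext.Request.Cookies[TokenCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return false;

        try
        {
            var service = DependencyResolver.Current.GetService<IAuthenticationService>();
            return service != null && service.ValidateToken(cookie.Value);
        }
        catch (Exception)
        {
            return false; // fail closed if the authentication service is unreachable
        }
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.Request.IsAjaxRequest())
        {
            filterContext.Result = new HttpUnauthorizedResult(); // plain 401 for script callers
            return;
        }
        filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary
        {
            { "controller", "Account" }, { "action", "Login" }, // hypothetical login route
            { "returnUrl", filterContext.HttpContext.Request.RawUrl }
        });
    }
}
```

Because only `AuthorizeCore` and `HandleUnauthorizedRequest` are overridden, the base `OnAuthorization` still registers the cache validation callback. The login action should check `returnUrl` with `Url.IsLocalUrl` before redirecting to it.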