Solution Architecture

While my primary goal in this appendix is to show you how to unify Windows Forms and ASP.NET 2.0 security, I also want to provide a general-purpose custom authentication and authorization infrastructure for Windows Forms. Such an infrastructure should not necessarily be coupled to ASP.NET 2.0 and should easily use any custom credentials store, such as an Access or LDAP database. The first step is to decouple the infrastructure from the actual credentials store by defining the IUserManager interface:

    public interface IUserManager
    {
       bool Authenticate(string applicationName,string userName,string password);
       bool IsInRole(string applicationName,string userName,string role);
       string[] GetRoles(string applicationName,string userName);
    }

The Authenticate() method is used to authenticate the specified user credentials against the credentials store. IsInRole() is used to authorize the user when using role-based security. IUserManager also provides the GetRoles() method, which returns all the roles a specified user is a member of. GetRoles() is useful when caching role membership, discussed later.
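
One way to back IUserManager with a custom credentials store, added here as an example (it is not code from the book). InMemoryUserManager, AddUser and the constants are hypothetical names; the sketch assumes .NET 6 or later, keeps salted PBKDF2 hashes instead of passwords, and compares them in constant time.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;

// Interface as defined on the page.
public interface IUserManager
{
   bool Authenticate(string applicationName,string userName,string password);
   bool IsInRole(string applicationName,string userName,string role);
   string[] GetRoles(string applicationName,string userName);
}

// Hypothetical in-memory credentials store (assumption: .NET 6 or later).
public sealed class InMemoryUserManager : IUserManager
{
   const int Iterations = 210_000, SaltSize = 16, HashSize = 32;
   sealed record Entry(byte[] Salt, byte[] Hash, string[] Roles);
   readonly Dictionary<(string App, string User), Entry> m_Users = new();
   // Used for unknown users so a lookup miss costs the same as a wrong password.
   static readonly byte[] s_DummySalt = new byte[SaltSize];

   static byte[] Derive(string password, byte[] salt) =>
      Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, HashSize);

   public void AddUser(string app, string user, string password, params string[] roles)
   {
      byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);   // fresh salt per user
      m_Users[(app, user)] = new Entry(salt, Derive(password, salt), roles);
   }

   public bool Authenticate(string applicationName, string userName, string password)
   {
      if (applicationName == null || userName == null || password == null) return false;
      bool known = m_Users.TryGetValue((applicationName, userName), out var e);
      byte[] actual = Derive(password, e?.Salt ?? s_DummySalt);
      byte[] expected = e?.Hash ?? new byte[HashSize];
      // Constant-time comparison; an unknown user always fails.
      return CryptographicOperations.FixedTimeEquals(actual, expected) && known;
   }

   // Returns a copy so a caller caching roles cannot mutate the store.
   public string[] GetRoles(string applicationName, string userName) =>
      m_Users.TryGetValue((applicationName, userName), out var e)
         ? (string[])e.Roles.Clone() : Array.Empty<string>();

   // Ordinal (case-sensitive) role match is a choice made for this sketch.
   public bool IsInRole(string applicationName, string userName, string role) =>
      GetRoles(applicationName, userName).Contains(role, StringComparer.Ordinal);
}
```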

Authenticate() is used by an abstract Windows Forms custom control called LoginControl. LoginControl is used similarly to its ASP.NET cousin—you add it (or rather, a subclass of it) to your Windows Forms application, and the LoginControl authenticates the caller. LoginControl obtains an implementation of IUserManager and authenticates using the Authenticate() method. If the user ...
