This chapter covered a great deal of information regarding the new membership and profiling features introduced in ASP.NET 2.0. The "Solution" section contains surprisingly little code yet produces a complete membership system! We even managed to re-implement and extend the Security area of the ASP.NET Web Administration Tool. In addition, much of the code we've written is for HTML layout, which gives the pages a good appearance, but the code-behind code we've written is just over a hundred lines. I don't know about you, but I find this fact truly impressive! This was one of the primary goals of ASP.NET 2.0 — to dramatically reduce the amount of code developers need to write, and to add more functionality "out of the box."
One thing that can be improved upon is the fact that the membership module only supports users and roles, not individual permissions. It might be useful in some cases to define a list of permissions, associate them with a role, add users to the role, and then check for the presence of a permission from code, instead of just checking whether the user belongs to a role. This would give much finer granularity to the security settings, and is something that we did in the custom security module developed in the first edition of this book. However, while that level of security control is almost always required in large browser-based applications, it is overkill for many small-to-medium-sized web sites and unnecessarily complicates the code. By sticking with simple built-in role security we are able to completely meet our requirements, and we can do so with simpler code that is easier to test and deploy. If you decide that your particular application requires fine-grained control that can be enumerated in a list of permissions, you can extend the membership support by writing your own permissions module that links to the current users and roles.
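As an added illustration (not code from the book or from its first-edition security module), here is one minimal shape such a permissions module could take: permissions are attached to roles, and code asks for a permission rather than a role, denying by default. The `PermissionManager` class, the permission names and the role-to-permission table are hypothetical; the check relies only on `IPrincipal.IsInRole`, which the ASP.NET role manager backs for `HttpContext.Current.User` when it is enabled.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Hypothetical permissions layer; names below are illustrative, not from the book.
public static class PermissionManager
{
    // Constructed sample mapping: role name -> permissions granted to that role.
    // A real module would load this from the database alongside the role data.
    private static readonly Dictionary<string, string[]> RolePermissions =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "Administrators", new[] { "Articles.Edit", "Articles.Delete", "Users.Manage" } },
            { "Editors",        new[] { "Articles.Edit" } }
        };

    // True only if at least one of the user's roles grants the permission.
    // Unknown roles, unknown permissions and anonymous users are all denied.
    public static bool HasPermission(IPrincipal user, string permission)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;
        if (string.IsNullOrEmpty(permission))
            return false;

        foreach (KeyValuePair<string, string[]> entry in RolePermissions)
        {
            if (!user.IsInRole(entry.Key))
                continue;
            if (Array.IndexOf(entry.Value, permission) >= 0)
                return true;
        }
        return false;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed principals standing in for HttpContext.Current.User.
        IPrincipal editor = new GenericPrincipal(new GenericIdentity("alice"), new[] { "Editors" });
        IPrincipal anonymous = new GenericPrincipal(new GenericIdentity(""), new string[0]);

        Console.WriteLine(PermissionManager.HasPermission(editor, "Articles.Edit"));
        Console.WriteLine(PermissionManager.HasPermission(editor, "Articles.Delete"));
        Console.WriteLine(PermissionManager.HasPermission(anonymous, "Articles.Edit"));
    }
}
```

Because the check runs in code-behind on the server, it still has to be called on every postback that performs the protected action, not only when deciding whether to render the corresponding button or link.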