I have a small web site I was looking into converting to ASP.NET 2.0 for various reasons *cough resume cough couh* however due to environmental restrictions (corporate politics, not EPA) I have to use MySQL as the data store, and there is an existing schema which is absolutely nothing like the schema the default ASP providers use.  This provided the perfect excuse to dig into some internals and see about providing some Providers. 

Why would one go through the trouble of implementing these interfaces?  First, as you'll see, its pretty easy.  Second, by doing this you can still use all the great plumbing for role-based security and the "Login" and "User" family of controls that ship with ASP 2.  By looking through my machine.config I can see that I'll need to create and configure instances of two abstract classes: System.Web.Security.MembershipProvider and System.Web.Security.RoleProvider.   There are some intermediate classes you could choose to inherit from like SqlMembershipProvider that might save you some time but in my case it seemed quick enough to start at the base class.  Intellisense and the compiler will tell you what methods you need to override.  For example, MembershipProvider requires an implementation for ValidateUser such as:

public override bool ValidateUser(string username, string password)
{
bool valid = false;
EmployeeDataAccess dao = new EmployeeDataAccess();
Employee e = dao.FindByLoginAndPassword(username, password);
...

Simple enough.  If you decide to do this, you may wish to set some breakpoints in methods like RoleProvider.GetRolesForUser and run through your app. 

public override string[] GetRolesForUser(string username)
{
SecurityDataAccess dao = new SecurityDataAccess();
List<string> roles = dao.GetRolesForUser(username);
return roles.ToArray();
}

In my case there is a small performance hit for running this method.  ASP calls this method to validate your access to pages, proces any LoginView controls trim asp:Menu items if you have securityTrimming enabled, and user code could always call Page.User.IsUserInRole("");   sliding expiration in the ASP.NET cache is a good idea here.  Finally, you just need to tell your web application to use your custom providers.  Supposing my security data store is called "IDMS" and my classes are named accordingly, here are my web.config settings:

<membership defaultProvider="IDMSMembershipProvider">

<providers>

<add name="IDMSMembershipProvider"

type="IDMSMembershipProvider"

requiresQuestionAndAnswer="false"/>

</providers>

</membership>

<roleManager enabled="true" defaultProvider="IDMSRoleProvider">

<providers >

<clear/>

<add name="IDMSRoleProvider" type="IDMSRoleProvider" />

</providers>

</roleManager>

So, as you can see, its easy to implement classes to plug into Asp.NET security.