Setting up authentication is only part of the job. We also have to implement authorization so that ASP.NET knows what a user can do once they have been authenticated. The technique required for this differs between the MVC framework and other ASP.NET applications. I describe both in the sections that follow.
To make demonstrating authorization simpler, I have created some credentials in the Web.config file of the MVC framework and Web Forms triathlon applications (both follow the same format for this because both rely on the same core ASP.NET authentication feature). Listing 34-4 shows the additions I have made.
Listing 34-4. Defining credentials in Web.config
<authentication mode="Forms"> <forms ...