Role-based authentication is nice when you can partition pages based on a role, but you can rarely make this kind of authentication seamless. Suppose, you want to set up pages that can only be run by someone in a manager role. Obviously you can group the pages into a separate Web resource collection and specify a role name of manager in the <auth-config> tag for the collection. The problem is determining where to put the links to the manager-only pages.
If you put them on a page that everyone can access, the nonmanager users might click the link and see an error page. Although this mechanism does secure your application, it doesn't make it pretty.
A user should never see an error page as part of the ...