Monday, June 25, 2007

RolesProvider

Authorization settings in ASP.NET 2.0 are simplified by the ASP.NET Web Site Administration Tool.
The RoleProvider class is the base class for all role providers and defines the contract that every ASP.NET 2.0 role provider must honour. The class includes methods to create and delete roles, to add and remove users in a role, and to check the role membership for a given user.
If you want to programmatically interact with the role provider, use the Roles class from the System.Web.Security namespace. The static Roles class provides methods and properties that forward calls to the currently configured role provider.
Each role provider retrieves and stores role information from a different data source.
The role providers packaged in System.Web.dll include the SqlRoleProvider, which stores roles in a SQL Server database.
The WindowsTokenRoleProvider retrieves role information from a user’s group membership in Windows.
The role manager in ASP.NET is off by default. You can turn on the role manager on the security tab of the web administration tool, which will add the following to the application's web.config file.
We can restrict locations of the web application to specific roles using settings in web.config.

What's in a MembershipProvider

The SqlMembershipProvider supports three formats for storing passwords: Hashed (the default and most secure format), Encrypted, and Clear. The passwordFormat property specifies how the provider will store passwords, and will impact a number of other membership features.
The enablePasswordRetrieval option determines if the provider will return a user’s password with the GetPassword method.
The enablePasswordReset property controls the ResetPassword API. ResetPassword will assign a new, generated password to a user. The PasswordRecovery control can automatically email the new password to a user. It's good practice to set the requiresQuestionAndAnswer property to true to prevent a malicious user from resetting someone else's password. A value of true means the user has to provide the answer to a security question before resetting their password.
The minRequiredPasswordLength and minRequiredNonalphanumericCharacters prevent users from choosing a password like “abc”. If you have additional requirements, you can use the passwordStrengthRegularExpression property to force the password to pass a regular expression test.
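The following web.config is an added example, not a configuration file from the original post. It shows the roleManager element the web administration tool enables, a location-based authorization rule for a folder, and a SqlMembershipProvider whose attributes correspond to the properties described above. The connection string name, provider names, the "Admin" folder, the "Administrators" role and the password regular expression are assumed values chosen for the example.

```xml
<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <!-- assumed connection string; aspnetdb is the schema aspnet_regsql.exe creates -->
    <add name="MembershipDb"
         connectionString="Server=.\SQLEXPRESS;Database=aspnetdb;Integrated Security=True"
         providerName="System.Data.SqlClient" />
  </connectionStrings>

  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" />
    </authentication>

    <!-- Role manager is off by default; this is what the administration tool turns on -->
    <roleManager enabled="true" defaultProvider="SqlRoles">
      <providers>
        <clear />
        <add name="SqlRoles"
             type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="MembershipDb"
             applicationName="/" />
      </providers>
    </roleManager>

    <!-- Hashed passwords cannot be retrieved, so enablePasswordRetrieval must stay false -->
    <membership defaultProvider="SqlMembers">
      <providers>
        <clear />
        <add name="SqlMembers"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="MembershipDb"
             applicationName="/"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true"
             minRequiredPasswordLength="8"
             minRequiredNonalphanumericCharacters="1"
             passwordStrengthRegularExpression="^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{8,}$"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" />
      </providers>
    </membership>
  </system.web>

  <!-- Only members of the Administrators role may reach anything under /Admin.
       Rules are evaluated top to bottom and the first match wins, so the
       allow must precede the deny. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Two points worth checking in your own file: a Hashed passwordFormat combined with enablePasswordRetrieval="true" is rejected by the provider at start-up, and an authorization block that lists the deny rule first silently locks everyone out of the folder, administrators included.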
The SqlMembershipProvider offers a number of features not shown in the configuration above. I suggest you explore the other properties yourself.
If you want to interact directly with the Membership API, one approach is to use the Membership class from System.Web.Security. The Membership class contains only static members and properties, but these static members map to properties and methods on the MembershipProvider, and the component will forward calls to the configured provider when appropriate. Here is an example using hard coded values for a user's attributes.
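The C# below is an added example rather than the post's own code; it uses hard-coded sample values as the paragraph above describes, and it also exercises the static Roles class discussed in the RolesProvider section. The user name, password, e-mail address, security question and answer, and the role name are made-up values; the calls themselves are the public Membership, MembershipUser and Roles members, which forward to whichever providers web.config names.

```csharp
using System;
using System.Web.Security;

// Added example: drives the configured membership and role providers through the
// static Membership and Roles facades. Intended to run inside an ASP.NET 2.0
// application (for example from a page's code-behind) so the providers are initialized.
public static class MembershipDemo
{
    public static void Run()
    {
        const string userName = "alice";            // sample value
        const string password = "S3cure!Pass";      // sample value; must satisfy the provider's strength rules
        const string role = "Administrators";       // sample role name

        // 1. Create the user and inspect the status instead of assuming success.
        MembershipCreateStatus status;
        MembershipUser user = Membership.CreateUser(
            userName, password, "alice@example.com",
            "Favourite colour?", "blue", true, out status);

        if (status != MembershipCreateStatus.Success)
        {
            // InvalidPassword is returned when the password fails minRequiredPasswordLength,
            // minRequiredNonalphanumericCharacters or passwordStrengthRegularExpression;
            // DuplicateUserName when the name is taken, and so on.
            Console.WriteLine("CreateUser failed: {0}", status);
            return;
        }

        // 2. Validate credentials exactly as the Login control does via ValidateUser.
        bool good = Membership.ValidateUser(userName, password);
        bool bad = Membership.ValidateUser(userName, "not-the-password");
        Console.WriteLine("correct password accepted={0}, wrong password accepted={1}", good, bad);

        // 3. Roles: create the role once, then map the user into it.
        if (!Roles.RoleExists(role))
            Roles.CreateRole(role);
        if (!Roles.IsUserInRole(userName, role))
            Roles.AddUserToRole(userName, role);
        Console.WriteLine("{0} in {1}: {2}", userName, role, Roles.IsUserInRole(userName, role));

        // 4. With requiresQuestionAndAnswer="true" the security answer is mandatory here;
        //    ResetPassword generates a new random password that must be delivered to the user.
        //    It throws NotSupportedException when enablePasswordReset is false.
        string generated = user.ResetPassword("blue");
        Console.WriteLine("new generated password length: {0}", generated.Length);

        // 5. Clean up: remove the role mapping, then delete the user and related data.
        Roles.RemoveUserFromRole(userName, role);
        Membership.DeleteUser(userName, true);
    }
}
```

Because every call here goes through the configured provider, swapping SqlMembershipProvider for a custom provider in web.config changes the data store without touching this code.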
An even easier interface to the membership provider is to use the ASP.NET 2.0 Login controls: Login, LoginView, PasswordRecovery, LoginStatus, LoginName, CreateUserWizard, and ChangePassword. The Login control, for example, will ultimately call the ValidateUser method of the current membership provider when a user enters their username and password and clicks the Login button. There is no need to write any code if the built-in controls provide all the functionality you need. All of the controls allow various levels of customization through styles and templates. You can find the controls in the Visual Studio toolbox under the "Login" category.

Membership and Roles - An Overview

As .NET developers we are familiar with writing code to accept a user's name and password, code to verify passwords, and code to create and manage users. Thanks to ASP.NET 2.0, web developers no longer need to write and re-write the code to store and validate credentials. Instead, ASP.NET 2.0 provides membership and role provider implementations for managing roles and membership in our web applications.
The membership and role providers exist to provide authentication and authorization services to our applications. ASP.NET 2.0 provides login controls we can drop on web forms to perform authentication with no code required. The controls talk directly to the membership provider. ASP.NET 2.0 also offers controls to support the ongoing maintenance of users, including changing passwords and resetting passwords. The role providers in 2.0 allow us to create roles, and map users into the roles. Of course, your application might have special needs. Perhaps your database is not Microsoft SQL Server. Fortunately, Microsoft implemented both membership and role management using an extensible provider model.
The provider model in ASP.NET 2.0 lets developers plug their own implementation of a feature into the runtime. The provider model also includes an infrastructure for the configuration and initialization of providers.
The provider model begins with the abstract class ProviderBase. ProviderBase exists to enforce the contract that all providers need public Name and Description properties, as well as a public Initialize method. Inheriting from ProviderBase are the MembershipProvider and RoleProvider abstract classes. These classes add additional properties and methods to define the interface for their specific areas of functionality.
The beauty of the provider model is this: higher-level application services can build upon a provider and not need to know the details of what happens behind the interface.
Now, let's take the membership controls, which include a Login control, a CreateUser control, a LoginStatus control, and more. All of these controls program against the MembershipProvider contract. At some point, the login control will need to invoke the ValidateUser method on the configured provider. The login control doesn’t care if the call travels to a SQL Server database or an XML file. All the login control cares about is passing in a username and a password and receiving a true or false value in return.