Do I have to use "ASP.net Configuration" tool to manage users?

I was just going through the new MVC Music Store tutorial at asp.net. One of the l开发者_开发知识库ast steps is to add "Membership and authorization". The tutorial has me launch a configuration tool that doesn't seem to have anything to do with my site.

2 things:

1. Where do the users I create using that tool get stored?
2. Can I bypass that tool and implement my own thing?

3. If I am able to do 2 above and bypass the tool am I still allowed to use the annotations such as:

   [Authorize(Roles = "Administrator")]

Tool may be ambiguous. I am referring to the ASP.Net Web Application Administration Tool. It's a blue and white web page with some tabs across the top (Home, Security, Application, Provider).

It works the same way as ASP.NET Membership and Roles have always worked, and in fact uses the same system. There are already tons and tons of questions here on the subject, and a quick google will also find tons of articles.

To be specific, the asp.net tool stores users in the database in the aspnet_* tables. Yes, you can bypass it and implement your own, though that isn't typically necessary. The asp.net tool is just a quick and easy tool to manage this process, and you will likely have to implement your own.

Yes, you can still use the AuthorizeAttribute.. again, it's all part of the generic Membership and Roles system provided by asp.net (which there is tons of information about).

I would suggest building your own user configuration as part of your application, look into building a custom Membership Provider (and custom role provider) that maps to your own database, this will be useful going forward when you need to do things that the Configuration tool cannot do. ASP.NET authentication is based around these and will allow you to use all the built-in authorisation.

You do not have to use it, nor would you want to if your users have more than just a name and email address. If you use it at all, it's a starting point to add your initial roles or key users. Because there are a number of provider options that have different implications you'll likely have to do a lot of custom programming. For example, your settings for enablePasswordRetrieval, enablePasswordReset, or requiresQuestionAndAnswer would start to shape what sort of actions you would need to accommodate.

A search for ASP.NET Membership paired with MVC should lead you to what will work best in your project. I've recently gone through adding and modifying the base ASP.NET MVC Account Controller actions for users to manage their account (including email verification, resetting forgotten passwords, and changing security questions/answers) and--equally important--creating a Users Controller with Actions that help administrators perform maintenance on users (assigning to roles, unlocking accounts, or resetting passwords).

I would recommend looking at Web Profile Builder to gain strongly-typed access to profile data if you intend to store more information about your users (like first and last name, etc). It is a bit surprising how much is left up to the developer to implement in this particular regard.