
Authorization and Authentication in DDD (c#)

I am going to deal with architecture with regard to authentication and authorization.

I'd like to know if someone wants to share their experience gained in the field of DDD.

Same questions... Are both crosscutting issues? Do we need IoC to manage them? What about WIF?

Thanks for sharing!


In my experience, authentication and authorization work best at the controller level (if you're doing an MVC web app). You don't want these things polluting your domain objects/services/command handlers/whatever, much less the tests for these things.

In short, I consider authentication and authorization a querying-type issue, so I do stuff like this (example is C#/ASP.NET MVC):

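// requires: using System.Security; using System.Web.Mvc;
[HttpPost]
public void SomeRestrictedAction(SomeViewModel model) {
    // Reject the caller before any business logic runs
    if (!User.IsInRole("SomeRole"))
        throw new SecurityException("I don't think so, dude!");

    // perform business logic
}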
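
The separation described in the answer above, as an added example that is not part of the original post: the role check lives only at the boundary, and the domain object has no dependency on principals, so it can be tested without one. The names `Account`, `AccountEndpoint` and the role `Teller` are hypothetical, and a plain console program stands in for the MVC controller so the code runs on its own.

```csharp
using System;
using System.Security;
using System.Security.Principal;

// Domain layer: no reference to users, roles or principals (hypothetical names).
public sealed class Account
{
    public decimal Balance { get; private set; }
    public Account(decimal opening) { Balance = opening; }

    public void Withdraw(decimal amount)
    {
        if (amount <= 0) throw new ArgumentOutOfRangeException(nameof(amount));
        if (amount > Balance) throw new InvalidOperationException("Insufficient funds.");
        Balance -= amount;
    }
}

// Boundary layer: stands in for the controller action; the only place that sees the caller.
public sealed class AccountEndpoint
{
    private readonly Account _account;
    public AccountEndpoint(Account account) { _account = account; }

    public decimal Withdraw(IPrincipal user, decimal amount)
    {
        // Fail closed: missing, anonymous and wrong-role callers are all rejected.
        if (user?.Identity?.IsAuthenticated != true || !user.IsInRole("Teller"))
            throw new SecurityException("Caller is not allowed to withdraw.");
        _account.Withdraw(amount);   // business logic runs only after the check
        return _account.Balance;
    }
}

public static class Program
{
    public static void Main()
    {
        var endpoint = new AccountEndpoint(new Account(100m));
        // Constructed sample principals.
        var teller = new GenericPrincipal(new GenericIdentity("alice"), new[] { "Teller" });
        var guest = new GenericPrincipal(new GenericIdentity("bob"), new string[0]);

        Console.WriteLine(endpoint.Withdraw(teller, 30m));   // caller holds the role
        try { endpoint.Withdraw(guest, 30m); }
        catch (SecurityException e) { Console.WriteLine("Denied: " + e.Message); }

        new Account(10m).Withdraw(5m);   // domain rule exercised with no principal at all
    }
}
```

In ASP.NET MVC the same boundary check can also be declared on the action with `[Authorize(Roles = "SomeRole")]`, which keeps it out of the method body as well.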