
Custom authentication with service layer?

I have an app with 3 "layers": first the "datalayer", second the "businesslayer", and third the ASP.NET MVC site. I'm trying to add forms authentication in the proper way.

Should I somehow configure it to use the business layer? That gets/adds/updates user that is a part of the authentication to be?

And in which project shall I add the user validation at?

/M


Authentication is something that should always happen at the application boundary, because different applications using the same Domain Model may have different authentication needs. If you ever decide to expose your Domain Model as, say, a web service, Forms Authentication is not likely to be the best authentication mechanism.

In ASP.NET MVC you can easily implement UserName/Password authentication using the default project template from Visual Studio, but once the user is authenticated, you should set Thread.CurrentPrincipal.

In general, IPrincipal is the standard basis for modeling user context in .NET. For example, HttpContext.User is an IPrincipal.

In your Domain Model and Data Access modules, you can use Thread.CurrentPrincipal to implement Authorization logic. This allows you to vary Authentication and Authorization independently of each other.

If you need to work with a richer User concept in your Domain Model, you can have your User class implement IPrincipal.
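The separation described in the answer above, as an added example that is not part of the original answer: the boundary sets `Thread.CurrentPrincipal` once, and the business layer authorizes against it without knowing how the user was authenticated. `UserService`, `SignIn`, the `Admin` role and the user names are hypothetical; in an MVC site the assignment would happen where the forms-authentication result is known, alongside `HttpContext.User`.

```csharp
using System;
using System.Security;
using System.Security.Principal;
using System.Threading;

// Business layer: no reference to System.Web, cookies or Forms Authentication.
public class UserService // hypothetical domain service
{
    public string DeleteUser(string userName)
    {
        IPrincipal caller = Thread.CurrentPrincipal; // may be null or anonymous
        if (caller == null || !caller.Identity.IsAuthenticated)
            throw new SecurityException("Caller is not authenticated.");
        if (!caller.IsInRole("Admin")) // authorization decided here, not in the UI
            throw new SecurityException("Caller lacks the Admin role.");
        return caller.Identity.Name + " deleted " + userName;
    }
}

public static class Program
{
    // Application boundary (assumption: called after credentials were verified).
    // A web front end would assign the same principal to HttpContext.User.
    static void SignIn(string name, params string[] roles)
    {
        Thread.CurrentPrincipal =
            new GenericPrincipal(new GenericIdentity(name), roles);
    }

    static void Try(UserService service, string label)
    {
        try { Console.WriteLine(label + ": " + service.DeleteUser("bob")); }
        catch (SecurityException ex) { Console.WriteLine(label + ": denied, " + ex.Message); }
    }

    public static void Main()
    {
        var service = new UserService();
        Try(service, "anonymous");        // no principal set by the boundary
        SignIn("alice", "User");          // constructed sample user without Admin
        Try(service, "alice");
        SignIn("carol", "User", "Admin"); // constructed sample administrator
        Try(service, "carol");
    }
}
```

Only the third call succeeds; the first two fail inside the business layer, so the check still holds if the same service is later exposed through a different front end with a different authentication mechanism.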
