Role-management provider using web.config?

I'm building a tiny web application with a simple user autentication scheme. I register the users in web.config, like this:

<authentication mode="Forms">
  <forms loginUrl="~/login.aspx" defaultUrl="default.aspx" ...>
    <credentials passwordFormat="SHA1">
      <user name="UserA" password="B60D121B438A380C343D5EC3C2037564B82FFEF3"/>
      <user name="UserB" password="B60D121B438A380C343D5EC3C2037564B82FFEF3"/>
    </credentials>
  </forms>
</authentication>

It's working pretty good, and I like to not having to rely on a datab开发者_StackOverflow社区ase for this in this particular application. However, I'm surprised to find that you apparently can't configure Roles in web.config in the same manor - or am I missing something really obvious here??

Do I really have to implement a custom Role-management provider to be able to configure my roles in web.config? If yes, do you happen to know of any available implementations?

I've created a basic implementation of the iRoleProvider which uses web.config for storage. Check it out on Codeplex, Web.Config Role Provider .

This appears to have been addressed previously: Adding Role to User Created in Web.config

However, if you are intent on doing it solely in the web.config, it would not be impossible for you to create a section in the web.config that you would use for your own role settings.

<configuration>
    <configSections>
        <section name="UserRoles" type="System.Configuration.AppSettingsSection, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" restartOnExternalChanges="true" requirePermission="false"/>
    </configSections>

    <UserRoles>
        <add key="UserA" value="Group1,Group2,Group3" />
        <add key="UserB" value="Group1,Group3" />
    </UserRoles>
<configuration>

Then you could use the global.asax to configure roles in your user object using the Application_AuthenticationRequest method. I've never attempted it, but I'd imagine if you were wanting to use these roles in the authorization elements of the web.config, you'd need to use a custom Principal object to cover the roles.