i created the following ActionFilterAttribute to check if a user is granted access to a page. I also created two custom Exceptions to handle different scenarios: NotLoggedInException and InsufficientPrivilegeException.

ActionFilterAttribute

Public Class ValidateAuthentication : Inherits ActionFilterAttribute
    Private _page As BLL.Page

    Public Sub New(ByVal Page As BLL.Page)
        Me._page = Page
    End Sub
    Public Overrides Sub OnActionExecuting(ByVal filterContext As System.Web.Mvc.ActionExecutingContext)
        Select Case Me._page.IsAccessibleToUser(filterContext.HttpContext.User)
            Case -1
                Throw New NotLoggedInException()
            Case 0
                Throw New InsufficientPrivilegeException()
            Case 1
                //access granted
        End Select
    End Sub
End Class

I also have a custom SiteMapProvider where I implemented my own IsAccessibleToUser() function. So I also have securityTrimming.

SiteMapProvider

Public Overrides Function IsAccessibleToUser(ByVal context As System.Web.HttpContext, ByVal node As System.Web.SiteMapNode) As Boolean
    Dim p As New BLL.Page
    p.LoadFromSiteMapNode(node)


    Select case p.IsAccessibleToUser(context.User)
        Case 1
            Return true
        Case else
            Return false
    End Select
End Function

The questions:

1. Where do I catch the exceptions to for instance redirect users if not authorized?
2. Should I perhaps use the SiteMap authorization somewhere else instead of using the ActionFilterAttribute and throwing Exceptions..?

note: as you can see I’m using a custom class for BLL.Page. This is a ORM page which has Role based security stored in the database. SiteMap is also populated based on this data