I have an external website that uses Active Directory for authentication. The proposed design would have all authorization done by the application database server. For example, the user would log in with username and password and the corporate people authenticate against AD. I would then get that username and query that database for what they are allowed to see/do in my app (one small part of the whole site).
If anyone sees security flaws stop me here.
Users are allowed to access some stuff on my pages without being authenticated. (Don't like it, but it's a business requirement.) However, when people do come to my page without being authenticated I would like to nicely ask them to authenticate with a jQuery popup. Something like $.load(corporatelogon.aspx, #logondiv).dialog() after loading my page for people who are not logged on. If they click the X and do not log in, that's fine. They just see the page for people not logged in.
If they do authenticate through this dialog, I want to change the content of the page to something else via client code. I want to do something like make a web service call (via jQuery AJAX) based on the authentication they just provided. This web service call would see what they are authorized to see and display some content based on that.
Is there a security flaw here? Something I should do slightly differently to avoid a security flaw?
My goal is to post back as little as possible and use as much jQuery and JavaScript as possible, and post back as close to zero times as possible to provide the user with a smooth and enjoyable experience.
I am in the early design stage of this and am very open to ideas, suggestions, recommendations, or just people yelling at me and telling me it's a bad idea, etc.
Thanks!
Edit:
So it boils down to one main question:
How does a web service call through $.ajax(…) know who the user has been authenticated as? Does the client pass this information? Can it be meddled with by a hacker?
And is using $.load(…) to show the security login box secure?
The short answer is yes, the web service can securely tell who is making the call.