Dynamic Controller and Action Authentication in ASP.NET MVC 2 by Ryan Wright
My friend and colleague Ryan Wright has posted a fantastic article about dynamic controller and action authentication in ASP.NET MVC 2. His techniques describe an architecture without hard-coding roles into the Authorize attribute – which makes it possible to add roles to application functionality strictly through configuration – no application rebuild required.
He also provides his code samples, which additionally use Windows Identity Foundation (WIF) and a custom STS. It’s a great starter project for anyone who’s looking into seeing how these tools work.
http://www.ryanmwright.com/2010/04/25/dynamic-controlleraction-authorization-in-asp-net-mvc/