The corporate library has a block of security applications.
It provides two interfaces that you can get in your code:
An authorization provider interface that provides a single method named Authorize that accepts an instance of an IPrincipal object that contains information about the user ID and roles. Depending on how the unit is configured, authorization can be performed either through the Windowsยฎ authorization manager (AzMan) or through Active Directory, an XML file or a database; or using custom rules that you define and store as XML in the application configuration file. A security caching provider interface that provides methods for storing and retrieving a user identifier or security context as an IIdentity instance, IPrincipal instance, or ASP.NET profile instance. Each cached identifier or security context is identified by a token (the default GUID, although you can create and use your own implementation of the IToken interface). A block stores this information in a database or in isolated storage using a block of caching applications. You can also create a custom provider for the caching application block and use it to cache information in the location and use the methods that you implement in your provider.
Then you can also reference the ASP.NET 2.0 provider model: http://msdn.microsoft.com/zh-cn/library/aa479030.aspx