We want to authorize users and if they are authorized we want to add their roles and permissions to the user and add that to the IPrinciple
We have 2 ways of doing this one is to do it in global.asax Application_AuthenticateRequest the other is to create an attribute that inherits from AuthorizeAttribute
Is there any gleaming good choice here?
In ASP.NET MVC you should prefer a custom authorize attribute. If on the other hand you want this code to be reusable with classic ASP.NET applications then you could use
Application_AuthenticateRequest
or write a custom HttpModule and use the AuthenticateRequest event.