what is the best way to restrict services for certain users

Question

EDIT: reworded and simplified question to be consise...

In my service layer I have something like

GetAllMessages(string userid); 

I could have various types of users on my system like Clients / Supplier etc...

This service is only available to all types of users, however what is the best way to implement services only available to selected users e.g.

DeleteAllMessages(string userid); //client only
NewSupplierMessages(string userid); //supplier

Typically these methods will be in one class called MessagesService

NOTE: just to clarify, the user is loggedon and authenticated, however I am wondering if I should write my methods as such:

DeleteAllMessages(ClientUser user); //client only
NewSupplierMessages(SupplierUser userid); //supplier

Basically get the details of the user for every action and call methods in a more strongly typed manner...

EDIT 2:

Note my domain layer is in a seperate class library from my web app, a "client user" will be part of a "client", similarly a "supplier user" will be part of "supplier" - so if I wanted to query my service layer and call the correct code (i.e. retrieve the correct details) - I MUST pass in the user id or a strongly typed class of the user, I cannot see how having a contraint on a DTO object that represents who can access the service as incorrect/ brittle?

Other wise I will have something like this:

GetClientDetails();

The user is handled by asp.net so we know this action can be accessed by the user, however what if there are multiple clients? Surely then we must pass in some some of client id/ if I was to pass in user id I could get the client id from it...

Rather I would say my domain layer is incorrect seeing something like the above signature...

EDIT 3: The only other alternative I could think off is, when the user authenticates, store the use in a class called UserSession inside the asp.net mvc application as a global state, then inject this using DI (ninject) into my domain service layer, therefore when my signatures can be

GetClientDetails();

The domain service class implementing this interface could be:

public class ClientService : IClientWorkerService
{

    private ISession _session;
    private IGenericRepo = _repo;
    public ClientService(IUserSession _session, IGenericRepo _repo)
    {
      this._session = _session;
      this._repo = _repo;
    }

    public ClientDetails GetClientDetails()
    {
      var loggedonuser = _session.GetUser();

      if(!loggedonuser.isClient())
        throw new NoAccessException()

      return _repo.Single<Client>(x=> x.ClientID == loggedonuser.ClientID);
    }

}

Answer 1

See MSDN: ASP.NET Authorization

Authorization determines whether an identity should be granted access to a specific resource. In ASP.NET, there are two ways to authorize access to a given resource:

File authorization

File authorization is performed by the FileAuthorizationModule. It checks the access control list (ACL) of the .aspx or .asmx handler file to determine whether a user should have access to the file. ACL permissions are verified for the user's Windows identity (if Windows authentication is enabled) or for the Windows identity of the ASP.NET process. For more information, see ASP.NET Impersonation.

URL authorization

URL authorization is performed by the UrlAuthorizationModule, which maps users and roles to URLs in ASP.NET applications. This module can be used to selectively allow or deny access to arbitrary parts of an application (typically directories) for specific users or roles.

• An Overview of Authentication and Authorization Options in ASP.NET
• Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication
• Role-based access control
• Custom role based Web Service access