You can write an HttpModule. Such a module acts as a filter that is triggered whenever an HTTP request is received and processed and a response is sent back.
Microsoft has written an example here.
In the module, you can do whatever you like, including role-based access control or even attribute-based access control for advanced authorization use cases.
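
A sketch of the role-based case described above, added here as an illustration and not taken from the original answer or from Microsoft's example. The class name, path prefixes and role names are assumptions; the module hooks `AuthorizeRequest` so that `Context.User` has already been set by authentication.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

// Hypothetical module: the prefixes and role names are constructed sample policy.
public class RoleAuthorizationModule : IHttpModule
{
    // App-relative path prefix -> roles allowed to reach it.
    private static readonly Dictionary<string, string[]> Policy =
        new Dictionary<string, string[]>
        {
            { "/admin/",   new[] { "Administrators" } },
            { "/reports/", new[] { "Administrators", "Auditors" } }
        };

    public void Init(HttpApplication app)
    {
        // Runs after AuthenticateRequest and before the handler executes.
        app.AuthorizeRequest += OnAuthorizeRequest;
    }

    private static void OnAuthorizeRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        var ctx = app.Context;
        // Value looks like "~/admin/users.aspx"; drop the leading "~".
        string path = ctx.Request.AppRelativeCurrentExecutionFilePath.TrimStart('~');

        foreach (var rule in Policy)
        {
            if (!path.StartsWith(rule.Key, StringComparison.OrdinalIgnoreCase))
                continue;

            var user = ctx.User;
            if (user == null || !user.Identity.IsAuthenticated)
                Deny(app, 401);   // not logged in
            else if (!Array.Exists(rule.Value, user.IsInRole))
                Deny(app, 403);   // logged in, but holds none of the required roles
            return;               // first matching rule decides
        }
        // No rule matched: this module leaves the request alone.
    }

    private static void Deny(HttpApplication app, int status)
    {
        app.Context.Response.StatusCode = status;
        app.CompleteRequest();    // skip the handler and jump to EndRequest
    }

    public void Dispose() { }
}
```

Paths that match no rule pass through unchecked, so a policy written this way is allow-by-default and every protected prefix has to be listed. In the IIS integrated pipeline, registering the module with `preCondition="managedHandler"` limits it to managed handlers, so static files under a protected prefix would not be checked.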