Dan Gilleland posted on October 11, 2006 06:01

In this article, Scott Guthrie blogs about using decorations (code attributes) to apply security restrictions to code. There are some especially helpful comments on the blog that are worth reading too, such as the one about adding a level of indirection based on "capabilities" that can be mapped/assigned to roles.
I also bought a book (Hacking the Code) about building security into your web apps, which I hope to read over the next few months.