After reading this document:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/odc_SP2003_ta/html/ODC_WritingCustomWebServicesforSPPT.asp
I implemented a web service to be used by my sharepoint users. the first thing came to my mind was how to apply my own custom authorization to this web service, so it could be called by only an specific user and denied for all other users. I went ahead and changed the web.config of ISAPI folder to load ASP.NET URLAuthorization http module (by default Sharepoint removes urlAuthorization module from web.config of wwwroot):
<location allowOverride="false">
<system.web>
<httpModules>
<add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule"/>
</httpModules>
</system.web>
</location>
I created the folder "MyCustomWebService" in ISAPI folder and moved all of my web service related files to that folder. I created a web.config file in the new folder and added the following lines to it:
<authorization>
<allow users="win2003-dv\administrator" />
<deny users="win2003-dv\sp_reader" />
</authorization>
Now when I call my web service (uploadfile.asmx) through Internet Explorer (http://portal/_vti_bin/MyCustomWebService/uploadfile.asmx), I will receive access denied for sp_reader and not for administrator (as I expected)