Security Considerations


This document describes how to avoid possible security risks when you deploy a WPF application that contains the DashboardControl.

Data Connection Security

Handle the DashboardControl.ConfigureDataConnection event to specify connection parameters at runtime.

Data Source Security

Entity Framework Data Source - Restrict Access to Unauthorized Assemblies

By default, custom assemblies referenced by Entity Framework data sources (DashboardEFDataSource) cannot be loaded.

To permit a user to load a specific assembly, handle the DashboardControl.CustomAssemblyLoading event. An unauthorized attempt to load a custom assembly results in a CustomAssemblyLoadingProhibitedException.

Object Data Source - Validate Data

If a user opens a dashboard that contains a DashboardObjectDataSource, the following message is displayed before data is loaded:

This dialog allows users to select whether to trust the object data sources available in the application. You can use the DashboardControl.ObjectDataSourceLoadingBehavior property to change this default logic. For instance, you can allow the application to load any object data sources, or you can load object data sources in safe mode, in which their data member and data source settings are cleared.

You can also handle the ObjectDataSource.BeforeFill event to execute custom validation for the specified data source. The corresponding static ObjectDataSource.BeforeFillGlobal event allows you to validate all object data sources in your application.

Excel, Extract, and JSON Data Sources - Restrict Access to External Data Resources

The Dashboard Viewer gets data from resources stored on the disk or on the Internet. We recommend that you specify access settings for data resources (Excel, Extract, and JSON data sources).

Use the AccessSettings class to explicitly allow the path to the data file. To accomplish this, configure rules in the DataResources property to restrict file system access to the specified folders. Call the SetRules(IAccessRule[]) method when the application starts so that your rules are in place before a dashboard control sets its own. The SetRules(IAccessRule[]) method can be called only once, at application startup; otherwise, it raises an exception. Alternatively, you can use the TrySetRules(IAccessRule[]) method, which does not raise an exception.
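The startup configuration described above, as an added example (not code from this page or from DevExpress): it allows one data folder, denies URL-based data resources, and stops the application if the rules could not be applied. DirectoryAccessRule and UrlAccessRule are the rule types from the DevExpress.Security.Resources namespace, which this page does not name; the "DashboardData" folder is a placeholder, and the example assumes TrySetRules returns false when rules were already set.

```csharp
using System;
using System.IO;
using System.Windows;
using DevExpress.Security.Resources;

public partial class App : Application {
    protected override void OnStartup(StartupEventArgs e) {
        // Placeholder folder: the only location from which Excel, Extract,
        // and JSON data files may be read.
        string dataDirectory = Path.Combine(
            AppDomain.CurrentDomain.BaseDirectory, "DashboardData");

        // Apply the rules before any window creates a DashboardControl,
        // so the control cannot install its own rules first.
        // Assumption: TrySetRules returns false if rules were already set.
        bool applied = AccessSettings.DataResources.TrySetRules(
            DirectoryAccessRule.Allow(dataDirectory), // file access: this folder only
            UrlAccessRule.Deny());                    // no data files fetched by URL

        if (!applied) {
            // Fail closed: another component set rules earlier, so the
            // restrictions above are not in effect. Do not load dashboards.
            MessageBox.Show(
                "Data resource access rules could not be applied. The application will exit.",
                "Security configuration error",
                MessageBoxButton.OK,
                MessageBoxImage.Error);
            Shutdown(1);
            return;
        }

        base.OnStartup(e);
    }
}
```

If dashboards legitimately read JSON from a web endpoint, replace UrlAccessRule.Deny() with UrlAccessRule.Allow(...) listing only the endpoints you expect.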
