Skip to main content
BuyLog In
Business Intelligence Dashboard
Search in…
Docs > WPF Dashboard Viewer > Security Considerations
All docs
V23.2
Business Intelligence Dashboard
Get Started
.NET Support
Basic Concepts and Terminology
Common Features
WinForms Dashboard
Web Dashboard
WPF Dashboard Viewer
Prerequisites
Add the Dashboard Viewer
Create and Load a Dashboard
Create Dashboards in the Visual Studio Designer
Providing Data
Underlying and Displayed Data
Manage Data Inspector
Title and Item Captions
Printing and Exporting
Security Considerations
Manage Interactivity Capabilities
Manage Dashboard Layout
Manage Dashboard Parameters
Manage Dashboard State
Localization
Customization
A List of Styles and Templates
Version Compatibility: Default Property Values
Visual Studio Integration
Redistribution and Deployment
Video Tutorials
Migration Guides
Examples
End-User Documentation
.NET Framework API Reference
.NET API Reference
HTML JS Control API Reference
ASP.NET Client API Reference
Download CHM

Security Considerations in WPF

  • 3 minutes to read

This document describes how to avoid possible security risks when you deploy a WPF application that contains the DashboardControl.

Data Connection Security

The DashboardControl can use different data source types to supply dashboards with data. You can add predefined data sources in code. You should specify connection parameters to get data from certain data sources. For example, DashboardSqlDataSource and DashboardOlapDataSource can require a user name and password. To avoid data leaks, use one of the following techniques to pass connection parameters safely:

  • Add the connection string to the connectionStrings section in the application’s configuration file when you work in a development environment.
  • Handle the DashboardControl.ConfigureDataConnection event to specify connection parameters at runtime.

Data Source Security

SQL Data Source - Validate Custom SQL Queries

Handle the following events to specify validation logic before custom SQL query execution:

Please make sure to apply a secure SQL validation that prevents harmful request execution. We recommend that you utilize the access control functionality of your database management system to achieve the highest level of database security.

Entity Framework Data Source - Restrict Access to Unauthorized Assemblies

You cannot load custom assemblies that can be referenced by Entity Framework data sources (DashboardEFDataSource) (the default setting).

To permit a user to load a specific assembly, handle the DashboardControl.CustomAssemblyLoading event. An unauthorized attempt to load a custom assembly results in a CustomAssemblyLoadingProhibitedException.

Object Data Source - Validate Data

If a user opens a dashboard that contains the DashboardObjectDataSource, the following message displays before data loading:

WPF Dashboard - Security Considerations - Warning

This dialog allows users to select whether to trust the object data sources available in the application. You can use the DashboardControl.ObjectDataSourceLoadingBehavior property to change this default logic. For instance, you can allow the application to load any object data sources, or you can load object data sources in safe mode when their data member and data source settings are cleared.

You can also handle the ObjectDataSource.BeforeFill event to execute custom validation for the specified data source. The corresponding static ObjectDataSource.BeforeFillGlobal event allows you to validate all object data sources in your application.

Excel, Extract, and JSON Data Sources - Restrict Access to External Data Resources

The Dashboard Viewer gets data from resources stored on the disk or on the Internet. We recommend that you specify access settings for data resources (Excel, Extract, and JSON data sources).

You can read files from any directory by default. To protect your application, use the AccessSettings class to explicitly specify where data sources can be read from. To accomplish this, configure rules in the DataResources property to restrict file system access to specified folders. You can call the SetRules(IAccessRule[]) method when your application starts to specify rules before a dashboard control sets its rules. The SetRules(IAccessRule[]) method can be called only once at application startup. Otherwise, the method will raise an exception. Alternatively, you can use the TrySetRules(IAccessRule[]) method, which does not raise an exception.

Clipboard Access Policy

The DevExpress.Data.Utils.ClipboardAccessPolicy allows you to control/manage clipboard-related operations when using the WPF Dashboard Viewer.

Refer to the following help topic for more information: Clipboard Access Policy.

See Also