
Security (Access Control & Authentication)


This section contains information on various aspects of the XAF Security System, which offers extensive permission management and access control capabilities out of the box. Refer to our demos to explore the Security System's functionality.

The Security System supports both XAF UI and non-XAF .NET applications, including Backend Web API Service. As a registered DevExpress.com user, you are entitled to a free copy of .NET Role-based Access Control & Permission Management API powered by Entity Framework Core (EF Core) and DevExpress XPO ORM tools. For more information on this offer, refer to the following pages: .NET App Security API (Role-based Access Control) – Free Offer from DevExpress, GitHub examples, Technical FAQ, or tutorial videos.

Important

In EF Core-based projects, the XAF Security System requires that Change Tracking is enabled when you work with DbContext.

If LINQ expressions call the AsNoTracking() or AsNoTrackingWithIdentityResolution() method, or if Change Tracking is otherwise disabled, the data request becomes insecure: the query may return data from the database that the Security System prohibits the current user from reading.
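The following C# fragment is an added example (it is not part of this documentation page) that shows a tracked query beside the insecure no-tracking form, plus a guard that rejects a DbContext whose tracking was switched off at the context level. MyDbContext, Department and the method names are hypothetical; only the EF Core APIs (ChangeTracker.QueryTrackingBehavior, QueryTrackingBehavior.TrackAll, AsNoTracking) are real.

```csharp
using System;
using System.Linq;
using Microsoft.EntityFrameworkCore;

// Hypothetical entity and context, constructed for this example.
public class Department
{
    public int Id { get; set; }
    public string Title { get; set; } = "";
}

public class MyDbContext : DbContext
{
    public MyDbContext(DbContextOptions<MyDbContext> options) : base(options) { }
    public DbSet<Department> Departments => Set<Department>();
}

public static class SecuredQueries
{
    // Guard: refuse to query through a context whose tracking was disabled
    // (for example via UseQueryTrackingBehavior(QueryTrackingBehavior.NoTracking)).
    // Per the note above, the Security System relies on Change Tracking being on.
    public static void EnsureTrackingEnabled(DbContext context)
    {
        var behavior = context.ChangeTracker.QueryTrackingBehavior;
        if (behavior != QueryTrackingBehavior.TrackAll)
        {
            throw new InvalidOperationException(
                $"QueryTrackingBehavior is {behavior}; the XAF Security System requires TrackAll.");
        }
    }

    // Secure form: a tracked query. Objects the current user is not permitted
    // to read are subject to the Security System's checks.
    public static Department[] LoadDevelopmentDepartments(MyDbContext context)
    {
        EnsureTrackingEnabled(context);
        return context.Departments
            .Where(d => d.Title.Contains("Development"))
            .ToArray();
    }

    // Insecure form, kept here only as the pattern to reject in code review:
    // AsNoTracking() disables tracking for this single query, so the context-level
    // guard above cannot catch it and prohibited rows may be returned.
    public static Department[] LoadDevelopmentDepartmentsInsecure(MyDbContext context)
    {
        return context.Departments
            .AsNoTracking()
            .Where(d => d.Title.Contains("Development"))
            .ToArray();
    }
}
```

The context-level guard catches a DbContext configured with NoTracking or NoTrackingWithIdentityResolution; per-query AsNoTracking() calls have to be found by review or a static analysis rule, because they do not change the ChangeTracker setting.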

Prerequisites

To install the dependencies required to use the XAF Security System, either standalone or as a part of an XAF application, use one of the following options:

Option 1: Run the Installation (.NET Framework, .NET)

Download and run our Unified Component Installer for .NET Framework and .NET Core. The installer will copy all required assemblies to “%PROGRAMFILES%\DevExpress XX.X” and register local NuGet package sources. Note: *.BaseImpl.* assemblies are required only if you use built-in PermissionPolicyXXX classes.

Option 2: Install NuGet Packages (.NET)

Register the DevExpress remote NuGet feed and install the following DevExpress NuGet packages for .NET.

Please click the NuGet package links above to see specific .NET assemblies.

XAF Security System API Compared to Standard .NET Security Features

The Security System's Authentication APIs can use ASP.NET authentication and other middleware; these simply provide an additional layer of customization and extensibility that is not tied to any particular framework. You can use the authentication engine in conjunction with built-in OAuth 2 (Microsoft, Google, Facebook, etc.) authentication providers (example) or implement any custom authentication scheme (example).

Authorization APIs are similar to the IAsyncAuthorizationFilter and IAuthorizationFilter or AuthorizationHandler, IAuthorizationRequirement and IAuthorizationPolicyProvider APIs offered by Microsoft (you can learn more about Microsoft's API from Stack Overflow or Microsoft documentation).

Our implementation differs in the following key areas:

  • Our API ships built-in user, role and permission entities that help developers manage authorization configurations at runtime (because they are physically stored in the database using XPO or EF Core ORMs). With a fully dynamic permission policy, your apps can address changes to security requirements without the need for redeployment. If you build an administrative UI, like we did in XAF’s UI, developers can even delegate certain configuration responsibilities to application administrators or power users - these features are favorites among developers.

  • Instead of hard-coded, narrow permissions for specific entities like "See Documents Owned by Me", our API offers general-purpose type-, object-, member-level and custom permissions that developers can apply to any entity type to solve security-related tasks of any complexity.

  • Object- and member-level permissions include criteria support, a unique feature for fine-grained access control. You can specify criteria expressions using both string and strongly-typed formats.

    // Department title fragment referenced by both permission criteria below.
    const string protectedDepartment = "Development";

    // The following object permission addresses this business requirement:
    // "allow 'Read' access to departments when title contains the word 'Development'".
    userRole.AddObjectPermissionFromLambda<Department>(
        SecurityOperations.Read,
        t => t.Title.Contains(protectedDepartment),
        SecurityPermissionState.Allow
    );

    // The following member permission addresses this business requirement:
    // "deny 'Write' access to an employee's Last Name property
    // when his/her department title does not contain the word 'Development'".
    userRole.AddMemberPermissionFromLambda<Employee>(
        SecurityOperations.Write,
        nameof(Employee.LastName),
        t => !t.Department.Title.Contains(protectedDepartment),
        SecurityPermissionState.Deny
    );
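As an added example (not code from this page or from the XAF demos), the fragment below puts the three permission levels listed above into one role that is created through an XAF object space, and shows how application code asks the security strategy for an access decision instead of re-implementing the rules. Department and Employee are hypothetical entities; the EF Core namespace DevExpress.Persistent.BaseImpl.EF.PermissionPolicy and the SecurityStrategy.CanRead/CanWrite overloads are assumed to be available as named here (the XPO counterpart lives in DevExpress.Persistent.BaseImpl.PermissionPolicy).

```csharp
using DevExpress.ExpressApp;
using DevExpress.ExpressApp.Security;
using DevExpress.Persistent.BaseImpl.EF.PermissionPolicy; // assumed EF Core namespace

// Hypothetical entities constructed for this example.
public class Department
{
    public int Id { get; set; }
    public string Title { get; set; } = "";
}

public class Employee
{
    public int Id { get; set; }
    public string LastName { get; set; } = "";
    public Department Department { get; set; } = null!;
}

public static class RoleSetup
{
    // Builds (or reuses) the "Development Reader" role. Because permissions are
    // persisted entities, the rules can be changed at runtime without redeploying.
    public static PermissionPolicyRole CreateDevelopmentReaderRole(IObjectSpace objectSpace)
    {
        const string protectedDepartment = "Development";

        PermissionPolicyRole role =
            objectSpace.FirstOrDefault<PermissionPolicyRole>(r => r.Name == "Development Reader");
        if (role != null)
        {
            return role; // idempotent: do not duplicate the role on every start
        }

        role = objectSpace.CreateObject<PermissionPolicyRole>();
        role.Name = "Development Reader";

        // Type-level: members may read and write Employee objects in general.
        role.AddTypePermissionsRecursively<Employee>(
            SecurityOperations.ReadWriteAccess, SecurityPermissionState.Allow);

        // Object-level with criteria: only departments whose title contains
        // "Development" are readable; all other Department rows stay hidden.
        role.AddObjectPermissionFromLambda<Department>(
            SecurityOperations.Read,
            d => d.Title.Contains(protectedDepartment),
            SecurityPermissionState.Allow);

        // Member-level with criteria: LastName is read-only for employees
        // outside "Development" departments, narrowing the type-level grant.
        role.AddMemberPermissionFromLambda<Employee>(
            SecurityOperations.Write,
            nameof(Employee.LastName),
            e => !e.Department.Title.Contains(protectedDepartment),
            SecurityPermissionState.Deny);

        objectSpace.CommitChanges();
        return role;
    }
}

public static class AccessChecks
{
    // Runtime check for UI or API code: ask the (already logged-on) strategy
    // whether the current user may edit this employee's LastName. Assumes the
    // CanRead(object) and CanWrite(object, string) overloads on SecurityStrategy.
    public static bool CanEditLastName(SecurityStrategy security, Employee employee)
    {
        return security.CanRead(employee)
            && security.CanWrite(employee, nameof(Employee.LastName));
    }
}
```

Call CreateDevelopmentReaderRole from the place where your application seeds security data (for example, an Updater's UpdateDatabaseAfterUpdateSchema override) and assign the returned role to users; keep authorization decisions in the strategy so that a later change to the stored permissions takes effect without touching the code that calls CanEditLastName.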

Architecture

The image below illustrates the XAF Security System architecture:

Security System Architecture

For more information, see this overview video:

See Demos

For code examples on Security System in non-XAF apps, refer to the following GitHub repository: Role-based Access Control, Permission Management, and Web API for .NET App.

For information on Security System in XAF UI apps, research the following demos:

  • MainDemo, SecurityDemo (c:\Users\Public\Documents\DevExpress Demos XX.X\Components\XAF\);
  • DentalClinic (c:\Users\Public\Documents\DevExpress Demos XX.X\Components\WinForms\DevExpress.DentalClinic\CS\).

For general information, please review our landing page.