Client-side security covers the simplest scenario, in which your application connects directly to the database without a Middle Tier Application Server. There are two client-side security modes: Integrated and UI Level.
The mode can be selected when creating a new XAF application using the Solution Wizard.
The Integrated mode is the recommended mode for XPO-based applications, and it is enabled by default when you choose XPO in the Solution Wizard. In the Integrated mode, secured data cannot be accessed via the Object Space API. The SecuredObjectSpaceProvider creates secured Object Spaces that respect security permissions and filter out protected data at the ORM level. As a result, the secured data is not displayed in the application's Views and cannot be accessed by Controllers, report data sources, etc.
You can refer to the How to: Change the Client-Side Security Mode from UI Level to Integrated in XPO applications example to see how to enable the Integrated mode in existing applications.
To modify certain business objects in code, instantiate an XPObjectSpaceProvider object and pass the connection string to the constructor. Then, call the XPObjectSpaceProvider.CreateObjectSpace method to create an IObjectSpace object. Use methods of the created Object Space to access data bypassing the security.
In Entity Framework applications, the UI Level mode is enabled by default (and is the only supported mode). In this mode, the security restrictions are processed at the UI level: the secured data is hidden by XAF List and Property Editors. However, the client application code (e.g., Controllers) has access to all data via Object Space.
In XPO applications, you can switch to this mode by changing the SecuredObjectSpaceProvider type to XPObjectSpaceProvider in the CreateDefaultObjectSpaceProvider method which is overridden in the WinApplication.cs (WinApplication.vb) or WebApplication.cs (WebApplication.vb) file.
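As an added illustration (not code from the original page or the Solution Wizard output), the CreateDefaultObjectSpaceProvider override below shows the two providers side by side; the namespace and application class name are assumed placeholders, and IsIntegratedMode is a hypothetical helper for confirming the active mode at run time.

```csharp
using DevExpress.ExpressApp;
using DevExpress.ExpressApp.Security;
using DevExpress.ExpressApp.Win;
using DevExpress.ExpressApp.Xpo;

namespace MySolution.Win {
    // Assumed class name; the wizard generates one based on the solution name.
    public partial class MySolutionWindowsFormsApplication : WinApplication {

        protected override void CreateDefaultObjectSpaceProvider(CreateCustomObjectSpaceProviderEventArgs args) {
            // Integrated mode (default for XPO): every Object Space created by this provider
            // is wrapped with the application's security strategy, so records and members the
            // current user has no permission for are filtered out at the ORM level and never
            // reach Views, Controllers or report data sources.
            args.ObjectSpaceProvider = new SecuredObjectSpaceProvider(
                (ISelectDataSecurityProvider)Security, args.ConnectionString, args.Connection);

            // UI Level mode: replacing the assignment above with the one below keeps the
            // permission checks only in List and Property Editors. Any Controller code that
            // obtains an Object Space from this provider reads and writes all data unfiltered.
            // args.ObjectSpaceProvider = new XPObjectSpaceProvider(args.ConnectionString, args.Connection);
        }

        // Hypothetical helper: returns true when the application's main provider is the
        // secured one, i.e. the Integrated mode is in effect. Useful in a startup check or
        // log entry so a deployment that accidentally falls back to UI Level is noticed.
        public bool IsIntegratedMode() {
            return ObjectSpaceProvider is SecuredObjectSpaceProvider;
        }
    }
}
```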
The UI Level mode can be useful in scenarios where you do not need strong data protection and it is convenient to have direct access to the database for modifying protected data. However, since all unprotected data is accessible on the client side, you need to take the following aspects into account.
Although the secured data is filtered by the ORM (in the Integrated mode) or hidden from the UI (in the UI Level mode), the database itself is exposed to the client workstation. An end user can see the connection string in the application's configuration file and can use it to access the database tables directly, bypassing the security engine implemented within your application. If you use XPO, you can enhance the security by injecting a Middle Tier application server between your application and the database server. Proceed to the Middle Tier Security - .NET Remoting Service topic to learn how to do this. Middle tier architecture is not supported in Entity Framework based applications.