Skip to main content
A newer version of this page is available. .

Client-Side Security (2-Tier Architecture)

  • 3 minutes to read

The Client-side security implements the simplest scenario when your application directly connects to the database without the use of the Middle Tier Application Server. There are two modes of the client-side security:

The mode can be selected when creating a new XAF application using the Solution Wizard.


Integrated Mode (XPO Only)

The Integrated mode is the recommended mode for XPO-based applications, and it is enabled by default when you choose XPO in the Solution Wizard. In the Integrated mode, secured data cannot be accessed via Object Space API. The SecuredObjectSpaceProvider creates secured Object Spaces that respect security permissions and filter out protected data at the ORM level. As a result, the secured data is not displayed in application’s Views, cannot be accessed by Controllers, report data sources, etc.

You can refer to the How to: Change the Client-Side Security Mode from UI Level to Integrated in XPO applications example to see how to enable the Integrated mode in existing applications.

To modify certain business objects in code, instantiate an XPObjectSpaceProvider object and pass the connection string to the constructor. Then, call the XPObjectSpaceProvider.CreateObjectSpace method to create an IObjectSpace object. Use methods of the created Object Space to access data bypassing the security.

UI Level Mode

In Entity Framework applications, the UI-Level mode is enabled by default (and is the only supported mode). In this mode, the security restrictions are processed at the UI level - the secured data is hidden by XAF List and Property Editors. However, the client application code (e.g., Controllers) has access to all data via Object Space.

In XPO applications, you can switch to this mode by changing the SecuredObjectSpaceProvider type to XPObjectSpaceProvider in the CreateDefaultObjectSpaceProvider method which is overridden in the WinApplication.cs (WinApplication.vb) or WebApplication.cs (WebApplication.vb) file.


The UI Level mode can be useful in scenarios when you do not need strong data protection and it is convenient to have direct access to the database for modifying protected data. Since, however, all unprotected data is accessible on the client side, you need to take the following aspects into account.

  • Mobile applications do not support this mode.
  • In grid List Editors, sorting, filtering and grouping operations rely on real data values, although the ‘Protected content’ text is displayed instead of secured values.
  • In web page markup, secured values are displayed as is.
  • In ASP.NET applications, the display member is always visible in a Detail View caption.
  • A certain object can be modified in order to make it protected (e.g., due to an object-level permission with criteria).
  • Extra Modules have no Security System dependencies and thus have direct access to the database through unsecured Object Spaces. Thus, they may use the entire set of data from the database, including protected records.


Although the secured data is filtered by ORM (in the Integrated mode) or is hidden from UI (in UI-Level mode), the database itself is exposed to a client workstation. An end-user can see the connection string in the application’s configuration file and can use it to directly access the database tables, bypassing the security engine implemented within your application. If you use XPO, you can enhance the security by injecting a Middle Tier application server between your application and the database server. Proceed to the Middle Tier Security - WCF Service topic to learn how to do this. Middle tier architecture is not supported in Entity Framework based applications.