Skip to main content
.NET Framework 4.5.2+

Change the Client-Side Security Mode from UI Level to Integrated in XPO applications (.NET Framework)

  • 3 minutes to read

This topic describes how to filter secure data using XPO without a Middle Tier application server in an XAF .NET Framework application. We recommend that you review the Client-Side Security (2-Tier Architecture) topic first for the initial client-side security configuration.

You cannot use this technique with an Entity Framework data model.

If you want to hide columns and editors with Protected Content using the Conditional Appearance Module, see the following topic: How to: Hide the Protected Content Columns in a List View and Property Editors in a Detail View.


In a .NET 6+ XAF application configured to use the security system, integrated mode is used by default.


The Solution Wizard generates the code shown in this help topic when you create an application. Follow this article if you want to implement the demonstrated functionality in an existing XAF solution.

The XafApplication class descendant added to the application project template overrides the CreateDefaultObjectSpaceProvider method.

For Windows Forms, navigate to the YourApplicationName.Win\YourApplicationNameWinApplication.cs (WinApplication.vb) file.

For ASP.NET Web Forms, navigate to the YourApplicationName.Web\YourApplicationNameWebApplication.cs (WebApplication.vb) file.

Modify the CreateDefaultObjectSpaceProvider method code in the following manner:

using DevExpress.ExpressApp.Security;
using DevExpress.ExpressApp.Security.ClientServer;
// ...
protected override void CreateDefaultObjectSpaceProvider(
    CreateCustomObjectSpaceProviderEventArgs args) {
    args.ObjectSpaceProvider = new SecuredObjectSpaceProvider(
        (SecurityStrategyComplex)Security, args.ConnectionString, args.Connection);


A complete sample project is available in the DevExpress Code Examples database at

SecuredObjectSpaceProvider creates secured Object Spaces that respect security permissions and filter out protected data.

You cannot modify protected data in code if you use SecuredObjectSpaceProvider. To modify business objects in code, instantiate an XPObjectSpaceProvider object and pass the connection string to the constructor. Call the XPObjectSpaceProvider.CreateObjectSpace method to create an IObjectSpace object. Use methods of the created Object Space to access data bypassing the security.

Although secure data is now filtered out, database information is still exposed to a client workstation. A user can see the connection string in the application’s configuration file and use it to directly access the database tables, bypassing the security engine implemented within your application. To further enhance security, use a Middle Tier application server between your application and the database server. For more information, refer to the following topic: Middle Tier Security.


Thread-safe data layers have limitations. If you create a SecuredObjectSpaceProvider or an XPObjectSpaceProvider and set threadSafe to true in the constructor, the following features are unavailable:

These capabilities require your application to load information about custom persistent fields and then update the database schema. However, thread-safe data layer does not support data model modifications after a database connection is established.

See Also