
Change the Client-Side Security Mode from UI Level to Integrated in XPO applications


This topic describes how to filter secured data using XPO, without the use of a Middle Tier application server. It is recommended that you first review the Client-Side Security (2-Tier Architecture) topic to study the initial client-side security configuration. The approach described here does not support the Entity Framework data model; it is for XPO only. If you want to hide the Protected Content columns and editors using the Conditional Appearance Module, you can also use the How to: Hide the Protected Content Columns in a List View and Property Editors in a Detail View example.


The Solution Wizard generates the code shown in this help topic when you create an application. Follow this article if you want to implement the demonstrated functionality in an existing XAF solution.

The XafApplication class descendant that is added to the application project template overrides the CreateDefaultObjectSpaceProvider method. Edit the WinApplication.cs (WinApplication.vb) and WebApplication.cs (WebApplication.vb) files and modify the CreateDefaultObjectSpaceProvider method code in the following manner:

using DevExpress.ExpressApp.Security;
using DevExpress.ExpressApp.Security.ClientServer;
// ...
protected override void CreateDefaultObjectSpaceProvider(
    CreateCustomObjectSpaceProviderEventArgs args) {
    // Replace the default provider with one that creates secured Object Spaces.
    args.ObjectSpaceProvider = new SecuredObjectSpaceProvider(
        (SecurityStrategyComplex)Security, args.ConnectionString, args.Connection);
}


A complete sample project is available in the DevExpress Code Examples database at

The SecuredObjectSpaceProvider creates secured Object Spaces that respect security permissions and filter out protected data.

You cannot modify protected data in code when the SecuredObjectSpaceProvider is used. To modify certain business objects in code, instantiate an XPObjectSpaceProvider object and pass the connection string to the constructor. Then, call the XPObjectSpaceProvider.CreateObjectSpace method to create an IObjectSpace object. Use the methods of the created Object Space to access data without security checks.
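The following added example (not part of the original topic or of DevExpress sample code) shows one way to confine the unsecured Object Space described above to a single, short-lived unit of work. The UnsecuredDataAccess class, its Execute method, and the Employee type with its Salary property in the usage comment are hypothetical names introduced for illustration.

```csharp
using System;
using DevExpress.Data.Filtering;
using DevExpress.ExpressApp;
using DevExpress.ExpressApp.Xpo;

// Hypothetical helper (not an XAF class): runs one unit of work in an
// unsecured Object Space so that trusted application code can change
// data that the SecuredObjectSpaceProvider hides from the current user.
public static class UnsecuredDataAccess {
    public static void Execute(string connectionString, Action<IObjectSpace> work) {
        if (string.IsNullOrEmpty(connectionString))
            throw new ArgumentException("A connection string is required.", nameof(connectionString));
        if (work == null)
            throw new ArgumentNullException(nameof(work));

        // XPObjectSpaceProvider applies no permission checks, so any
        // authorization decision must be made by the caller before this point.
        var provider = new XPObjectSpaceProvider(connectionString, null);
        try {
            // Keep the unsecured Object Space local to this call: objects loaded
            // here are unfiltered and should not be handed to Views or
            // returned to code that runs on behalf of the end user.
            using (IObjectSpace objectSpace = provider.CreateObjectSpace()) {
                work(objectSpace);
                objectSpace.CommitChanges();
            }
        }
        finally {
            // Release the provider's data layer if it holds disposable resources.
            (provider as IDisposable)?.Dispose();
        }
    }
}

// Usage (Employee, Salary, employeeOid and newSalary are hypothetical):
//
// UnsecuredDataAccess.Execute(connectionString, os => {
//     Employee employee = os.FindObject<Employee>(
//         CriteriaOperator.Parse("Oid = ?", employeeOid));
//     if (employee != null)
//         employee.Salary = newSalary;
// });
```

Because the delegate receives only the IObjectSpace, the unsecured provider itself never leaves the helper, which makes every unsecured write easy to locate during code review.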

Although the secured data is now filtered, the database is still exposed to a client workstation. An end-user can see the connection string in the application’s configuration file and can use it to directly access the database tables, bypassing the security engine implemented within your application. To further enhance the security, you can inject a Middle Tier application server between your application and the database server. Proceed to the Middle Tier Security topic to learn how to do this.


The following combination of features is not supported when used together.

In this configuration, your application loads information on custom persistent fields from the database and then updates the database schema. However, a thread-safe data layer does not support altering the data model after the database connection is established.
