Skip to main content
A newer version of this page is available. .

How to: Change the Client-Side Security Mode from UI Level to Integrated in XPO applications

  • 3 minutes to read

This topic describes how to filter secured data using XPO, without the use of a Middle Tier application server. It is recommended that you first review the Client-Side Security (2-Tier Architecture) topic to study the initial client-side security configuration. The approach described here does not support the Entity Framework data model, it is for XPO only. If you want to hide the ‘Protected Content’ columns and editors using the Conditional Appearance Module, you can also use the How to: Hide the ‘Protected Content’ Columns in a List View and Property Editors in a Detail View example.


This topic demonstrates the code that can be generated automatically by the Solution Wizard. Proceed, if you want to implement the demonstrated functionality in the existing XAF solution. If you are creating a new XAF solution, use the wizard instead.

The XafApplication class descendant that is added to the application project template overrides the CreateDefaultObjectSpaceProvider method. Edit WinApplication.cs (WinApplication.vb), WebApplication.cs (WebApplication.vb) and MobileApplication.cs (MobileApplication.vb) files and modify the CreateDefaultObjectSpaceProvider method code in the following manner:

using DevExpress.ExpressApp.Security;
using DevExpress.ExpressApp.Security.ClientServer;
// ...
protected override void CreateDefaultObjectSpaceProvider(
    CreateCustomObjectSpaceProviderEventArgs args) {
    args.ObjectSpaceProvider = new SecuredObjectSpaceProvider(
        (SecurityStrategyComplex)Security, args.ConnectionString, args.Connection);


A complete sample project is available in the DevExpress Code Examples database at

The SecuredObjectSpaceProvider creates secured Object Spaces that respect security permissions and filter out protected data.

You cannot modify protected data in code when the SecuredObjectSpaceProvider is used. To modify certain business objects in code, instantiate an XPObjectSpaceProvider object and pass the connection string to the constructor. Then, call the XPObjectSpaceProvider.CreateObjectSpace method to create an IObjectSpace object. Use methods of the created Object Space to access data bypassing the security.

Although the secured data is now filtered, the database is still exposed to a client workstation. An end-user can see the connection string in the application’s configuration file and can use it to directly access the database tables, bypassing the security engine implemented within your application. To further enhance the security, you can inject a Middle Tier application server between your application and the database server. Proceed to the Middle Tier Security - WCF Service topic to learn how to do this.


The following combination of features is not supported when used together.

In this configuration, your application loads information on custom persistent fields from the database and then updates the database schema. However, a thread-safe data layer does not support altering the data model after the database connection is established.

See Also