Skip to main content
BuyLog In
XAF: Cross-Platform .NET App UI & Web API
Search in…
Docs > Task-Based Help > Security > How to: Change the Client-Side Security Mode from UI Level to Integrated in XPO applications
A newer version of this page is available. .
All docs
V20.2
.NET Framework 4.5.2+
eXpressApp Framework
Fundamentals
.NET Core 3.0+ Support in XAF WinForms Applications
.NET Standard 2.0 Support for Platform-Agnostic Modules
ASP.NET Core Blazor UI - Official Release
Getting Started
Concepts
Design-Time Features
Deployment
Task-Based Help
Business Model Design
Application Model
Actions
Navigation
Views
List Editors
Property Editors
Templates
Filtering
Reporting
Dashboards
Office
Scheduler and Notifications
Maps Module
Security
How to: Assign the Same Permissions for All Users of an Active Directory Group
How to: Call Direct SQL Queries in Integrated Mode or through the Middle Tier Application Server
How to: Change the Client-Side Security Mode from UI Level to Integrated in XPO applications
How to: Connect to the WCF Application Server from Non-XAF Applications
How to: Get the Current User in Code
How to: Hide the Protected Content Columns in a List View and Property Editors in a Detail View
How to: Implement a Custom Security Operation that Can be Permitted at the Type Level
How to: Implement a Custom Security System User Based on an Existing Business Class
How to: Implement Custom Security Objects (Users, Roles, Operation Permissions)
How to: Use Active Directory and OAuth2 Authentication Providers in Blazor Applications
How to: Manually Configure Permissions for Associated Collections and Reference Properties
How to: Prevent Users from Deleting and Updating Administrative User and Role Objects
How to: Show a List of Users Allowed to Read an Object
How to: Use Custom Logon Parameters and Authentication
How to: Use the Integrated Mode of the Security System in Non-XAF Applications
Workflow
Localization
Miscellaneous UI Customizations
Frequently Asked Questions (FAQ)
API Reference
Download CHM

How to: Change the Client-Side Security Mode from UI Level to Integrated in XPO applications

  • 3 minutes to read

This topic describes how to filter secured data using XPO, without the use of a Middle Tier application server. It is recommended that you first review the Client-Side Security (2-Tier Architecture) topic to study the initial client-side security configuration. The approach described here does not support the Entity Framework data model, it is for XPO only. If you want to hide the Protected Content columns and editors using the Conditional Appearance Module, you can also use the How to: Hide the Protected Content Columns in a List View and Property Editors in a Detail View example.

Note

The Solution Wizard generates the code shown in this help topic when you create an application. Follow this article if you want to implement the demonstrated functionality in an existing XAF solution.

The XafApplication class descendant that is added to the application project template overrides the CreateDefaultObjectSpaceProvider method. Edit WinApplication.cs (WinApplication.vb) and WebApplication.cs (WebApplication.vb) files and modify the CreateDefaultObjectSpaceProvider method code in the following manner:

using DevExpress.ExpressApp.Security;
using DevExpress.ExpressApp.Security.ClientServer;
// ...
protected override void CreateDefaultObjectSpaceProvider(
    CreateCustomObjectSpaceProviderEventArgs args) {
    args.ObjectSpaceProvider = new SecuredObjectSpaceProvider(
        (SecurityStrategyComplex)Security, args.ConnectionString, args.Connection);
}

Tip

A complete sample project is available in the DevExpress Code Examples database at https://supportcenter.devexpress.com/ticket/details/e4034/how-to-hide-the-protected-content-rows-in-list-views.

The SecuredObjectSpaceProvider creates secured Object Spaces that respect security permissions and filter out protected data.

You cannot modify protected data in code when the SecuredObjectSpaceProvider is used. To modify certain business objects in code, instantiate an XPObjectSpaceProvider object and pass the connection string to the constructor. Then, call the XPObjectSpaceProvider.CreateObjectSpace method to create an IObjectSpace object. Use methods of the created Object Space to access data bypassing the security.

Although the secured data is now filtered, the database is still exposed to a client workstation. An end-user can see the connection string in the application’s configuration file and can use it to directly access the database tables, bypassing the security engine implemented within your application. To further enhance the security, you can inject a Middle Tier application server between your application and the database server. Proceed to the Middle Tier Security topic to learn how to do this.

Important

The following combination of features is not supported when used together.

In this configuration, your application loads information on custom persistent fields from the database and then updates the database schema. However, a thread-safe data layer does not support altering the data model after the database connection is established.

See Also