Middle Tier Security with XPO
Keeping security logic in the client application is neither safe nor flexible, because users can bypass the security system and access the database directly. To prevent this, you can implement a Middle Tier application server: an ASP.NET Core service that sits between the client application and the database server and filters out secured data. In this configuration, clients cannot access the database server directly. The diagram below illustrates this configuration.

Application Architecture Basics: Middle-Tier Security
The following images demonstrate how Blazor and WinForms applications with Middle Tier Security interact with the database:
Load Data from the Database
- The unsecure server-side Session loads data from the database according to the criteria based on Security permissions.
- The secure server-side Session copies objects from the unsecure server-side Session. If a field value does not meet the permission criterion, it is replaced with the default value in the copied objects. The copied objects are serialized and passed to the client-side Session.
- The client-side Session deserializes these objects. The deserialized objects are available to users.
Save Data to the Database
- The client-side Session serializes objects and passes them to the secure server-side Session.
- The secure server-side Session deserializes objects and copies their values that meet the Security permissions to the unsecure server-side Session.
- The unsecure server-side Session saves the passed values into original objects in the database.
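The two flows above can be modelled without any XAF or XPO dependency. The following example is added here and is not code from the DevExpress documentation; the Employee, FieldPermissions and MiddleTier types are assumptions made for this illustration. It shows the two invariants the secure server-side Session enforces: a denied value never leaves the server (it is replaced with the type default before serialization), and a value the client is not allowed to change is dropped on save rather than written to the database.

```csharp
using System;
using System.Collections.Generic;

// Constructed model of the load/save flow; plain C# only, not XPO or XAF classes.
public sealed class Employee
{
    public int Id;
    public string Name = "";
    public decimal Salary;

    public Employee Clone() => new Employee { Id = Id, Name = Name, Salary = Salary };
}

// Read/write rules per property; a property that is not listed is denied.
public sealed class FieldPermissions
{
    private readonly Dictionary<string, (bool Read, bool Write)> rules = new();

    public FieldPermissions Allow(string property, bool read, bool write)
    {
        rules[property] = (read, write);
        return this;
    }

    public bool CanRead(string property) => rules.TryGetValue(property, out var r) && r.Read;
    public bool CanWrite(string property) => rules.TryGetValue(property, out var r) && r.Write;
}

public static class MiddleTier
{
    // Load: the unsecure Session already holds the stored object; the secure
    // Session copies it and replaces every denied value with the type default
    // before the copy is serialized to the client.
    public static Employee LoadForClient(Employee stored, FieldPermissions p)
    {
        var copy = stored.Clone();
        if (!p.CanRead(nameof(Employee.Name))) copy.Name = default;     // null
        if (!p.CanRead(nameof(Employee.Salary))) copy.Salary = default; // 0m
        return copy;
    }

    // Save: the secure Session deserializes the client's object and copies only
    // writable values into the unsecure Session's original object. A change the
    // client made to a denied field is discarded, never persisted.
    public static void SaveFromClient(Employee stored, Employee fromClient, FieldPermissions p)
    {
        if (p.CanWrite(nameof(Employee.Name))) stored.Name = fromClient.Name;
        if (p.CanWrite(nameof(Employee.Salary))) stored.Salary = fromClient.Salary;
    }

    public static void Main()
    {
        // Constructed database row and a role that may see and edit Name only.
        var stored = new Employee { Id = 1, Name = "A. Example", Salary = 5000m };
        var clerk = new FieldPermissions()
            .Allow(nameof(Employee.Name), read: true, write: true)
            .Allow(nameof(Employee.Salary), read: false, write: false);

        Employee clientCopy = LoadForClient(stored, clerk);
        Console.WriteLine($"client sees Salary = {clientCopy.Salary}"); // 0: the real value stayed on the server

        clientCopy.Name = "A. Renamed";
        clientCopy.Salary = 99999m; // a client that skipped the UI checks still cannot write this field
        SaveFromClient(stored, clientCopy, clerk);
        Console.WriteLine($"stored Name = {stored.Name}, Salary = {stored.Salary}"); // Name updated, Salary still 5000
    }
}
```

Note that the client copy reports Salary as 0 both when the value is denied and when the stored salary is genuinely zero; this is the ambiguity described under Important Notes, and the reason the real system exposes SecuritySystem.IsGranted for the client to tell the two cases apart.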
Important Notes
When you create a new .NET project with DevExpress CLI templates or the Template Kit and enable Middle-Tier Security, HTTPS is enabled by default with an ASP.NET Core HTTPS development certificate. This certificate cannot be used in non-development environments. For production, configure a proper TLS certificate for the application. For more information, refer to the documentation: Configure HTTPS.
- ASP.NET Core Blazor applications use the client-server model. You do not need to implement the additional Middle Tier server in these applications.
- The Middle Tier service and database can be installed on the same server. The application server can also be installed on a user workstation with the application, but this configuration does not improve security.
- A Blazor application with Middle Tier Security does not support Windows authentication.
- Integrated WebAPI services and Middle Tier security cannot be used simultaneously.
- If you use custom permission requests, custom logon parameters, or other types that should be serialized (for example, non-persistent objects), use the static WebApiDataServerHelper.AddKnownType method to register them before a data server is initialized. Register these types on the server and client. Do not use this method to register business classes.
- The Security System displays the default property value instead of its actual value if access to a property is denied. These values may match. Use the SecuritySystem.IsGranted method to determine which value is displayed.
- The OnSaving and OnDeleting methods of a business class can be called multiple times because Integrated Mode and Middle Tier Security use more than one Session/DbContext object. If you implement custom logic in these methods, check whether a new value is already assigned to a property. This helps you avoid incorrect results. The following article describes how to do this with XPO: XPO Best Practices.
- Detail Views do not display changes made to an object within a transaction (for example, an auto-generated sequential number for an XPO business object) even if you saved this object in a View. These changes are made on the server only and are not automatically passed to the client application. To show these changes, reload the object. If you want to reload the object on each Save operation, override the business class's OnSaved method. The following example demonstrates how to override this method to reload an object on the client:

```csharp
using DevExpress.Persistent.BaseImpl;
// ...
public class DemoObject : BaseObject {
    // ... (Number is a persistent property declared elsewhere in the class)
    protected override void OnSaved() {
        base.OnSaved();
        // 0 is the default value
        if (Number == 0) {
            Session.Reload(this);
        }
    }
}
```

- The Session.DataLayer property is null in the secured Session. Instead of DataLayer, we recommend that you use the View.ObjectSpace property to query and change data from the database. This technique is also recommended for non-secure applications. If this recommendation does not apply to your scenario, use the Session.ObjectLayer property instead of DataLayer. You can also execute different code on the server and client depending on the DataLayer and ObjectLayer property values. The following example demonstrates how to do it:

```csharp
using DevExpress.ExpressApp.Security.ClientServer;
using DevExpress.Persistent.BaseImpl;
// ...
public class DemoObject : BaseObject {
    // ...
    protected override void OnSaving() {
        if (Session.DataLayer != null && !(Session.ObjectLayer is SecuredSessionObjectLayer)) {
            // Server-side code
        } else {
            // Client-side code
        }
        base.OnSaving();
    }
}
```
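The notes above leave one piece unshown: what an idempotent OnSaving override looks like when the method can run in more than one Session. The following example is added here and is not code from the DevExpress documentation; the Invoice class and the NextInvoiceNumber helper are hypothetical names. It combines the server/client check from the previous snippet with the "is a value already assigned" check, so the sequential number is assigned exactly once, on the server, and never overwritten on a later call.

```csharp
using DevExpress.ExpressApp.Security.ClientServer;
using DevExpress.Persistent.BaseImpl;
using DevExpress.Xpo;

// Assumed business class for this example; Invoice and NextInvoiceNumber are
// hypothetical names, not part of the XAF or XPO API.
public class Invoice : BaseObject
{
    public Invoice(Session session) : base(session) { }

    int number;
    public int Number
    {
        get { return number; }
        set { SetPropertyValue(nameof(Number), ref number, value); }
    }

    protected override void OnSaving()
    {
        // Middle Tier Security can call OnSaving more than once for the same
        // object because several Session objects are involved, so the assignment
        // must be safe to repeat: act only on the server, only for a new object,
        // and only while Number still holds its default value (0).
        bool onServer = Session.DataLayer != null
                        && !(Session.ObjectLayer is SecuredSessionObjectLayer);
        if (onServer && Session.IsNewObject(this) && Number == 0)
        {
            Number = NextInvoiceNumber();
        }
        base.OnSaving();
    }

    // Placeholder for a real sequence source (for example a database sequence);
    // a static counter is used here only to keep the example self-contained.
    static int nextNumber = 1;
    static int NextInvoiceNumber() => nextNumber++;
}
```

Because the number is assigned inside the server-side transaction, the client-side object still shows 0 after Save; pair this override with the OnSaved reload shown above so the Detail View displays the assigned value.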