.NET Framework 4.5.2+
.NET Framework 4.5.2+
.NET Standard 2.0+
.NET Core 3.0+

How to: Use the Integrated Mode of the Security System in Non-XAF Applications

  • 4 minutes to read

This topic demonstrates how to access data protected by the Security System (Integrated Mode) from a console application.


A complete sample project is available at https://github.com/DevExpress-Examples/XAF_how-to-use-the-integrated-mode-of-the-security-system-in-non-xaf-applications-e4908.

Refer to the following tutorials for more .NET Framework and .NET Core examples:

eXpress Persistent Objects

Entity Framework Core


  1. You have an XAF solution (for example, XafSolution) with the platform-agnostic module and WinForms or ASP.NET application projects.
  2. This solution uses XPO as an ORM system.
  3. The WinForms or ASP.NET application uses the Integrated Mode of the Security System and Standard authentication.
  4. There is an active user with the "User" name and an empty password.
  5. Business objects are defined in the XafSolution.Module project (for example, Employee and Department).
  6. A database (XafSolution) is generated for these business objects.

Create and Configure a Non-XAF Application

  1. Create a console application.

  2. Add the following code to the application's configuration file (App.config) to set a connection string.

    <?xml version="1.0" encoding="utf-8" ?>
        <add name="ConnectionString" connectionString="Data Source=DBSERVER;Initial Catalog=XafSolution;Integrated Security=True"/>
      <!-- ... -->

    Replace DBSERVER with a database server name or its IP address. For example, use localhost or (local) for a local database server.

  3. Reference the following assemblies:

    • XafSolution.Module.dll
    • System.Configuration.dll
    • DevExpress.ExpressApp.v20.2.dll
    • DevExpress.ExpressApp.Security.v20.2.dll
    • DevExpress.ExpressApp.Security.Xpo.v20.2.dll
    • DevExpress.ExpressApp.Xpo.v20.2.dll
    • DevExpress.Persistent.BaseImpl.v20.2.dll

Access Secured Data

Perform the following steps in the console application's Program.cs (Program.vb) file.

  1. Initialize the Types Info System and use the RegisterEntity(Type) method to register the business objects that should be accessible in this application.

    using DevExpress.ExpressApp;
    using DevExpress.ExpressApp.Xpo;
    using DevExpress.Persistent.BaseImpl.PermissionPolicy;
    using XafSolution.Module.BusinessObjects;
    static void Main(string[] args) {
        // ...
    private static void RegisterEntities()        {
  2. Initialize the Security System.

    using DevExpress.ExpressApp.Security;
    // ...
    AuthenticationStandard authentication = new AuthenticationStandard();
    SecurityStrategyComplex security = new SecurityStrategyComplex(typeof(PermissionPolicyUser), typeof(PermissionPolicyRole), authentication);
  3. Create the SecuredObjectSpaceProvider object. It allows you to logon and create SecuredObjectSpace to access secured data.

    using System.Configuration;
    using DevExpress.ExpressApp.Security.ClientServer;
    // ...
    string connectionString = ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString;
    SecuredObjectSpaceProvider objectSpaceProvider = new SecuredObjectSpaceProvider(security, connectionString, null);
  4. Perform a logon.

    string userName = "User";
    string password = string.Empty;
    authentication.SetLogonParameters(new AuthenticationStandardLogonParameters(userName, password));
    IObjectSpace loginObjectSpace = objectSpaceProvider.CreateObjectSpace();
  5. Create the SecuredObjectSpace object to operate with secured data.

    using System.Text;
    // ...
    StringBuilder stringBuilder = new StringBuilder();
    stringBuilder.Append("List of the 'Employee' objects:\n");
    using(IObjectSpace securedObjectSpace = objectSpaceProvider.CreateObjectSpace()) {
        foreach(Employee employee in securedObjectSpace.GetObjects<Employee>()) {
            stringBuilder.Append(string.Format("Full name: {0}\n", employee.FullName));
            if(security.IsGranted(new PermissionRequest(securedObjectSpace, typeof(Employee), SecurityOperations.Read, employee, "Department"))) {
                stringBuilder.Append(string.Format("Department: {0}\n", employee.Department.Title));
            else {
                stringBuilder.Append("Department: [Protected content]\n");

    If a user was not allowed to read a property, the Secured Object Space returns the property default value. Use the IsGranted(IPermissionRequest) method to display the "Protected content" placeholder instead of this value.


Ensure that the static EnableRfc2898 and SupportLegacySha512 properties in your non-XAF application have the same values as those in the XAF application where the password was set. Otherwise, you will not be able to log in.

See Also