Skip to main content
BuyLog In
XAF: Cross-Platform .NET App UI & Web API
Search in…
Docs > Data Security and Safety > Security (Access Control & Authentication) > Security Tiers > Middle Tier Security (XPO Only) > Call Direct SQL Queries in Integrated Mode, through the Middle Tier Application Server, and Middle Tier Web API
A newer version of this page is available. .
All docs
V22.1
.NET Framework 4.5.2+
Cross-Platform .NET App UI (XAF)
Getting Started
Installation, Upgrade, Version History
Backend Web API Service
UI Shell and Base Infrastructure
Storage, ORM, and Business Model Design
Data Manipulation and Business Logic
User Interface and Behavior Customization
Data Filtering
Data Security and Safety
Security (Access Control & Authentication)
Security Tiers
2-Tier Security (Integrated Mode and UI Level)
Middle Tier Security (XPO Only)
Create a WinForms Application (.NET 6) with the Middle Tier Security (ASP.NET Core Web API)
Add the Middle Tier Server (ASP.NET Core Web API) to an existing WinForms Application (.NET 6)
Run the Application Server as a Windows Service (.NET Framework)
Call Direct SQL Queries in Integrated Mode, through the Middle Tier Application Server, and Middle Tier Web API
Connect to the Web API Application Server from Non-XAF Applications (.NET 6)
Connect to the WCF Application Server from Non-XAF Applications (.NET Framework)
Authentication
Predefined Users, Roles and Permissions
Security Permissions Caching
Permissions for Associated Objects
Merging of Permissions Defined in Different Roles
Permission Policy
Use the Security (Access Control & Authentication) API in Non-XAF Applications - Free Offer
Task-Based Help
Audit Trail (History of Data Changes)
Validation (Prevent Data Errors)
Conditional Appearance (Manage State of UI Elements)
Reporting (Shape, Export & Print Data)
Analytics (Extract Data Insights)
Document Management
Business Process Management
Event Planning
Localization
Debugging, Testing and Error Handling
Deployment
Support, QA & Troubleshooting
API Reference
Download CHM

Call Direct SQL Queries in Integrated Mode, through the Middle Tier Application Server, and Middle Tier Web API

  • 3 minutes to read

By default, you cannot execute Direct SQL Queries and Stored Procedures in Integrated Mode of the Security System, or when the Middle Tier Application Server is used. The “Transferring requests via ICommandChannel is prohibited within the security engine“ exception occurs when you execute the corresponding methods of the Session.

Note

Do not use this approach to handle a database update when the application version changes. Instead, use the protected methods of the ModuleUpdater class.

Enable Direct SQL Queries

In Integrated Mode

To enable direct queries and stored procedure execution in these configurations, set the SecuredObjectSpaceProvider.AllowICommandChannelDoWithSecurityContext property to true after instantiating the SecuredObjectSpaceProvider object. By default, this object is created in the XafApplication.CreateDefaultObjectSpaceProvider method overridden in the WinApplication.cs (WinApplication.vb), WebApplication.cs (WebApplication.vb) and BlazorApplication.cs files.

protected override void CreateDefaultObjectSpaceProvider(CreateCustomObjectSpaceProviderEventArgs args) {
    // ...
    ((SecuredObjectSpaceProvider)args.ObjectSpaceProviders[0]).AllowICommandChannelDoWithSecurityContext = true;    
}

In the Middle-Tier Server (WCF, .NET Framework)

If you are using the middle-tier application server, do the following:

  1. Set the SecuredObjectSpaceProvider.AllowICommandChannelDoWithSecurityContext property to true after instantiating the SecuredObjectSpaceProvider object in the XafApplication.CreateDefaultObjectSpaceProvider method overridden in the WinApplication.cs (WinApplication.vb) or WebApplication.cs (WebApplication.vb) files.

    protected override void CreateDefaultObjectSpaceProvider(CreateCustomObjectSpaceProviderEventArgs args) {
    // ...
    ((SecuredObjectSpaceProvider)args.ObjectSpaceProviders[0]).AllowICommandChannelDoWithSecurityContext = true;    
}

  2. Modify the Program.cs (Program.vb) file located in the application server project. Change the code that creates the ServiceHost object as follows:

    IDataStore dataStore = XpoDefault.GetConnectionProvider(connectionString, AutoCreateOption.SchemaAlreadyExists);
Func<IDataLayer> dataLayerProvider = () => new ThreadSafeDataLayer(XpoTypesInfoHelper.GetXpoTypeInfoSource().XPDictionary, dataStore);
ServiceHost serviceHost = new WcfXafServiceHost(dataLayerProvider, dataServerSecurityProvider, true);

If you run the Application Server as a windows service, you can use the same code in the ApplicationServerService.cs (ApplicationServerService.vb) file.

In the Middle-Tier Server (ASP.NET Core Web API, .NET 6+)

To enable direct queries and stored procedures execution, set the AllowICommandChannelDoWithSecurityContext property to true in the Startup.cs file in the Web API project as follows:

// ...
.AddXafMiddleTier(options => {
    options.UseConnectionString(Configuration.GetConnectionString("ConnectionString"));
    options.UseDataStorePool(true);
    // Enable direct queries and stored procedures execution.
    options.AllowICommandChannelDoWithSecurityContext = true;
});
// ...

Run Direct SQL Queries

After you enable the direct SQL queries, you can access the Object Space, cast it to the XPObjectSpace type, get the Session object using the XPObjectSpace.Session property, and call Session.ExecuteQuery, Session.ExecuteSproc or other suitable methods.