V25.1
Authenticate and Authorize Web API Endpoints

    The Web API supports all standard ASP.NET Core authentication techniques that you can specify in the MySolution.WebApi\Startup.cs (MySolution.Blazor.Server\Startup.cs) file. See the following topic for more information: Authentication.

    If you use the Template Kit to create a Web API project, enable authentication in the Security Options section. The Select authentication option offers the following choices:

    • Standard (requests login and password): The kit generates JWT authentication scaffolding code for the Web API.
    • Active Directory (uses Windows account): The kit adds the JWT scaffolding code to the MySolution.WebApi\appsettings.json file and the scaffolding code for Windows Active Directory to the MySolution.WebApi\Properties\launchSettings.json file.
    • Microsoft Entra ID (formerly Azure Active Directory): The kit adds the JWT and Microsoft Entra ID scaffolding code to the MySolution.WebApi\appsettings.json file.
    • Middle Tier Security - No direct database access: The kit adds the MySolution.MiddleTier project to the application. Refer to the following help topic for more information: Middle Tier Security with EF Core.

    See the following topics for information on how to configure the authentication scaffolding code and enable authentication:

    Configure Authorization for Endpoints or Protect Business Object Data

    You must define Security System permissions for business objects and properties you want to expose through a Web API Service (both built-in and custom endpoints). We do not recommend that you expose business object data to all users without security protection.

    You can configure permissions using one of the following methods:

    • In the code of the ModuleUpdater class (look for the Updater.cs file; its location depends on your project configuration).
    • In the administrative UI powered by XAF Blazor/WinForms (this feature requires the Universal license).
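    The following example, added here and not part of the original topic, shows the ModuleUpdater approach: it creates a least-privilege role for the "ServiceUser" account that the impersonation snippet later in this topic signs in with, and grants that role only the Employee operations the custom endpoint needs. The role name, the Employee type, and the DevExpress.Persistent.BaseImpl.EF.PermissionPolicy namespace (EF Core variant of the permission policy types) are assumptions; adjust them to your project.

```csharp
using System;
using DevExpress.ExpressApp;
using DevExpress.ExpressApp.Security;
using DevExpress.ExpressApp.Updating;
using DevExpress.Persistent.Base;
using DevExpress.Persistent.BaseImpl.EF.PermissionPolicy; // assumed: EF Core role type
using MySolution.Module.BusinessObjects;                  // assumed: Employee, ApplicationUser

namespace MySolution.Module.DatabaseUpdate {
    public class Updater : ModuleUpdater {
        public Updater(IObjectSpace objectSpace, Version currentDBVersion)
            : base(objectSpace, currentDBVersion) { }

        public override void UpdateDatabaseAfterUpdateSchema() {
            base.UpdateDatabaseAfterUpdateSchema();

            // Role for the impersonated service account ("ServiceRole" is an assumed name).
            // Deliberately non-administrative: the endpoint only needs to create and edit Employees.
            PermissionPolicyRole serviceRole =
                ObjectSpace.FirstOrDefault<PermissionPolicyRole>(r => r.Name == "ServiceRole");
            if (serviceRole == null) {
                serviceRole = ObjectSpace.CreateObject<PermissionPolicyRole>();
                serviceRole.Name = "ServiceRole";
                serviceRole.IsAdministrative = false;
                // Allow Read/Write plus Create on Employee, and explicitly deny Delete.
                serviceRole.AddTypePermission<Employee>(SecurityOperations.ReadWriteAccess, SecurityPermissionState.Allow);
                serviceRole.AddTypePermission<Employee>(SecurityOperations.Create, SecurityPermissionState.Allow);
                serviceRole.AddTypePermission<Employee>(SecurityOperations.Delete, SecurityPermissionState.Deny);
                // Anything not listed above (other business objects, user and role tables) stays denied,
                // which is the Security System's default for a non-administrative role.
            }

            // The account the endpoint signs in via SignInManager.SignIn(user).
            // No password or login info is assigned on purpose: the account is only ever
            // impersonated server-side and is not meant to be usable for a direct login.
            ApplicationUser serviceUser =
                ObjectSpace.FirstOrDefault<ApplicationUser>(u => u.UserName == "ServiceUser");
            if (serviceUser == null) {
                serviceUser = ObjectSpace.CreateObject<ApplicationUser>();
                serviceUser.UserName = "ServiceUser";
                serviceUser.Roles.Add(serviceRole);
            }

            ObjectSpace.CommitChanges();
        }
    }
}
```

    After the updater runs, the endpoint's nested-scope Object Space enforces these permissions, so a bug in the endpoint cannot delete Employees or touch unrelated objects on the service user's behalf.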

    For more information, refer to the following concepts and examples:

    Authenticate a User in Code

    XAF provides an API that you can use to access and manage application users, as well as to authenticate them. This API includes the following services:

    • UserManager: Exposes the API required to manage user objects in the database.
    • SignInManager: Exposes the API required to sign a user into an application.

    The following code snippet demonstrates how to use the API that the UserManager and SignInManager services expose to sign in to a nested scope and execute custom endpoint logic on a service user's behalf (user impersonation):

    using System;
    using DevExpress.ExpressApp;
    using DevExpress.ExpressApp.Security;
    using MySolution.WebApi.BusinessObjects;
    using Microsoft.AspNetCore.Authorization;
    using Microsoft.AspNetCore.Mvc;
    using Microsoft.Extensions.DependencyInjection; // GetRequiredService, IServiceScopeFactory
    // ...
    namespace MySolution.WebApi {
        [Route("api/[controller]")]
        [ApiController]
        [Authorize] // The caller must still be authenticated; impersonation happens inside the nested scope only.
        public class CustomEndpointController : ControllerBase {
            private readonly IServiceProvider serviceProvider;
            public CustomEndpointController(IServiceProvider serviceProvider) {
                this.serviceProvider = serviceProvider;
            }
    
            [HttpPost]
            public void Post([FromBody] string value) {
                // ...
                // Create a nested service scope within which to establish a separate login session.
                IServiceScopeFactory serviceScopeFactory = serviceProvider.GetRequiredService<IServiceScopeFactory>();
                using (IServiceScope impersonationScope = serviceScopeFactory.CreateScope()) {
                    // Use the UserManager to obtain the "ServiceUser" user object.
                    // A non-secured Object Space is required here because the caller's own
                    // permissions may not allow reading user records.
                    using IObjectSpace nonSecuredObjectSpace = impersonationScope.ServiceProvider
                        .GetRequiredService<INonSecuredObjectSpaceFactory>().CreateNonSecuredObjectSpace<ApplicationUser>();
                    ApplicationUser serviceUser = impersonationScope.ServiceProvider
                        .GetRequiredService<UserManager>().FindUserByName<ApplicationUser>(nonSecuredObjectSpace, "ServiceUser");
    
                    // Sign in as "ServiceUser" to the nested scope.
                    // GetRequiredService throws if SignInManager is not registered instead of returning null.
                    SignInManager signInManager = impersonationScope.ServiceProvider.GetRequiredService<SignInManager>();
                    signInManager.SignIn(serviceUser);
    
                    // Obtain an Object Space from the nested scope and use this Object Space
                    // to manipulate business objects on the "ServiceUser" user's behalf.
                    // This Object Space is secured, so "ServiceUser"'s permissions apply to every operation.
                    using IObjectSpace objectSpace = impersonationScope.ServiceProvider
                        .GetRequiredService<IObjectSpaceFactory>().CreateObjectSpace<Employee>();
                    Employee newEmployee = objectSpace.CreateObject<Employee>();
                    newEmployee.Name = value;
                    // ...
                    objectSpace.CommitChanges();
                    // ...
                }
            }
        }
    }
    
    See Also