
Configure Authentication in an Application With EF Core Middle Tier Security


Configure Authentication on the Server Side

Authentication in the EF Core Middle Tier Security server is implemented similarly to that of the Backend Web API Service. The Middle Tier Security supports the same authentication methods and uses the same configuration options. For more information on how to configure authentication on the server side, refer to the following article: Authenticate Web API.

Configure Authentication in the Client WinForms Application

The XAF Solution Wizard can generate code for the following authentication methods:

  • Standard authentication (login/password authentication based on JWT)
  • Windows authentication

In an existing WinForms application, you can enable these authentication methods as follows.

Standard authentication

Edit the client WinForms application’s Startup.cs file to configure the security system as shown below.

public class ApplicationBuilder : IDesignTimeApplicationFactory { 
    public static WinApplication BuildApplication(string connectionString) { 
        var builder = WinApplication.CreateBuilder(); 
        // ... 
        builder.Security 
            .UseMiddleTierMode(options => { 
                // Base URL of the Middle Tier Security server; relative request URIs are resolved against it. 
                options.BaseAddress = new Uri(...); 
                options.Events.OnHttpClientCreated = client => client.DefaultRequestHeaders.Add("Accept", "application/json"); 
                options.Events.OnCustomAuthenticate = (sender, security, args) => { 
                    // Take over the logon: post the user's credentials to the JWT endpoint. 
                    args.Handled = true; 
                    HttpResponseMessage msg = args.HttpClient.PostAsJsonAsync("api/Authentication/Authenticate", (AuthenticationStandardLogonParameters)args.LogonParameters).GetAwaiter().GetResult(); 
                    // On success the body is the JWT; on 401 it carries the server's error message. 
                    string token = (string)msg.Content.ReadFromJsonAsync(typeof(string)).GetAwaiter().GetResult(); 
                    if(msg.StatusCode == HttpStatusCode.Unauthorized) { 
                        throw new UserFriendlyException(token); 
                    } 
                    msg.EnsureSuccessStatusCode(); 
                    // Every subsequent request to the Middle Tier carries the token as a Bearer credential. 
                    args.HttpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("bearer", token); 
                }; 
            }) 
            .UsePasswordAuthentication(); 
        // ... 
    } 
} 

In the above code sample, the api/Authentication/Authenticate URL is the path to the authentication endpoint. See the following article for more information: Configure the JWT Authentication for the Web API.

Windows authentication

Edit the client WinForms application’s Startup.cs file to configure the security system as shown below.

public class ApplicationBuilder : IDesignTimeApplicationFactory { 
    public static WinApplication BuildApplication(string connectionString) { 
        var builder = WinApplication.CreateBuilder(); 
        // ... 
        builder.Security 
            .UseMiddleTierMode(options => { 
                options.BaseAddress = new Uri(...); 
            }) 
            .UseWindowsAuthentication(); 
        // ... 
    } 
} 

Use Custom Authentication Methods

If you need to implement a custom authentication method in your application, follow the general steps below:

  1. Configure the Middle Tier Security project to use the required authentication method.

  2. Implement a corresponding endpoint on the Middle Tier Security server side.

  3. On the WinForms client application side, apply all the required settings at the point where the HTTP client is configured. To do this, handle the events exposed through the ApplicationBuilder extension methods (OnHttpClientCreated and OnCustomAuthenticate in the samples above).

All interactions between the client application and the Middle Tier Security server go over HTTP/HTTPS through an HTTP client. You can configure the HTTP client’s settings (timeouts, base URL, and so on) in handlers for the events described above.
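The following block is an added example, not code from the DevExpress documentation or from the XAF templates. It shows how the two events named above can be used together to harden the client side of the exchange: the base address is refused unless it uses HTTPS (so credentials and the bearer token never travel in clear text), the HTTP client gets a bounded timeout, and the token returned by the endpoint is checked before it is attached to later requests. The environment variable name MIDDLE_TIER_URL, the fallback URL, the 15-second timeout, and the fixed error message shown on a 401 are assumptions chosen for this example; the DevExpress types and extension methods used are the ones that appear in the samples above, and the `using` directives for them are whatever the wizard-generated Startup.cs already contains.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Net.Http.Json;
using DevExpress.ExpressApp;
using DevExpress.ExpressApp.Security;
using DevExpress.ExpressApp.Win;

public class ApplicationBuilder : IDesignTimeApplicationFactory {
    // Upper bound for one authentication round trip (value assumed for this example).
    static readonly TimeSpan AuthTimeout = TimeSpan.FromSeconds(15);

    public static WinApplication BuildApplication(string connectionString) {
        var builder = WinApplication.CreateBuilder();
        // ...
        builder.Security
            .UseMiddleTierMode(options => {
                // Source of the server URL is an assumption; the page elides the value.
                // Keep the trailing slash so relative endpoint paths resolve under it.
                var baseAddress = new Uri(
                    Environment.GetEnvironmentVariable("MIDDLE_TIER_URL")
                    ?? "https://middletier.example.invalid/");
                // Refuse plain HTTP: the logon parameters and the JWT must not cross the wire unencrypted.
                if(baseAddress.Scheme != Uri.UriSchemeHttps) {
                    throw new InvalidOperationException(
                        "The Middle Tier Security base address must use HTTPS.");
                }
                options.BaseAddress = baseAddress;

                options.Events.OnHttpClientCreated = client => {
                    // Bound how long a stalled server can block the UI thread during logon.
                    client.Timeout = AuthTimeout;
                    client.DefaultRequestHeaders.Accept.Clear();
                    client.DefaultRequestHeaders.Accept.Add(
                        new MediaTypeWithQualityHeaderValue("application/json"));
                };

                options.Events.OnCustomAuthenticate = (sender, security, args) => {
                    args.Handled = true;
                    var logon = (AuthenticationStandardLogonParameters)args.LogonParameters;
                    HttpResponseMessage msg = args.HttpClient
                        .PostAsJsonAsync("api/Authentication/Authenticate", logon)
                        .GetAwaiter().GetResult();
                    if(msg.StatusCode == HttpStatusCode.Unauthorized) {
                        // Show a fixed message instead of echoing the server body to the user
                        // (design choice of this example; the page's sample shows the body).
                        throw new UserFriendlyException("Invalid user name or password.");
                    }
                    msg.EnsureSuccessStatusCode();
                    string token = msg.Content.ReadFromJsonAsync<string>().GetAwaiter().GetResult();
                    // A 2xx with no token would otherwise leave the client sending an empty Bearer header.
                    if(string.IsNullOrWhiteSpace(token)) {
                        throw new InvalidOperationException(
                            "The authentication endpoint returned an empty token.");
                    }
                    args.HttpClient.DefaultRequestHeaders.Authorization =
                        new AuthenticationHeaderValue("Bearer", token);
                };
            })
            .UsePasswordAuthentication();
        // ...
        return builder.Build();
    }

    // ...
}
```

The HTTPS check is deliberately placed before `options.BaseAddress` is assigned, so a misconfigured deployment fails at startup rather than after the first logon has already sent a password over an unencrypted connection.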

Grant Anonymous Access to Types

The Middle Tier Security can be configured to allow a client to read business objects of the specified types without authentication/authorization. In such instances, all read operations are performed regardless of the Security System’s restrictions.

To allow anonymous read operations on business objects of the specified types, add the following code to the Startup.ConfigureServices method in the Middle Tier Security project’s Startup.cs file.

public class Startup { 
    public void ConfigureServices(IServiceCollection services) { 
        //...
        services.AddXafMiddleTier(Configuration, builder => {
            //...
            builder.Security
                .UseIntegratedMode(options => {
                    //...
                    options.Events.OnSecurityStrategyCreated = securityStrategy => {
                        ((SecurityStrategy)securityStrategy).AnonymousAllowedTypes.Add(typeof(ObjectType));
                    };
                })
                .AddPasswordAuthentication(options => options.IsSupportChangePassword = true);
            //...
        });
    }
} 

Implement Additional Functionality

Similar to the Backend Web API Service, the Middle Tier Service allows you to implement custom API endpoints that you can use to add functionality to the service. Refer to the following article for more information on how to do this: Create Custom Endpoints.
