Skip to main content
BuyLog In
XAF: Cross-Platform .NET App UI & Web API
Search in…
Docs > Application Security and Data Safety > Security (Access Control & Authentication) > ORM Object Model, Policy Configuration and Storage > Implement Custom User, Role and Permission Objects > Implement a Security System User (ApplicationUser) Based on XAF Business Classes
All docs
V23.2
.NET 6.0+
XAF: Cross-Platform .NET App UI & Web API
Getting Started
Installation, Upgrade, Version History
Backend Web API Service
UI Shell and Base Infrastructure
Storage, ORM, and Business Model Design
Data Manipulation and Business Logic
User Interface and Behavior Customization
Data Filtering
Application Security and Data Safety
Security (Access Control & Authentication)
Security Tiers
User Logon and Authentication
ORM Object Model, Policy Configuration and Storage
Type, Object and Member Permissions
Create Predefined Users, Roles and Permissions in the Database
Change the Current User Role in Code
Roles and Permission Policy
Implement Custom User, Role and Permission Objects
Implement a Custom Security System User Based on an Existing Business Class
Implement a Security System User (ApplicationUser) Based on XAF Business Classes
Implement Custom Security Objects (Users, Roles, Operation Permissions)
Add a Security Operation that Can be Permitted or Denied for a Specific Type
Assign an Image to a User
Authorization and Data Protection
Non-XAF UI Scenarios
Security Considerations
Audit Trail (History of Data Changes)
Multi-Tenancy (Data per Tenant)
Validation (Prevent Data Errors)
Conditional Appearance (Manage State of UI Elements)
Reporting (Shape, Export & Print Data)
Analytics (Extract Data Insights)
Document Management
Business Process Management
Event Planning
Localization
Accessibility Support
Debugging, Testing and Error Handling
Deployment
Support, QA & Troubleshooting
API Reference
Download CHM

Implement a Security System User (ApplicationUser) Based on XAF Business Classes

  • 4 minutes to read

XAF has a built-in PermissionPolicyUser class for XPO and EF Core-based applications. This class implements basic functionality required to store Security System user data. The major limitation of the PermissionPolicyUser class is that it can be used directly only in applications with a single authentication method: either password-based or Windows Active Directory-based.

When a user has multiple ways to log in, you need to store information for all authentication types and associate this information with the user. To do this, use the ISecurityUserWithLoginInfo (a descendant of ISecurityUser and IOAuthSecurityUser) and ISecurityUserLoginInfo interfaces.

Additionally, if you want to support the user lockout feature (the capability to lock out users who fail to enter the correct password several times in a row), implement the ISecurityUserLockout interface in your security system user class.

Note

The XAF Solution Wizard generates classes that implement these interfaces automatically for projects created with v21.1 and later. You can find these implementations in the following files within your solution:

  • SolutionName.Module\BusinessObjects\ApplicationUser.cs
  • SolutionName.Module\BusinessObjects\ApplicationUserLoginInfo.cs

Follow the steps below to implement the required classes from scratch.

  1. Add a class to store user login information. In this class, implement the ISecurityUserLoginInfo interface. You can use the following code as a reference implementation (XAF Solution Wizard generates equivalent code).

    using DevExpress.ExpressApp.ConditionalAppearance;
using DevExpress.ExpressApp.Security;
using System.ComponentModel;
using System.ComponentModel.DataAnnotations;
using System.ComponentModel.DataAnnotations.Schema;
// ...
[Table("PermissionPolicyUserLoginInfo")]
public class ApplicationUserLoginInfo : ISecurityUserLoginInfo {

    public ApplicationUserLoginInfo() { }

    [Browsable(false)]
    public virtual Guid ID { get; protected set; }

    [Appearance("PasswordProvider", 
        Enabled = false, 
        Criteria = "!(IsNewObject(this)) and LoginProviderName == '" 
            + SecurityDefaults.PasswordAuthentication 
            + "'", 
        Context = "DetailView")]
    public virtual string LoginProviderName { get; set; }

    [Appearance("PasswordProviderUserKey", 
        Enabled = false, 
        Criteria = "!(IsNewObject(this)) and LoginProviderName == '" 
            + SecurityDefaults.PasswordAuthentication 
            + "'", 
        Context = "DetailView")]
    public virtual string ProviderUserKey { get; set; }

    [Browsable(false)]
    public virtual Guid UserForeignKey { get; set; }

    [Required]
    [ForeignKey(nameof(UserForeignKey))]
    public virtual ApplicationUser User { get; set; }

    object ISecurityUserLoginInfo.User => User;
}

  2. Add an application user class that extends PermissionPolicyUser and implements the ISecurityUserWithLoginInfo interface required to associate multiple authentication methods with a user and the ISecurityUserLockout interface to support the user lockout feature. You can use the following code as a reference implementation (XAF Solution Wizard generates equivalent code).

    using DevExpress.ExpressApp;
using DevExpress.ExpressApp.Security;
using DevExpress.Persistent.BaseImpl.EF.PermissionPolicy;
using System.Collections.ObjectModel;
using System.ComponentModel;
// ...
[DefaultProperty(nameof(UserName))]
public class ApplicationUser : PermissionPolicyUser, ISecurityUserWithLoginInfo, ISecurityUserLockout {
    [Browsable(false)]
    public virtual int AccessFailedCount { get; set; }

    [Browsable(false)]
    public virtual DateTime LockoutEnd { get; set; }

    [Browsable(false)]
    [DevExpress.ExpressApp.DC.Aggregated]
    public virtual IList<ApplicationUserLoginInfo> UserLogins { get; set; } 
        = new ObservableCollection<ApplicationUserLoginInfo>();

    IEnumerable<ISecurityUserLoginInfo> IOAuthSecurityUser.UserLogins 
        => UserLogins.OfType<ISecurityUserLoginInfo>();

    ISecurityUserLoginInfo ISecurityUserWithLoginInfo.CreateUserLoginInfo(string loginProviderName, string providerUserKey) {
        ApplicationUserLoginInfo result = ((IObjectSpaceLink)this).ObjectSpace.CreateObject<ApplicationUserLoginInfo>();
        result.LoginProviderName = loginProviderName;
        result.ProviderUserKey = providerUserKey;
        result.User = this;
        return result;
    }
}

  3. Modify the Application Builder code as shown below so that XAF uses your custom classes to store security data:

    File: MySolution.Blazor.Server\Startup.cs, MySolution.Win\Startup.cs, MySolution.WebApi\Startup.cs

    // ...
builder.Security
    .UseIntegratedMode(options => {
        // ...
        options.UserType = typeof(MySolution.Module.BusinessObjects.ApplicationUser);
        options.UserLoginInfoType = typeof(MySolution.Module.BusinessObjects.ApplicationUserLoginInfo);
// ...
See Also