Take a tour of DXv2: XAF Q&A

XAF Team Blog
28 December 2011

A bit late with this post, but…

Check out the "Take a tour of DXv2: XAF" webinar as well as the "XAF - Application Server & Improved Security System" tutorial videos to get started with the newest version of the eXpressApp Framework (XAF).

And don't forget to check out the What's New pages for both XAF and XPO.

Finally, do not miss the new and updated help articles for these products located in the What’s New in Help document.

I also wanted to answer a few of the more interesting questions left unanswered from our last webinar. So, here we go:

Q: What are the main advantages of your application server and the improved security system? Why would one want to use them?
A: In our opinion, every serious application for a medium or large enterprise requires a stable and solid security system that ensures clients only access data and perform operations they have permissions for. In most cases, secure data filtering is done in the middle tier, which prevents the client application from connecting to the database directly. The client application usually connects to the middle tier server via Remoting, WCF or other popular data transport technologies. The middle tier application itself can be run as a console or Windows service application, or be hosted as part of a web application on IIS.

As you know, implementing, testing and maintaining even the core of such a system yourself will require enormous resources. Implementing a GUI for it will also cost you a lot of time and money. In addition, if you Google the term, you will quickly find that it will require learning both a large number of technologies and numerous patterns & best practices available in papers created by Microsoft and many third parties…

With XAF you get all of this out-of-the-box and as a result you have a ready GUI + Core that is based on existing DevExpress technologies (we use DevExpress visual components for the UI and XPO for the application server and security core). Finally, note that the XAF security system supports defining permissions on the object type, object instance and member levels, as well as custom permissions.

Q: What are the main differences between the old and new XAF security systems?
A: The new XAF security system prevents client applications from retrieving sensitive data. All permission requests are redirected to the security service located on the application server. Your secure data is much safer now as it will not leave the server. Refer to this help article explaining these differences in greater detail. In addition, the new security system is accompanied by a more effective UI for editing security permissions – you now have a permissions matrix that I believe will be welcomed by your clients.

Q: I am interested in the new application server & security system and just wanted to verify that if a user does not have permissions to an object / field, the respective information will not be displayed in reports, analysis, etc.
A: Of course, it works as you would expect, and these features were specially designed for this scenario. Security restricts data on the server side so that it never appears in reports, analysis and elsewhere on the client side. For more information, check out the work schema. Note that to obtain all these benefits, you will need to configure security in the middle tier. Simply using the new security system (without implementing it in the middle tier) will not provide data filtering on the server side, because this is done by the middle tier service.
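The difference between filtering in the middle tier and hiding fields in the UI can be shown with a small sketch. This is an added example, not DevExpress code: `Employee`, `MemberPermissions` and `MiddleTierService` are hypothetical names and none of them are XAF or XPO APIs; the data and roles are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical types for illustration only; none of these are XAF or XPO APIs.
record Employee(string Name, string Department, decimal Salary);

// Member-level read permissions: the members each role may read.
class MemberPermissions
{
    private readonly Dictionary<string, HashSet<string>> _readable = new()
    {
        ["HR"]    = new() { "Name", "Department", "Salary" },
        ["Staff"] = new() { "Name", "Department" },
    };
    // Unknown roles and unlisted members are denied by default.
    public bool CanRead(string role, string member) =>
        _readable.TryGetValue(role, out var m) && m.Contains(member);
}

// Middle tier: owns the only data connection and projects each row down to
// the members the caller may read before anything is sent to the client.
class MiddleTierService
{
    private readonly MemberPermissions _perms = new();
    private readonly List<Employee> _db = new()   // constructed sample data
    {
        new("Ann", "Sales", 5200m),
        new("Bob", "IT", 6100m),
    };

    public List<Dictionary<string, object>> GetEmployees(string role) =>
        _db.Select(e => new Dictionary<string, object>
            {
                ["Name"] = e.Name, ["Department"] = e.Department, ["Salary"] = e.Salary,
            }
            .Where(kv => _perms.CanRead(role, kv.Key))
            .ToDictionary(kv => kv.Key, kv => kv.Value))
        .ToList();
}

static class Program
{
    static void Main()
    {
        var server = new MiddleTierService();
        foreach (var role in new[] { "HR", "Staff", "Unknown" })
            foreach (var row in server.GetEmployees(role))
                Console.WriteLine($"{role}: " +
                    string.Join(", ", row.Select(kv => $"{kv.Key}={kv.Value}")));
        // A report or grid built from the "Staff" result cannot show Salary:
        // the value never left the server, so no client code can reveal it.
    }
}
```

With UI-level security the full row would reach the client and only the rendering would hide `Salary`, so anything that reads the client's data directly would still see it.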

Q: Does your new security system allow creating and plugging custom security permissions, i.e. not only permissions for business objects and their members? How do I implement a custom permission?
A: Sure, much like the previous version, our new security system allows for this. A good example of a custom permission is the "Edit Model" permission. Refer to the following Support Center ticket for a detailed description and a small sample project that demonstrates its implementation: http://www.devexpress.com/issue=Q358567

Q: Is it necessary to host the application server on a separate machine as part of a console, Windows service application or a web application on IIS?
A: No, it is absolutely unnecessary. The application server is pure .NET code that can be run anywhere you need, even in the client application. For instance, in our SecurityDemo, the application server is hosted in the same client application, but in a different AppDomain (check the ApplicationServerStarter class for the details). By default, we provide a Visual Studio Project Template that hosts the application server in a Windows service. We plan to provide additional templates based on customer feedback. If you cannot wait, it is not difficult to make these templates yourself based on the defaults we provide – it is simply a matter of creating a corresponding application type (refer to MSDN for more details) and copying the required application server code.

Q: Is there a way to encrypt or compress data between the application server and the client?
A: There is no special XAF encryption code because everything is already supported by the underlying data transport technologies. For instance, refer to the http://msdn.microsoft.com/en-US/library/k62k71x0(v=VS.80).aspx and http://msdn.microsoft.com/en-us/library/ms735093.aspx help articles to learn more.

Q: Is the application server completely stateless?
A: Yes, the application server is stateless. However, the server caches a database session and access rights for a particular client. It is not a long-lived cache, and it does not constitute state for the client application.

Q: I heard that you are also planning to move some standard XAF functionality (audit trail, validation, etc.) to the server side, what if I also want to execute my business rules on the server? How do I proceed?
A: Yes, you are right, we have such plans for the future. In the meantime, if you want to delegate business logic from the client to the server, you can implement a solution similar to that demonstrated in the following Support Center ticket: http://www.devexpress.com/issue=Q356933

Q: Is there an easy and fast way to replace the old security system with new member-level security?
A: Yes, we'll provide a sample converter that can be used to convert old permissions to new permissions for our built-in security objects (User, Role, SecuritySimple, SecurityComplex, etc.). I suggest you check out this discussion in the Support Center for more information.

Q: I noticed there were still some postbacks during my Web application operation. Is it a bug?
A: No, some tasks can be performed only via postback (e.g. file download, theme changes, etc.). However, we plan to enhance our Web UI and you can see our plans in this blog post.

Q: I like the new AJAX Web UI, but previously I used some custom user and third-party controls that operate via postbacks. Is it possible to force them to use AJAX as well?
A: If a third-party control operates via postbacks and does not support AJAX itself, it is unlikely that it can be switched to AJAX. However, it will continue to operate via postbacks as before. As for your custom user controls, it is possible to convert them to AJAX-like controls. Please contact our Support Team for further instructions.

Q: What is the best way to convert my existing Web application to 11.2 to use the improved AJAX functionality?
A: As always, we recommend that you follow the instructions given in the Upgrade Notes help article. From this article you can also find links to the list of breaking changes and implemented features. Finally, we suggest you check out the eXpressApp Framework v11.2 ASP.NET Application Migration Guidelines we've prepared. If you experience any difficulties with the upgrade, feel free to contact our Support Team.

Q: Do you provide any converter for rules created using obsolete ConditionalEditorState and ConditionalFormatting modules?
A: Sure, we do. Please refer to the following KB Article: http://www.devexpress.com/kb=K18547.

Q: What are your plans for the old security system? I also noticed that not all XAF demos migrated to the new security system.
A: Yes, that is true about the demos. You might also notice that the old security is still described in the docs. We decided not to migrate all demos to the new security system in this release because there are a lot of people who are using the old security and might even use it in the future as it is effective, even though it works at the UI level. However, migrating all our demos to the new security system is planned, as is complete replacement of the old security system. People who are using Domain Components can also track this suggestion – a DC-based demo based on the new security system.

As always, we will also try to keep new videos, blogs and other training materials coming. If you have specific suggestions or just want to share your feedback on how we are doing, please drop us a line or simply email me at dennis@devexpress.com.

Happy XAFing!
