XAF - Role-based Access Control & User Authentication API for .NET Apps Powered by the XPO and EF Core ORM

XAF Team Blog
17 July 2019

UPDATED: .NET App Security API (Role-based Access Control) is available free-of-charge (versions 21.2.x and 22.1.x).

We recently began a series of posts designed to explain XAF’s security system and how it can be used in non-XAF .NET apps powered by DevExpress eXpress Persistent Objects (XPO) and Microsoft Entity Framework Core (EF Core) object-relational mapping libraries.

    Demo Apps / Tutorials for different UI Platforms

      Before we do, however, we wanted to summarize some of the reasons we think you should consider XAF’s security system in your next .NET application. If you are interested in these cross-platform APIs, please answer 3 short survey questions below. 



      Target Audience & Common Usage Scenarios 

      • XAF developers who create non-XAF .NET apps and want to reuse existing data models and Security System settings (users, roles and permissions) stored in an XAF application database. Based on experience, XAF customers often create custom Web and mobile UI clients with ASP.NET MVC, DevExtreme; backend servers with ASP.NET Web API/OData or Console, Windows Service, WCF apps for various administrative tasks (data modifications, report generation, scheduled workflows).
      • Non-XAF developers who create standard line-of-business (LOB) apps with login, logout forms and security related functionality for any .NET UI technologies like WinForms, WPF, ASP.NET (WebForms, MVC 5, MVC Core, Razor Pages) and .NET server technologies like ASP.NET Web API/OData, WCF, etc. Yet more use-cases with Blazor & Xamarin.Forms (Android, iOS, UWP) UI technologies may come when XAF v19.2 supports .NET Standard 2.0. 

      App Security Made Easy

      • Getting security right (safe, fast, up-to-date, flexible, and database agnostic) is complicated. Pre-built middleware libraries like ASP.NET Core Identity or Identity Server can be difficult to configure or offer unnecessary functionality. Our User Authentication & Group Authorization API for .NET allows you to integrate a proven, database agnostic security sub-system in the shortest possible time.

      • LOB app developers want to save time and do not want to implement complex security memberships and authentication/authorization algorithms from scratch (for instance, apps that can filter protected data against a user's access rights or check whether the current user is allowed to delete records). Our User Authentication & Group Authorization API for .NET allows you to incorporate advanced security-related capabilities with minimal effort.

      • While certain platforms like ASP.NET simplify authentication and basic authorization with built-in design-time APIs, it is difficult to build a flexible and customizable security system (allowing users to customize the system once the app is deployed). Our User Authentication & Group Authorization API for .NET allows you to incorporate a highly flexible/customizable security system in your next .NET app.

      Feature Overview

      The primary XAF security system features used in line-of-business applications across supported platforms include:

      1. Role-based access control with multi-database permission storage.

      1.1. Access control permissions linked to roles and users that can be stored in more than a dozen popular data stores powered by the XPO ORM (including popular RDBMS like SQL Server, Oracle, PostgreSQL, MySQL, Firebird, XML and "in-memory" stores).

      • Type Permissions grant Read, Write, Create, and Delete access to all objects that belong to a particular type.
      • Object Permissions work in conjunction with Type Permissions and grant access to object instances that fit a specified criterion.
      • Member Permissions grant access to specific members unconditionally or based on a criterion.

      1.2. Powerful and easy-to-use APIs to configure users, roles and permissions in code or visually in XAF apps.

      1.3. Support for extensions or replacement with fully custom user, role, and permission objects to meet the needs of your business domain or address various integration scenarios.

      2. Authentication.

      2.1. Built-in authentication types: Forms (user name/password), Active Directory (Windows user) and Mixed (several authentication providers).

      2.2. A modern and secure algorithm for password generation and validation.

      2.3. Support for extension or replacement with custom authentication strategies and logon parameters. For instance, our popular example shows how to use OAuth2 with Google, Facebook or Microsoft authentication providers.

      3. Authorization.

      3.1. Just two lines of code to read secure records filtered against a logged-in user (role and permission based). When you set up SecuredObjectSpaceProvider, you can create an unlimited number of secure data contexts - your data query and modification APIs will remain unchanged. A bit more code is required to connect a non-XAF client to the Middle-Tier application server.

      3.2. Fine-grained access control for base and inherited objects, one-to-many and many-to-many object relationships, individual columns with or without criteria (example: can read the Full Name field, but cannot see and modify Salary) and specific object instances only.

      3.3. Straightforward APIs to check CRUD or custom access rights for UI element customizations. With this, you can hide or mask protected grid columns, editors in detail forms, and disable menu toolbar commands like New, Delete, Edit, etc.

      3.4. Security permission caching for the best possible performance. Two built-in Permission Policies determine the security system’s behavior when explicitly specified permissions for a specific type, object, or member do not exist.

      3.5. Proven in production environments. DevExpress Support, comprehensive documentation, examples and a diagnostic tool are at your service to troubleshoot complex security permission configurations.
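
How the three permission levels and a default policy combine, as an added C# example that is not DevExpress code and not part of the original post. It models the Full Name / Salary case from item 3.2; the types `Policy`, `ReadRule` and `Role`, the sample rows and the precedence order (member, then object, then type, then policy default) are assumptions made for illustration, not XAF's API or its evaluation algorithm.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Linq;

// Simplified model for illustration only; not DevExpress code or the XAF evaluation algorithm.
enum Policy { DenyByDefault, AllowByDefault }
record Employee(string FullName, decimal Salary, string Department);

// Member == null and Criterion == null: type permission.
// Criterion != null: object permission. Member != null: member permission.
record ReadRule(bool Allow, string? Member = null, Func<Employee, bool>? Criterion = null);

class Role
{
    public Policy Default { get; init; } = Policy.DenyByDefault;
    public List<ReadRule> Rules { get; } = new();

    // Assumed precedence: member rule, then object rule, then type rule, then the policy default.
    public bool CanRead(Employee e, string? member = null)
    {
        bool Matches(ReadRule r) => r.Criterion == null || r.Criterion(e);
        var hit = Rules.Where(r => member != null && r.Member == member && Matches(r))
            .Concat(Rules.Where(r => r.Member == null && r.Criterion != null && r.Criterion(e)))
            .Concat(Rules.Where(r => r.Member == null && r.Criterion == null))
            .FirstOrDefault();
        return hit?.Allow ?? (Default == Policy.AllowByDefault); // no explicit rule: policy decides
    }
}

static class Demo
{
    static void Main()
    {
        var role = new Role { Default = Policy.DenyByDefault };
        role.Rules.Add(new ReadRule(Allow: true, Criterion: e => e.Department == "Sales")); // object permission
        role.Rules.Add(new ReadRule(Allow: false, Member: nameof(Employee.Salary)));        // member permission

        var rows = new[] { // constructed sample data
            new Employee("Ann Lee", 5200m, "Sales"),
            new Employee("Raj Patel", 6100m, "R&D"),
        };
        foreach (var e in rows.Where(e => role.CanRead(e))) // row-level filtering happens before display
        {
            string salary = role.CanRead(e, nameof(Employee.Salary)) ? e.Salary.ToString() : "*******";
            Console.WriteLine($"{e.FullName}  {salary}");
        }
    }
}
```

With the deny-by-default policy, the R&D row never reaches the caller because no rule grants it, and the Salary column is masked even on rows the user may read.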

      Yahya
      It would be great to have a Xamarin Forms example.
      18 July 2019
      Sergej Derjabkin

      Hi Dennis, thank You for the post!

      Does DevExpress have any plans to ship a .net standard version of the DevExpress.Persistent.Base and DevExpress.Persistent.BaseImpl assemblies? This would make sharing of Business Objects between XAF and Xamarin Forms applications much easier.


      Thanks,

      Sergej

      18 July 2019
      Dennis (DevExpress)
      Dennis Garavsky (DevExpress)

      @Sergej Derjabkin: Sure, as promised earlier, the DevExpress.ExpressApp, DevExpress.ExpressApp.Xpo, DevExpress.Persistent.* and DevExpress.ExpressApp.Security assemblies already support .NET Standard 2.0 in XAF v19.2. We are now working on the rest of the non-visual assemblies like Validation, AuditTrail that our users used in non-XAF apps. If you would like to participate in early testing, please describe your current scenario in greater detail.

      @Yahya: Thanks. Please describe the most important security functions and scenarios you would like to see in a non-XAF Xamarin app so that we can prioritize our work.

      18 July 2019
      Sergej Derjabkin
      This is very good news, thank you, Dennis!
      18 July 2019
      Manuel Grundner [DevExpress MVP]
      Manuel Grundner

      @Dennis I'd love to experiment with the netstandard2.0 (19.2) assemblies, is there a preview nuget feed I could use? It's for my Console Module.

      18 July 2019
      Dennis (DevExpress)
      Dennis Garavsky (DevExpress)
      @Manuel: Thank you for your interest - we will publish additional info as it becomes available.
      18 July 2019
      Bjoern Hack

      We're waiting for 19.2 too.

      Are there any plans to provide nugets for these assemblies?


      Regards

      19 July 2019
      Dennis (DevExpress)
      Dennis Garavsky (DevExpress)
      @Bjoern Hack: Absolutely. Please clarify how you plan to use these .NET Standard 2.0 XAF assemblies in v19.2 or for which scenarios it is important. With that, we will consider including you in the early testing. Thanks.
      19 July 2019
      Bjoern Hack

      We have backend services (e.g. NServiceBus) that will access our XAF database with a shared entity assembly. Currently we have two options:

      1) Use the full framework for our services

      2) Create plain XPO entities (free NuGet version) with a database-first approach. So we have to maintain two entities but can use .NET Core services

      Regards

      19 July 2019
      renejdm
      I would like to see a non-XAF, WinForms application, including a tutorial.
      19 July 2019
      Dennis (DevExpress)
      Dennis Garavsky (DevExpress)
      @Bjoern Hack: Very interesting, thank you for describing this case - we also had similar requests in the past and this is one of our motivations behind this decision.

      @renejdm: Thank you for your feedback!
      19 July 2019
      Peter Hillaert
      +1 for a non-XAF, WinForms application, including a tutorial.
      21 July 2019
      Nikita Grigoryev
      Any chance Security System would be open-sourced like XPO? Currently I have data-access REST backend written on .NET Core with open-source XPO running on Linux. I would like to integrate security system in it. 
      24 July 2019
      Dennis (DevExpress)
      Dennis Garavsky (DevExpress)
      @Peter Hillaert: Thank you - noted. Would you please also clarify which authentication, permission types you want to use in your WinForms app and for which scenarios? This will help make a more useful tutorial for you and others.

      @Nikita Grigoryev: No chance:-) - this rich functionality requires the Universal license. BTW, XPO is free to use, but is not open-source. We are eager to learn more about your .NET Core app and how you would like to use the security system in it. I would also appreciate it if you answer the same questions as Peter above. Thanks.

      24 July 2019
      Nikita Grigoryev

      @Dennis: I'm interested in OAuth authentication, all kinds of permissions.

      My ASP.NET Core backend is somehow similar to your DevExtreme.AspNet.Library and is designed to provide data to a SPA React client, which is also similar to your new XAF SPA client, but we started to build ours half a year earlier than you did. Apart from your architecture we have SOA, and business logic is written in Python/Camunda (for complex logic) and JavaScript for some critical parts. That gives us more throughput than classic XAF.

      Also, the backend doesn't use real classes and takes all metadata from a file (currently XML) and feeds it to XPDictionary, so that we could switch to a different database without any recompilation.

      So I would like to add security to it. You've mentioned the ExpressApp library is now Standard. I will look into it.

      24 July 2019
      Dennis (DevExpress)
      Dennis Garavsky (DevExpress)
      @Nikita: Thank you for describing your scenario in greater detail. The security module expects real classes, so it will not be useful for your case. As for the .NET Standard version, I will post a link to early access Nuget feedback here once v19.2 testing is open.
      24 July 2019
      Nikita Grigoryev
      @Dennis: I do have real classes. I create them with TypeBuilder and a little bit of ILGenerator. They are just created at startup.
      24 July 2019
      Dennis (DevExpress)
      Dennis Garavsky (DevExpress)
      @Nikita: Got it, thanks.
      25 July 2019
      Dennis (DevExpress)
      Dennis Garavsky (DevExpress)

      @Bjoern Hack, Manuel Grundner, Sergej Derjabkin, Nikita Grigoryev: You can test XAF's .NET Standard 2.0 assemblies once you download our Early Access Preview v19.2 from the DevExpress Download Manager.

      @Peter Hillaert, renejdm: Please check our new WinForms CRUD demo with XAF's Security System and tutorial.

      22 August 2019
      Noufal Aboobacker 1
      Is it possible to use this app security system with Prism WPF applications?
      30 August 2019
      Dennis (DevExpress)
      Dennis Garavsky (DevExpress)
      @Noufal Aboobacker:
      Yes, it is possible to use this API in any .NET Framework app that uses XPO ORM for data access, including WPF (for v19.1 and older).
      With the .NET Standard 2.0 and .NET Core 3.0 Desktop SDK support coming in v19.2, it will also be possible to use this API in Xamarin, Blazor, and other .NET Core apps.

      Which authentication & authorization functions do you want and for which scenarios specifically?

      30 August 2019
      Robert Thomas
      Any update on some basic XAF --> Xamarin examples?
      19 November 2019
