XAF - User Authentication and Group Authorization API in WinForms Apps (powered by XPO)

XAF Team Blog
29 August 2019

I hope this bit of news was not buried beneath our EAP announcements last week.

Please check our new WinForms CRUD demo and tutorial to learn about our most popular configuration (based on hundreds of blog comments and survey responses).


This represents existing functionality - is available right now in XAF v19.1 (and older versions). The new v19.2 release adds .NET Standard 2.0 support - helpful for developers who create cross-platform non-XAF .NET apps and libraries.  

If you are interested in XAF's cross-platform Security System APIs, please answer 3 short survey questions.

Our next example will be for ASP.NET WebForms. Though mature technology, WebForms remains highly popular and will likely remain relevant over the coming years. As always, we look forward to your questions or suggestions. 

Manuel Grundner [DevExpress MVP]
Manuel Grundner [DevExpress MVP]
Great job! 
29 August, 2019
Bjoern Hack
Bjoern Hack

Nice, we will wait for the WebForms sample.

Best Regards

30 August, 2019
Dennis (DevExpress)
Dennis (DevExpress)
Thank you for your interest, Guys!
30 August, 2019
Dennis (DevExpress)
Dennis (DevExpress)

@Bjoern Hack: Here we go: https://www.devexpress.com/go/XAF_Security_NonXAF_Series_4_WebForms.aspx. We look forward to hearing your feedback.

15 October, 2019
Bjoern Hack
Bjoern Hack

@Dennis Very cool, we implemented our own SecureObjectSpaceProvider for backend systems following this and other examples. 

However, there are two behaviors that still confuse us.

First, when creating an instance of SecuredObjectSpaceProvider, you can specify ITypesInfo and XpoTypesInfoSource in an overload of the constructor. Nervertheless, the permissions only work if the passed types are additionally registered via XafTypesInfo.Instance.RegisterEntity(Type t).

Secondly, the concrete instance of an IObjectSpace takes over the permissions of the user who is logged into the ISelectDataSecurityProvider at the time of creation. So you can call ISelectDataSecurityProviders.Logoff() while keeping the permissions for the previously created instance of IObjectSpace, which is very convenient. However, SecuritySystem.IsGranted(PermissionRequest(secureSpace, x ...)) returns the permissions of the user currently logged into the ISelectDataSecurityProvider instance, even if you pass an IObjectSpace instance with different permissions as a parameter. 

This kind of forces you to create a separate instance of SecuredObjectSpaceProvider for each user if you want to work under the context of different users in parallel. Additionally you have to save the used instance of ISelectDataSecurtiyProvider in a variable in case you want to use security.IsGranted().


Are there any resources that dive into the internals and explain these behaviours? 
23 October, 2019
Dennis (DevExpress)
Dennis (DevExpress)
@Bjoern Hack: Thank you very much for testing these examples and interesting questions!
We will answer you in https://supportcenter.devexpress.com/ticket/details/t826065/questions-on-secureobjectspaceprovider-in-non-xaf-apps-type-registration-and-context-of.
23 October, 2019

Please login or register to post comments.