XAF - .NET App Security API Benchmark for EF Core and XPO ORM

XAF Team Blog
23 March 2021

Hope you are all doing well.

We created this GitHub project to test the performance of XAF's Security System for the two Object-Relational Mapping (ORM) libraries. We tested these libraries with BenchmarkDotNet:

You can run the benchmarks on your computer or review our test results here.


Data access scenarios we tested include the following:

  • Users can view employee information within their own department.
  • Users can view and edit their own tasks and also tasks assigned to employees within their own department.

To help you estimate the overhead of XAF's Security System API, we ran tests against multiple record counts (0-5K) and in a "No Security" mode.

In our experience, most real-life scenarios (like here or there) involve fewer than a hundred security permission checks during UI form load, so our tests with 5K records may reflect edge/artificial cases. The number of security checks is generally reduced, and application performance improved further, with the help of:

  • finite number of unique security permissions or main/navigation menu commands, for which security checks are necessary;
  • grid data paging (Server Mode/Instant Feedback or Web API/IQueryable);
  • permission result and data layer caching;
  • ongoing database maintenance;
  • server side data filtering.

About our .NET App Security API

This role-based access control API ships as an independent non-visual library, a part of our cross-platform .NET application UI framework (XAF). But don't be alarmed: this security API can be used in standard non-XAF .NET Framework and .NET Core apps. For instance, our newest WinForms Dental Clinic demo uses the Security API for basic security-related functionality.

For more information, please review the following documents and do help us spread the word:

Need Faster Support Replies?

Once you create a new XAF ticket in the DevExpress Support Center and select XAF under the Platform/Product field, please review the following help links displayed above the Submit button. These links describe how you can collect callstacks, logs and other important diagnostic information for any .NET error. Once you collect/compile this information, forward it to us along with your support ticket. This information will ensure faster and more accurate replies from support.


Is it possible to extend this schema by adding, for example, PrintState property?

24 March 2021
Dennis Garavsky (DevExpress)
@Neven: Sure, it is possible. For more information, please review the section "Is it possible to implement custom user, role and permission classes?" in our FAQ KB Article.
24 March 2021
Rick Mathers
Does it still not support bearer tokens or API authorization/authentication?
24 March 2021
Dennis Garavsky (DevExpress)

@Rick Mathers: The primary value of our security API is its powerful authorization (type, object, field-level permissions for data from the two ORM libraries). It supports any authentication method from the very beginning - this implementation part is not different from how you would do it without XAF.

For instance, our GitHub examples use simple password-based authentication, our demos and docs also demonstrate OAuth-based authentication. I remember some users successfully used JWT as well.

Would you please clarify your issues with bearer tokens in a Support Center ticket?

24 March 2021
