Ticket T859569

Visible to All Users

How to use XAF Security System in a non-XAF WinForms application

Radim Literak

created 5 years ago

Hello,

I have found now, that you have implemented some security system in your libraries:

https://docs.devexpress.com/eXpressAppFramework/113366/concepts/security-system

There is mentioned several times that this system should be used in XAF. I'm not sure, if I understand, what XAF exactly means, but I would like to ask you, if it is possible to use this security system in WinForms?

Currently in our company we are using some our co-worker's extensions to the DX XPO, which adds e.g. some users management etc. There are ale some other extensions, so, I would like to switch back to some clean DX XPO. And the security system seems to me interesting from first point of view.

I need probably something like this:

* Users management.
* Permissions managements.

Both seems to be implemented in your security system. Is it really usable in WinForms? We have built several WinForms applications, so, I would like to preserve it as is with minimal changes. I expect to use some users and grant them permissions according tou current rquirments (e.g. allow/deny access to several parts of the applications, XPO objects etc.). Can I use it?

Best Regards,

Radim

Comments (1)

Dennis Garavsky (DevExpress) 5 years ago

Hi Radim,

I need probably something like this:

Users management.
Permissions managements.

I wanted to clarify whether you mainly want the UI part like in screenshots from https://docs.devexpress.com/eXpressAppFramework/113366/concepts/security-system or you want non-visual security APIs only? This is important and different solutions will apply.

Answers approved by DevExpress Support

Anatol (DevExpress)

created 5 years ago

Hello Radim,

XAF is an abbreviation of eXpressApp Framework - The Ultimate Business Application Framework. Although the Security System is a part of this Framework, it can also be used as a standalone. Please see a detailed guidance and examples for major platforms, including WinForms, at User Authentication and Group Authorization API for .NET Apps Powered by the XPO ORM - App Security Made Easy. Note that it requires the Universal subscription.
Please feel free to contact us if you have any other questions. We would be happy to help you get started.

Show previous comments (6)

Radim Literak 5 years ago

Hello,

Thank you for your answers. I try to orientate in this issue… Currently I am trying to run WinForms example, however I can't build it. I am using DX 16.1.15 and it seems there is probably missing some functionality. E.g. methods like SecurityStrategyComplex.CanRead, SecurityStrategyComplex.CanDelete or PasswordCryptographer.EnableRfc2898 field etc.

Maybe something is not so important for testing, but methods like CanRead are important. I don't know if it is some XAF extension or what…

Best Regards,

Radim

Dennis Garavsky (DevExpress) 5 years ago

Hello Radim,

While you can easily replace CanXXX with SecuritySystem.IsGranted as shown in previous versions (example), it will be more difficult to deal with PasswordCryptographer.EnableRfc2898 (added in v16.2) and other things that did not exist or were incomplete in v16.1.

For instance, the permission policy was in beta in v16.1. It is technically possible to use the old and production-ready SecuritySystemXXX classes instead of the PermissionPolicyXXX ones in v16.1 (it is technically possible with little changes), but I would not recommend that. The product has evolved dramatically within 4 years (including bug fixes) and there must be very strong reasons to stay on v16.1. Finally, we do not provide trial support for old versions of our components.

Let me know if I can assist you further. It is still interesting to know your answer to my question whether you want to use the UI or non-visual security APIs, because this may shorten your evaluation yet more.

Radim Literak 5 years ago

Hi Dennis,

Thank you for your tips (IsGranted) and older demo link. I look only at what elements of the framework are contained and how it probably works. And if possible, use it as a substitute for our proprietary system (which I don't like and brings several problems).

I expect the use of both the visual and non-visual APIs (if I understand it ;-)). My idea is to authorize access to visual components for specific users as well as for XPOs.

My main goal now is to understand the basic principles ;-). Don't worry about it. In a few words, now I have to understand something like this:

How to log on.
How to set up permission for specific objects.
How to check the permissions.
How it works in general.

For example, for the first time, I thought that navigation permissions were checked "automatically" (enabling / disabling of the components based on the user currently logged on). Now I see that this is set up "manually" inside the code. That's what I'm researching now…

Best Regards,

Radim

Dennis Garavsky (DevExpress) 5 years ago

Radim,

Thank you for your interest. If you are evaluating it, I recommend you install the latest v19.2 trial and continue with it to get most of the latest goodies. Then you can decide on what you can do with your old project.

Thank you for describing your requirements in greater detail. Please review my comments below:

>>Setup the data layer with the XAF's security in mind
You have not mentioned it explicitly, but refer to this method in the WinForms example (Program.cs). This SecuredObjectSpaceProvider is basically a wrapper around XPO's ThreadSafeDataLayer. It can create IObjectSpace objects, ORM-agnostic wrappers around XPO's Sessions. Since you have been using XPO for a long time, you likely have an application with a good separation of layers. There, you likely have a fabric method 'CreateSession' or something like that. To get secured XPO Sessions, simply create a secured IObjectSpace with SecuredObjectSpaceProvider, cast the result to XPObjectSpace and access its Session property:

C#
yourObjectSpace = objectSpaceProvider.CreateObjectSpace();  
    // The XPO way:  
    // var session = ((XPObjectSpace)yourObjectSpace).Session;

If you modify your 'CreateSession' this way, you likely will not need to modify your UI and other code. The alternative is to use IObjectSpace directly with minimal chances - the public IObjectSpace interface is very similar to Session.

>>How to log on.
Please review this method in the WinForms example (LoginForm.cs).

>>How to set up permission for specific objects
Please review this method in the XafSolution.Module project (DatabaseUpdate/Updater.cs). Typically, developers either configure these permissions in code during development or at runtime in production (using the XAF's WinForms or WebForms UI that you can see at https://docs.devexpress.com/eXpressAppFramework/113366/concepts/security-system).

>>How to check the permissions.
Please review this method and others in the WinForms example (EmployeeXXXForm.cs). Once you authenticated as shown above, you can call CanXXX methods of the SecurityComplexStrategy class, which you initialized in the Program.cs file once.

>>I expect the use of both the visual and non-visual APIs
Above we discussed XAF non-visual APIs only. XAF UI also allows you to setup permissions visually, as you learned earlier. Some customers build and deploy separate administrative XAF WinForms or WebForms apps for that sole purpose (i.e., the app is run by administrators only and has access to security and other system settings). Other customers allow their power users do this configuration work inside the same app - this is the most popular case. In your particular case with an existing WinForms app, it is more complicated, because it requires you to invoke pure XAF visual forms that may have a different look and feel as compared to your app. Although this scenario is technically possible (XAF forms are regular Windows Forms after all), this is a less recommended configuration. If you agree, I would recommend you stick with the first option (a separate administrative XAF app).

BONUS
Above we discussed the simplest client-side configuration when your WinForms app connects to the database directly (connection string is supposed to be encrypted by a developer for better safety). XAF's security also ships with the middle-tier application server that is in a short a secured end point or data service that may reside everywhere. Client apps do not have direct database connections at all. This configuration is advanced for environments with very strict security, but it also supports scenarios with non-XAF apps like your WinForms client: How to: Connect to the WCF Application Server from Non-XAF Applications.
If you wish, we can talk by Skype and share screens for 20-30 minutes if you have remaining questions. For this, email me at dennis@devexpress.com to discuss possible schedule. Have a good weekend!

Radim Literak 5 years ago

Hi Dennis,

Thanks for your suggestions. I have installed latest VS 2019 Community and DX 19.2 trial. So, if I open the solution file of the example, it is not working. I have created my own one, but there are also some issues. I can't open the forms in the Designer and also DB is not working.

There are too many new things for me, so, I feel a little bit lost here… Now it's important to me make it properly running… It requires some DB. I have found now the connection string. It looks as first necessary change to do:

XML
<connectionStrings>
  <add name="ConnectionString" connectionString="Data Source=(localdb)\MSSQLLocalDB;Initial Catalog=XafSolution;Integrated Security=True" />
</connectionStrings>

Please, how to set up it to work it properly? I have installed MS SQL Server Express 2017 on my computer, so I think it should support LocalDB. But it seems that there is something not working properly. Is there login credentials missing? I have tried something, but with the same result…

Best Regards,

Radim

Code
DevExpress.Xpo.DB.Exceptions.UnableToOpenDatabaseException
  HResult=0x80131500
  Message=Unable to open database. Connection string: 'Data Source=(localdb)\MSSQLLocalDB;Initial Catalog=XafSolution;Integrated Security=True;'; Error: 'System.Data.SqlClient.SqlException (0x80131904): Cannot open database "XafSolution" requested by the login. The login failed.
Login failed for user 'LITERAK-PC\Literak'.
   at System.Data.SqlClient.SqlInternalConnectionTds..ctor(DbConnectionPoolIdentity identity, SqlConnectionString connectionOptions, SqlCredential credential, Object providerInfo, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance, SqlConnectionString userConnectionOptions, SessionData reconnectSessionData, DbConnectionPool pool, String accessToken, Boolean applyTransientFaultHandling, SqlAuthenticationProviderManager sqlAuthProviderManager)
   at System.Data.SqlClient.SqlConnectionFactory.CreateConnection(DbConnectionOptions options, DbConnectionPoolKey poolKey, Object poolGroupProviderInfo, DbConnectionPool pool, DbConnection owningConnection, DbConnectionOptions userOptions)
   at System.Data.ProviderBase.DbConnectionFactory.CreatePooledConnection(DbConnectionPool pool, DbConnection owningObject, DbConnectionOptions options, DbConnectionPoolKey poolKey, DbConnectionOptions userOptions)
   at System.Data.ProviderBase.DbConnectionPool.CreateObject(DbConnection owningObject, DbConnectionOptions userOptions, DbConnectionInternal oldConnection)
   at System.Data.ProviderBase.DbConnectionPool.UserCreateRequest(DbConnection owningObject, DbConnectionOptions userOptions, DbConnectionInternal oldConnection)
   at System.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, UInt32 waitForMultipleObjectsTimeout, Boolean allowCreate, Boolean onlyOneCheckConnection, DbConnectionOptions userOptions, DbConnectionInternal& connection)
   at System.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, TaskCompletionSource`1 retry, DbConnectionOptions userOptions, DbConnectionInternal& connection)
   at System.Data.ProviderBase.DbConnectionFactory.TryGetConnection(DbConnection owningConnection, TaskCompletionSource`1 retry, DbConnectionOptions userOptions, DbConnectionInternal oldConnection, DbConnectionInternal& connection)
   at System.Data.ProviderBase.DbConnectionInternal.TryOpenConnectionInternal(DbConnection outerConnection, DbConnectionFactory connectionFactory, TaskCompletionSource`1 retry, DbConnectionOptions userOptions)
   at System.Data.ProviderBase.DbConnectionClosed.TryOpenConnection(DbConnection outerConnection, DbConnectionFactory connectionFactory, TaskCompletionSource`1 retry, DbConnectionOptions userOptions)
   at System.Data.SqlClient.SqlConnection.TryOpenInner(TaskCompletionSource`1 retry)
   at System.Data.SqlClient.SqlConnection.TryOpen(TaskCompletionSource`1 retry)
   at System.Data.SqlClient.SqlConnection.Open()
   at DevExpress.Xpo.DB.MSSqlConnectionProvider.CreateDataBase(SqlConnection conn)
ClientConnectionId:2603ed9e-6c50-42eb-82bc-99335cc48a40
Error Number:4060,State:1,Class:11'
  Source=DevExpress.Xpo.v19.2
  StackTrace:
   at DevExpress.Xpo.DB.MSSqlConnectionProvider.CreateDataBase(SqlConnection conn)
   at DevExpress.Xpo.DB.MSSqlConnectionProvider.CreateDataBase()
   at DevExpress.Xpo.DB.ConnectionProviderSql..ctor(IDbConnection connection, AutoCreateOption autoCreateOption)
   at DevExpress.Xpo.DB.MSSqlConnectionProvider..ctor(IDbConnection connection, AutoCreateOption autoCreateOption)
   at DevExpress.Xpo.DB.MSSqlConnectionProvider.CreateProviderFromString(String connectionString, AutoCreateOption autoCreateOption, IDisposable[]& objectsToDisposeOnDisconnect)
   at DevExpress.Xpo.DB.DataStoreBase.QueryDataStore(String providerType, String connectionString, AutoCreateOption defaultAutoCreateOption, IDisposable[]& objectsToDisposeOnDisconnect)
   at DevExpress.Xpo.XpoDefault.GetConnectionProvider(String connectionString, AutoCreateOption defaultAutoCreateOption, IDisposable[]& objectsToDisposeOnDisconnect)
   at DevExpress.ExpressApp.Xpo.ConnectionStringDataStoreProvider.CreateWorkingStore(IDisposable[]& disposableObjects)
   at DevExpress.ExpressApp.Xpo.XPObjectSpaceProvider.CreateObjectSpace(Func`1 objectSpaceDelegate)
   at DevExpress.ExpressApp.Xpo.XPObjectSpaceProvider.CreateObjectSpace()
   at DevExpress.ExpressApp.Xpo.XPObjectSpaceProvider.DevExpress.ExpressApp.IObjectSpaceProvider.CreateObjectSpace()
   at WindowsFormsApplication.LoginForm.Login_Click(Object sender, EventArgs e) in D:\ProjectsTests\XAF_how-to-use-the-integrated-mode-of-the-security-system-in-non-xaf-applications-e4908\XAF\XAF\WinForms\CS\LoginForm.cs:line 18
   at System.Windows.Forms.Control.OnClick(EventArgs e)
   at DevExpress.XtraEditors.BaseButton.OnClick(EventArgs e)
   at DevExpress.XtraEditors.BaseButton.OnMouseUp(MouseEventArgs e)
   at System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks)
   at System.Windows.Forms.Control.WndProc(Message& m)
   at DevExpress.Utils.Controls.ControlBase.WndProc(Message& m)
   at DevExpress.XtraEditors.BaseControl.WndProc(Message& msg)
   at System.Windows.Forms.Control.ControlNativeWindow.OnMessage(Message& m)
   at System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)
   at System.Windows.Forms.NativeWindow.DebuggableCallback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)
   at System.Windows.Forms.UnsafeNativeMethods.DispatchMessageW(MSG& msg)
   at System.Windows.Forms.Application.ComponentManager.System.Windows.Forms.UnsafeNativeMethods.IMsoComponentManager.FPushMessageLoop(IntPtr dwComponentID, Int32 reason, Int32 pvLoopData)
   at System.Windows.Forms.Application.ThreadContext.RunMessageLoopInner(Int32 reason, ApplicationContext context)
   at System.Windows.Forms.Application.ThreadContext.RunMessageLoop(Int32 reason, ApplicationContext context)
   at System.Windows.Forms.Application.RunDialog(Form form)
   at System.Windows.Forms.Form.ShowDialog(IWin32Window owner)
   at System.Windows.Forms.Form.ShowDialog()
   at WindowsFormsApplication.MainForm.ShowLoginForm(String userName) in D:\ProjectsTests\XAF_how-to-use-the-integrated-mode-of-the-security-system-in-non-xaf-applications-e4908\XAF\XAF\WinForms\CS\MainForm.cs:line 30
   at WindowsFormsApplication.MainForm.MainForm_Load(Object sender, EventArgs e) in D:\ProjectsTests\XAF_how-to-use-the-integrated-mode-of-the-security-system-in-non-xaf-applications-e4908\XAF\XAF\WinForms\CS\MainForm.cs:line 17
   at System.EventHandler.Invoke(Object sender, EventArgs e)
   at System.Windows.Forms.Form.OnLoad(EventArgs e)
   at DevExpress.XtraEditors.XtraForm.OnLoad(EventArgs e)
   at System.Windows.Forms.Form.OnCreateControl()
   at System.Windows.Forms.Control.CreateControl(Boolean fIgnoreVisible)
   at System.Windows.Forms.Control.CreateControl()
   at System.Windows.Forms.Control.WmShowWindow(Message& m)
   at System.Windows.Forms.Control.WndProc(Message& m)
   at System.Windows.Forms.ScrollableControl.WndProc(Message& m)
   at System.Windows.Forms.ContainerControl.WndProc(Message& m)
   at System.Windows.Forms.Form.WmShowWindow(Message& m)
   at System.Windows.Forms.Form.WndProc(Message& m)
   at DevExpress.XtraEditors.XtraForm.WndProc(Message& msg)
   at DevExpress.XtraBars.Ribbon.RibbonForm.WndProc(Message& msg)
   at System.Windows.Forms.Control.ControlNativeWindow.OnMessage(Message& m)
   at System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)
   at System.Windows.Forms.NativeWindow.DebuggableCallback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)

  This exception was originally thrown at this call stack:
    System.Data.SqlClient.SqlInternalConnectionTds.SqlInternalConnectionTds(System.Data.ProviderBase.DbConnectionPoolIdentity, System.Data.SqlClient.SqlConnectionString, System.Data.SqlClient.SqlCredential, object, string, System.Security.SecureString, bool, System.Data.SqlClient.SqlConnectionString, System.Data.SqlClient.SessionData, System.Data.ProviderBase.DbConnectionPool, string, bool, System.Data.SqlClient.SqlAuthenticationProviderManager)
    System.Data.SqlClient.SqlConnectionFactory.CreateConnection(System.Data.Common.DbConnectionOptions, System.Data.Common.DbConnectionPoolKey, object, System.Data.ProviderBase.DbConnectionPool, System.Data.Common.DbConnection, System.Data.Common.DbConnectionOptions)
    System.Data.ProviderBase.DbConnectionFactory.CreatePooledConnection(System.Data.ProviderBase.DbConnectionPool, System.Data.Common.DbConnection, System.Data.Common.DbConnectionOptions, System.Data.Common.DbConnectionPoolKey, System.Data.Common.DbConnectionOptions)
    System.Data.ProviderBase.DbConnectionPool.CreateObject(System.Data.Common.DbConnection, System.Data.Common.DbConnectionOptions, System.Data.ProviderBase.DbConnectionInternal)
    System.Data.ProviderBase.DbConnectionPool.UserCreateRequest(System.Data.Common.DbConnection, System.Data.Common.DbConnectionOptions, System.Data.ProviderBase.DbConnectionInternal)
    System.Data.ProviderBase.DbConnectionPool.TryGetConnection(System.Data.Common.DbConnection, uint, bool, bool, System.Data.Common.DbConnectionOptions, out System.Data.ProviderBase.DbConnectionInternal)
    System.Data.ProviderBase.DbConnectionPool.TryGetConnection(System.Data.Common.DbConnection, System.Threading.Tasks.TaskCompletionSource<System.Data.ProviderBase.DbConnectionInternal>, System.Data.Common.DbConnectionOptions, out System.Data.ProviderBase.DbConnectionInternal)
    System.Data.ProviderBase.DbConnectionFactory.TryGetConnection(System.Data.Common.DbConnection, System.Threading.Tasks.TaskCompletionSource<System.Data.ProviderBase.DbConnectionInternal>, System.Data.Common.DbConnectionOptions, System.Data.ProviderBase.DbConnectionInternal, out System.Data.ProviderBase.DbConnectionInternal)
    System.Data.ProviderBase.DbConnectionInternal.TryOpenConnectionInternal(System.Data.Common.DbConnection, System.Data.ProviderBase.DbConnectionFactory, System.Threading.Tasks.TaskCompletionSource<System.Data.ProviderBase.DbConnectionInternal>, System.Data.Common.DbConnectionOptions)
    System.Data.ProviderBase.DbConnectionClosed.TryOpenConnection(System.Data.Common.DbConnection, System.Data.ProviderBase.DbConnectionFactory, System.Threading.Tasks.TaskCompletionSource<System.Data.ProviderBase.DbConnectionInternal>, System.Data.Common.DbConnectionOptions)
    ...
    [Call Stack Truncated]
Inner Exception 1:
SqlException: Cannot open database "XafSolution" requested by the login. The login failed.
Login failed for user 'LITERAK-PC\Literak'.

Radim Literak 5 years ago

I have found the DB in SQL Explorer and I have created the DB. Now I obtained DB schema error:

db_error.png

Radim Literak 5 years ago

I have found update method, which I have added to the source code:

C#
IObjectSpaceProvider objectSpaceProvider = new SecuredObjectSpaceProvider(security, connectionString, null);
objectSpaceProvider.UpdateSchema();

Now used users are missing. So it should be simple task… I hope. I was thinking that the example is complete…

Radim Literak 5 years ago

Sorry for all my partial comments, but I am finding each particular feature item-by-item… Now it seems as working. I have added users "User" and "Admin" manually to the DB and I can log on now to the application. I'm not sure, if the users have correct permissions, but now it's minor issue. I can play with it ;-).

Dennis Garavsky (DevExpress) 5 years ago

>>So, if I open the solution file of the example, it is not working. I have created my own one, but there are also some issues.

Would you please specify the solution file you opened, the Visual Studio version and post screenshots or additional information that will allow us to comment on the issues you discovered? I can only guess that you tested the .NET Core version of the WinForms example - design time is not yet supported by Microsoft there (coming in 2020 according to their blogs).

>>Now used users are missing. So it should be simple task… I hope. I was thinking that the example is complete…
The example is complete and works fine in our tests. To avoid any issues and simplify testing, it is important to follow the example's readme.md file. Of course, it is possible to connect to any database supported by XPO, not only to LocalDB. For LocalDB installation, I suggest you refer to the documentation for your SQL Server. Unless I am mistaken, you can choose an option during the installation.

Normally, client apps should not update the database (UpdateSchema) - in XAF, we even have a console app DBUpdater for that purpose. Here, for demo purposes, we used a separate app - XafSolution. As I noted in this ticket earlier, this app creates all required tables, users, roles, and permissions. This is also noted in the Prerequisites section of readme.md.

I would greatly appreciate it if you provide the requested information about errors and also clarify why you decided not to follow the tutorial. It is possible that we did not take other testing strategies into account and may need to update the example's description.

As for the upgrade, and if you wish, we can discuss this further in a separate private ticket or email. As you probably know, we are very flexible and there may be different options. If this is interesting for you, please specify the number of developers that would want to develop with XAF's security system in your company.

How to use XAF Security System in a non-XAF WinForms application

Answers approved by DevExpress Support

Other Answers

Recently viewed tickets