FAQ: .NET App Security & Web API (for EF Core & XPO ORM)

Free Capabilities

The basic functions of our Web API Service (including the Solution Wizard) are available for FREE as part of our .NET App Security & Web API Service free offer. To register your free copy today, please visit: https://www.devexpress.com/security-api-free. To use the free Solution Wizard, which creates Web API Service, run the Universal Component Installer from the Download Manager.

When you register for a free DevExpress product, you can use your registered product for as long as your needs dictate. Should an update be made available free-of-charge, you will be notified via email or this website. Updates that are issued free-of-charge can also be used indefinitely. Please refer to the DevExpress End User License Agreement for detailed licensing information.

Paid Capabilities

The following capabilities of our .NET App Security API and Web API Service ship as part of the Universal Subscription.

• Technical support through https://supportcenter.devexpress.com/ or support@devexpress.com;
• Full source code;
• XAF's administrative UI to manage users and roles at runtime using WinForms, WebForms, and Blazor apps;
  
• Advanced/enterprise functions:
  • Obtain a Report from a Web API Controller Endpoint
  • Validate Data Sent to Web API Endpoints
  • Obtain BLOB Data from a Web API Controller Endpoint
  • Execute CRUD Operations for Non-Persistent Objects
  • Obtain Localization Strings from a Web API Controller Endpoint
  • Audit Trail: Log Data Changes Made via Web API Endpoints

"XAF" or "eXpressApp Framework" is a Cross-Platform .NET App UI or an application framework for rapid application UI development using WinForms, WebForms, and Blazor. XAF's UI ships as part of the Universal Subscription. XAF has core libraries (for instance, the DevExpress.ExpressApp.XXX or DevExpress.Persistent.XXX assemblies) for common business tasks like CRUD, security authorization, validation, audit trail, localization, etc.

We made some of these non-visual cross-platform XAF modules available free-of-charge for non-XAF .NET developers (as part of our .NET Role-based Access Control & Permission Management API license). Our Web API Service also uses these core libraries to create an OData V4 and Swagger-based API Service for non-XAF apps.

Please explore our GitHub examples, online documentation, or tutorial videos (you can also search our extensive support database).

Option 1

The fastest way to install all required dependencies is to use the following DevExpress NuGet packages for .NET Standard 2.0+:

v22.1 and Newer

• EF Core: DevExpress.ExpressApp.Api.EFCore.All
• XPO: DevExpress.ExpressApp.Api.Xpo.All

v21.2 and Older

• EF Core: DevExpress.ExpressApp.EFCore and DevExpress.Persistent.BaseImpl.EFCore
• XPO: DevExpress.ExpressApp.Security.Xpo and DevExpress.Persistent.BaseImpl.Xpo

Please click the NuGet package links above to see specific .NET assemblies.

Option 2

You can also download and run our Unified Component Installer for .NET Framework and .NET Core. The installer will copy all required assemblies to "%PROGRAMFILES%\DevExpress XX.X" and register local NuGet package sources. Note: *.BaseImpl.* assemblies are required only if you use built-in PermissionPolicyXXX classes.

You do not need to reference XAF UI associated dependencies for WinForms, WebForms, and Blazor. The NuGet packages mentioned above contain non-visual cross-platform .NET Standard 2.0+ assemblies - compatible with .NET Core/.NET 5+ apps. Please click the NuGet package links above to see specific .NET assemblies.

For code examples on Security System in non-XAF apps, refer to the Role-based Access Control, Permission Management, and Web API for .NET App GitHub repository. For more information on Security System in XAF UI apps, refer to Security System and also research the following demos:

• MainDemo, SecurityDemo (c:\Users\Public\Documents\DevExpress Demos XX.X\Components\eXpressApp Framework\);
• DentalClinic (c:\Users\Public\Documents\DevExpress Demos XX.X\Components\WinForms\DevExpress.DentalClinic\CS\);
  For general information, please review our landing page.

Primary protection takes place at the data store level (security filters are added to SQL). If role-related permissions deny access, secured record fields display 'null' values or records are filtered out internally. For instance, assume you have 3 records in a database table and permissions allow the user to view 1 record. If your application queries records for this user, only 1 record will physically be returned in code instead of 3.

You can use CanCreate, CanRead, CanWrite, CanDelete and other CanXXX methods to mask secured fields or modify the UI as needed.

For more information, see this overview video.

Authentication APIs can use ASP.NET authentication and other middleware – these simply provide an additional layer of customization and extensibility not tied to any particular framework. You can marry authentication engine with built-in OAuth 2 (Microsoft, Google, Facebook, etc.) authentication providers (example) or implement any custom authentication scheme (example).

Authorization APIs are similar to IAsyncAuthorizationFilter and IAuthorizationFilter or AuthorizationHandler, IAuthorizationRequirement and IAuthorizationPolicyProvider APIs offered by Microsoft (you can learn more about Microsoft’s API from StackOverFlow or Microsoft documentation).

Our implementation differs in the following key areas:

• our API ships built-in user, role and permission entities that help developers manage authorization configurations at runtime (because they are physically stored in the database using XPO or EF Core ORMs). With a fully dynamic permission policy, your apps can address changes to security requirements without the need for redeployment. If you build an administrative UI, like we did in XAF's UI, developers can even delegate certain configuration responsibilities to application administrators or power users - these features are favorites among developers.
• Instead of hard-coded and narrow permissions for specific entities like "See Documents Owned by Me", our API offers a general purpose Type, Object, Member-level and custom permissions that can be used by developers with any entity type to solve security-related tasks of any complexity.
• Object and Member-level permissions include criteria support - a unique feature for fine-grain access control. You can specify criteria expressions using both string and strongly-typed formats. For instance, the following object permission addresses this business requirement: "allow 'Read' access to departments when title contains the word 'Development'".

C#
userRole.AddObjectPermissionFromLambda<Department>(SecurityOperations.Read, t => t.Title.Contains("Development"), SecurityPermissionState.Allow);

The following member permission addresses this business requirement: "deny 'Write' access to an employee's Last Name property when his/her department title does not contain the word 'Development'".

C#
userRole.AddMemberPermissionFromLambda<Employee>(SecurityOperations.Write, nameof(Employee.LastName), t => !t.Department.Title.Contains(protectedDepartment), SecurityPermissionState.Deny);

However, .NET client applications may require an additional layer of protection for application code and database connection information (based upon your application security requirements).

As you know, If application users have direct access to the database, a security system makes no sense. When given direct access, users can always modify data within the database regardless of permissions granted to them through the security system. To prevent users from accessing database connection information, an additional layer of protection can be implemented inside an app and between an app and the database server (based on target security requirements). For more information, please review the links below (each option includes pros and cons, including implementation and maintenance complexity):

• In .NET Framework, you can protect application configuration files using multiple options (such as encryption). In ASP.NET Core, you can use the Data Protection mechanism.
• In SQL Server, you can enable encrypted connections between the database engine and clients.
• You can also implement sensitive data filtering in your data service and connect client apps to this data service. For instance, with XPO and EF Core (v23.1+), users can configure a middle-tier application server or an OData/Web API service.

We recommend that you review our Console App code: XPO, EF Core. Similar code will work in any client or server .NET Core app. Three main steps to integrate Role-based Access Control & Permission Management API using EF Core data access are demonstrated below (it's very similar for XPO):

For more information, see this video.

You can create instances of PermissionPolicyUser, PermissionPolicyRole with type, object and member permissions. These ORM classes will create corresponding database objects. It is common to use a separate administrative database updater application for this purpose, though it is also possible to create a UI to generate this data at runtime (XAF's WinForms, WebForms and Blazor UI are good examples). For more information, see Predefined Users, Roles and Permissions and research code examples for XPO and EF Core.

XAF's administrative UI for managing users and roles is supported for XAF's WinForms, ASP.NET Web Forms or ASP.NET Core Blazor Server apps only.
This administrative UI is designed as a standalone XAF app and can NOT be embedded into non-XAF apps (well, technically, it can be embedded as these are regular forms for the target .NET platforms after all, but this requires low-level coding and we do not recommend/document this intentionally).
Consider the following solutions to manage users, roles and permissions at runtime in a non-XAF app UI:

1. Build a standalone XAF app for one of the 3 supported platforms (WinForms, ASP.NET Web Forms or ASP.NET Core Blazor Server) using XAF's Solution Wizard in just a few clicks without coding. Getting Started.
   
2. Build a custom UI from scratch is and call well-documented XAF's API to manage users, roles and permissions. You can build the UI with required options only (for instance, it's likely you do not need XAF's Action Permissions) and design it as your UX designers need. That is one of the reasons why we decided to skip building non-XAF UI user management components at this stage.

Absolutely. If you do not like the PermissionPolicyUser, PermissionPolicyRole and other built-in classes, you can implement required interfaces from scratch (these are IPermissionPolicyUser, IPermissionPolicyRole, ISecurityUserWithRoles and other ORM-agnostic interfaces from the DevExpress.Persistent.Base library). Custom implementations are helpful when you want to extend these classes with custom properties and also incorporate a user class into your own data model (for instance, a user class can be an employee, a customer or a calendar resource entity). For examples, review How to: Implement a Custom Security System User Based on an Existing Business Class or the source code of the built-in PermissionPolicyXXX classes.

EF Core: You can use the SecuredEFCoreObjectSpace.DbContext
XPO: Existing XPO apps often initialize XpoDefault.DataLayer and then create a new Session or UnitOfWork using a default constructor. To migrate to XAF's secured sessions with minimal impact, do the following:

• Declare a static helper method XpoHelper.GetSecuredUnitOfWork that returns ((XPObjectSpace)SecuredObjectSpaceProvider.CreateObjectSpace()).Session
• Auto-replace all "new UnitOfWork()" calls with "XpoHelper.GetSecuredUnitOfWork()". If you have "new Session()" calls - in addition to the previous replacement - you will also need to rework your code logic to explicitly call the UnitOfWork.CommitChanges method (this relates to migration from Session to UnitOfWork in general).
  For new apps, you can also use IObjectSpace instances directly(obtained using the CreateObjectSpace method of the XPO's SecuredObjectSpaceProvider or EF Core's SecuredEFCoreObjectSpaceProvider).

Refer to the Data Manipulation and Business Logic | Create, Read, Update and Delete Data help topic for API references and code examples.

We recommend that you create and keep a single SecurityStrategyComplex and object space provider instance for each user session. You can, however, create multiple IObjectSpace instances using a single object space provider.

This free .NET App Security API does not include technical support from DevExpress. Technical support is only available if you own the DevExpress Universal Subscription.

If you encounter a bug, please submit a bug report via our online support system: https://www.devexpress.com/ask. For suggestions to our development team, please complete our survey.

Component source code is not included in this free offer. Full source code is only available if you own the DevExpress Universal Subscription.