
Monday, March 26, 2018

Integrating UnitOfWork and XPObjectSpace descendants into an XAF app


We've made some code changes for v17.2.6+ as well as created two articles for advanced XAF developers who may need the subject for some low-level tuning:





Sub-classing itself is easy. The interesting part is the two popular security configurations: the Integrated mode and the Middle-Tier Application Server. Thankfully, this is rarely required, and only for complex or specific scenarios. Here are several customer tickets for your reference:

    How to map a property to a calculated database column (implement a read-only persistent property)
    xpo and sql server identity fields
    Using inherited UnitOfWork object
    XAF: Create CreateCustomObjectSpaceProvider with parameters from login window
    SecurityStrategyComplex: How to modify objects/properties in code when the user does not have the permission?

To learn more about low-level options to control how and where your application saves data, check out the How to customize the underlying database provider options and data access behavior in XAF article.

Your feedback is needed!
Finally, I am just curious: if you search your entire solution in Visual Studio (Control+Shift+F) for any of the ": UnitOfWork", ": XPObjectSpace", ": XPObjectSpaceProvider" strings or their VB.NET equivalents (e.g., Inherits UnitOfWork), how many occurrences would you find, and for what purpose? Please let me know in the comments!


Thursday, March 8, 2018

Diagnostic tool for Security System - YOUR FEEDBACK IS NEEDED!!!

Earlier we described the prototype of a diagnostic tool. We created it to help developers understand why access to a certain object and its members is allowed or denied.

We analyzed the feedback we received on this matter and provided the following improvements in v17.2.6:
 - To enable the security diagnostic tool, use the familiar EnableDiagnosticActions option.
 - You can select a type and a member you wish to analyze.
 - Results are presented in the XML format.
 - We provide more details on how the diagnostic tool calculates results.
 - There is a way to visualize criteria for easier analysis.

You can get more info about the tool from the KB article below:

https://www.devexpress.com/kb=T589182

Your feedback is needed
Please test the tool and let us know whether it is useful in your development process and how you would change it. For instance, the more specific use cases you share where it was difficult to configure permissions for a user, the more likely it is that we can arrive at technical solutions that address them.


Monday, January 29, 2018

XAF Security System enhancements in v17.2.5

After updating your XAF project to 17.2.5, you may notice a new option in the Application Designer:

The new SecurityStrategy.RolesMergingMode property specifies how the Security System determines if a user can perform a specific operation in case this user has multiple roles with different permission sets. The available modes are listed in the RolesMergingMode enumeration.

Friday, December 22, 2017

How to diagnose effective access rights for a specific user or get full information about inner security permissions calculations


Security permissions calculation is quite a complex process, and sometimes it is difficult to diagnose why access to a certain object and its members is allowed or denied. This is especially true for application administrators or regular XAF developers who may not want to study the documentation guides or debug the XAF source code (as described in How can I debug DevExpress .NET source code using PDB files, or via other approaches). So, in addition to documenting security rules, we are researching the usefulness of a tool that would show in the UI how effective permissions are calculated for each user, very similar to our Diagnostic Action. This may be helpful even to us, by reducing the support time spent on diagnosing related client problems.

Learn more about a possible solution (a diagnostic tool) from the KB article below and let us know what you think:

As for other wish-list items and scenarios, you can help us by filling out the following survey, if you haven't done so already:

Tuesday, November 21, 2017

Security - How to add OAuth2 authentication to a WinForms app

UPDATE:
XAF WinForms UI v23.2+ natively supports OAuth2 providers such as Microsoft Entra ID, Google, etc. - Documentation. The custom solution below is no longer required.

----
This is another example of how flexible the security module and our framework are. My colleague Michael has recently published an example on how to use the Microsoft, Google, Facebook or any compatible authentication provider within an XAF WinForms app:
https://www.devexpress.com/kb=T567978


This implementation is based on public community resources such as Stack Overflow, so research the links in the code comments for more details.

If you are looking for an ASP.NET example, do not miss the article we published earlier:
How to: Use Google, Facebook and Microsoft accounts in ASP.NET XAF applications (OAuth2 authentication demo)

Your feedback is needed!
Originally, we were not going to make a WinForms counterpart, because there were only a couple of requests for it, and the whole scenario looked rare for desktop apps.
What is your own experience with it? Have you ever had such integration requests from your end-users? What providers do they need to cover most? Please let us know.

Thursday, September 7, 2017

How to implement the CreatedBy, CreatedOn and UpdatedBy, UpdatedOn properties in a business class

I would like to promote a KB article, which may be interesting for users who are just getting started with our application framework. This information is actually not new and it was already available in the FAQ and Reference sections of our online documentation as well as the support knowledge base.


I must emphasize that there are actually many ways to implement such auditing properties, and your current code may differ from what we show. For instance, one may declare the setter as "internal set { ... }" or use the PersistentAlias attribute. There is no need to be concerned about that.

You are welcome to share your own implementations in post comments - maybe we can vote for the most concise and beautiful code, eh?:-P


Friday, July 14, 2017

How To: Use Google, Facebook and Microsoft accounts in ASP.NET XAF applications (OAuth2 authentication)


The XAF security team has prepared a small demo illustrating the use of the OWIN OAuth 2.0 Authorization Server. Users can log in with their Google, Facebook or Microsoft accounts.


You can download the demo source code from DevExpress Support Center:
https://www.devexpress.com/Support/Center/Example/Details/T535280/

Technical details and instructions on how to use this approach in your existing applications are available in the example description in Support Center.


Your feedback is welcome!
We would greatly appreciate it if you try this example and share your feedback here in comments.

Wednesday, July 12, 2017

What happens when the current user is deleted (by himself/herself or another user) while still using the application?

Deletion of a user who is actively using the app is NOT handled by our security module at the moment (e.g., NullReferenceException and other errors may occur). That is mainly because this operation is very rare, and so far we have not received real-life scenarios from our users where handling it would be useful. Moreover, accidental deletion is already prevented by the confirmation message shown by the standard DeleteObjectsViewController > DeleteAction.

Refer to this Support Center ticket for more considerations and possible custom solutions.


Your feedback is needed!
Even though we do not provide ready solutions for this specific scenario, we will be more than happy to learn more about your experience in this regard to consider improvements to our product for the future. If you needed to handle such scenarios on your own, please elaborate more on your real-life requirements and implemented solutions. Thanks in advance.



Thursday, July 6, 2017

What's New in XAF Help 17.1.3 and 17.1.4

In this post, I would like to provide an overview of the most important additions to XAF documentation introduced after the 17.1 release.


Tuesday, June 20, 2017

Linking XAF security roles and Active Directory Security Groups by name

We have recently created a new help topic devoted to one of the popular scenarios our users described: How to: Assign the Same Permissions for All Users of an Active Directory Group. This topic demonstrates how to map XAF security roles to AD groups. When a user logs on for the first time, existing roles with names matching the user's AD group names are automatically assigned. If the user's AD group membership changes, the associated roles collection is updated accordingly on the next logon. Take special note that the corresponding XAF security roles, with the required permissions and names matching the AD groups, must be created first!

This article was also required to avoid confusion caused by the AuthenticationActiveDirectory component name, because that component does not support Active Directory Security Groups out of the box. What it does is allow the currently logged-in Windows user to log on automatically, without the logon form. To initialize the created XAF security user record, AuthenticationActiveDirectory uses the WindowsIdentity.Name property of the object returned by the static WindowsIdentity.GetCurrent method, which yields the user name in the DOMAIN\USERNAME format.

I want to point out one implementation aspect that might be unclear: why did we create an AuthenticationActiveDirectory descendant instead of handling the CustomCreateUser event, which looks simpler? The main reason for using the descendant is that it makes the synchronization of XAF security roles easier to implement when AD group membership changes.
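As an added example (not the help topic's or this post's own code), here is a hypothetical C# helper that resolves the current Windows user's AD group names and computes which pre-existing XAF roles to assign or revoke on logon. The class and method names are assumptions; because NTAccount names carry a DOMAIN\ prefix while role names may not, both forms are matched, and the decision to revoke roles that no longer match any group (overwriting manual assignments) is an assumption you may want to change.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Hypothetical helper: resolves AD groups of the current Windows identity and
// computes the role changes needed so the XAF user's roles mirror AD membership.
public static class AdGroupRoleSync {
    // Resolves the current identity's group SIDs to DOMAIN\GROUP names.
    // Groups whose SID cannot be mapped (e.g. deleted groups) are skipped.
    public static IEnumerable<string> CurrentGroupNames() {
        WindowsIdentity identity = WindowsIdentity.GetCurrent();
        if (identity.Groups == null) yield break;
        foreach (IdentityReference sid in identity.Groups) {
            string name;
            try { name = sid.Translate(typeof(NTAccount)).Value; }
            catch (IdentityNotMappedException) { continue; }
            yield return name;
        }
    }

    // "CORP\Sales" -> "Sales"; names without a domain prefix are returned unchanged.
    static string WithoutDomain(string account) {
        int i = account.LastIndexOf('\\');
        return i < 0 ? account : account.Substring(i + 1);
    }

    // groupNames:        the user's AD groups (from CurrentGroupNames or a test list)
    // existingRoleNames: names of roles that already exist in the XAF database
    // assignedRoleNames: names of roles currently assigned to the XAF user
    // Only pre-existing roles are ever assigned; a group with no matching role is
    // ignored (the "roles must be created first" caveat from the post).
    public static (HashSet<string> ToAssign, HashSet<string> ToRevoke) ComputeRoleChanges(
            IEnumerable<string> groupNames,
            IEnumerable<string> existingRoleNames,
            IEnumerable<string> assignedRoleNames) {
        var cmp = StringComparer.OrdinalIgnoreCase;   // AD names are case-insensitive
        var existing = new HashSet<string>(existingRoleNames, cmp);
        var assigned = new HashSet<string>(assignedRoleNames, cmp);
        var target = new HashSet<string>(cmp);         // roles the user should end up with
        foreach (string group in groupNames) {
            if (existing.Contains(group)) target.Add(group);
            else if (existing.Contains(WithoutDomain(group))) target.Add(WithoutDomain(group));
        }
        var toAssign = new HashSet<string>(cmp);
        foreach (string role in target) if (!assigned.Contains(role)) toAssign.Add(role);
        // Assumption: the roles collection strictly mirrors AD, so roles that match
        // no current group are revoked even if they were assigned by hand.
        var toRevoke = new HashSet<string>(cmp);
        foreach (string role in assigned) if (!target.Contains(role)) toRevoke.Add(role);
        return (toAssign, toRevoke);
    }

    // Constructed sample input that needs no domain to run.
    public static void Main() {
        var groups = new[] { "CORP\\Administrators", "CORP\\Sales" };
        var existing = new[] { "Administrators", "Users" };
        var assigned = new[] { "Users" };
        var (add, revoke) = ComputeRoleChanges(groups, existing, assigned);
        Console.WriteLine("assign: " + string.Join(", ", add));
        Console.WriteLine("revoke: " + string.Join(", ", revoke));
    }
}
```

On a domain-joined machine, pass CurrentGroupNames() as the first argument and apply the two sets to the user's Roles collection inside your AuthenticationActiveDirectory descendant.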

I hope you find this example helpful. Please let us know in comments if you experienced a similar scenario and describe how you are currently handling it. Thanks in advance!


Thursday, June 15, 2017

The recommended approach to hiding the 'Protected Content' columns and Property Editors is improved - YOUR FEEDBACK IS NEEDED!


I have recently updated the HideProtectedContentController code in the How to: Hide the 'Protected Content' Columns in a List View and Property Editors in a Detail View topic. The main change is that the HideProtectedContentController now checks if a visibility state for the target UI element is customized by existing Conditional Appearance rules before applying its own customizations.

// Handler for the Conditional Appearance module's CustomApplyAppearance event.
// HideProtectedContentController only hides the item when no existing appearance
// rule has already decided its visibility (null) or has explicitly shown it.
void appearanceController_CustomApplyAppearance(object sender, ApplyAppearanceEventArgs e) {
    if(e.AppearanceObject.Visibility == null || e.AppearanceObject.Visibility == ViewItemVisibility.Show) {
        // ... hide the 'Protected Content' column or Property Editor here
    }
}

This prevents possible conflicts with existing appearance rules.

If you are using the HideProtectedContentController code in your projects, we would greatly appreciate it if you try the updated code and share your feedback here in comments.

Please note that HideProtectedContentController may negatively impact application performance in complex scenarios.

Friday, April 7, 2017

More secure password generation algorithms for built-in security system classes are available in XAF v16.2 and v17.1

We have offered new options for those of you who need to deploy apps to production environments with the FIPS policy enforced (e.g., government desktop computers or highly secured web servers). XAF APIs now support FIPS-compliant algorithms for more secure user password encryption and image hashing.

Please refer to the article below for more details and let me know what you think of it:




Monday, January 16, 2017

New and updated XAF videos

I am glad to announce that the XAF team has published several new videos on the DevExpress channel. These videos demonstrate the most attractive features from the What's New in XAF v16.2 list.

XAF Mobile Platform (CTP)


With this video, you can learn how to add a mobile client for your XAF application. This is an updated version of the previously published video. It demonstrates the following mobile enhancements introduced in 16.2:

  1. New UI layouts optimized for desktop and tablet devices.
  2. Improved look and feel.
  3. Application Simulator no longer requires an internet connection.
  4. 'Active' and 'Enabled' action states are now context-dependent.


Friday, December 16, 2016

Displaying the currently logged user name and photo near the Log Off Action (UPDATED)

We continue to evolve our framework and save its users' time by removing routine work for the most popular customizations, like this one. Now, in the New Web UI, an image associated with the current user is displayed in the top right corner of the application page when IModelApplicationWeb.CurrentUserDisplayMode is set to Image or CaptionAndImage.

To provide an individual image for each user, do the following:
 - Declare a property of the MediaDataObject type in your User business class.
 - Apply the CurrentUserDisplayImageAttribute attribute to the class and pass the property name to it:

// The attribute argument is the name of the MediaDataObject property holding the image.
[CurrentUserDisplayImage("Photo")]
public class MyAppUser : DCUser, IXafEntityObject, IObjectSpaceLink {
    // ...
    // The image shown near the Log Off Action for this user.
    public virtual MediaDataObject Photo { get; set; }
    // ...
}



The result is demonstrated in the image below (look at the top right corner):



The table below demonstrates the effect of different CurrentUserDisplayMode values.

Monday, September 26, 2016

How to skip the logon dialog when debugging or testing an XAF app with the security system enabled

Sometimes during active development, you may find yourself in front of the logon form entering user credentials again and again, and it may eventually become tiresome. This simple-to-implement tip will save you not only development time but also irritation. I wanted to highlight this technique for everyone here after assisting my colleague in this SC ticket, and because another customer also found this solution helpful. Since I also remembered that we have been using a similar thing internally for the installation tests of our demos, I think it is definitely time to let the rest of the world know about this as well.



Steps to implement


1. The instructions below assume that you have already created an XAF WinForms or Web app with the Security module and its SecurityStrategyComplex and AuthenticationStandard components, either using the Solution Wizard or manually. You have likely also created predefined users and roles in code or via the application UI at runtime. Consult the XAF online documentation for more details.

Thursday, September 15, 2016

How to provide a specific View layout for users of certain security roles

I would like to quickly promote a recent update to our old Code Example in the support database: https://www.devexpress.com/example=E274
I hope you find this solution helpful. Let me know in case of any questions, suggestions or share your experience with other XAFers on how you are doing a similar task at the moment. Thanks!

Scenario:
This example demonstrates how to show a custom View depending on the role of the currently logged user. Custom Views were created and customized through the Model Editor for each role separately. For convenience, each custom View includes the role name in its Id attribute, for instance: Contact_ListView_Administrators, Contact_DetailView_Administrators, Contact_ListView_Users, Contact_DetailView_Users, etc. You may consider a specific naming convention, for example, adding the role name to the end of the view name. Use the User and Admin user names with an empty password to log into the application.



Implementation details:
The E274.Module\Controllers\CustomizeViewAgainstRoleMainWindowController tracks View creation using the XafApplication.ViewCreating event and replaces the default View's Id with a custom Id found in the Application Model by the role name.
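As an added example, not E274's own code, here is a hypothetical controller that implements the ViewCreating substitution described above. It assumes PermissionPolicyUser users, the "<DefaultViewId>_<RoleName>" naming convention from the post, and the class name RoleBasedViewIdController; the ViewCreating event and its ViewID property are the real XAF members the post refers to.

```csharp
using System.Linq;
using DevExpress.ExpressApp;
using DevExpress.Persistent.BaseImpl.PermissionPolicy;

// Hypothetical reconstruction: swaps the View Id for a role-specific one when
// such a View exists in the Application Model. Assumes PermissionPolicyUser.
public class RoleBasedViewIdController : WindowController {
    public RoleBasedViewIdController() {
        // Subscribe once per main window rather than per View.
        TargetWindowType = WindowType.Main;
    }

    protected override void OnActivated() {
        base.OnActivated();
        Application.ViewCreating += Application_ViewCreating;
    }

    protected override void OnDeactivated() {
        Application.ViewCreating -= Application_ViewCreating;
        base.OnDeactivated();
    }

    void Application_ViewCreating(object sender, ViewCreatingEventArgs e) {
        var user = SecuritySystem.CurrentUser as PermissionPolicyUser;
        if (user == null || string.IsNullOrEmpty(e.ViewID)) return;

        // Sort role names so a user with several roles always gets the same View,
        // independent of the order in which roles were assigned.
        foreach (string roleName in user.Roles.Select(r => r.Name).OrderBy(n => n)) {
            string customId = e.ViewID + "_" + roleName;   // e.g. Contact_ListView_Administrators
            // Substitute only when the role-specific View really exists in the model;
            // otherwise XAF keeps the default View for this user.
            if (Application.Model.Views[customId] != null) {
                e.ViewID = customId;
                return;
            }
        }
    }
}
```

This is a UI customization only: restricting what the user can actually read or write still belongs to role permissions, because a user could reach the default View through other paths.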

Thursday, September 1, 2016

Simplifying the migration from SecuritySystemUser to the new PermissionPolicyUser API

We have recently prepared a KB article on the subject: How to use the new Allow/Deny permissions policy in the existing project and hope to hear your feedback on it and this new Allow/Deny security feature in particular. If you have not yet heard about it and its possible benefits for your project, I recommend you review the Concepts > Security System > New Security System > Permission Policies documentation along with a short overview video on our YouTube channel.



As a side note, a quite popular How to hide individual navigation items and groups for certain users example was updated to use the new PermissionPolicyRole class.

As always, our team is more than happy to learn more on how our security module can help your business better or assist in case of any difficulties. Feel free to contact us via the Support Center: https://www.devexpress.com/Support/Center/Question/Create  or in comments here.

UPDATED:
See also this post from a long-time customer, http://www.codeproject.com/Articles/1153095/How-to-migrate-DevExpress-XAF-SecuritySystemUser-t, for an alternative migration procedure.

Thursday, July 14, 2016

How to display the currently logged user name in the header bar near the Log Off Action on the Web

Here is another recent support thread update about personalizing your Web app:

To accomplish your task, consider one of the following solutions depending on your business requirements:

1. Default web template modification

Create a custom Default content template and add a new table cell with the following code to the markup (between the cells containing the logo and the header menu):
[ASPx]
    ...
    <td> <img src="Images/Logo.png" /> </td>
    <td class="width100"></td>
    <td><%= DevExpress.ExpressApp.SecuritySystem.CurrentUserName %></td>
    <td> <div id="xafHeaderMenu" class="xafHeaderMenu" style="float: right;"> ... </td>
    ...
2. Inherit from the standard HeaderMenuController class
Override its GetActionContainerCaption method (and optionally the GetActionContainerImageUrl method) as shown in our XCRM demo ("C:\Users\Public\Documents\DevExpress Demos 1X.X\Components\eXpressApp Framework\XCRM\CS\XCRM.Module.Web\CustomHeaderMenuController.cs").

Monday, April 11, 2016

3 simple steps to improve the overall performance in a middle-tier application server scenario

UPDATED
The contents of this article were merged into the new document at 
Security - How to reduce the number of permission requests and improve overall performance.
=============

Preamble

Here I will be talking about the configuration described in the eXpressApp Framework > Concepts > Security System > New Security System > Middle Tier Security - WCF Service article, assuming that the application server (YourSolutionName.ApplicationServer) is used with a desktop client app (YourSolutionName.Win). I am not talking about the web client, because I anticipate that in this configuration the Client-Side Security (2-Tier Architecture) with the integrated mode (SecuredObjectSpaceProvider) is a more typical choice as long as the database is located on the same web server where the ASP.NET app is deployed.




1. Server or DataView data access mode for ListView

While this is not specific to the 'application server' scenario, it is still worth mentioning these options explicitly when you need to work with large lists in grids in an XAF app. You can learn more on how to select an appropriate mode for your particular case from the online XAF documentation: eXpressApp Framework > Concepts > UI Construction > Views > List View Data Access Modes.

Wednesday, December 23, 2015

The GetObjectsNonReenterant error for security permissions with complex criteria - Fixed in v15.2.5

In v15.2.5 we have made improvements at both the XPO and XAF levels to avoid the "Entering state 'GetObjectsNonReenterant' from state 'CommitTransactionNonReenterant, CommitChangesToDataLayer' is prohibited due to state 'CommitChangesToDataLayer'" error that might occur while evaluating security permission criteria involving collections during the object saving procedure (S170995). Our previous attempt was unsuccessful, and I apologize for this and all the inconvenience it has caused you and your business.

Our new low-level solution does not require extra options on your side, and I invite you to test a new 15.2 build containing these improvements: 


I am looking forward to hearing from you on how these improvements work in your real projects after installing this build and running the Project Converter tool. Thanks in advance!