2-Tier Security - Integrated Mode and UI Level
Applications with 2-Tier Security connect directly to the database (there is no Middle Tier Application Server between them). This topic describes the two 2-Tier Security modes: Integrated Mode and UI Level.
Note
Keeping security logic in the client application is neither safe nor flexible, because a user who controls the client can bypass the security system and access the database directly with the connection credentials the client holds.
Instead of client-side security, place a Middle Tier application server between your application and the database server. The following help topic describes how to set it up: Middle Tier Security.
In Integrated Mode, SecuredObjectSpaceProvider (XPO) or SecuredEFCoreObjectSpaceProvider<TDbContext> (EF Core) creates secured Object Spaces that apply security permissions and filter protected data at the ORM level. As a result, protected data is not displayed in Views, and Controllers and report data sources cannot access it.
The following outlines describe how an application with Integrated Security interacts with the database. An application without the Security System works with a single unsecured Session or DbContext that reads and writes the database directly.
XPO-based application with Integrated Security
Loading data:
1. The unsecure Session loads from the database the objects that meet the criteria generated from the Security permissions.
2. The secured Session copies these objects from the unsecure Session. If a field value does not meet the permission criterion, it is replaced with the type's default value in the copied object.
3. The copied objects are what users work with.
Saving data:
1. The secured Session copies the object values that meet the Security permissions to the unsecure Session.
2. The unsecure Session saves the passed values into the original objects in the database.
EF Core-based application with Integrated Security
Loading data:
1. The DbContext loads from the database the objects that meet the criteria generated from the Security permissions.
2. The security service copies the loaded objects and replaces a property's original value with the type's default value if the property does not meet the permission criterion.
The Security System displays a property's default value instead of its actual value when access to that property is denied. The two values may coincide (for example, a denied integer property shows 0, and so does one whose stored value is 0). Use the SecuritySystem.IsGranted method to determine whether the displayed value is the real one or a placeholder.
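The IsGranted check described above, as an added example that is not code from the original page or from DevExpress. It shows how to tell a property that the Security System masked with its default value apart from a property whose stored value genuinely equals that default. The controller name, the use of a Detail View, and the logging target are assumptions; the permission request is built with PermissionRequest and evaluated with SecuritySystem.IsGranted, which the page names.

```csharp
// Added example (not from the original page). Assumptions: a ViewController
// attached to any Detail View; member names are discovered from the View's
// type info rather than hard-coded.
using System;
using DevExpress.ExpressApp;
using DevExpress.ExpressApp.Security;
using DevExpress.Persistent.Base;

namespace MyApp.Module.Controllers {
    public class MaskedValueController : ViewController<DetailView> {
        protected override void OnActivated() {
            base.OnActivated();
            View.CurrentObjectChanged += View_CurrentObjectChanged;
            ReportMaskedMembers(View.CurrentObject);
        }
        protected override void OnDeactivated() {
            View.CurrentObjectChanged -= View_CurrentObjectChanged;
            base.OnDeactivated();
        }
        private void View_CurrentObjectChanged(object sender, EventArgs e) {
            ReportMaskedMembers(View.CurrentObject);
        }
        // Returns true when the Security System denies reading 'memberName' on
        // 'obj'. In Integrated Mode the secured Session/DbContext then hands
        // the UI the member's default value (0, null, false, ...), which the
        // editor cannot distinguish from a real value; this check can.
        public static bool IsMemberMasked(IObjectSpace objectSpace, object obj, string memberName) {
            var request = new PermissionRequest(objectSpace, obj.GetType(),
                SecurityOperations.Read, obj, memberName);
            return !SecuritySystem.IsGranted(request);
        }
        private void ReportMaskedMembers(object obj) {
            if(obj == null) return;
            foreach(var member in View.ObjectTypeInfo.Members) {
                if(!member.IsPublic || !member.IsPersistent) continue;
                if(IsMemberMasked(ObjectSpace, obj, member.Name)) {
                    // Assumed logging target: XAF's built-in tracer.
                    Tracing.Tracer.LogText("{0}.{1} is hidden by security; the displayed value is the default, not the stored one.",
                        obj.GetType().Name, member.Name);
                }
            }
        }
    }
}
```

Call IsMemberMasked before you act on a value read from a secured Object Space (for example, before exporting it or using it in a calculation); a masked 0 or null is not data, and treating it as such silently corrupts results.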
The OnSaving and OnDeleting methods of a business class can be called multiple times, because Integrated Mode and Middle Tier Security use more than one Session/DbContext object. If you implement custom logic in these methods, check whether a new value is already assigned to a property before you assign it; otherwise the logic runs once per Session/DbContext and produces incorrect results. The following article describes how to do this with XPO: XPO Best Practices.
Detail Views do not display changes made to an object within a transaction (for example, an auto-generated sequential number for an XPO business object), even if you saved this object in a View. Such changes are made in the unsecure Session on the server side only and are not passed back to the secured copy the client works with. To show these changes, reload the object. If you want to reload the object on each Save operation, override the business class's OnSaved method and reload the object there.
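The two points above (guarding OnSaving against repeated calls, and reloading the object in OnSaved so the Detail View shows a value generated inside the transaction) in one XPO business class, as an added example that is not code from the original page or from DevExpress. The Document class and its properties are hypothetical, and the sequential number is produced with DistributedIdGeneratorHelper from DevExpress.Persistent.BaseImpl, which this page does not mention; the secured Session is recognised by its null Session.DataLayer, as the page states.

```csharp
// Added example (not from the original page). Assumptions: a hypothetical
// Document class; DistributedIdGeneratorHelper generates the sequence value.
using DevExpress.ExpressApp.DC;
using DevExpress.Persistent.Base;
using DevExpress.Persistent.BaseImpl;
using DevExpress.Xpo;

namespace MyApp.Module.BusinessObjects {
    [DefaultClassOptions]
    public class Document : BaseObject {
        public Document(Session session) : base(session) { }

        private int number;
        [ModelDefault("AllowEdit", "False")]
        public int Number {
            get { return number; }
            set { SetPropertyValue(nameof(Number), ref number, value); }
        }

        private string title;
        public string Title {
            get { return title; }
            set { SetPropertyValue(nameof(Title), ref title, value); }
        }

        protected override void OnSaving() {
            base.OnSaving();
            // In Integrated Mode this runs once in the secured Session
            // (Session.DataLayer == null) and once in the unsecure Session that
            // actually talks to the database. Generate the number only in the
            // unsecure Session, only for a new object, and only if it has not
            // been assigned yet, so repeated calls cannot overwrite or burn it.
            if(Session is NestedUnitOfWork || Session.DataLayer == null) return;
            if(Session.IsNewObject(this) && !IsDeleted && Number == 0) {
                Number = DistributedIdGeneratorHelper.Generate(Session.DataLayer, GetType().FullName, string.Empty);
            }
        }

        protected override void OnSaved() {
            base.OnSaved();
            // The secured Session holds a copy of this object; the Number set
            // above exists only in the unsecure Session and the database.
            // Reload the secured copy so the Detail View shows it.
            if(!(Session is NestedUnitOfWork) && Session.DataLayer == null) {
                Session.Reload(this);
            }
        }
    }
}
```

The two DataLayer checks are the whole point: without the one in OnSaving the generator would be called in a Session that has no database connection, and without the one in OnSaved the reload would run in the unsecure Session, where it is unnecessary.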
The Session.DataLayer property is null in the secured Session. Instead of DataLayer, use the View.ObjectSpace property to query and change data in the database. This technique is also recommended for non-secured applications.
To bypass security, call CreateNonsecuredObjectSpace (XPO/EF Core) to create a non-secured IObjectSpace instance. Then use this Object Space's methods to access protected data as described in the following help topic: Create, Read, Update and Delete Data.
Note
You cannot create a non-secured Object Space on the client side if you use the Middle Tier Security Server. To set an object property's value while bypassing the security system in that configuration, use the SetPropertyValueWithSecurityBypass method.
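The CreateNonsecuredObjectSpace technique from the paragraph above, as an added example that is not code from the original page or from DevExpress. A Controller action performs one privileged write in a non-secured Object Space while the View itself stays on its secured Object Space. The AuditNote class, its Approved property and the controller and action names are assumptions; the provider is obtained by casting Application.ObjectSpaceProvider to INonsecuredObjectSpaceProvider.

```csharp
// Added example (not from the original page). Assumptions: a hypothetical
// AuditNote business class whose Approved property the current user's role
// cannot write; names are illustrative.
using System;
using DevExpress.ExpressApp;
using DevExpress.ExpressApp.Actions;
using DevExpress.Persistent.Base;

namespace MyApp.Module.Controllers {
    public class ApproveController : ObjectViewController<DetailView, AuditNote> {
        public ApproveController() {
            var approve = new SimpleAction(this, "ApproveNote", PredefinedCategory.Edit);
            approve.Execute += Approve_Execute;
        }
        private void Approve_Execute(object sender, SimpleActionExecuteEventArgs e) {
            // The secured Object Space behind this View enforces permissions, so
            // writing ViewCurrentObject.Approved here is denied. Do the write in
            // a non-secured Object Space instead (2-Tier only: with a Middle
            // Tier Server the client cannot create one, see the note above).
            var provider = Application.ObjectSpaceProvider as INonsecuredObjectSpaceProvider;
            if(provider == null) {
                throw new InvalidOperationException("This Object Space Provider cannot create non-secured Object Spaces.");
            }
            using(IObjectSpace nonsecuredObjectSpace = provider.CreateNonsecuredObjectSpace()) {
                // Fetch the same record by key; never hand the secured View's
                // object to another Object Space.
                object key = ObjectSpace.GetKeyValue(ViewCurrentObject);
                AuditNote note = nonsecuredObjectSpace.GetObjectByKey<AuditNote>(key);
                if(note == null) return;
                note.Approved = true;
                nonsecuredObjectSpace.CommitChanges();
            }
            // The secured Object Space still holds the pre-change copy.
            ObjectSpace.ReloadObject(ViewCurrentObject);
        }
    }
}
```

Keep the non-secured Object Space short-lived and confined to the one write it exists for, and restrict who can execute the action (for example, with an action permission): everything done through that Object Space skips the ORM-level protection the rest of the application relies on.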
UI Level Security is not recommended for XPO-based or EF Core-based applications. In this mode the application has direct, unrestricted access to the database, so code (for example, a Controller) can read and modify protected data; List and Property Editors hide protected data at the UI level only.
Consider an object-level permission that denies writing objects that match the criterion Name = 'Example'. If a user creates an object and sets its Name property to Example, the object is saved and is displayed as read-only only after the save, because the object-level criterion applies once the saved object matches it.
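The permission setup behind the Name = 'Example' scenario above, as an added example that is not code from the original page or from DevExpress. It declares the role in a module Updater so the behaviour can be reproduced: full type-level access to a hypothetical Contact class combined with an object-level Deny on Write for objects whose Name is 'Example'. The Contact class, the role name and the Updater placement are assumptions.

```csharp
// Added example (not from the original page). Assumptions: a hypothetical
// Contact class with a Name property; an "Editors" PermissionPolicyRole.
using System;
using DevExpress.ExpressApp;
using DevExpress.ExpressApp.Security;
using DevExpress.ExpressApp.Updating;
using DevExpress.Persistent.BaseImpl.PermissionPolicy;

namespace MyApp.Module.DatabaseUpdate {
    public class Updater : ModuleUpdater {
        public Updater(IObjectSpace objectSpace, Version currentDBVersion)
            : base(objectSpace, currentDBVersion) { }

        public override void UpdateDatabaseAfterUpdateSchema() {
            base.UpdateDatabaseAfterUpdateSchema();
            PermissionPolicyRole role = ObjectSpace.FirstOrDefault<PermissionPolicyRole>(r => r.Name == "Editors");
            if(role == null) {
                role = ObjectSpace.CreateObject<PermissionPolicyRole>();
                role.Name = "Editors";
                // Type level: the role may create, read, write and delete Contacts.
                role.AddTypePermissionsRecursively<Contact>(SecurityOperations.FullAccess, SecurityPermissionState.Allow);
                // Object level: writing is denied for Contacts whose Name is 'Example'.
                // A new Contact can still be named 'Example' and saved; once it
                // exists and matches this criterion it is shown read-only.
                role.AddObjectPermission<Contact>(SecurityOperations.Write, "[Name] = 'Example'", SecurityPermissionState.Deny);
                ObjectSpace.CommitChanges();
            }
        }
    }
}
```

If the intent is that such an object must never be created in the first place, an object-level Deny is the wrong tool; enforce that with a validation rule or a Create permission instead, and keep the object-level Deny for locking records after the fact.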