Middle Tier Security with XPO

  • Feb 16, 2026
  • 5 minutes to read

Keeping security logic in the client application is neither safe nor flexible, because users can bypass the security system and access the database directly. To prevent this, you can implement the Middle Tier application server, an ASP.NET Core service that sits between the client application and the database server. This Middle Tier Server filters out the secured data, so clients never access the database server directly. The diagram below illustrates this configuration.

Application Architecture Basics: Middle-Tier Security

The following images demonstrate how Blazor and WinForms applications with Middle Tier Security interact with the database:

Blazor application with the Middle Tier Application Server

WinForms application with the Middle Tier Application Server

Application without the Security System

Load Data from the Database

  1. The unsecure server-side Session loads data from the database according to the criteria based on Security permissions.
  2. The secure server-side Session copies objects from the unsecure server-side Session. If a field value does not meet the permission criterion, it is replaced with the default value in the copied objects. The copied objects are serialized and passed to the client-side Session.
  3. The client-side Session deserializes these objects. The deserialized objects are available to users.

Save Data to the Database

  1. The client-side Session serializes objects and passes them to the secure server-side Session.
  2. The secure server-side Session deserializes objects and copies their values that meet the Security permissions to the unsecure server-side Session.
  3. The unsecure server-side Session saves the passed values into original objects in the database.

Important Notes

  • When you create a new project with DevExpress CLI templates or the Template Kit and enable Middle-Tier Security, HTTPS is enabled by default with an ASP.NET Core HTTPS development certificate. This certificate cannot be used in non-development environments. For production, configure a proper TLS certificate for the application. For more information, refer to the documentation: Configure HTTPS.

  • ASP.NET Core Blazor applications use the client-server model. You do not need to implement the additional Middle Tier server in these applications.

  • The Middle Tier service and database can be installed on the same server. The application server can also be installed on a user workstation with the application, but this configuration does not improve security.

  • Blazor applications with Middle Tier Security do not support Windows authentication.

  • Integrated WebAPI services and Middle Tier security cannot be used simultaneously.

  • If you use custom permission requests, custom logon parameters, or other types that should be serialized (for example, non-persistent objects), use the static WebApiDataServerHelper.AddKnownType method to register them before a data server is initialized. Register these types on the server and client. Do not use this method to register business classes.

  • The Security System displays the default property value instead of its actual value if access to a property is denied. These values may match. Use the SecuritySystem.IsGranted method to determine which value is displayed.

  • The OnSaving and OnDeleting methods of a business class can be called multiple times because Integrated Mode and Middle Tier Security use more than one Session/DbContext object. If you implement custom logic in these methods, check whether a new value is already assigned to a property. This helps you avoid incorrect results. The following article describes how to do this with XPO: XPO Best Practices.

  • Detail Views do not display changes made to an object within a transaction (for example, an auto-generated sequential number for an XPO business object) even if you saved this object in a View. These changes are made on the server only and are not automatically passed to the client application. To show these changes, reload the object. If you want to reload the object on each Save operation, override the business class’s OnSaved method. The following example demonstrates how to override this method to reload an object on the client:

  • The Session.DataLayer property is null in the secured Session. Instead of DataLayer, we recommend that you use the View.ObjectSpace property to query and change data from the database. This technique is also recommended for non-secure applications.
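
The two notes above on OnSaving and OnSaved, combined in one added example that is not code from the original page or from DevExpress: a hypothetical Order business class assigns a CreatedOn value only if it is not already set (because OnSaving can run in several Sessions), and reloads itself after Save when it detects the client-side secured Session. The Order class and CreatedOn property are constructed for illustration, and treating a null Session.DataLayer as the client-side indicator is an assumption based on the note above.

```csharp
using System;
using DevExpress.Persistent.Base;
using DevExpress.Persistent.BaseImpl;
using DevExpress.Xpo;

// Constructed business class for illustration (not from the original page).
[DefaultClassOptions]
public class Order : BaseObject {
    public Order(Session session) : base(session) { }

    DateTime createdOn;
    public DateTime CreatedOn {
        get { return createdOn; }
        set { SetPropertyValue(nameof(CreatedOn), ref createdOn, value); }
    }

    protected override void OnSaving() {
        base.OnSaving();
        // With Middle Tier Security the object passes through more than one Session
        // (client-side, secure server-side, unsecure server-side), so OnSaving can run
        // several times for the same object. Assign the value only if it is still unset,
        // otherwise the server-side run would overwrite what the client already stored.
        if (CreatedOn == DateTime.MinValue) {
            CreatedOn = DateTime.UtcNow;
        }
    }

    protected override void OnSaved() {
        base.OnSaved();
        // Assumption: Session.DataLayer is null only in the secured client-side Session.
        // Values generated on the server inside the transaction are not pushed back
        // to the client automatically, so reload the object after each Save. Skip nested
        // units of work and deleted objects, where a reload is not meaningful.
        if (Session.DataLayer == null && !(Session is NestedUnitOfWork) && !IsDeleted) {
            Session.Reload(this);
        }
    }
}
```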

See Also

Execute Direct SQL Queries in Integrated Mode and with XPO Middle Tier Security

How to Update the Middle Tier Implementation when Upgrading to XAF v17.2+

Create an Application with the XPO Middle Tier Security