Using the Security System

In this lesson, you will learn how to use a Security System in the application. When you use this system, the SecurityStrategyComplex security strategy is applied to your application. According to this strategy, Users have Roles, which in turn are characterized by a permission set. This topic will guide you through creating an administrator and a common user in code. The administrator will have a full-access permission set, and the user will have a limited permission set. You will see how the administrator can create Users and Roles, specify Permissions for them, and then assign Roles to Users at runtime. You will also use the AuthenticationStandard authentication type to log on to the application.


 

Note
Before proceeding, take a moment to review the following topics.
  • Create a Solution using the Wizard
  • Supply Initial Data (XPO/EF) lesson

If you have followed the Create a Solution using the Wizard lesson, you have already enabled the Security System with the AuthenticationActiveDirectory authentication.


 

Invoke the Application Designer for the WinForms application and take a look at the Security section.


Tutorial_SS_Lesson1_0_2

As you can see in the image above, a Complex Security Strategy and Active Directory authentication are used, and the CreateUserAutomatically property is set to true. This means that a user object (PermissionPolicyUser) is created automatically when you first run the application. This object's UserName property is set to your Active Directory account. You have all permissions because the automatically created user is an administrator. To see this user's details at runtime, navigate to the User and MyDetails items in the navigation control.


Tutorial_SS_Lesson1_0_1

Now, follow the Tutorial to learn how to change authentication type in your application.


Standard Authentication


  • Invoke the Application Designer for the WinForms application. To use a standard authentication strategy, drag the AuthenticationStandard component from the DX.19.2: XAF Security Toolbox tab to the Designer's Security section.


    Tutorial_SS_Lesson2_0_1

  • Invoke the Application Designer for the ASP.NET application. Drag the AuthenticationStandard component from the DX.19.2: XAF Security Toolbox tab to the Designer's Security section.

 

Create Predefined Users and Roles in Code


  • Before running an application with Standard Authentication enabled, create several predefined User and Role business objects, and assign the Roles to Users. This will allow you to log on and create more Users at runtime.


The objects that should exist in the database while running the application are created in the ModuleUpdater.UpdateDatabaseAfterUpdateSchema method in the MySolution.Module | DatabaseUpdate | Updater.cs/Updater.vb file (see the Supply Initial Data (EF/XPO) topic).


  • First, create Roles. The following code demonstrates how to create an "Administrators" Role.

 

using DevExpress.Data.Filtering;      // BinaryOperator
using DevExpress.ExpressApp.Security;
// ...
public override void UpdateDatabaseAfterUpdateSchema() {
    base.UpdateDatabaseAfterUpdateSchema();
    // ...
    PermissionPolicyRole adminRole = ObjectSpace.FindObject<PermissionPolicyRole>(
        new BinaryOperator("Name", SecurityStrategy.AdministratorRoleName));
    if (adminRole == null) {
        adminRole = ObjectSpace.CreateObject<PermissionPolicyRole>();
        adminRole.Name = SecurityStrategy.AdministratorRoleName;
        adminRole.IsAdministrative = true;
    }
    // ...
}

 

Note
In the code above, the PermissionPolicyRole class from the DevExpress.Persistent.BaseImpl.PermissionPolicy namespace is used for XPO, and the PermissionPolicyRole class from the DevExpress.Persistent.BaseImpl.EF.PermissionPolicy namespace is used for Entity Framework. Ensure that the correct using (Imports in VB) directive is added.

 

Here, the "Administrators" Role has full access to objects of all types, because its IPermissionPolicyRole.IsAdministrative property is set to true.


 

Now create a "Users" Role - a very basic Role that will have access to the current user object only. You can later extend this Role's permission set in the UI using extension methods of the PermissionSettingHelper class. See the following code.


public override void UpdateDatabaseAfterUpdateSchema() {
    // ...
    PermissionPolicyRole userRole = ObjectSpace.FindObject<PermissionPolicyRole>(
        new BinaryOperator("Name", "Users"));
    if(userRole == null) {
        userRole = ObjectSpace.CreateObject<PermissionPolicyRole>();
        userRole.Name = "Users";
        userRole.PermissionPolicy = SecurityPermissionPolicy.AllowAllByDefault;
        userRole.AddTypePermission<PermissionPolicyRole>(SecurityOperations.FullAccess,
            SecurityPermissionState.Deny);
        userRole.AddTypePermission<PermissionPolicyUser>(SecurityOperations.FullAccess,
            SecurityPermissionState.Deny);
        userRole.AddObjectPermission<PermissionPolicyUser>(SecurityOperations.ReadOnlyAccess,
            "[Oid] = CurrentUserId()", SecurityPermissionState.Allow);
        userRole.AddMemberPermission<PermissionPolicyUser>(SecurityOperations.Write,
            "ChangePasswordOnFirstLogon", null, SecurityPermissionState.Allow);
        userRole.AddMemberPermission<PermissionPolicyUser>(SecurityOperations.Write,
            "StoredPassword", null, SecurityPermissionState.Allow);
        userRole.AddTypePermission<PermissionPolicyRole>(SecurityOperations.Read,
            SecurityPermissionState.Allow);
        userRole.AddTypePermission<PermissionPolicyTypePermissionObject>("Write;Delete;Navigate;Create",
            SecurityPermissionState.Deny);
        userRole.AddTypePermission<PermissionPolicyMemberPermissionsObject>("Write;Delete;Navigate;Create",
            SecurityPermissionState.Deny);
        userRole.AddTypePermission<PermissionPolicyObjectPermissionsObject>("Write;Delete;Navigate;Create",
            SecurityPermissionState.Deny);
    }
    //...
}

 

The following code demonstrates how to create Users.


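using System;
using DevExpress.Data.Filtering;      // BinaryOperator
using DevExpress.ExpressApp;          // IObjectSpace
using DevExpress.ExpressApp.Security;
using DevExpress.ExpressApp.Updating; // ModuleUpdater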
// ...
public class Updater : ModuleUpdater {
   public Updater(IObjectSpace objectSpace, Version currentDBVersion) 
      : base(objectSpace, currentDBVersion) { }   
   public override void UpdateDatabaseAfterUpdateSchema() {
      // ...
      // If a user named 'Sam' does not exist in the database, create this user.
      PermissionPolicyUser user1 = ObjectSpace.FindObject<PermissionPolicyUser>(
        new BinaryOperator("UserName", "Sam"));
      if(user1 == null) {
         user1 = ObjectSpace.CreateObject<PermissionPolicyUser>();
         user1.UserName = "Sam";
         // Set a password if the standard authentication type is used.
         // The empty string is a tutorial placeholder: this account logs on with a blank password until one is set.
         user1.SetPassword("");
      }
      // If a user named 'John' does not exist in the database, create this user.
      PermissionPolicyUser user2 = ObjectSpace.FindObject<PermissionPolicyUser>(
           new BinaryOperator("UserName", "John"));
      if(user2 == null) {
         user2 = ObjectSpace.CreateObject<PermissionPolicyUser>();
         user2.UserName = "John";
         // Set a password if the standard authentication type is used (empty placeholder, as for 'Sam').
         user2.SetPassword("");
      }
   }
}

Finally, you will assign Roles to Users.


public class Updater : ModuleUpdater {
    // ... 
    public override void UpdateDatabaseAfterUpdateSchema() {
      // ...
      user1.Roles.Add(adminRole);
      user2.Roles.Add(userRole);
    }
}

Note
More examples are provided in the Client-Side Security (2-Tier Architecture) topic.

  • Run the WinForms or ASP.NET application. The following logon window will be displayed in a WinForms application.


 

Tutorial_SS_Lesson1_1

  • The following window will be displayed in the ASP.NET application.

Tutorial_SS_Lesson1_5

  • After the Log In button is clicked, the user's credentials are authenticated and the application will run.

Create a Role in a UI


Administrators and other users with Role creation permission can create Roles as follows.


 

Select the Role item in the navigation control and click the New Action. In the invoked Detail View, set the name and permissions for the new Role.


Tutorial_SS_Lesson2_2

With the Permission Policy property, you can assign "deny all", "read only all" or "allow all" default permission policies for each role. For each operation, you can explicitly specify the Allow or Deny modifier or leave it blank. If the modifier is not specified, the permission is determined by the role's permission policy.
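The "Users" role created in code earlier in this lesson uses the allow-all default policy and then denies specific types, so any operation without an explicit modifier falls back to Allow. The following added example (not part of the original lesson) sketches the deny-by-default alternative using the same permission calls; the role name "RestrictedUsers" is hypothetical and the XPO namespace is assumed.

```csharp
using System;
using DevExpress.Data.Filtering;
using DevExpress.ExpressApp;
using DevExpress.ExpressApp.Security;
using DevExpress.ExpressApp.Updating;
using DevExpress.Persistent.Base;
// XPO classes; for Entity Framework use DevExpress.Persistent.BaseImpl.EF.PermissionPolicy.
using DevExpress.Persistent.BaseImpl.PermissionPolicy;

public class Updater : ModuleUpdater {
    public Updater(IObjectSpace objectSpace, Version currentDBVersion)
        : base(objectSpace, currentDBVersion) { }

    public override void UpdateDatabaseAfterUpdateSchema() {
        base.UpdateDatabaseAfterUpdateSchema();

        // "RestrictedUsers" is a hypothetical role name used only in this example.
        PermissionPolicyRole role = ObjectSpace.FindObject<PermissionPolicyRole>(
            new BinaryOperator("Name", "RestrictedUsers"));
        if (role == null) {
            role = ObjectSpace.CreateObject<PermissionPolicyRole>();
            role.Name = "RestrictedUsers";

            // Every operation left blank now resolves to Deny, so a business
            // type added later is inaccessible until it is granted explicitly.
            role.PermissionPolicy = SecurityPermissionPolicy.DenyAllByDefault;

            // Explicit Allow modifiers override the default for these cases only:
            // read and navigate to the current user's own record ...
            role.AddObjectPermission<PermissionPolicyUser>(
                SecurityOperations.ReadOnlyAccess,
                "[Oid] = CurrentUserId()", SecurityPermissionState.Allow);
            // ... and write the two members needed to change one's own password.
            role.AddMemberPermission<PermissionPolicyUser>(
                SecurityOperations.Write,
                "ChangePasswordOnFirstLogon", null, SecurityPermissionState.Allow);
            role.AddMemberPermission<PermissionPolicyUser>(
                SecurityOperations.Write,
                "StoredPassword", null, SecurityPermissionState.Allow);

            // No Deny entries for PermissionPolicyRole or the permission
            // objects are needed here: the default policy already denies them.
        }
        // Persist the new role.
        ObjectSpace.CommitChanges();
    }
}
```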


Create a User in a UI


Users who have permission to create Users can do the following.


 

Select the User item in the navigation control and click the New button. In the invoked Detail View, specify the User Name and assign one or more Roles.


Tutorial_SS_Lesson2_3

Note
Set the Is Active property to false if you need to temporarily prohibit the user from using the application.

 

To assign a password to a newly created user, click the Reset Password button. The assigned password should be passed to the user. A User will be able to change it when logging on for the first time.


Tutorial_SS_Lesson2_4

Note
This button is the ResetPassword Action, which is available to users who are allowed to modify User objects. This button is not available when the Active Directory authentication is used.

 

My Details


The My Details navigation item is available for users who have read access to the current User object. This navigation item opens the current user details.


SS_Complex_Win

In an ASP.NET application, it can also be opened by clicking the My Details link at the top-right corner of the page.


MyDetailWeb

Change Password


When the standard authentication type is used, the Change My Password button is available once the My Details Detail View is displayed. This button opens a dialog where a user can change the password.


Tutorial_SS_Lesson2_5

Note
This button is the ChangePasswordByUser Action that is not available if the Active Directory authentication is used. To change a password in this instance, end users can use the operating system's standard tools (e.g., press CTRL+ALT+DEL and select Change a password).


Origin www.cnblogs.com/foreachlife/p/Using-the-Security-System.html