The following scenarios, in which XAF developers accessed data in code before login, require changes in v18.2:
1. Show and modify data from a database on the logon form, as described in How to: Use Custom Logon Parameters and Authentication, How to manage users (register a new user, restore a password, etc.) from the logon form in ASP.NET, and similar articles.
2. Obtain data in the XafApplication.LoggingOn, XafApplication.SetupComplete and other events that occur before the XafApplication.LoggedOn event.
This does NOT affect ModuleUpdater scenarios where XAF uses a service object space for CRUD operations.
Why we did it
Previously, XAF developers could unintentionally write code that exposes or modifies secured data before users log in. Higher security standards require each developer to explicitly allow data access in such scenarios. This will also minimize security risks in similar scenarios for the out-of-the-box XAF functionality in the future.
How to update your custom code
Customize the SecurityStrategy.AnonymousAllowedTypes collection to manage business object types for which you allow CRUD operations before a successful user authentication. For example:
[C#]
// Inside the YourXafApplicationClassName constructor in the YourSolutionName.Wxx\WxxApplication.cs file:
//...
securityStrategyComplex1.AnonymousAllowedTypes.Add(typeof(YourBusinessClassName));
//...
[VB.NET]
' Inside the YourXafApplicationClassName constructor in the YourSolutionName.Wxx\WxxApplication.vb file:
'...
securityStrategyComplex1.AnonymousAllowedTypes.Add(GetType(YourBusinessClassName))
'...
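As an added example (not from the DevExpress documentation or demos), the application constructor below allows anonymous reads of a single hypothetical LogonNotice business class that a LoggingOn handler then queries, while every other type stays behind authentication. LogonNotice, its Text property and the WinApplication class name are assumptions for this illustration.

```csharp
using System;
using DevExpress.ExpressApp;
using DevExpress.ExpressApp.Security;

// Assumed generated application class; securityStrategyComplex1 comes from the designer.
public partial class WinApplication : DevExpress.ExpressApp.Win.WinApplication {
    public WinApplication() {
        InitializeComponent();
        // v18.2: data access before login is denied unless the type is listed here.
        // Allow only the one type the logon form needs (LogonNotice is an assumed
        // business class from this solution's module), nothing else.
        securityStrategyComplex1.AnonymousAllowedTypes.Add(typeof(LogonNotice));
        // Leave the blanket switch off; it would expose every type before login.
        securityStrategyComplex1.AllowAnonymousAccess = false;
        LoggingOn += WinApplication_LoggingOn;
    }

    private void WinApplication_LoggingOn(object sender, LogonEventArgs e) {
        // LoggingOn fires before LoggedOn, so this object space is anonymous:
        // only the types in AnonymousAllowedTypes can be read here.
        using (IObjectSpace objectSpace = CreateObjectSpace(typeof(LogonNotice))) {
            LogonNotice notice = objectSpace.FindObject<LogonNotice>(null);
            if (notice != null) {
                // Display notice.Text on the logon form (assumed property).
                Console.WriteLine(notice.Text);
            }
        }
    }
}
```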
Refer to our updated online documentation and demos for more examples.
How to restore the previous behavior
To temporarily return the former behavior without making the aforementioned code adjustments, set the SecurityStrategy.AllowAnonymousAccess property to true (not recommended). For example:
[C#]
// Inside the YourXafApplicationClassName constructor in the YourSolutionName.Wxx\WxxApplication.cs file:
// ...
securityStrategyComplex1.AllowAnonymousAccess = true;
// ...
[VB.NET]
' Inside the YourXafApplicationClassName constructor in the YourSolutionName.Wxx\WxxApplication.vb file:
' ...
securityStrategyComplex1.AllowAnonymousAccess = True
' ...