A One-Click Solution to Build ASP.NET Core Web / HTTP / REST API Services

Interoperability Powered by OData & Swagger / OpenAPI

The Solution Wizard scaffolds a Web API Service with integrated authorization & CRUD operations powered by EF Core and our XPO ORM library. You can use OAuth2, JWT or custom strategies for authentication alongside tools like Postman or Swagger for API testing. The built-in security system also filters out secured server data based on permissions granted to users. Basic functions of our Web API Service are available for free.

Additional services/benefits of our Web API Service ship as part of the DevExpress Universal Subscription and include:

  • Technical support and full source code
  • XAF's administrative UI to manage users and roles at runtime using WinForms, WebForms, and Blazor apps
  • Localization functions (endpoints to obtain localized captions for classes, members, and custom UI elements)
  • Advanced/enterprise functions such as audit trail, endpoints to download reports, file attachments, check validation, etc.




Mario Blatarić

Logon Ltd.

I have a new, rather big project and I decided to give Web API services a serious go (for a mobile app with GIS functionality). It turned out to be a serious time saver with the ability to reuse the entire data model and security. Before, I would have to write a new project, replicate and constantly maintain the data structure, deal with security and so on. Web API Services are just a natural fit for XAF Blazor, I really like it.

Enterprise-Ready Role-based Access Control (RBAC) & Permission Management

While certain platforms (like ASP.NET) simplify authentication and basic authorization with built-in design time APIs, it's difficult to construct a flexible/customizable app security system (with the ability to customize the system once the app is deployed). Our Role-based Access Control (RBAC) & Permission Management API for .NET allows you to incorporate a highly flexible/customizable security system in your next .NET app.

LOB app developers want to save time and do not want to implement complex security memberships and authentication/authorization algorithms from scratch (for example, in apps that filter protected data against a user's access rights or check whether the current user is allowed to delete records). Our Role-based Access Control & Permission Management API for .NET allows you to incorporate advanced security-related capabilities with minimal effort.

Getting security right (safe, fast, up-to-date, flexible, and database agnostic) is complicated. Pre-built middleware libraries like ASP.NET Core Identity or Identity Server can be difficult to configure or offer unnecessary functionality. Our Role-based Access Control & Permission Management API for .NET allows you to integrate a proven, database agnostic security sub-system in the shortest possible time.


Target Audience & Common Usage Scenarios

XAF developers who need to create non-XAF .NET apps.

If you want to reuse data models and security settings/configurations (users, roles and permissions) stored within an existing XAF application database, look no further than XAF's .NET App Security & Web API for .NET.

Based on feedback, we know that many XAF developers create custom web and mobile UI clients to service various internal administrative tasks (data modifications, report generation, scheduled workflows). XAF's Security System is perfect for such usage scenarios.

Non-XAF developers who create standard line-of-business (LOB) apps.

If your .NET app includes login/logout forms and requires security related functionality, XAF's .NET App Security & Web API is an easy-to-use alternative to custom app-security logic.

From WinForms, WPF and ASP.NET, to .NET server technologies like ASP.NET Web API/OData, WCF – XAF's Security System is the perfect choice for the enterprise. And yes, XAF's .NET App Security & Web API for .NET also supports Blazor Server & Xamarin Forms (Android & iOS) (support for Blazor WebAssembly and .NET MAUI apps coming soon).

Demo Apps

Minimal dependencies. Your existing ORM knowledge. Secured apps in 3 steps.

Step 1

Reference a few XAF core assemblies from DevExpress NuGet or .NET Installers.

Step 2

Set up the authentication type, then create users and roles using examples for target .NET platforms.

Step 3

Execute secured CRUD operations using your ORM database context or its XAF wrapper.

  • A WinForms CRUD app with Ribbon, Data Grid. The app includes list and detail forms within a Tabbed-MDI shell.
  • DevExtreme + ASP.NET Web API OData: A client-side HTML/JavaScript CRUD app that uses the DevExtreme Data Grid and connects to an OData v4 web service (using the ASP.NET Core Web API).
  • ASP.NET Web Forms: A server-side Web Forms CRUD app that uses our high-performance ASP.NET Data Grid. The demo supports inline data editing.
  • A simple console app that connects to a database and outputs data records based on user rights.
  • Coming soon. Please help us prioritize future development.
  • A native CRUD mobile app for Android and iOS that connects to the ASP.NET Core Web API service.
  • Blazor Server: A server-side ASP.NET Core Blazor CRUD app that uses our high-performance Data Grid component. The demo supports inline data editing.
  • Blazor WebAssembly: Coming soon. Please help us prioritize future development.
  • A server-side ASP.NET MVC Core CRUD app that uses our high-performance DevExtreme-based Data Grid. The demo supports inline data editing.

David Desiderà

More than one year ago I explained to my collaborators that - in my opinion - it was possible to integrate XAF's security layer with UI interface into an existing WinForms enterprise application that was 10 years old. We successfully implemented it! It took 40 man-days of job in total instead of at least 400 if I had decided to start from scratch. You guys saved my life!

Need additional use-cases? Review our advanced user-role management UX for both WinForms and ASP.NET Apps.

Multi-Database Permission Storage

Configure and Persist Settings for Role-Based Access Control (RBAC) Tasks

1. Access control permissions (linked to roles and users) that can be stored in more than a dozen popular data stores (including database servers like SQL Server, Oracle, PostgreSQL, MySQL and Firebird, as well as XML and "in-memory" stores).

  • Type Permissions grant Read, Write, Create, and Delete access to all objects of a given type.
  • Object Permissions work in conjunction with Type Permissions and grant access to object instances that fit a specified criterion.
  • Member Permissions grant access to specific members unconditionally or based on a criterion.

2. Powerful and easy-to-use APIs to configure users, roles and permissions in code or visually within XAF apps.

3. Support for extensions or replacement with custom user, role, and permission objects.


Type, Record & Field Level Authorization Support

Filter Sensitive Data Automatically & Authorize CRUD Operations Manually

1. Two lines of code to filter records against the logged-in user. With a secured object space provider, your ORM data query and modification API will remain unchanged.

2. Fine-grained access control for object relationships, individual objects or columns with or without criteria (example: can read the Full Name field, but cannot modify Salary).

3. Straightforward APIs to check CRUD or custom access rights for UI customizations (example: mask protected editors or disable menu commands).

4. Proven in production environments. Security permission caching for the best possible performance.

5. Easy troubleshooting with comprehensive documentation, diagnostic tools and DevExpress Support.


Joche Ojeda

One of the things I ask my customers is 'do you really want to develop a security system from scratch?' Experience tells me that when someone really wants to build a security system from scratch, it is because they have never had to build one before. Fact is that if you have built a security system from scratch, you'll definitely want to avoid it.

Field Tested Solutions that Work

Proven to save development time

Building and testing a robust security system is not an easy task, especially if your goal is to deliver a fully configurable system and introduce important features such as runtime permission control via an integrated UI.



Bahalddin Elsayed

Regarding XAF's Security - I want to compare what XAF offers to what we built in our company. We initially sought to create the same structure and the same security system layout as XAF. To complete our custom security system and replicate the feature set available in XAF required 5 months of development for 2 individuals. Obviously, XAF's built-in security system saves a lot of time, but what I really like about XAF's Security System is that you can hide or protect tables and associated records both horizontally and vertically. XAF's Security System also allows you to limit access to individual record columns unconditionally or by criteria. The beauty of XAF's access control rules is that they can be applied to user groups or roles.

Basic & Advanced Authentication Options

Authenticate Users with Standard Methods or Implement Custom Strategies

1. Built-in authentication types include: Forms (user name/password), Active Directory (Windows user) and Mixed (several authentication providers).

2. Includes a robust password generation/validation algorithm.

3. Allows you to extend standard authentication methods or replace our implementation with custom authentication strategies and logon parameters. For instance, our popular Blazor example supports OAuth2 with Google or Microsoft cloud authentication providers. Our Web API/OData example protects a backend service using a JWT bearer authentication scheme with Azure AD.


Frequently Asked Questions

Is the .NET App Security & Web API free for commercial use?

Absolutely. .NET App Security & Web API is available free-of-charge. To download your copy, visit: https://www.devexpress.com/security-api-free.

When you register for a free DevExpress product, you can use your registered product for as long as your needs dictate. Should an update be made available free-of-charge, you will be notified via email or this website. Updates that are issued free-of-charge can also be used indefinitely. Please refer to the DevExpress End User License Agreement for detailed licensing information.

Is technical support included with the free .NET App Security & Web API?

No, this free .NET App Security & Web API does not include technical support from DevExpress. Technical support is only available if you own the DevExpress Universal Subscription.

How can I report bugs or share suggestions on .NET App Security & Web API development?

If you encounter a bug, please submit a bug report via our online support system: https://www.devexpress.com/ask. For suggestions to our development team, please complete our survey.

Is the source code included in this free .NET App Security & Web API?

No. Component source code is not included in this offer.

Does the use of this API in non-XAF apps require me to reference all of XAF, its UI and associated dependencies?

No, absolutely not - you do not need to use XAF’s UI or reference XAF associated dependencies. The NuGet packages mentioned above contain non-visual cross-platform .NET Standard 2.0+ assemblies - compatible with .NET Core/.NET 5+ apps.

How can I install all required dependencies?

The fastest way to install all required dependencies is to use the following DevExpress NuGet packages:

You can also download and run our unified installers for .NET Framework and .NET Core. The installer will copy all required assemblies to "c:\Program Files (x86)\DevExpress XX.X" and register local NuGet package sources.

Where can I find technical information and an API reference?

The best place to start is our Technical FAQ. To learn how to use the DevExpress .NET App Security & Web API in your application, explore our GitHub examples, online documentation, or tutorial videos (you can also search our extensive support database).

Register Your Free Copy Today

DevExpress .NET App Security & Web API is available free-of-charge.

