In an XPO blog post in November 2021, I grumbled about how difficult it was to develop a robust and flexible app security system from scratch with any .NET ORM, including Entity Framework (by security, I’m referring to user authentication and role-based data authorization with flexible permission management). Based on feedback, it seems that many of you agree with my position.
But let's be honest: for most (myself included), creating a robust security system is a serious and costly undertaking. This is especially true if your enterprise requires field-tested Role-Based Access Control (RBAC) and advanced authentication based on JWT + OAuth2 for Azure AD. Yes, too many acronyms and SDKs to master, too many `principals`, `access tokens`, and `claims` to remember (brrr…my apologies to ASP.NET Core Identity creators and experts, but I personally hate this complexity. If people reading this are down-to-earth .NET developers like I am, please add "+1" in the comments section below).
CRUD, Authorization, Localization, and Much More for Entity Framework Core 5-based API Services
v22.1 marks the official release of our Web API Service. The Solution Wizard scaffolds an OData v4 Web API Service with integrated authorization & CRUD operations powered by EF Core 5 and our XPO ORM library. You can use OAuth2, JWT or custom strategies for authentication alongside tools like Postman or Swagger (OpenAPI) for API testing. The built-in security system also filters out secured server data based on permissions granted to users.
The basic functions of our Web API Service are available for FREE (as part of our .NET App Security & Web API Service free offer). To download your free copy, please visit: https://www.devexpress.com/security-api-free.
Additional services/benefits of our Web API Service are available to active DevExpress Universal Subscribers and include:
- Technical support and full source code
- XAF's administrative UI to manage users and roles at runtime using WinForms, WebForms, and Blazor apps
- Localization functions (endpoints to obtain localized captions for classes, members, and custom UI elements). The Web API Service project includes a XAFML file with a designer (Model Editor) to help you localize and store strings under the BOModel and Localization nodes - you do not need to worry about the localization structure yourself.
- Advanced/enterprise functions such as audit trail, endpoints to download reports, file attachments, check validation, etc.
Future Plans
- The next major version (v22.2) should support EF Core 6+ for data access.
- We also want to publish this Web API Service template as VSIX in the Visual Studio Marketplace for everyone who registered for our free offer (this will eliminate the need to download and run the DevExpress Unified Component Installer).
Your Feedback Matters
Our long-term customer, Mario Blatarić (Logon Ltd.), shared his recent experience with the Web API Service:
I have a new, rather big project and I decided to give Web API services a serious go (for a mobile app with GIS functionality). It turned out to be a serious time saver with the ability to reuse the entire data model and security. Before, I would have to write a new project, replicate and constantly maintain the data structure, deal with security and so on. Web API Services are just a natural fit for XAF Blazor, I really like it.
Please take a moment to reply to the following questions – your feedback will help us shape/define future development strategies.
Thanks,
Dennis Garavsky
Principal Product Manager
dennis@devexpress.com