NOTE
Changing the strongly typed object set properties to implement row-level security does not remove the need to handle the QueryCreated event in dynamic page templates and call the GetQueryable method of the UnleashedMetaTable class. Unfortunately, the EntityDataSource control does not rely on the ObjectSet properties of the generated ObjectContext classes, such as the NorthwindEntities in this sample project. Instead, it calls the CreateObjectSet method directly, bypassing any logic you might have in the property getters. Because this method is defined in the ObjectContext class as nonvirtual, you cannot override it and have to resort to the event handlers and code-behind.
Dynamic Data offers several options for implementing security. Table scaffolding enables you to specify whether all or specific entities will be accessible for all users through the dynamically generated web pages. Route constraints can be used to specify not only the entities, but also the actions (the types of dynamic pages) that will be accessible. Neither of these two options alone is robust enough to allow implementing a true role-based security system. However, they can be used in combination with custom pages where security is enforced with standard ASP.NET capabilities, such as the authorization rules in web configuration files.
Web configuration files can be used to apply standard authorization rules to the dynamically generated URLs using the <location/> element. This approach enables you to specify flexible authorization rules for entities, actions, users, and roles. However, the resulting configuration is rather verbose and quickly reaches the volume where ongoing maintenance becomes difficult.
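The following Web.config fragment is an added illustration of this approach, not taken from the book's sample project. It assumes the default Dynamic Data route pattern {table}/{action}.aspx and a Northwind Products table; the role names Sales and Managers are hypothetical.

```xml
<?xml version="1.0"?>
<!-- Added example. Assumes the default route "{table}/{action}.aspx";
     the roles "Sales" and "Managers" are hypothetical. -->
<configuration>
  <system.web>
    <!-- Baseline: anonymous users are rejected everywhere. Any entity that
         has no <location> block below stays open to every signed-in user. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Rules are evaluated top-down and the first match wins, so each block
       ends with an explicit deny instead of falling through to the baseline. -->
  <location path="Products/List.aspx">
    <system.web>
      <authorization>
        <allow roles="Sales,Managers" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
  <location path="Products/Details.aspx">
    <system.web>
      <authorization>
        <allow roles="Sales,Managers" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Write actions are limited to Managers. -->
  <location path="Products/Edit.aspx">
    <system.web>
      <authorization>
        <allow roles="Managers" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
  <location path="Products/Insert.aspx">
    <system.web>
      <authorization>
        <allow roles="Managers" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Four blocks cover four actions of a single entity, which shows how quickly the file grows. Because the rules match URL paths, they have to be revisited whenever a route definition changes.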
The metadata API provided by Dynamic Data includes security-focused methods that can be overridden to implement a fully featured authorization system based on entities, actions, users, and roles, plus limited support for row-level security. A significant advantage of using the security APIs is the ability to not only prevent unauthorized access to entire web pages, but also to perform UI trimming and hide inaccessible information and actions from dynamic pages as well.
Although the metadata API is the best way to implement security in Dynamic Data web pages, it is not directly applicable to the custom WebForms and MVC pages that most real-world applications still need to get the job done. With the help of security annotations, custom attributes similar to data annotations, you can define security rules that can be equally accessible from web pages based on Dynamic Data and other ASP.NET frameworks. You can also take it a step further and extend the Entity Framework's ObjectContext to support these security annotations and enable reuse of the same security rules in other types of applications as well.