|
|
You're in the
sql server reporting services
group:ReportViewer over the internet
sql server reporting services:
I asked a similar question recently, but I'm afraid I'm still not sure
of the best way to proceed. We need the ability to provide internet users with the ability to access the Reporting Services report viewer. The internet users will not have a Windows accounts. The report viewer is necessary if we are to be able to provide report drill down, exporting to different formats, etc. How does an internet user (anonymous) authenticate to Reporting Services in this scenario? If it is not possible to provide internet users access to the report viewer, is it somehow possible through the Report Services SOAP API (Web Service) to provide access to reports that have drill down capabilities?
Mark,
[quoted text, click to view] > How does an internet user (anonymous) authenticate to > Reporting Services in this scenario? You need to replace the RS Windows-based security with custom security extension which will auuthenticate your users against a user profile store. For more information see http://msdn.microsoft.com/library/?url=/library/en-us/dnsql2k/html/ufairs.asp?frame=true#ufairs_topic3 [quoted text, click to view] > If it is not possible to provide internet users access to the report > viewer, is it somehow possible through the Report Services SOAP API > (Web Service) to provide access to reports that have drill down > capabilities? No, you need to use URL addressibility. ReportViewer coupled with Forms Authentication will be the ticket for this to work -- Hope this helps. ----------------------------------------------------- Teo Lachev, MCSD, MCT Author: "Microsoft Reporting Services in Action" Publisher website: http://www.manning.com/lachev Buy it from Amazon.com: http://shrinkster.com/eq Home page and blog: http://www.prologika.com/ ----------------------------------------------------- [quoted text, click to view] "MarkMurphy" <murphy@murphysw.com> wrote in message news:e061eb57.0409011711.10164dc2@posting.google.com... > I asked a similar question recently, but I'm afraid I'm still not sure > of the best way to proceed. > > We need the ability to provide internet users with the ability to > access the Reporting Services report viewer. The internet users will > not have a Windows accounts. The report viewer is necessary if we are > to be able to provide report drill down, exporting to different > formats, etc. How does an internet user (anonymous) authenticate to > Reporting Services in this scenario? > > If it is not possible to provide internet users access to the report > viewer, is it somehow possible through the Report Services SOAP API > (Web Service) to provide access to reports that have drill down > capabilities? > > > Thanks, Mark
Yes, but even easier (but not secure in any way) is to just turn on
Anonymous access to your /reports and /reportserver virtual directories. Then essentially anyone can view the reports without an IE/NT Auth popup. This (for the time being) is what we are doing here. We then pass in the appropriate AccountID via a URL parameter from a standard ASP POST. Granted, the parameter fields are hidden on the report (via SP1) but users could View Source on the resultant report, see the full URL and hack the AccountID and resubmit. So far, we're not concerned about that, since the data isn't sensitive. We did it this way to interface RS with an existing classic ASP web site. Our next task is to change the existing simple form-based login to one in .NET that is secure. Jeff [quoted text, click to view] "Teo Lachev" <teo.lachev@nospam.prologika.com> wrote in message news:e8ETELPkEHA.3988@tk2msftngp13.phx.gbl... > Mark, > > > How does an internet user (anonymous) authenticate to > > Reporting Services in this scenario? > > You need to replace the RS Windows-based security with custom security > extension which will auuthenticate your users against a user profile store. > For more information see > http://msdn.microsoft.com/library/?url=/library/en-us/dnsql2k/html/ufairs.asp?frame=true#ufairs_topic3 > > > > If it is not possible to provide internet users access to the report > > viewer, is it somehow possible through the Report Services SOAP API > > (Web Service) to provide access to reports that have drill down > > capabilities? > > No, you need to use URL addressibility. ReportViewer coupled with Forms > Authentication will be the ticket for this to work > > -- > Hope this helps. > > ----------------------------------------------------- > Teo Lachev, MCSD, MCT > Author: "Microsoft Reporting Services in Action" > Publisher website: http://www.manning.com/lachev > Buy it from Amazon.com: http://shrinkster.com/eq > Home page and blog: http://www.prologika.com/ > ----------------------------------------------------- > > "MarkMurphy" <murphy@murphysw.com> wrote in message > news:e061eb57.0409011711.10164dc2@posting.google.com... > > I asked a similar question recently, but I'm afraid I'm still not sure > > of the best way to proceed. > > > > We need the ability to provide internet users with the ability to > > access the Reporting Services report viewer. The internet users will > > not have a Windows accounts. The report viewer is necessary if we are > > to be able to provide report drill down, exporting to different > > formats, etc. How does an internet user (anonymous) authenticate to > > Reporting Services in this scenario? > > > > If it is not possible to provide internet users access to the report > > viewer, is it somehow possible through the Report Services SOAP API > > (Web Service) to provide access to reports that have drill down > > capabilities? > > > > > > Thanks, Mark > >
We have form based security via SSL with standard ASP to differentiate
users, and check security with every page request via the Session object. We are HIPAA compliant with respect to security. We just aren't using NT Auth yet while converting a huge standard ASP web site, but are already rolling out Reporting Services. All SQL access is done via stored procedures. Save your rude quips for someone who isn't trying to help. [quoted text, click to view] "Teo Lachev" <teo.lachev@nospam.prologika.com> wrote in message news:uhk32bRkEHA.1764@TK2MSFTNGP10.phx.gbl... > Jeff, > > I know that Anonymous access is an option but I won't even mention it and > you know why already. > > There is no way to differentiate the users and pretty much all bets are off > in terms of security. You may be better off just giving your users direct > access to the database to shell out to Enteprise Manager and do ad-hoc > reporting :-) > > -- > Hope this helps. > > ----------------------------------------------------- > Teo Lachev, MCSD, MCT > Author: "Microsoft Reporting Services in Action" > Publisher website: http://www.manning.com/lachev > Buy it from Amazon.com: http://shrinkster.com/eq > Home page and blog: http://www.prologika.com/ > ----------------------------------------------------- > > "Jeff Dillon" <jeff@removeemergencyreporting.com> wrote in message > news:OtpmIJRkEHA.3852@tk2msftngp13.phx.gbl... > > Yes, but even easier (but not secure in any way) is to just turn on > > Anonymous access to your /reports and /reportserver virtual directories. > > Then essentially anyone can view the reports without an IE/NT Auth popup. > > This (for the time being) is what we are doing here. We then pass in the > > appropriate AccountID via a URL parameter from a standard ASP POST. > Granted, > > the parameter fields are hidden on the report (via SP1) but users could > View > > Source on the resultant report, see the full URL and hack the AccountID > and > > resubmit. So far, we're not concerned about that, since the data isn't > > sensitive. We did it this way to interface RS with an existing classic ASP > > web site. Our next task is to change the existing simple form-based login > to > > one in .NET that is secure. > > > > Jeff > > > > "Teo Lachev" <teo.lachev@nospam.prologika.com> wrote in message > > news:e8ETELPkEHA.3988@tk2msftngp13.phx.gbl... > > > Mark, > > > > > > > How does an internet user (anonymous) authenticate to > > > > Reporting Services in this scenario? > > > > > > You need to replace the RS Windows-based security with custom security > > > extension which will auuthenticate your users against a user profile > > store. > > > For more information see > > > > > > http://msdn.microsoft.com/library/?url=/library/en-us/dnsql2k/html/ufairs.asp?frame=true#ufairs_topic3 > > > > > > > > > > If it is not possible to provide internet users access to the report > > > > viewer, is it somehow possible through the Report Services SOAP API > > > > (Web Service) to provide access to reports that have drill down > > > > capabilities? > > > > > > No, you need to use URL addressibility. ReportViewer coupled with Forms > > > Authentication will be the ticket for this to work > > > > > > -- > > > Hope this helps. > > > > > > ----------------------------------------------------- > > > Teo Lachev, MCSD, MCT > > > Author: "Microsoft Reporting Services in Action" > > > Publisher website: http://www.manning.com/lachev > > > Buy it from Amazon.com: http://shrinkster.com/eq > > > Home page and blog: http://www.prologika.com/ > > > ----------------------------------------------------- > > > > > > "MarkMurphy" <murphy@murphysw.com> wrote in message > > > news:e061eb57.0409011711.10164dc2@posting.google.com... > > > > I asked a similar question recently, but I'm afraid I'm still not sure > > > > of the best way to proceed. > > > > > > > > We need the ability to provide internet users with the ability to > > > > access the Reporting Services report viewer. The internet users will > > > > not have a Windows accounts. The report viewer is necessary if we are > > > > to be able to provide report drill down, exporting to different > > > > formats, etc. How does an internet user (anonymous) authenticate to > > > > Reporting Services in this scenario? > > > > > > > > If it is not possible to provide internet users access to the report > > > > viewer, is it somehow possible through the Report Services SOAP API > > > > (Web Service) to provide access to reports that have drill down > > > > capabilities? > > > > > > > > > > > > Thanks, Mark > > > > > > > > > > > >
Jeff,
I know that Anonymous access is an option but I won't even mention it and you know why already. There is no way to differentiate the users and pretty much all bets are off in terms of security. You may be better off just giving your users direct access to the database to shell out to Enteprise Manager and do ad-hoc reporting :-) -- Hope this helps. ----------------------------------------------------- Teo Lachev, MCSD, MCT Author: "Microsoft Reporting Services in Action" Publisher website: http://www.manning.com/lachev Buy it from Amazon.com: http://shrinkster.com/eq Home page and blog: http://www.prologika.com/ ----------------------------------------------------- [quoted text, click to view] "Jeff Dillon" <jeff@removeemergencyreporting.com> wrote in message news:OtpmIJRkEHA.3852@tk2msftngp13.phx.gbl... > Yes, but even easier (but not secure in any way) is to just turn on > Anonymous access to your /reports and /reportserver virtual directories. > Then essentially anyone can view the reports without an IE/NT Auth popup. > This (for the time being) is what we are doing here. We then pass in the > appropriate AccountID via a URL parameter from a standard ASP POST. Granted, > the parameter fields are hidden on the report (via SP1) but users could View > Source on the resultant report, see the full URL and hack the AccountID and > resubmit. So far, we're not concerned about that, since the data isn't > sensitive. We did it this way to interface RS with an existing classic ASP > web site. Our next task is to change the existing simple form-based login to > one in .NET that is secure. > > Jeff > > "Teo Lachev" <teo.lachev@nospam.prologika.com> wrote in message > news:e8ETELPkEHA.3988@tk2msftngp13.phx.gbl... > > Mark, > > > > > How does an internet user (anonymous) authenticate to > > > Reporting Services in this scenario? > > > > You need to replace the RS Windows-based security with custom security > > extension which will auuthenticate your users against a user profile > store. > > For more information see > > > http://msdn.microsoft.com/library/?url=/library/en-us/dnsql2k/html/ufairs.asp?frame=true#ufairs_topic3 > > > > > > > If it is not possible to provide internet users access to the report > > > viewer, is it somehow possible through the Report Services SOAP API > > > (Web Service) to provide access to reports that have drill down > > > capabilities? > > > > No, you need to use URL addressibility. ReportViewer coupled with Forms > > Authentication will be the ticket for this to work > > > > -- > > Hope this helps. > > > > ----------------------------------------------------- > > Teo Lachev, MCSD, MCT > > Author: "Microsoft Reporting Services in Action" > > Publisher website: http://www.manning.com/lachev > > Buy it from Amazon.com: http://shrinkster.com/eq > > Home page and blog: http://www.prologika.com/ > > ----------------------------------------------------- > > > > "MarkMurphy" <murphy@murphysw.com> wrote in message > > news:e061eb57.0409011711.10164dc2@posting.google.com... > > > I asked a similar question recently, but I'm afraid I'm still not sure > > > of the best way to proceed. > > > > > > We need the ability to provide internet users with the ability to > > > access the Reporting Services report viewer. The internet users will > > > not have a Windows accounts. The report viewer is necessary if we are > > > to be able to provide report drill down, exporting to different > > > formats, etc. How does an internet user (anonymous) authenticate to > > > Reporting Services in this scenario? > > > > > > If it is not possible to provide internet users access to the report > > > viewer, is it somehow possible through the Report Services SOAP API > > > (Web Service) to provide access to reports that have drill down > > > capabilities? > > > > > > > > > Thanks, Mark > > > > > >
Agreed. No harm done for us if the URL is hacked at this point, no sensitive
data. It's just buying us some time till we do it right. We have a large standard ASP application that uses simple form-based authentication (passing the entered username/password to SQL via sproc, comparing to our ERSUsers table, etc). We need to keep our ASP pages for now. Can we pass, via form POST from ASP to ASP.NET, the username and password they enter for proper Forms Authentication in RS? We want to avoid the IE popup, and avoid them having to log in twice, and keep our heavy investment in classic ASP. thx Jeff [quoted text, click to view] "Teo Lachev" <teo.lachev@nospam.prologika.com> wrote in message
news:e4kZLkSkEHA.3912@TK2MSFTNGP12.phx.gbl... > Jeff, > > I didn't mean to be rude...a poor attempt for humor I guess. > > Just to clarify once again that the practice you described should be > avoided. RS doesn't know anything about your app security and passing the > AccountID through a report parameter is an invitation for a security hack. > There is really nothing stoping the user from requesting the report by URL > and passing whatever account id. > > Instead, if URL addressibility is used, Forms Authentication should be > implemented and the user identity should be retrieved from User!UserId. > > -- > Hope this helps. > > ----------------------------------------------------- > Teo Lachev, MCSD, MCT > Author: "Microsoft Reporting Services in Action" > Publisher website: http://www.manning.com/lachev > Buy it from Amazon.com: http://shrinkster.com/eq > Home page and blog: http://www.prologika.com/ > ----------------------------------------------------- > > "Jeff Dillon" <jeff@removeemergencyreporting.com> wrote in message > news:euwXPmRkEHA.2848@TK2MSFTNGP15.phx.gbl... > > We have form based security via SSL with standard ASP to differentiate > > users, and check security with every page request via the Session object. > We > > are HIPAA compliant with respect to security. We just aren't using NT Auth > > yet while converting a huge standard ASP web site, but are already rolling > > out Reporting Services. All SQL access is done via stored procedures. > > > > Save your rude quips for someone who isn't trying to help. > > > > > > "Teo Lachev" <teo.lachev@nospam.prologika.com> wrote in message > > news:uhk32bRkEHA.1764@TK2MSFTNGP10.phx.gbl... > > > Jeff, > > > > > > I know that Anonymous access is an option but I won't even mention it > and > > > you know why already. > > > > > > There is no way to differentiate the users and pretty much all bets are > > off > > > in terms of security. You may be better off just giving your users > direct > > > access to the database to shell out to Enteprise Manager and do ad-hoc > > > reporting :-) > > > > > > -- > > > Hope this helps. > > > > > > ----------------------------------------------------- > > > Teo Lachev, MCSD, MCT > > > Author: "Microsoft Reporting Services in Action" > > > Publisher website: http://www.manning.com/lachev > > > Buy it from Amazon.com: http://shrinkster.com/eq > > > Home page and blog: http://www.prologika.com/ > > > ----------------------------------------------------- > > > > > > "Jeff Dillon" <jeff@removeemergencyreporting.com> wrote in message > > > news:OtpmIJRkEHA.3852@tk2msftngp13.phx.gbl... > > > > Yes, but even easier (but not secure in any way) is to just turn on > > > > Anonymous access to your /reports and /reportserver virtual > directories. > > > > Then essentially anyone can view the reports without an IE/NT Auth > > popup. > > > > This (for the time being) is what we are doing here. We then pass in > the > > > > appropriate AccountID via a URL parameter from a standard ASP POST. > > > Granted, > > > > the parameter fields are hidden on the report (via SP1) but users > could > > > View > > > > Source on the resultant report, see the full URL and hack the > AccountID > > > and > > > > resubmit. So far, we're not concerned about that, since the data isn't > > > > sensitive. We did it this way to interface RS with an existing classic > > ASP > > > > web site. Our next task is to change the existing simple form-based > > login > > > to > > > > one in .NET that is secure. > > > > > > > > Jeff > > > > > > > > "Teo Lachev" <teo.lachev@nospam.prologika.com> wrote in message > > > > news:e8ETELPkEHA.3988@tk2msftngp13.phx.gbl... > > > > > Mark, > > > > > > > > > > > How does an internet user (anonymous) authenticate to > > > > > > Reporting Services in this scenario? > > > > > > > > > > You need to replace the RS Windows-based security with custom > security > > > > > extension which will auuthenticate your users against a user profile > > > > store. > > > > > For more information see > > > > > > > > > > > > > > > http://msdn.microsoft.com/library/?url=/library/en-us/dnsql2k/html/ufairs.asp?frame=true#ufairs_topic3 > > > > > > > > > > > > > > > > If it is not possible to provide internet users access to the > report > > > > > > viewer, is it somehow possible through the Report Services SOAP > API > > > > > > (Web Service) to provide access to reports that have drill down > > > > > > capabilities? > > > > > > > > > > No, you need to use URL addressibility. ReportViewer coupled with > > Forms > > > > > Authentication will be the ticket for this to work > > > > > > > > > > -- > > > > > Hope this helps. > > > > > > > > > > ----------------------------------------------------- > > > > > Teo Lachev, MCSD, MCT > > > > > Author: "Microsoft Reporting Services in Action" > > > > > Publisher website: http://www.manning.com/lachev > > > > > Buy it from Amazon.com: http://shrinkster.com/eq > > > > > Home page and blog: http://www.prologika.com/ > > > > > ----------------------------------------------------- > > > > > > > > > > "MarkMurphy" <murphy@murphysw.com> wrote in message > > > > > news:e061eb57.0409011711.10164dc2@posting.google.com... > > > > > > I asked a similar question recently, but I'm afraid I'm still not > > sure > > > > > > of the best way to proceed. > > > > > > > > > > > > We need the ability to provide internet users with the ability to > > > > > > access the Reporting Services report viewer. The internet users > > will > > > > > > not have a Windows accounts. The report viewer is necessary if we > > are > > > > > > to be able to provide report drill down, exporting to different > > > > > > formats, etc. How does an internet user (anonymous) authenticate > to > > > > > > Reporting Services in this scenario? > > > > > > > > > > > > If it is not possible to provide internet users access to the > report > > > > > > viewer, is it somehow possible through the Report Services SOAP > API > > > > > > (Web Service) to provide access to reports that have drill down > > > > > > capabilities? > > > > > > > > > > > > > > > > > > Thanks, Mark > > > > >
Jeff,
I didn't mean to be rude...a poor attempt for humor I guess. Just to clarify once again that the practice you described should be avoided. RS doesn't know anything about your app security and passing the AccountID through a report parameter is an invitation for a security hack. There is really nothing stoping the user from requesting the report by URL and passing whatever account id. Instead, if URL addressibility is used, Forms Authentication should be implemented and the user identity should be retrieved from User!UserId. -- Hope this helps. ----------------------------------------------------- Teo Lachev, MCSD, MCT Author: "Microsoft Reporting Services in Action" Publisher website: http://www.manning.com/lachev Buy it from Amazon.com: http://shrinkster.com/eq Home page and blog: http://www.prologika.com/ ----------------------------------------------------- [quoted text, click to view] "Jeff Dillon" <jeff@removeemergencyreporting.com> wrote in message news:euwXPmRkEHA.2848@TK2MSFTNGP15.phx.gbl... > We have form based security via SSL with standard ASP to differentiate > users, and check security with every page request via the Session object. We > are HIPAA compliant with respect to security. We just aren't using NT Auth > yet while converting a huge standard ASP web site, but are already rolling > out Reporting Services. All SQL access is done via stored procedures. > > Save your rude quips for someone who isn't trying to help. > > > "Teo Lachev" <teo.lachev@nospam.prologika.com> wrote in message > news:uhk32bRkEHA.1764@TK2MSFTNGP10.phx.gbl... > > Jeff, > > > > I know that Anonymous access is an option but I won't even mention it and > > you know why already. > > > > There is no way to differentiate the users and pretty much all bets are > off > > in terms of security. You may be better off just giving your users direct > > access to the database to shell out to Enteprise Manager and do ad-hoc > > reporting :-) > > > > -- > > Hope this helps. > > > > ----------------------------------------------------- > > Teo Lachev, MCSD, MCT > > Author: "Microsoft Reporting Services in Action" > > Publisher website: http://www.manning.com/lachev > > Buy it from Amazon.com: http://shrinkster.com/eq > > Home page and blog: http://www.prologika.com/ > > ----------------------------------------------------- > > > > "Jeff Dillon" <jeff@removeemergencyreporting.com> wrote in message > > news:OtpmIJRkEHA.3852@tk2msftngp13.phx.gbl... > > > Yes, but even easier (but not secure in any way) is to just turn on > > > Anonymous access to your /reports and /reportserver virtual directories. > > > Then essentially anyone can view the reports without an IE/NT Auth > popup. > > > This (for the time being) is what we are doing here. We then pass in the > > > appropriate AccountID via a URL parameter from a standard ASP POST. > > Granted, > > > the parameter fields are hidden on the report (via SP1) but users could > > View > > > Source on the resultant report, see the full URL and hack the AccountID > > and > > > resubmit. So far, we're not concerned about that, since the data isn't > > > sensitive. We did it this way to interface RS with an existing classic > ASP > > > web site. Our next task is to change the existing simple form-based > login > > to > > > one in .NET that is secure. > > > > > > Jeff > > > > > > "Teo Lachev" <teo.lachev@nospam.prologika.com> wrote in message > > > news:e8ETELPkEHA.3988@tk2msftngp13.phx.gbl... > > > > Mark, > > > > > > > > > How does an internet user (anonymous) authenticate to > > > > > Reporting Services in this scenario? > > > > > > > > You need to replace the RS Windows-based security with custom security > > > > extension which will auuthenticate your users against a user profile > > > store. > > > > For more information see > > > > > > > > > > http://msdn.microsoft.com/library/?url=/library/en-us/dnsql2k/html/ufairs.asp?frame=true#ufairs_topic3 > > > > > > > > > > > > > If it is not possible to provide internet users access to the report > > > > > viewer, is it somehow possible through the Report Services SOAP API > > > > > (Web Service) to provide access to reports that have drill down > > > > > capabilities? > > > > > > > > No, you need to use URL addressibility. ReportViewer coupled with > Forms > > > > Authentication will be the ticket for this to work > > > > > > > > -- > > > > Hope this helps. > > > > > > > > ----------------------------------------------------- > > > > Teo Lachev, MCSD, MCT > > > > Author: "Microsoft Reporting Services in Action" > > > > Publisher website: http://www.manning.com/lachev > > > > Buy it from Amazon.com: http://shrinkster.com/eq > > > > Home page and blog: http://www.prologika.com/ > > > > ----------------------------------------------------- > > > > > > > > "MarkMurphy" <murphy@murphysw.com> wrote in message > > > > news:e061eb57.0409011711.10164dc2@posting.google.com... > > > > > I asked a similar question recently, but I'm afraid I'm still not > sure > > > > > of the best way to proceed. > > > > > > > > > > We need the ability to provide internet users with the ability to > > > > > access the Reporting Services report viewer. The internet users > will > > > > > not have a Windows accounts. The report viewer is necessary if we > are > > > > > to be able to provide report drill down, exporting to different > > > > > formats, etc. How does an internet user (anonymous) authenticate to > > > > > Reporting Services in this scenario? > > > > > > > > > > If it is not possible to provide internet users access to the report > > > > > viewer, is it somehow possible through the Report Services SOAP API > > > > > (Web Service) to provide access to reports that have drill down > > > > > capabilities? > > > > > > > > > > > > > > > Thanks, Mark > > > > > > > > > > > > > > > > > > > >
Jeff,
If I understand you scenario well you want to keep your existing ASP application and implement Forms Authentication with RS? I would try to use the SOAP Toolkit to invoke the LogonUser SOAP API on the server side of the ASP application. This would be probably your best bet if you don't want to comprimise security because everything is done on the server side. Don't forget to also replicate the proxy override as demostrated by the Microsoft sample. Other options you can consider if you want to have two apps (ASP and ASP.NET) could be ecrypted cookies to pass the credentials, or IP filtering between both applications. -- Hope this helps. ----------------------------------------------------- Teo Lachev, MCSD, MCT Author: "Microsoft Reporting Services in Action" Publisher website: http://www.manning.com/lachev Buy it from Amazon.com: http://shrinkster.com/eq Home page and blog: http://www.prologika.com/ ----------------------------------------------------- [quoted text, click to view] "Jeff Dillon" <jeff@removeemergencyreporting.com> wrote in message
news:%231lylYTkEHA.1356@TK2MSFTNGP09.phx.gbl... > Agreed. No harm done for us if the URL is hacked at this point, no sensitive > data. It's just buying us some time till we do it right. > > We have a large standard ASP application that uses simple form-based > authentication (passing the entered username/password to SQL via sproc, > comparing to our ERSUsers table, etc). We need to keep our ASP pages for > now. Can we pass, via form POST from ASP to ASP.NET, the username and > password they enter for proper Forms Authentication in RS? We want to avoid > the IE popup, and avoid them having to log in twice, and keep our heavy > investment in classic ASP. > > thx > > Jeff > > "Teo Lachev" <teo.lachev@nospam.prologika.com> wrote in message > news:e4kZLkSkEHA.3912@TK2MSFTNGP12.phx.gbl... > > Jeff, > > > > I didn't mean to be rude...a poor attempt for humor I guess. > > > > Just to clarify once again that the practice you described should be > > avoided. RS doesn't know anything about your app security and passing the > > AccountID through a report parameter is an invitation for a security hack. > > There is really nothing stoping the user from requesting the report by URL > > and passing whatever account id. > > > > Instead, if URL addressibility is used, Forms Authentication should be > > implemented and the user identity should be retrieved from User!UserId. > > > > -- > > Hope this helps. > > > > ----------------------------------------------------- > > Teo Lachev, MCSD, MCT > > Author: "Microsoft Reporting Services in Action" > > Publisher website: http://www.manning.com/lachev > > Buy it from Amazon.com: http://shrinkster.com/eq > > Home page and blog: http://www.prologika.com/ > > ----------------------------------------------------- > > > > "Jeff Dillon" <jeff@removeemergencyreporting.com> wrote in message > > news:euwXPmRkEHA.2848@TK2MSFTNGP15.phx.gbl... > > > We have form based security via SSL with standard ASP to differentiate > > > users, and check security with every page request via the Session > object. > > We > > > are HIPAA compliant with respect to security. We just aren't using NT > Auth > > > yet while converting a huge standard ASP web site, but are already > rolling > > > out Reporting Services. All SQL access is done via stored procedures. > > > > > > Save your rude quips for someone who isn't trying to help. > > > > > > > > > "Teo Lachev" <teo.lachev@nospam.prologika.com> wrote in message > > > news:uhk32bRkEHA.1764@TK2MSFTNGP10.phx.gbl... > > > > Jeff, > > > > > > > > I know that Anonymous access is an option but I won't even mention it > > and > > > > you know why already. > > > > > > > > There is no way to differentiate the users and pretty much all bets > are > > > off > > > > in terms of security. You may be better off just giving your users > > direct > > > > access to the database to shell out to Enteprise Manager and do ad-hoc > > > > reporting :-) > > > > > > > > -- > > > > Hope this helps. > > > > > > > > ----------------------------------------------------- > > > > Teo Lachev, MCSD, MCT > > > > Author: "Microsoft Reporting Services in Action" > > > > Publisher website: http://www.manning.com/lachev > > > > Buy it from Amazon.com: http://shrinkster.com/eq > > > > Home page and blog: http://www.prologika.com/ > > > > ----------------------------------------------------- > > > > > > > > "Jeff Dillon" <jeff@removeemergencyreporting.com> wrote in message > > > > news:OtpmIJRkEHA.3852@tk2msftngp13.phx.gbl... > > > > > Yes, but even easier (but not secure in any way) is to just turn on > > > > > Anonymous access to your /reports and /reportserver virtual > > directories. > > > > > Then essentially anyone can view the reports without an IE/NT Auth > > > popup. > > > > > This (for the time being) is what we are doing here. We then pass in > > the > > > > > appropriate AccountID via a URL parameter from a standard ASP POST. > > > > Granted, > > > > > the parameter fields are hidden on the report (via SP1) but users > > could > > > > View > > > > > Source on the resultant report, see the full URL and hack the > > AccountID > > > > and > > > > > resubmit. So far, we're not concerned about that, since the data > isn't > > > > > sensitive. We did it this way to interface RS with an existing > classic > > > ASP > > > > > web site. Our next task is to change the existing simple form-based > > > login > > > > to > > > > > one in .NET that is secure. > > > > > > > > > > Jeff > > > > > > > > > > "Teo Lachev" <teo.lachev@nospam.prologika.com> wrote in message > > > > > news:e8ETELPkEHA.3988@tk2msftngp13.phx.gbl... > > > > > > Mark, > > > > > > > > > > > > > How does an internet user (anonymous) authenticate to > > > > > > > Reporting Services in this scenario? > > > > > > > > > > > > You need to replace the RS Windows-based security with custom > > security > > > > > > extension which will auuthenticate your users against a user > profile > > > > > store. > > > > > > For more information see > > > > > > > > > > > > > > > > > > > > > http://msdn.microsoft.com/library/?url=/library/en-us/dnsql2k/html/ufairs.asp?frame=true#ufairs_topic3 > > > > > > > > > > > > > > > > > > > If it is not possible to provide internet users access to the > > report > > > > > > > viewer, is it somehow possible through the Report Services SOAP > > API > > > > > > > (Web Service) to provide access to reports that have drill down > > > > > > > capabilities? > > > > > > > > > > > > No, you need to use URL addressibility. ReportViewer coupled with > > > Forms > > > > > > Authentication will be the ticket for this to work > > > > > > > > > > > > -- > > > > > > Hope this helps. > > > > > > > > > > > > -----------------------------------------------------
Don't see what you're looking for? Try a search.
|
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
| home · blog · groups | Questions? Comments? Contact the dn |