| Groups | Blog | Home |
sql server reporting services : URL Access Security
web services. I don't know the size of your app or the difficulty is converting to asp.net with framework 2.0 but this sure would be a whole lot easier in that environment. -- Bruce Loehle-Conger MVP SQL Server Reporting Services [quoted text, click to view] "Norman Yuan" <NoAddress@NoEmail.fake> wrote in message news:unEdqBeAIHA.3508@TK2MSFTNGP06.phx.gbl... >I followed your previous posts. > > I do not think make URL to RS is good solution in your case, since your > ASP app uses custom security. If you use URL call to the RS server > directly, your user actually uses two web applications: one is your ASP > app 9with custom security), and one is the RS server (IIS running RS). In > order to achieve the same security control, you need re-configure the RS > server to meet the same requirement as your ASP app. Do you have the > control to the RS server? > > As I mentioned in my previous post and as Mike G suggested in this thread, > if you are able to make web service call in your ASP app, as you stated, > it is very simple to call RS's web service to get the report. It seems you > backed off froom this just because the RS web service returns an binary > stream. Really, get ting an binary stream on the server end is the best > and most ideal thing you can get on the server end. You can svae it as > file on the server with wnatever name you give it (and then return the > file name back to user, as you originally wanted), or send the stream to > user's browser, which triggers download/open popup. > > With VB or VBScript on the ASP server side code, it is not difficult to > save a binary stream. > > "Don Miller" <nospam@nospam.com> wrote in message > news:uZy$omcAIHA.4568@TK2MSFTNGP02.phx.gbl... >> After suggestions from this newsgroup, I would like to use URL access to >> render reports to PDF from my web application. My web application >> (classic ASP 3.0) is secured by custom authentification (not Windows >> auth) so no single page cannot be accessed without signing on first, and >> every single page in the application is SSL encrypted. >> >> I think I can put the ReportServer directory as part of my secure website >> as a virtual directory so it would require https (SSL), but I cannot seem >> to find a way to prevent anyone who has seen or figured out the URL >> (looking at JavaScript code, etc.) to access reports without signing on >> to my application and by simply changing the URL (e.g. changing >> CustomerID parameters). Anonymous users would seem to have unfettered >> access to confidential reports by doing this by simply pasting altered >> URLs in the browser. >> >> This is such a huge security hole, there must be some configuration to >> prevent this. Am I missing something obvious here? >> >> Thanks for any help. >> >
The following is for .net. But I'm pretty sure the pieces for sending the
pdf would work in Classic ASP, or at least get you in the right direction: http://support.microsoft.com/kb/875447 Mike G. [quoted text, click to view] "Don Miller" <nospam@nospam.com> wrote in message news:ODMWjCdAIHA.1208@TK2MSFTNGP05.phx.gbl... >> Someone may have a better answer, but with a little code, you can call >> the web service yourself from your web app. > > And that's the issue. I think I can figure out how to call a web service > with classic ASP when simple strings or even XML are returned from the web > service but it's beyond my comprehension on how a streaming PDF file from > SSRS would be handled. > > > "Mike G." <m4053946_noSpam_@yahoo.com> wrote in message > news:%23RtCKwcAIHA.4656@TK2MSFTNGP04.phx.gbl... >> Someone may have a better answer, but with a little code, you can call >> the web service yourself from your web app. This would eliminate the >> security issue, as the user themselves wouldn't need access to the >> reporting server. This would also deal with the issue of being able to >> name the file yourself, that you had raised on another thread. >> >> Mike G. >> >> >> "Don Miller" <nospam@nospam.com> wrote in message >> news:uZy$omcAIHA.4568@TK2MSFTNGP02.phx.gbl... >>> After suggestions from this newsgroup, I would like to use URL access to >>> render reports to PDF from my web application. My web application >>> (classic ASP 3.0) is secured by custom authentification (not Windows >>> auth) so no single page cannot be accessed without signing on first, and >>> every single page in the application is SSL encrypted. >>> >>> I think I can put the ReportServer directory as part of my secure >>> website as a virtual directory so it would require https (SSL), but I >>> cannot seem to find a way to prevent anyone who has seen or figured out >>> the URL (looking at JavaScript code, etc.) to access reports without >>> signing on to my application and by simply changing the URL (e.g. >>> changing CustomerID parameters). Anonymous users would seem to have >>> unfettered access to confidential reports by doing this by simply >>> pasting altered URLs in the browser. >>> >>> This is such a huge security hole, there must be some configuration to >>> prevent this. Am I missing something obvious here? >>> >>> Thanks for any help. >>> >> >> > >
Thanks a lot, that helps. I think in the end, this will all boil down to
less than 50 lines of code, but which 50 lines out of the hundreds I have to understand first? ;) [quoted text, click to view] "Mike G." <m4053946_noSpam_@yahoo.com> wrote in message news:eELeMUdAIHA.536@TK2MSFTNGP06.phx.gbl... > The following is for .net. But I'm pretty sure the pieces for sending the > pdf would work in Classic ASP, or at least get you in the right direction: > > http://support.microsoft.com/kb/875447 > > Mike G. > > > "Don Miller" <nospam@nospam.com> wrote in message > news:ODMWjCdAIHA.1208@TK2MSFTNGP05.phx.gbl... >>> Someone may have a better answer, but with a little code, you can call >>> the web service yourself from your web app. >> >> And that's the issue. I think I can figure out how to call a web service >> with classic ASP when simple strings or even XML are returned from the >> web service but it's beyond my comprehension on how a streaming PDF file >> from SSRS would be handled. >> >> >> "Mike G." <m4053946_noSpam_@yahoo.com> wrote in message >> news:%23RtCKwcAIHA.4656@TK2MSFTNGP04.phx.gbl... >>> Someone may have a better answer, but with a little code, you can call >>> the web service yourself from your web app. This would eliminate the >>> security issue, as the user themselves wouldn't need access to the >>> reporting server. This would also deal with the issue of being able to >>> name the file yourself, that you had raised on another thread. >>> >>> Mike G. >>> >>> >>> "Don Miller" <nospam@nospam.com> wrote in message >>> news:uZy$omcAIHA.4568@TK2MSFTNGP02.phx.gbl... >>>> After suggestions from this newsgroup, I would like to use URL access >>>> to render reports to PDF from my web application. My web application >>>> (classic ASP 3.0) is secured by custom authentification (not Windows >>>> auth) so no single page cannot be accessed without signing on first, >>>> and every single page in the application is SSL encrypted. >>>> >>>> I think I can put the ReportServer directory as part of my secure >>>> website as a virtual directory so it would require https (SSL), but I >>>> cannot seem to find a way to prevent anyone who has seen or figured out >>>> the URL (looking at JavaScript code, etc.) to access reports without >>>> signing on to my application and by simply changing the URL (e.g. >>>> changing CustomerID parameters). Anonymous users would seem to have >>>> unfettered access to confidential reports by doing this by simply >>>> pasting altered URLs in the browser. >>>> >>>> This is such a huge security hole, there must be some configuration to >>>> prevent this. Am I missing something obvious here? >>>> >>>> Thanks for any help. >>>> >>> >>> >> >> > >
After suggestions from this newsgroup, I would like to use URL access to
render reports to PDF from my web application. My web application (classic ASP 3.0) is secured by custom authentification (not Windows auth) so no single page cannot be accessed without signing on first, and every single page in the application is SSL encrypted. I think I can put the ReportServer directory as part of my secure website as a virtual directory so it would require https (SSL), but I cannot seem to find a way to prevent anyone who has seen or figured out the URL (looking at JavaScript code, etc.) to access reports without signing on to my application and by simply changing the URL (e.g. changing CustomerID parameters). Anonymous users would seem to have unfettered access to confidential reports by doing this by simply pasting altered URLs in the browser. This is such a huge security hole, there must be some configuration to prevent this. Am I missing something obvious here? Thanks for any help.
I followed your previous posts.
I do not think make URL to RS is good solution in your case, since your ASP app uses custom security. If you use URL call to the RS server directly, your user actually uses two web applications: one is your ASP app 9with custom security), and one is the RS server (IIS running RS). In order to achieve the same security control, you need re-configure the RS server to meet the same requirement as your ASP app. Do you have the control to the RS server? As I mentioned in my previous post and as Mike G suggested in this thread, if you are able to make web service call in your ASP app, as you stated, it is very simple to call RS's web service to get the report. It seems you backed off froom this just because the RS web service returns an binary stream. Really, get ting an binary stream on the server end is the best and most ideal thing you can get on the server end. You can svae it as file on the server with wnatever name you give it (and then return the file name back to user, as you originally wanted), or send the stream to user's browser, which triggers download/open popup. With VB or VBScript on the ASP server side code, it is not difficult to save a binary stream. [quoted text, click to view] "Don Miller" <nospam@nospam.com> wrote in message
news:uZy$omcAIHA.4568@TK2MSFTNGP02.phx.gbl... > After suggestions from this newsgroup, I would like to use URL access to > render reports to PDF from my web application. My web application (classic > ASP 3.0) is secured by custom authentification (not Windows auth) so no > single page cannot be accessed without signing on first, and every single > page in the application is SSL encrypted. > > I think I can put the ReportServer directory as part of my secure website > as a virtual directory so it would require https (SSL), but I cannot seem > to find a way to prevent anyone who has seen or figured out the URL > (looking at JavaScript code, etc.) to access reports without signing on to > my application and by simply changing the URL (e.g. changing CustomerID > parameters). Anonymous users would seem to have unfettered access to > confidential reports by doing this by simply pasting altered URLs in the > browser. > > This is such a huge security hole, there must be some configuration to > prevent this. Am I missing something obvious here? > > Thanks for any help. >
[quoted text, click to view]
> Someone may have a better answer, but with a little code, you can call the > web service yourself from your web app. And that's the issue. I think I can figure out how to call a web service with classic ASP when simple strings or even XML are returned from the web service but it's beyond my comprehension on how a streaming PDF file from SSRS would be handled. [quoted text, click to view] "Mike G." <m4053946_noSpam_@yahoo.com> wrote in message news:%23RtCKwcAIHA.4656@TK2MSFTNGP04.phx.gbl... > Someone may have a better answer, but with a little code, you can call the > web service yourself from your web app. This would eliminate the security > issue, as the user themselves wouldn't need access to the reporting > server. This would also deal with the issue of being able to name the file > yourself, that you had raised on another thread. > > Mike G. > > > "Don Miller" <nospam@nospam.com> wrote in message > news:uZy$omcAIHA.4568@TK2MSFTNGP02.phx.gbl... >> After suggestions from this newsgroup, I would like to use URL access to >> render reports to PDF from my web application. My web application >> (classic ASP 3.0) is secured by custom authentification (not Windows >> auth) so no single page cannot be accessed without signing on first, and >> every single page in the application is SSL encrypted. >> >> I think I can put the ReportServer directory as part of my secure website >> as a virtual directory so it would require https (SSL), but I cannot seem >> to find a way to prevent anyone who has seen or figured out the URL >> (looking at JavaScript code, etc.) to access reports without signing on >> to my application and by simply changing the URL (e.g. changing >> CustomerID parameters). Anonymous users would seem to have unfettered >> access to confidential reports by doing this by simply pasting altered >> URLs in the browser. >> >> This is such a huge security hole, there must be some configuration to >> prevent this. Am I missing something obvious here? >> >> Thanks for any help. >> > >
RS uses roles to determine who can see what. If you are not using windows
authentication then you need to implement forms authentication. RS has the ability to call your code for authentication of the user. What I do is allow users to run certain reports. They can run that report for any values. If you don't want to do that then what you need to do is include a user parameter in your query (for instance a user to CustomerID mapping or a user to user group to customer id mapping). Then RS has a global variable called User!UserID that you can map the query parameter to. So the UserID is not a parameter. The reason RS seems open to the world to you is because you are currently using Windows integrated security with RS. And, you must be in the local administrators group for the machine run RS. Those two things will make it seem like it is open to the world. It is not. RS comes with only one role configured. That is the administors role and it only has one windows group mapped to it. The local administrators group. Anyone not in that group today cannot view a single thing. Not one report, nothing. So, no, anonymous users cannot see everything. Read up on roles. One other point, if changing of parameters is a concern, web services is the way to go. Another point, I don't know how hard it is to have your app call another web page running in ASP.Net using the 2.0 framework but I know you have asp.net installed somewhere because RS requires it. If you can call a page under the 2.0 framework you can use the webform control that ships with VS 2005. It uses webservices and greatly simplifies integrating with RS. Trying to role your own otherwise is a big learning curve. Oh, the idea of moving the website, just remember RS is an asp.net application. For RS 2005 it is a 2.0 framework app. For RS 2000 is is a 1.1 framework app. -- Bruce Loehle-Conger MVP SQL Server Reporting Services [quoted text, click to view] "Don Miller" <nospam@nospam.com> wrote in message news:uZy$omcAIHA.4568@TK2MSFTNGP02.phx.gbl... > After suggestions from this newsgroup, I would like to use URL access to > render reports to PDF from my web application. My web application (classic > ASP 3.0) is secured by custom authentification (not Windows auth) so no > single page cannot be accessed without signing on first, and every single > page in the application is SSL encrypted. > > I think I can put the ReportServer directory as part of my secure website > as a virtual directory so it would require https (SSL), but I cannot seem > to find a way to prevent anyone who has seen or figured out the URL > (looking at JavaScript code, etc.) to access reports without signing on to > my application and by simply changing the URL (e.g. changing CustomerID > parameters). Anonymous users would seem to have unfettered access to > confidential reports by doing this by simply pasting altered URLs in the > browser. > > This is such a huge security hole, there must be some configuration to > prevent this. Am I missing something obvious here? > > Thanks for any help. >
Someone may have a better answer, but with a little code, you can call the
web service yourself from your web app. This would eliminate the security issue, as the user themselves wouldn't need access to the reporting server. This would also deal with the issue of being able to name the file yourself, that you had raised on another thread. Mike G. [quoted text, click to view] "Don Miller" <nospam@nospam.com> wrote in message news:uZy$omcAIHA.4568@TK2MSFTNGP02.phx.gbl... > After suggestions from this newsgroup, I would like to use URL access to > render reports to PDF from my web application. My web application (classic > ASP 3.0) is secured by custom authentification (not Windows auth) so no > single page cannot be accessed without signing on first, and every single > page in the application is SSL encrypted. > > I think I can put the ReportServer directory as part of my secure website > as a virtual directory so it would require https (SSL), but I cannot seem > to find a way to prevent anyone who has seen or figured out the URL > (looking at JavaScript code, etc.) to access reports without signing on to > my application and by simply changing the URL (e.g. changing CustomerID > parameters). Anonymous users would seem to have unfettered access to > confidential reports by doing this by simply pasting altered URLs in the > browser. > > This is such a huge security hole, there must be some configuration to > prevent this. Am I missing something obvious here? > > Thanks for any help. >
Thanks all.
My concept of what needs to happen is this: 1) My ASP 3.0 application will call a web service (which one I don't know yet - either RS or a custom ASP.NET website) using a) handcrafted ASP code to supply all the SOAP headers, etc.?, or b) use MSXML2.ServerXMLHTTP in ASP 3.0 to then call the RS web service and then just change the headers of the response (see code below)?, or c) create a new ASP.NET 2.0 website with a web service (that runs on my same production server) that takes a CustomerID as a parameter, configures and calls the RS web service, grabs the response.stream, writes it to a file, renames the file, and returns the path of the PDF file now on the server to the calling ASP 3.0 page. 2) Create an ASP.NET 2.0 website and web service that does what I described above. Seems like there are too many steps and I may not need the intermediary ASP.NET 2.0 website and web service at all (IF I KNEW WHAT I WAS DOING ;) ! And advice or pseudo-code would be appreciated. <% Dim xmlobject xmlobject = Server.CreateObject("MSXML2.ServerXMLHTTP") xmlobject.Open ("GET", "http://localhost/ReportServer/Pages/ReportViewer.aspx?%2fTestArchive%2fReport1Parameter", False) xmlobject.Send() ' Adding header newname = "NewName" & ".pdf" Response.AddHeader ("Content-Disposition", "attachment; filename=newname) 'Setting content type for webclient Response.ContentType = "application/pdf" ' Writing binary data Response.BinaryWrite (xmlobject.responseBody) %> [quoted text, click to view] "Norman Yuan" <NoAddress@NoEmail.fake> wrote in message news:unEdqBeAIHA.3508@TK2MSFTNGP06.phx.gbl... >I followed your previous posts. > > I do not think make URL to RS is good solution in your case, since your > ASP app uses custom security. If you use URL call to the RS server > directly, your user actually uses two web applications: one is your ASP > app 9with custom security), and one is the RS server (IIS running RS). In > order to achieve the same security control, you need re-configure the RS > server to meet the same requirement as your ASP app. Do you have the > control to the RS server? > > As I mentioned in my previous post and as Mike G suggested in this thread, > if you are able to make web service call in your ASP app, as you stated, > it is very simple to call RS's web service to get the report. It seems you > backed off froom this just because the RS web service returns an binary > stream. Really, get ting an binary stream on the server end is the best > and most ideal thing you can get on the server end. You can svae it as > file on the server with wnatever name you give it (and then return the > file name back to user, as you originally wanted), or send the stream to > user's browser, which triggers download/open popup. > > With VB or VBScript on the ASP server side code, it is not difficult to > save a binary stream. > > "Don Miller" <nospam@nospam.com> wrote in message > news:uZy$omcAIHA.4568@TK2MSFTNGP02.phx.gbl... >> After suggestions from this newsgroup, I would like to use URL access to >> render reports to PDF from my web application. My web application >> (classic ASP 3.0) is secured by custom authentification (not Windows >> auth) so no single page cannot be accessed without signing on first, and >> every single page in the application is SSL encrypted. >> >> I think I can put the ReportServer directory as part of my secure website >> as a virtual directory so it would require https (SSL), but I cannot seem >> to find a way to prevent anyone who has seen or figured out the URL >> (looking at JavaScript code, etc.) to access reports without signing on >> to my application and by simply changing the URL (e.g. changing >> CustomerID parameters). Anonymous users would seem to have unfettered >> access to confidential reports by doing this by simply pasting altered >> URLs in the browser. >> >> This is such a huge security hole, there must be some configuration to >> prevent this. Am I missing something obvious here? >> >> Thanks for any help. >> >
You're making this quite a bit more difficult than it is.
For Classic ASP OR ASP.NET: 1. call the reporting services web service, pass in whatever params you need to for the report. 2. get the response stream 3. send the response stream to the client. The link I sent earlier (http://support.microsoft.com/kb/875447) has a complete example of the asp.net solution (and is only 15 lines of code!). If you insist in using classic asp, you will have to figure out how to call the web service, which does mean working with soap, etc. Mike G. with the classic asp solution, you will have to write code to call the reporting services web service. [quoted text, click to view] "Don Miller" <nospam@nospam.com> wrote in message news:u0ciaaeAIHA.4836@TK2MSFTNGP06.phx.gbl... > Thanks all. > > My concept of what needs to happen is this: > > 1) My ASP 3.0 application will call a web service (which one I don't know > yet - either RS or a custom ASP.NET website) using a) handcrafted ASP code > to supply all the SOAP headers, etc.?, or b) use MSXML2.ServerXMLHTTP in > ASP 3.0 to then call the RS web service and then just change the headers > of the response (see code below)?, or c) create a new ASP.NET 2.0 website > with a web service (that runs on my same production server) that takes a > CustomerID as a parameter, configures and calls the RS web service, grabs > the response.stream, writes it to a file, renames the file, and returns > the path of the PDF file now on the server to the calling ASP 3.0 page. > > 2) Create an ASP.NET 2.0 website and web service that does what I > described above. > > Seems like there are too many steps and I may not need the intermediary > ASP.NET 2.0 website and web service at all (IF I KNEW WHAT I WAS DOING ;) > ! > > And advice or pseudo-code would be appreciated. > > > <% Dim xmlobject > xmlobject = Server.CreateObject("MSXML2.ServerXMLHTTP") > xmlobject.Open ("GET", > "http://localhost/ReportServer/Pages/ReportViewer.aspx?%2fTestArchive%2fReport1Parameter", > False) > xmlobject.Send() > ' Adding header > newname = "NewName" & ".pdf" > Response.AddHeader ("Content-Disposition", "attachment; filename=newname) > 'Setting content type for webclient > Response.ContentType = "application/pdf" > ' Writing binary data > Response.BinaryWrite (xmlobject.responseBody) > %> > > > "Norman Yuan" <NoAddress@NoEmail.fake> wrote in message > news:unEdqBeAIHA.3508@TK2MSFTNGP06.phx.gbl... >>I followed your previous posts. >> >> I do not think make URL to RS is good solution in your case, since your >> ASP app uses custom security. If you use URL call to the RS server >> directly, your user actually uses two web applications: one is your ASP >> app 9with custom security), and one is the RS server (IIS running RS). In >> order to achieve the same security control, you need re-configure the RS >> server to meet the same requirement as your ASP app. Do you have the >> control to the RS server? >> >> As I mentioned in my previous post and as Mike G suggested in this >> thread, if you are able to make web service call in your ASP app, as you >> stated, it is very simple to call RS's web service to get the report. It >> seems you backed off froom this just because the RS web service returns >> an binary stream. Really, get ting an binary stream on the server end is >> the best and most ideal thing you can get on the server end. You can svae >> it as file on the server with wnatever name you give it (and then return >> the file name back to user, as you originally wanted), or send the stream >> to user's browser, which triggers download/open popup. >> >> With VB or VBScript on the ASP server side code, it is not difficult to >> save a binary stream. >> >> "Don Miller" <nospam@nospam.com> wrote in message >> news:uZy$omcAIHA.4568@TK2MSFTNGP02.phx.gbl... >>> After suggestions from this newsgroup, I would like to use URL access to >>> render reports to PDF from my web application. My web application >>> (classic ASP 3.0) is secured by custom authentification (not Windows >>> auth) so no single page cannot be accessed without signing on first, and >>> every single page in the application is SSL encrypted. >>> >>> I think I can put the ReportServer directory as part of my secure >>> website as a virtual directory so it would require https (SSL), but I >>> cannot seem to find a way to prevent anyone who has seen or figured out >>> the URL (looking at JavaScript code, etc.) to access reports without >>> signing on to my application and by simply changing the URL (e.g. >>> changing CustomerID parameters). Anonymous users would seem to have >>> unfettered access to confidential reports by doing this by simply >>> pasting altered URLs in the browser. >>> >>> This is such a huge security hole, there must be some configuration to >>> prevent this. Am I missing something obvious here? >>> >>> Thanks for any help. >>> >> > >
I appreciate your advice but there seems still to be quite a large gap
between using .NET and ASP Classic (which I have to use). It will be quite difficult for me to get down to the bare metal with ASP and SOAP (e.g. understanding the WSDL for ReportingExecution and knowing what has to be present, i.e. credentials, parameters, etc.) versus using a high-level framework that takes care of the bare metal stuff under the covers. I still don't understand how a response stream is returned from a SOAP call where everything is encapsulated in XML <render>result string</render>. Is there anyone left out there who I could contract to do this? [quoted text, click to view] "Mike G." <m4053946_noSpam_@yahoo.com> wrote in message news:%23UGo66eAIHA.5124@TK2MSFTNGP04.phx.gbl... > You're making this quite a bit more difficult than it is. > > For Classic ASP OR ASP.NET: > 1. call the reporting services web service, pass in whatever params you > need to for the report. > 2. get the response stream > 3. send the response stream to the client. > > The link I sent earlier (http://support.microsoft.com/kb/875447) has a > complete example of the asp.net solution (and is only 15 lines of code!). > If you insist in using classic asp, you will have to figure out how to > call the web service, which does mean working with soap, etc. > > Mike G. > > > with the classic asp solution, you will have to write code to call the > reporting services web service. > > "Don Miller" <nospam@nospam.com> wrote in message > news:u0ciaaeAIHA.4836@TK2MSFTNGP06.phx.gbl... >> Thanks all. >> >> My concept of what needs to happen is this: >> >> 1) My ASP 3.0 application will call a web service (which one I don't know >> yet - either RS or a custom ASP.NET website) using a) handcrafted ASP >> code to supply all the SOAP headers, etc.?, or b) use >> MSXML2.ServerXMLHTTP in ASP 3.0 to then call the RS web service and then >> just change the headers of the response (see code below)?, or c) create a >> new ASP.NET 2.0 website with a web service (that runs on my same >> production server) that takes a CustomerID as a parameter, configures and >> calls the RS web service, grabs the response.stream, writes it to a file, >> renames the file, and returns the path of the PDF file now on the server >> to the calling ASP 3.0 page. >> >> 2) Create an ASP.NET 2.0 website and web service that does what I >> described above. >> >> Seems like there are too many steps and I may not need the intermediary >> ASP.NET 2.0 website and web service at all (IF I KNEW WHAT I WAS DOING ;) >> ! >> >> And advice or pseudo-code would be appreciated. >> >> >> <% Dim xmlobject >> xmlobject = Server.CreateObject("MSXML2.ServerXMLHTTP") >> xmlobject.Open ("GET", >> "http://localhost/ReportServer/Pages/ReportViewer.aspx?%2fTestArchive%2fReport1Parameter", >> False) >> xmlobject.Send() >> ' Adding header >> newname = "NewName" & ".pdf" >> Response.AddHeader ("Content-Disposition", "attachment; >> filename=newname) >> 'Setting content type for webclient >> Response.ContentType = "application/pdf" >> ' Writing binary data >> Response.BinaryWrite (xmlobject.responseBody) >> %> >> >> >> "Norman Yuan" <NoAddress@NoEmail.fake> wrote in message >> news:unEdqBeAIHA.3508@TK2MSFTNGP06.phx.gbl... >>>I followed your previous posts. >>> >>> I do not think make URL to RS is good solution in your case, since your >>> ASP app uses custom security. If you use URL call to the RS server >>> directly, your user actually uses two web applications: one is your ASP >>> app 9with custom security), and one is the RS server (IIS running RS). >>> In order to achieve the same security control, you need re-configure the >>> RS server to meet the same requirement as your ASP app. Do you have the >>> control to the RS server? >>> >>> As I mentioned in my previous post and as Mike G suggested in this >>> thread, if you are able to make web service call in your ASP app, as you >>> stated, it is very simple to call RS's web service to get the report. It >>> seems you backed off froom this just because the RS web service returns >>> an binary stream. Really, get ting an binary stream on the server end is >>> the best and most ideal thing you can get on the server end. You can >>> svae it as file on the server with wnatever name you give it (and then >>> return the file name back to user, as you originally wanted), or send >>> the stream to user's browser, which triggers download/open popup. >>> >>> With VB or VBScript on the ASP server side code, it is not difficult to >>> save a binary stream. >>> >>> "Don Miller" <nospam@nospam.com> wrote in message >>> news:uZy$omcAIHA.4568@TK2MSFTNGP02.phx.gbl... >>>> After suggestions from this newsgroup, I would like to use URL access >>>> to render reports to PDF from my web application. My web application >>>> (classic ASP 3.0) is secured by custom authentification (not Windows >>>> auth) so no single page cannot be accessed without signing on first, >>>> and every single page in the application is SSL encrypted. >>>> >>>> I think I can put the ReportServer directory as part of my secure >>>> website as a virtual directory so it would require https (SSL), but I >>>> cannot seem to find a way to prevent anyone who has seen or figured out >>>> the URL (looking at JavaScript code, etc.) to access reports without >>>> signing on to my application and by simply changing the URL (e.g. >>>> changing CustomerID parameters). Anonymous users would seem to have >>>> unfettered access to confidential reports by doing this by simply >>>> pasting altered URLs in the browser. >>>> >>>> This is such a huge security hole, there must be some configuration to >>>> prevent this. Am I missing something obvious here? >>>> >>>> Thanks for any help. >>>> >>> >> >> > >
[quoted text, click to view]
"Norman Yuan" <NoAddress@NoEmail.fake> wrote in message news:unEdqBeAIHA.3508@TK2MSFTNGP06.phx.gbl... > if you are able to make web service call in your ASP app, as you stated, > it is very simple to call RS's web service to get the report. The simplicity escapes me. Do you know of any examples of how to create the SOAP request properly to call RS's web service? (outside of .NET)
Don't see what you're looking for? Try a search.
|
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
| home · blog · groups | Questions? Comments? Contact the dn |