Hi,
My company has an application in the standard client-server architecture; the client is written in VB 6 and uses reports from the old VB 6 report designer. I am currently undertaking a project which involves transferring these reports to Reporting Services in order to allow access via the internet (a new reporting web front-end is also being designed to work in tandem with the old client). The current client has data restriction features which restrict data and report access depending on a user's group - these features can be managed via the client by users with the correct privileges. In order to prevent creation and maintenance of accounts on both the Report Server and the database for the old client (and to allow non-Windows authentication) I have implemented a custom security extension which authenticates users by checking their credentials against the client's database; I also need to authorize users' requests against this database, however I don't seem to be able to retrieve the identity of the catalogue item that Reporting Services is requesting authorization for.
For example, a report is requested; Reporting Services calls the following method:
<code>
public bool CheckAccess(string userName, IntPtr userToken, byte[] secDesc, Microsoft.ReportingServices.Interfaces.ReportOperation requiredOperation)
</code>
I can't find a way of obtaining the report's name or identity from within this method so I can use it to query the external database to ascertain authorization.
Can anybody help? Am I missing something glaringly obvious?
Your time is very much appreciated.
Adam
In the RS 2000 version, I found this information at HttpContext.Request.QueryString[0]
But in 2005 I can't find it in HttpContext... and I need it urgently.|||I have the solution. Call this method from the IAuthorizationExtension constructor or from your CheckAccess method:
<code>
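using System;
using System.IO;
using System.Web;
using System.Xml;

// Reads the SOAP request body and returns the last segment of the item path.
public string GetReportName()
{
    // Rewind and read the request body. The reader is deliberately not disposed:
    // disposing it would close the request stream that is still needed afterwards.
    HttpContext.Current.Request.InputStream.Position = 0;
    StreamReader rd = new StreamReader(HttpContext.Current.Request.InputStream);
    XmlDocument SOAPDocument = new XmlDocument();
    SOAPDocument.LoadXml(rd.ReadToEnd());
    HttpContext.Current.Request.InputStream.Position = 0;

    XmlNamespaceManager ns = new XmlNamespaceManager(SOAPDocument.NameTable);
    ns.AddNamespace("def", "http://schemas.microsoft.com/sqlserver/2005/06/30/reporting/reportingservices");
    ns.AddNamespace("soap", "http://schemas.xmlsoap.org/soap/envelope/");

    // Look for the item path in an <Item> element first, then in a <Report> element.
    XmlNode result = SOAPDocument.SelectSingleNode("//def:Item", ns);
    if (result == null)
    {
        result = SOAPDocument.SelectSingleNode("//def:Report", ns);
    }
    if (result == null)
    {
        // No path in this request: fall back to the last cached name.
        // HttpContext.Current.Cache is shared by all users and requests, so this
        // value may come from another request; it is null if nothing is cached.
        object cached = HttpContext.Current.Cache["ReportName"];
        return cached == null ? null : cached.ToString();
    }

    string ReportPath = result.InnerText;
    string[] ReportDescription = ReportPath.Split(new char[] { '/' });
    string reportName = ReportDescription[ReportDescription.Length - 1];
    // Cache the name for five minutes (absolute expiry, no sliding expiry).
    HttpContext.Current.Cache.Insert("ReportName", reportName, null, DateTime.Now.AddMinutes(5), TimeSpan.Zero);
    return reportName;
}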
</code>|||I don't think this method will work reliably. Can you elaborate on why you need the path in the security extension - why isn't the ACL that's passed in enough to make access check decisions?|||The ACL passed in to the access check method is based on roles configured in Report Manager.
My client's security has its own roles. I need to know the report name to ask my client's security framework which type of access the user has to this report name.
P.S. Sorry for my bad English.|||
Tudor Trufinescu - MSFT wrote:
I don't think this method will work reliably. Can you elaborate on why you need the path in the security extension - why isn't the ACL that's passed in enough to make access check decisions?
I have posted exactly the same question. The ACL doesn't tell me anything about what the actual object is that the user is trying to get to. It would be helpful to know that User X is trying to execute Report Y in order to do custom authorization....
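Added example, not code from any poster in this thread: a stand-alone C# console program showing one way a lookup like the posted `GetReportName` can hand an authorization check the wrong item. `SharedCache` is a hypothetical stand-in for `HttpContext.Current.Cache`, the user names are made up, and the two SOAP bodies are constructed rather than captured from a Report Server.

```csharp
using System;
using System.Collections.Generic;
using System.Xml;

static class ReportNameDemo
{
    const string RsNs = "http://schemas.microsoft.com/sqlserver/2005/06/30/reporting/reportingservices";
    // Hypothetical stand-in for HttpContext.Current.Cache: one store for every user and request.
    static readonly Dictionary<string, string> SharedCache = new Dictionary<string, string>();

    // Returns the full item path from a SOAP body, or null when the body names no item.
    static string ItemPath(string soap)
    {
        var doc = new XmlDocument();
        doc.LoadXml(soap);
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("def", RsNs);
        XmlNode n = doc.SelectSingleNode("//def:Item", ns) ?? doc.SelectSingleNode("//def:Report", ns);
        return n == null ? null : n.InnerText;
    }

    // Same behaviour as the posted method: last path segment, shared-cache fallback.
    static string WithSharedCache(string soap)
    {
        string path = ItemPath(soap);
        if (path == null) return SharedCache.ContainsKey("ReportName") ? SharedCache["ReportName"] : null;
        string name = path.Substring(path.LastIndexOf('/') + 1);
        SharedCache["ReportName"] = name;
        return name;
    }

    static string Envelope(string body)
    {
        return "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\"><soap:Body>"
             + body + "</soap:Body></soap:Envelope>";
    }

    static void Main()
    {
        // Constructed request bodies: the first names an item, the second names none.
        string alice = Envelope("<GetItemType xmlns=\"" + RsNs + "\"><Item>/Finance/Payroll</Item></GetItemType>");
        string bob = Envelope("<ListSecureMethods xmlns=\"" + RsNs + "\" />");

        Console.WriteLine("alice, shared cache: " + WithSharedCache(alice));
        // bob's request carries no item, so the fallback answers with alice's report name.
        Console.WriteLine("bob, shared cache:   " + WithSharedCache(bob));
        // Without the fallback the caller sees "no item" and can deny instead of guessing.
        Console.WriteLine("bob, no fallback:    " + (ItemPath(bob) ?? "(none: deny)"));
        // Keeping the full path stops /Finance/Payroll and /HR/Payroll resolving to one name.
        Console.WriteLine("alice, full path:    " + ItemPath(alice));
    }
}
```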