This document describes how to ensure a secure access to data in your web reporting applications and lists approaches allowing you to customize the default security mechanisms.
Default data access behavior of the End-User Report Designer is intended to provide a high level of database security.
We strongly recommend that you utilize the default behavior if your reporting application can be accessed by untrusted parties.
We also recommend that you use the access control functionality of your database management system to achieve the highest level of database security.
Before data source connection parameters are passed to the client, they are encrypted by default.
When the SQL Data Source wizard obtains connection strings from the Web.config file, only the connection name is serialized with the report definition.
You can register a custom connection string provider. Based on the registration mode you choose, all the connection parameters or the connection name only are serialized along with a report data source. When the report serialized with connection parameters is passed to the client, these parameters are encrypted by applying the MachineKey algorithm. To provide a custom encryption mechanism, use the ISecureDataConverter interface.
By default, the Data Source Wizard allows only visual constructing of SQL queries using the built-in Query Builder. Queries constructed using the Query Builder can only contain a SELECT statement and are guaranteed to be safe.
Manual editing of SQL queries is considered unsafe and is disabled by default. You can enable SQL editing at your own risk using the approach described in the following document: Enable Custom SQL in Report Designer
Custom SQL queries are validated before their execution. Although the default validation mechanism only allows custom queries containing SELECT statements (except for SELECT INTO clauses), it cannot be considered safe as it does not prevent execution of potentially harmful requests. Before enabling this option, please make sure to apply a secure SQL validation that prevents execution of harmful requests.
It is also recommended that you utilize the access control functionality of your database management system to achieve the highest level of database security.
If this feature is enabled, custom SQL editing is available on the following SQL Data Source Wizard pages.
Loading of custom assemblies that may be referenced by Entity Framework data sources is forbidden by default.
To permit loading a specific assembly, handle the EFDataSource.BeforeLoadCustomAssembly event (or static EFDataSource.BeforeLoadCustomAssemblyGlobal event) and specify the following properties of the BeforeLoadCustomAssemblyEventArgs object.
Specifies whether loading a custom assembly is allowed.
Specifies the path to a requested assembly.
Specifies the type to load from a custom assembly.
An unauthorized attempt to load a custom assembly will result in throwing a CustomAssemblyLoadingProhibitedException.