Data Access Security

This topic documents how you can mitigate security risks when accessing data in DevExpress-powered reporting applications.

Important

By default, our End-User Report Designer and its data access engine offer a high level of database security.

We strongly recommend the use of default behaviors if your reporting application is accessed by untrusted parties.

To minimize security-related risks, you should manage/apply access control within your database management system.

Data Connection Security

Data source connection parameters are encrypted before they are passed to the client.

When the SQL Data Source wizard obtains connection strings from the Web.config file, the serialized report only contains the connection name (and not the connection string itself).

You can register a custom connection string provider and store all the connection parameters or only the connection name with the serialized data source. When the report serialized with connection parameters is passed to the client, these parameters are encrypted by applying the MachineKey algorithm. To use a custom encryption engine, use the ISecureDataConverter interface instead.

Refer to the following topics for more information on data connection registration processes:

Database Security

Disable Custom SQL Queries

Initially, our Data Source Wizard only allows the use of SQL queries designed within our built-in Query Builder. The Query Builder can only construct safe SELECT queries.

Default security settings do not allow direct SQL query text editing. Enable SQL editing at your own risk using the approach described in the following document: Custom SQL Query in Report Designer for Web

Important

Custom SQL queries are validated before execution. Though our default validation engine only allows custom queries with SELECT statements (except for SELECT INTO clauses), it is not safe as it does not prevent execution of potentially harmful requests. You should implement secure SQL validation before you allow custom SQL queries.

Utilize the access control functionality of your database management system for the highest level of database security.

If custom SQL queries are enabled, you can edit SQL statements within the following SQL Data Source Wizard pages:

Restrict Access to Unauthorized Assemblies

Loading custom assemblies that can be referenced by Entity Framework data sources (DashboardEFDataSource) is not allowed.

To load a specific assembly, handle the EFDataSource.BeforeLoadCustomAssembly event (or static EFDataSource.BeforeLoadCustomAssemblyGlobal event) and specify the following properties of the BeforeLoadCustomAssemblyEventArgs object:

AllowLoading
Specifies whether loading a custom assembly is allowed.
AssemblyPath
Specifies a path to a custom assembly.
ContextName
Specifies the type to load from a custom assembly.

An unauthorized attempt to load a custom assembly raises a CustomAssemblyLoadingProhibitedException exception.

Restrict Access to External Resources

Ensure that reports from untrusted sources cannot use the DataSource or XmlDataPath property to access the file system and read files. Restrictions affect ExcelDataSource and JsonDataSource data sources.

You can use static properties and methods of the AccessSettings class to explicitly specify file operation restrictions for Excel data sources and specify allowed URLs for JSON data sources. If your application does not retrieve data from file-based data sources, add the DirectoryAccessRule.Deny() access rule to the AccessSettings.DataResources settings to prohibit all file operations with data sources (review the following code snippet for more information):

// JSON data can be loaded only from URLs; Excel data cannot be loaded from file directories (loading Excel data from URLs is not supported)
bool success = DevExpress.Security.Resources.AccessSettings.DataResources.TrySetRules(
    DevExpress.Security.Resources.UrlAccessRule.Allow(),
    DevExpress.Security.Resources.DirectoryAccessRule.Deny());
if (!success) System.Diagnostics.Debug.Print("Cannot change rules. The rules are already set.");