Skip to main content
BuyLog In
.NET Reporting Tools
Search in…
Docs > Reporting for Web > Common Features > Security > Authorized Access
All docs
V23.2
Reporting
Product Information
.NET / .NET Core Support
Get Started with DevExpress Reporting
Create Different Report Types (Walkthroughs)
Detailed Guide to DevExpress Reporting
Localize Reporting Applications
Security Considerations
Visual Studio Report Designer
VS Code Report Designer
Reporting for Desktop
Reporting for .NET MAUI
Reporting for Web
Common Features
Security
General Security Considerations
Authorized Access
Application Permissions
Data Access Security
Multi-Tenant Support
Custom SQL Query in Report Designer
Custom SQL Query Validation
Printing and Export
Accessibility
Integrate Document Viewer Components
Client-Side Functionality
Themes and Styles
Localization
Supported Browsers
Display Documents from the Report and Dashboard Server
Custom HTML Templates
Web Farm and Web Garden Support
Document Viewer for Web
End-User Report Designer for Web
Web UI Development Bundles that Include Reports
Reporting for Blazor
Reporting for ASP.NET Core
Reporting for Angular
Reporting for Knockout-based Applications
Reporting for React
Reporting for Vue
Reporting for ASP.NET MVC
Reporting for ASP.NET Web Forms
Version Upgrade Guide
Troubleshooting
Cloud Integration
Cross-Platform .NET App UI
Backend Web API Service / REST API for Reporting
WCF Report Service
End-User Documentation
Redistribution and Deployment
API Reference
ASP.NET Core API Reference
Blazor API Reference
Client API Reference
Client API Reference (Web Forms & MVC)
Download CHM

Authorized Access to Reports and Documents in a Web Reporting Application

  • 3 minutes to read

This topic describes how you can introduce user authorization to restrict access to reports and documents within a web-based reporting application.

Authentication

Step 1 - Implement any standard ASP.NET authentication and authorization strategy to identify users.

Authorized Access

To secure your web reporting application, you should prevent unauthorized access to the following objects on the server:

  • Controller actions
  • Reports
  • Documents generated from reports
  • Files exported from documents

The access rule is as follows: only a user who initially creates a report can preview the report or load the exported document.

You can authorize the following requests:

  • Requests to run controller actions
  • Requests to open reports (requests for report name resolution)
  • Requests for operations against the report
  • Requests for operations against the document
  • Requests for operations against export results.

To implement authorized access in web-based reporting applications, please review the following examples:

View Example: Implement User Authorization (ASP.NET MVC)

View Example: Implement User Authorization (ASP.NET Core)

Protect Controller Actions

Built-in ASP.NET authorization allows you to restrict access to handlers and controller actions (use the [Authorize] attribute).

The following table lists default routes that process requests from reporting components:

Component ASP.NET Web Forms, MVC ASP.NET MVC Controllers ASP.NET Core
Report Designer DXXRD.axd /ReportDesignerApi/Invoke ReportDesignerController.DefaultUri
Document Viewer DXXRDV.axd /WebDocumentViewerApi/Invoke WebDocumentViewerController.DefaultUri
Query Builder DXQB.axd /QueryBuilderApi/Invoke QueryBuilderController.DefaultUri

An application that uses our End-User Report Designer requires all three routes for proper operation.

You can implement custom handlers or custom controllers that inherit from controller classes with the [Authorize] attribute or perform access check.

Protect Reports Resolved by Name

You can add access control logic to report name resolution services - services which process a string argument (reportUrl) passed to the method that opens a report. The following services are available:

IReportProvider
A recommended service for the Document Viewer and Report Designer. The primary advantage of IReportProvider service is that it can be attached to reports created at runtime. IReportProviderAsync uses asynchronous operations.
ReportStorageWebExtension
This service is called when no other report name resolution services are available. It is designed to obtain reports (stored in our REPX format) from external storage (a file or a database). Note that the GetData method returns a serialized report. If you use the GetData method to specify the default parameter value for a loaded report, set the Value property to the parameter value.

The following services have a higher priority than the previously mentioned services, although the scope of their use is limited.

IWebDocumentViewerReportResolver

Allows you to parse a report name, create a report instance, and return it to the calling method. If you have a parameterized report, you can specify parameters in the report name passed to the service and use parameters within the report’s constructor.

The IWebDocumentViewerReportResolver service is Intended for use only with the Web Document Viewer, and enables you to implement name resolution differently in the Report Designer and Document Viewer. The XRSubreport control does not use this service.

The IWebDocumentViewerReportResolver service does not support asynchronous mode.

Protect Reports and Documents Generated from Reports

Create and register the IWebDocumentViewerAuthorizationService service to implement authorization when the Document Viewer previews the document. The service is queried when the Document Viewer opens a report, and you can use the service to restrict access to the report itself. Service methods are called before document generation, and before any operation that reads the document.

Protect Exported Documents

Create and register the IExportingAuthorizationService service to implement authorization for exported documents. Access to the exported document can be granted only to the user who initiated the export operation.