V20.2

Authorized Access to Reports and Documents in a Web Reporting Application


This topic describes how to implement user authorization to restrict access to reports and documents in a web reporting application.

Authentication

You should implement any standard ASP.NET authentication and authorization methods to identify users.

If you use token-based identification (JWT bearer token), print and export operations will not work because the request for the exported document and the request to print the document are GET requests. The token cannot be sent to the server with these requests. To resolve this issue, use the IWebDocumentViewerExportResultUriGenerator service. For the complete code example, review the following project: How to export documents in an application with token-based authentication.

Authorized Access

To secure your web reporting application, you should prevent unauthorized access to the following objects on the server:

  • Controller actions
  • Reports
  • Documents generated from reports
  • Files exported from documents

The access rule is as follows: only the user who initially creates a report can preview the report or load the exported document.

You can authorize the following requests:

  • Requests to run controller actions
  • Requests to open reports (requests for report name resolution)
  • Requests for operations with the report
  • Requests for operations with the document
  • Requests for operations with the export results

Review the following examples for the code that implements authorized access in web reporting applications:

View Example: Implement User Authorization (ASP.NET MVC)

View Example: Implement User Authorization (ASP.NET Core)

Protect Controller Actions

Built-in ASP.NET authorization allows you to restrict access to handlers and controller actions (use the [Authorize] attribute).

The following table lists default routes that process requests from reporting components:

| Component | ASP.NET Web Forms, MVC | ASP.NET MVC Controllers | ASP.NET Core |
|---|---|---|---|
| Report Designer | DXXRD.axd | /ReportDesignerApi/Invoke | ReportDesignerController.DefaultUri |
| Document Viewer | DXXRDV.axd | /WebDocumentViewerApi/Invoke | WebDocumentViewerController.DefaultUri |
| Query Builder | DXQB.axd | /QueryBuilderApi/Invoke | QueryBuilderController.DefaultUri |

An application with the End-User Report Designer requires all three routes for proper operation.

You can implement custom handlers, or custom controllers that inherit from the controller classes, and either apply the [Authorize] attribute to them or perform an access check in their code.

Protect Reports Resolved by Name

You can add access control logic to report name resolution services - services which process a string argument (reportUrl) passed to the method that opens a report. The following services are available:

  • The IWebDocumentViewerReportResolver service allows you to parse a report name, create a report instance and return it to the calling method. When you have a parameterized report, you can specify parameters in the report name that is passed to the service, and use parameters in the report’s constructor.

  • The ICachedReportSourceWebResolver service returns the CachedReportSourceWeb instance. It has an asynchronous counterpart - the ICachedReportSourceWebResolverAsync service that allows you to build a document asynchronously.

  • The IReportProvider service has lower priority than the previously mentioned services. However, it is not intended for exclusive use by the Document Viewer. The main advantage of IReportProvider service is that it can be attached to reports created at runtime. The IReportProviderAsync service gives you the benefits of asynchronous operation.

  • The ReportStorageWebExtension service is called when no other report name resolution services are available. It is designed to get reports from external storage (a file or a database) where they are saved in REPX format. You cannot apply parameters with this service because its GetData method returns a serialized report that is subsequently deserialized using a parameterless constructor.

Protect Reports and Documents Generated from Reports

Create and register the IWebDocumentViewerAuthorizationService service to implement authorization when the Document Viewer previews the document. The service is queried when the Document Viewer opens a report, and you can use the service to restrict access to the report. Service methods are called before document generation, and before any operation that reads the document.
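
An added example, not DevExpress code: an owner-only IWebDocumentViewerAuthorizationService for ASP.NET Core that applies the access rule stated above to reports and documents. OwnershipRegistry, OwnershipLogger and OwnerOnlyAuthorizationService are hypothetical names, and the WebDocumentViewerOperationLogger overrides and interface member signatures are assumed from the DevExpress public API, so check them against the installed version.

```csharp
using System.Collections.Concurrent;
using System.Security.Claims;
using DevExpress.XtraReports.UI;
using DevExpress.XtraReports.Web.WebDocumentViewer;
using Microsoft.AspNetCore.Http;

// Hypothetical helper (not a DevExpress type): maps report/document ids to the user who created them.
public sealed class OwnershipRegistry {
    readonly ConcurrentDictionary<string, string> owners = new ConcurrentDictionary<string, string>();
    readonly IHttpContextAccessor http;
    public OwnershipRegistry(IHttpContextAccessor http) { this.http = http; }
    // Null for anonymous requests, so every check below denies them.
    public string CurrentUserId() =>
        http.HttpContext?.User?.FindFirst(ClaimTypes.NameIdentifier)?.Value;
    // First writer wins: an id that already has an owner is never reassigned.
    public void Claim(params string[] ids) {
        var user = CurrentUserId();
        if (string.IsNullOrEmpty(user)) return;
        foreach (var id in ids) if (!string.IsNullOrEmpty(id)) owners.TryAdd(id, user);
    }
    // Deny by default: unknown ids and anonymous callers never match.
    public bool OwnedByCurrentUser(string id) =>
        !string.IsNullOrEmpty(id) && owners.TryGetValue(id, out var owner) && owner == CurrentUserId();
}

// Records ownership when the viewer opens a report and when a document build starts.
public sealed class OwnershipLogger : WebDocumentViewerOperationLogger {
    readonly OwnershipRegistry registry;
    public OwnershipLogger(OwnershipRegistry registry) { this.registry = registry; }
    public override void ReportOpening(string reportId, string documentId, XtraReport report) =>
        registry.Claim(reportId, documentId);
    public override void BuildStarting(string reportId, string documentId, ReportBuildProperties buildProperties) =>
        registry.Claim(reportId, documentId);
}

// Queried before document generation and before any operation that reads the document.
public sealed class OwnerOnlyAuthorizationService : IWebDocumentViewerAuthorizationService {
    readonly OwnershipRegistry registry;
    public OwnerOnlyAuthorizationService(OwnershipRegistry registry) { this.registry = registry; }
    public bool CanCreateReport() => !string.IsNullOrEmpty(registry.CurrentUserId());
    public bool CanCreateDocument() => !string.IsNullOrEmpty(registry.CurrentUserId());
    public bool CanReadReport(string reportId) => registry.OwnedByCurrentUser(reportId);
    public bool CanReadDocument(string documentId) => registry.OwnedByCurrentUser(documentId);
    public bool CanReleaseReport(string reportId) => registry.OwnedByCurrentUser(reportId);
    public bool CanReleaseDocument(string documentId) => registry.OwnedByCurrentUser(documentId);
}
```

Register OwnershipRegistry as a singleton so that ownership persists across requests, and register the logger and the authorization service in the dependency injection container. The in-memory map is lost on restart and is not shared between servers, so a multi-instance deployment needs a shared store behind the same interface.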

Protect Exported Documents

Create and register the IExportingAuthorizationService service to implement authorization for exported documents. Access to the exported document can be granted only to the user who initiated the export.