Authorized Access to Reports and Documents in a Web Reporting Application
- 4 minutes to read
This topic describes how you can introduce user authorization to restrict access to reports and documents within a web-based reporting application.
Authentication
Step 1 - Implement any standard ASP.NET authentication and authorization strategy to identify users.
If you use token-based identification (JWT bearer token), print and export operations will not work because the request for the exported document and the request to print the document are GET requests. The token cannot be sent to the server with these requests. To resolve this issue, use the IWebDocumentViewerExportResultUriGenerator service. For a complete code example, review the following project: How to export documents in an application with token-based authentication.
Authorized Access
To secure your web reporting application, you should prevent unauthorized access to the following objects on the server:
- Controller actions
- Reports
- Documents generated from reports
- Files exported from documents
The access rule is as follows: only a user who initially creates a report can preview the report or load the exported document.
You can authorize the following requests:
- Requests to run controller actions
- Requests to open reports (requests for report name resolution)
- Requests for operations against the report
- Requests for operations against the document
- Requests for operations against export results.
To implement authorized access in web-based reporting applications, please review the following examples:
Protect Controller Actions
Built-in ASP.NET authorization allows you to restrict access to handlers and controller actions (use the [Authorize]
attribute).
The following table lists default routes that process requests from reporting components:
Component | ASP.NET Web Forms, MVC | ASP.NET MVC Controllers | ASP.NET Core |
---|---|---|---|
Report Designer | DXXRD.axd | /ReportDesignerApi/Invoke | ReportDesignerController.DefaultUri |
Document Viewer | DXXRDV.axd | /WebDocumentViewerApi/Invoke | WebDocumentViewerController.DefaultUri |
Query Builder | DXQB.axd | /QueryBuilderApi/Invoke | QueryBuilderController.DefaultUri |
An application that uses our End-User Report Designer requires all three routes for proper operation.
You can implement custom handlers or custom controllers that inherit from controller classes with the [Authorize]
attribute or perform access check.
Protect Reports Resolved by Name
You can add access control logic to report name resolution services - services which process a string argument (reportUrl) passed to the method that opens a report. The following services are available:
- IWebDocumentViewerReportResolver
- Allows you to parse a report name, create a report instance, and return it to the calling method. If you have a parameterized report, you can specify parameters in the report name passed to the service and use parameters within the report’s constructor.
Note
The IWebDocumentViewerReportResolver service does not support asynchronous mode.
- ICachedReportSourceWebResolver
- Returns an instance of CachedReportSourceWeb. The ICachedReportSourceWebResolverAsync service allows you to build a document asynchronously.
- IReportProvider
- This service has lower priority than previously mentioned services (and is not intended for exclusive use by the Document Viewer). The primary advantage of IReportProvider service is that it can be attached to reports created at runtime. IReportProviderAsync uses asynchronous operations.
- ReportStorageWebExtension
- This service is called when no other report name resolution services are available. It is designed to obtain reports (stored in our REPX format) from external storage (a file or a database). Note that the GetData method returns a serialized report. If you use the GetData method to specify the default parameter value for a loaded report, set the Value property to the parameter value.
Protect Reports and Documents Generated from Reports
Create and register the IWebDocumentViewerAuthorizationService service to implement authorization when the Document Viewer previews the document. The service is queried when the Document Viewer opens a report, and you can use the service to restrict access to the report itself. Service methods are called before document generation, and before any operation that reads the document.
Protect Exported Documents
Create and register the IExportingAuthorizationService service to implement authorization for exported documents. Access to the exported document can be granted only to the user who initiated the export operation.