Friday, March 9, 2012

How to call report via url in RSReportHost.exe

I am calling my reports via URL, but it presents the report in IE with the URL, so the users might change the parameter values in the IE address bar. But I see RSReportHost.exe doesn't show the URL at all.

Is it possible to show or call a report via URL using RSReportHost.exe?

I am using VS 2003 with SQL RS 2005; I don't have a ReportViewer control available to use.

Please help, guys.

Thank you very much.

RSReportHost is a desktop application designed for debugging reports. So, the short answer to your question is no. Moreover, URL access is not a very secure way to request reports. The Report Viewer ASP.NET control does a reasonable job of hiding the parameter values during reposts but it is not foolproof either. Regardless of the fact that you don’t use the ASP.NET Report, RS 2005 URL addressability uses it behind the scenes by redirecting the user to the ReportViewer.aspx page. So, one way to mitigate the security risk with parameters is to request the report without parameters and rely on the Report Viewer to handle them. Stricter security requirements may require the web application to handle the parameters on the server side.

|||

Thank you very much Teo.

But VS 2003 doesn't have a ReportViewer to use with RS 2005.

Microsoft only released the viewer with VS 2005.

I have a very big project fully developed using VS 2003, and a lot of state and federal construction projects are using the tool. Also, we have integrated third-party controls which specifically use Framework 1.1. I don't have an open option to switch to VS 2005 soon; I might have to wait until all the migration-related issues get cleared.

My current options are to use the Render web services to load reports via PDF streams, which I am using. Are there any other methods available using VS 2003 and SQL RS 2005? Please help.

Thank you once again. I read about you on Google a lot.

|||

Just to clarify, I was referring to the server ReportViewer.aspx page which the user is automatically redirected to with URL addressability. So, if the user clicks on a URL link which points to a report (e.g. http://localhost/reportserver?%2fAdventureWorks+Sample+Reports%2fCompany+Sales&rs:Command=Render), the server will redirect her to that page which uses the ReportViewer ASP.NET Report Viewer control behind the scenes. Therefore, you don’t have to upgrade to VS.NET 2005 at all.

|||

Thanks, Teo. But the problem with the URL is that the users can manipulate the URL parameters by themselves in the IE address bar. I don't want the users to manipulate the URLs.

|||

True. You have different options to address this depending on the security risk.

1. If you think that hacking the report URL goes beyond the skills of your users, you may be fine with the ReportViewer parameter hiding.

2. You can use the user identity (User!UserID) to filter the parameter available values and/or report data (row-level security).

3. You can configure the Report Server to be accessible from your application server only and not directly from the end users.

4. You can use a trusted account between your application server and Report Server. All report requests will go under this account and you will secure the report catalog accordingly. These security policies will prevent the end users from requesting reports directly.
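
Options 3 and 4 above, as an added example that is not from the thread's participants: the application server takes the parameter value from its own entitlement check rather than from the browser, then requests the report from the Report Server under its own account. The host name, the report path, the `ProjectID` parameter and the `AllowedProjects` lookup are assumptions made for illustration.

```csharp
using System;
using System.Net;
using System.Text;
using System.Web;

public class ReportProxy
{
    // Assumption: Report Server host that only the application server can reach.
    const string ReportServer = "http://reportserver.internal.example/reportserver";

    // Hypothetical entitlement lookup (constructed data); a real application
    // would query its own authorization store here.
    static string[] AllowedProjects(string user)
    {
        if (user == @"CORP\alice") return new string[] { "1001", "1002" };
        return new string[0];
    }

    // Builds the URL-access request from values the server has checked.
    // "ProjectID" is a hypothetical report parameter name.
    public static string BuildUrl(string reportPath, string user, string projectId)
    {
        if (Array.IndexOf(AllowedProjects(user), projectId) < 0)
            throw new UnauthorizedAccessException("Project not permitted for " + user);
        StringBuilder sb = new StringBuilder(ReportServer);
        sb.Append("?").Append(HttpUtility.UrlEncode(reportPath));
        sb.Append("&rs:Command=Render&rs:Format=PDF");
        sb.Append("&ProjectID=").Append(HttpUtility.UrlEncode(projectId));
        return sb.ToString();
    }

    // Fetches the rendered PDF under the application server's own account,
    // so end users need no rights on the report catalog.
    public static byte[] Render(string url)
    {
        WebClient client = new WebClient();
        client.Credentials = CredentialCache.DefaultCredentials;
        return client.DownloadData(url);
    }

    public static void Main()
    {
        // The user name would come from the authenticated session, never the query string.
        Console.WriteLine(BuildUrl("/Projects/Cost Summary", @"CORP\alice", "1001"));
        try { BuildUrl("/Projects/Cost Summary", @"CORP\alice", "9999"); }
        catch (UnauthorizedAccessException ex) { Console.WriteLine("Refused: " + ex.Message); }
    }
}
```

In an ASP.NET page, the bytes returned by `Render` would be written to the response with an `application/pdf` content type, so the browser never sees a Report Server URL.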
