Secure access of Reports without URL in ASP.NET | SQL Server Performance Forums

SQL Server Performance Forum – Threads Archive

Secure access of Reports without URL in ASP.NET

Hi, We have a requirement to only allow users access to one particular report of a parameterised report and to be accessible within our ASP.NET application. Users must only be able to view the report parameterised on one value that’s associated with their account. We cannot use a URL because this will allow the user to tamper with the parameter and ID values passed to the Reporting Server. In addition, the user shouldn’t be able to view the toolbars or the input parameter fields ..they should only be able to see the report and a few print / export options. Is it possible to do this without exposing the URL? I would most appreciate any help anyone could offer. I’m thinking this can somehow be done using some form of server-side initiated web service call? However then this begs the question of how to render the response, if this is at all even possible I know there’s a ReportViewer control however this appears to operate on URLs. Ideally we’d like to use the standard Reporting Services interface.
I’ve come up with a solution and I’d like to share my findings with you all: 1. add a reference to the root Reporting Service web service, it can be found in the root of your Reporting Services site in the ASMX file. Now create an instance of the ReportServices class, customize the parameters (including the output format, your security credentials etc.) then invoke the Render() method ..this will return a byte stream representing the output. You can then do whatever you want with this depending on what format you specified the output to render as. You’ll probably want to use Response.BinaryWrite() on the stream. The only caveat of this approach is that you can’t use the toolbar in the standard Reporting Services interface. I’m guessing the standard interface is an ActiveX control of some sort. 2. This is the method I ended up using. I created a HttpWebRequest object, executed the URL to the Report Server with all the parameters on the query string, then captured the output as a stream and then rendered it directly to the output of the ASPX page initiating the request. This is a good way to conceal the URL of a calling page. I hope someone will find this useful if they ever come across a similar problem. If anyone has a better approach, I’d be delighted to hear.
]]>