Monday, March 26, 2012

Reportviewer - more security help needed

Hi - I have the reportviewer component working fine in our intranet
environment, but am looking to move it over to an internet environment
in a few weeks, and have a few questions about this.

At the moment I embed the reportviewer control in the .aspx pages
(which have forms authentication security), and set the properties as
follows:

ReportPath="/ReportCreationTest/Comparison&rs:Command=Render"

ServerUrl="http://myserver/Reportserver/"

1) Is it possible to use the "normal" version of reporting services in
an internet environment, or am I going to have to upgrade to enterprise
edition and write a custom security extension?

2) How do I stop someone connecting straight to
"www.myserver.com/Reportserver/" and accessing the reports directly?

The fact that I have the reportviewer control embedded in the .aspx
pages means that I have to allow anonymous access to the reports from
IIS (doesn't it?). So how can I also stop people accessing the reports
directly? It would seem to me that this is why I need the custom
security extension.

In an ideal scenario, I need to prevent people from simply running the
reports, but allow users who have access to the .aspx pages to run the
reports through reportviewer.

Thanks for any help :)
James

Teo Lachev's answer to my question "RS from VBScript/ASP web-app", 16.nov
2004 may be relevant.
His book is great, by the way! Other books I have read waste too much
time on designing the reports.

Leif,
Thanks for the kudos. I'd appreciate it if you could let me know what could
be improved in my book if I ever decide to write a new edition. I welcome
feedback from everybody. You can use my blog to provide feedback:
http://prologika.com/blog/archive/2004/11/21/185.aspx

To address James' question:

1) Depends on your security requirements and whether you need interactive
features.

If you need report interactivity (drilldown, document maps, report toolbar),
you have to use URL addressability, which means that your internet user will
have direct access to the Report Server.

If you don't care about the identity of the user (no need for the Report
Server to tell the users apart), you can use Anonymous and the Standard
edition of RS. Apart from not being able to discriminate the users, the
disadvantage of this approach is that you have to bring the RS offline to
manage the report catalog, since you don't want to grant admin rights to the
Anonymous account.

If you need to differentiate the users, you have to use Forms
Authentication. This will require the Enterprise edition.

Finally, if you don't care about report interactive features, you can
generate the reports on the server side of your application using SOAP.

As a side note, it looks like the new RS 2005 controls will support report
interactivity with SOAP. For example, the expand event will be raised in the
control, which can in turn call down to the RS server.

2) By using Forms Authentication (custom security extension) or generating
the reports on the server side of the application. In the latter case, your
RS box could be on your private LAN (not accessible from the Internet).

Hope this helps.
---
Teo Lachev, MVP [SQL Server], MCSD, MCT
Author: "Microsoft Reporting Services in Action"
Publisher website: http://www.manning.com/lachev
Buy it from Amazon.com: http://shrinkster.com/eq
Home page and blog: http://www.prologika.com/
---
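
The server-side rendering option from the reply above, as an added example that is not part of the original thread: a handler inside the forms-authenticated application fetches the report over SOAP, so the Report Server needs no anonymous access and can stay on the private LAN. The `ReportProxy` namespace (a web reference generated from the server's `ReportService.asmx`), the handler name, the `report` query key and the allow-list are assumptions; the `Render` call follows the Reporting Services 2000 SOAP API.

```csharp
// Added example. ReportProxy is an assumed namespace for the proxy class
// generated from the report server's ReportService.asmx WSDL.
using System.Collections.Generic;
using System.Net;
using System.Web;
using ReportProxy;

public class ReportHandler : IHttpHandler
{
    // Allow-list: the browser sends a short key, never a catalog path,
    // so a signed-in user cannot ask for arbitrary items in the catalog.
    private static readonly Dictionary<string, string> Reports =
        new Dictionary<string, string>
        {
            { "comparison", "/ReportCreationTest/Comparison" }
        };

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // The web application's forms authentication decides who may run
        // reports; this repeats the check made by the <authorization> rules.
        if (!context.User.Identity.IsAuthenticated)
        {
            context.Response.StatusCode = 401;
            return;
        }

        string reportPath;
        string key = context.Request.QueryString["report"];
        if (key == null || !Reports.TryGetValue(key, out reportPath))
        {
            context.Response.StatusCode = 404;
            return;
        }

        ReportingService rs = new ReportingService();
        rs.Url = "http://myserver/Reportserver/ReportService.asmx"; // internal address
        rs.Credentials = CredentialCache.DefaultCredentials;        // application's own account

        string encoding, mimeType;
        ParameterValue[] used; Warning[] warnings; string[] streamIds;
        byte[] report = rs.Render(reportPath, "PDF", null, null, null, null, null,
            out encoding, out mimeType, out used, out warnings, out streamIds);

        context.Response.ContentType = mimeType;
        context.Response.BinaryWrite(report);
    }
}
```

The account the application runs under needs only the Browser role on the listed reports, and the Report Server's virtual directory can keep Windows authentication with anonymous access disabled.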