Security When Calling a Web Service


Out of the box, SSRS supports Windows authentication and authorization. If you need to have custom authentication, SSRS provides this through custom authentication (or security) extensions. You have to develop a new security extension to handle custom authentication.

The .NET Framework greatly simplifies Windows and Basic authentication handling through classes in the System.Net namespace.

Prior to deciding which authentication method to use, consider security implications of each form of authentication and SSRS virtual directory settings in IIS; see Figure 25.3.

Figure 25.3. SSRS virtual directory settings in IIS.


As you might recall, we leveraged the .NET Framework to set Windows credentials in the GetReportXML2005() method earlier in this chapter:

 rs.Credentials = System.Net.CredentialCache.DefaultCredentials; 

To pass Basic authentication credentials, you can substitute the preceding code with the following code:

 rs.Credentials = new System.Net.NetworkCredential("user name", "password", "domain");

The credentials must be set prior to the use of any methods in the SSRS web service. Calls to a web service method made before the credentials are set receive an error: HTTP 401 Error: Access Denied.

To increase the security of web method calls, an administrator can configure IIS and SSRS to use SSL communications. SSRS uses SecureConnectionLevel (located in RSReportServer.config) to determine which web service methods require an SSL connection. The default is 0 (noted in the configuration as <Add Key="SecureConnectionLevel" Value="0" />). SecureConnectionLevel has four levels that affect the URL and SOAP interfaces that SSRS exposes:

  • 0 SSRS does not check for secure connections (SSL). Method calls can still be made over SSL (HTTPS) connections, if needed.

  • 1 SSRS checks for secure connections. If SSL is not available, the web service rejects calls to methods (such as CreateReport() and GetReportDefinition()) that can pass sensitive information (such as user credentials). Because this setting is checked at the server, it is still possible to make a call that passes credentials before the web service handles the request. Method calls can still be made over SSL (HTTPS) connections, if needed. Because Render() is not restricted by this setting, it might be possible for a hacker to intercept sensitive data from a report.

  • 2 Most method calls, including Render() , are required to use SSL.

  • 3 All method calls are required to use SSL. In this case, SSRS requires SSL/HTTPS for all web service method calls.
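
Because SecureConnectionLevel is checked at the server, a client can guard the credential assignment shown earlier by refusing to attach credentials to a proxy whose URL is not HTTPS. The following is an added example, not code from the book; the names SsrsClientSecurity and SetBasicCredentials are hypothetical, and it assumes rs is a generated SSRS proxy, which derives from SoapHttpClientProtocol.

```csharp
using System;
using System.Net;
using System.Web.Services.Protocols;

// Added example: SsrsClientSecurity and SetBasicCredentials are hypothetical names.
public static class SsrsClientSecurity
{
    // Attaches explicit credentials to an SSRS SOAP proxy only when its endpoint is HTTPS.
    // SecureConnectionLevel is enforced on the server, after the request (and any
    // credentials in it) has already crossed the network, so the client checks first.
    public static void SetBasicCredentials(SoapHttpClientProtocol proxy,
                                           string userName, string password, string domain)
    {
        if (proxy == null) throw new ArgumentNullException("proxy");

        Uri endpoint;
        if (!Uri.TryCreate(proxy.Url, UriKind.Absolute, out endpoint))
            throw new ArgumentException("Proxy URL is not an absolute URI.", "proxy");

        // Uri.Scheme is always lowercase, so an ordinal comparison is sufficient.
        if (endpoint.Scheme != Uri.UriSchemeHttps)
            throw new InvalidOperationException(
                "Refusing to attach credentials to a non-SSL endpoint: " + endpoint);

        // Bind the credential to this host and to the Basic scheme only, so it is
        // not offered in response to a challenge from any other host.
        CredentialCache cache = new CredentialCache();
        cache.Add(new Uri(endpoint.GetLeftPart(UriPartial.Authority)), "Basic",
                  new NetworkCredential(userName, password, domain));
        proxy.Credentials = cache;

        // Keep automatic redirects off so that a redirect to an http:// URL
        // cannot move the call off the SSL connection.
        proxy.AllowAutoRedirect = false;
    }
}

// Usage, in place of assigning rs.Credentials directly:
//   SsrsClientSecurity.SetBasicCredentials(rs, "user name", "password", "domain");
```
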



Microsoft SQL Server 2005 Reporting Services
ISBN: 0672327996
EAN: 2147483647
Year: 2004
Pages: 254
