Monday, March 19, 2012

Controlling Security through Web Application

Hello all,

I have some questions hopefully you can help with regarding controlling access through ASP.NET.

We'd like to take advantage of reporting services functionality for reports, but we'd like to use our own security model. We have an extensive database-driven security model that exists independently of Active Directory and Windows permissions. We use the NT Logon of the user, but that is all we use. Everything else is maintained within our database structure. We also have all of our web pages and reports in a large database with individual IDs that are permissioned against th

Currently we need a way to link users to reporting services using our own authentication, but this presents a problem. Currently we have a wrapper page (let's call it ReportAccess.aspx). That page authenticates the user and decides whether or not they have access to the report, and then should deliver the report.

Here is where I'm not sure what to do. Our original component simply threw the report URL into an IFRAME. So in order to make this work, we had to give ALL users permissions to all reports on reporting services, since the credentials get passed through. The problem here is that savvy people could look at the URLs and hack their way into reports they should not be seeing.

Ideally, we'd like to only give access to one account and have the ReportAccess.aspx page control that access, but I am not sure how to pull this off. Is this even possible?

The ugly alternative would be maintaining permissions in our system AND Reporting Services ... which would be a lot of work and juggling. There has to be a better way.

Okay, I came across the ReportViewer control in ASP.NET and that may be exactly what I was looking for, but I am having a little bit of trouble getting it to work.

I have set up the component as follows:

<rsweb:ReportViewer ID="ReportViewer1" runat="server" ProcessingMode="Remote" >
<ServerReport ReportServerUrl="http://rs2k5/Reports/Pages/Folder.aspx" ReportPath="/MyReportFolder/MyReportName" DisplayName="Test Report" />
<LocalReport />
</rsweb:ReportViewer>

For the record, you can access the reports using this URL:
http://rs2k5/Reports/Pages/Report.aspx?ItemPath=%2fMyReportFolder%2fMyReportName

When I use [http://rs2k5/Reports/Pages/] as the ServerURL, I get a 404 file not found. Interestingly enough, when I use [http://rs2k5/Reports/Pages/Folder.aspx], I get something back, but it looks like this:

Client found response content type of 'text/html; charset=utf-8', but expected 'text/xml'. The request failed with the error message: -- <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" > <HTML> <HEAD> <script language="JScript" type="text/Javascript" ****snipped - very long HTML here****

To get entirely around security using the report viewer, you need to use an rdlc local to your project that does not rely on the report server at all.

This is a pretty interesting approach. I had no idea the RDLC option existed. I'm going to test some with that.

Currently, I was able to get the ReportViewer working with the Remote option. Turns out you can't point at your ReportServer, instead you have to point at your ReportManager. Using impersonation, I was able to successfully mimic a user's security, so that all users could access the reports using one single account (and then I can use my own validation on the ASP.NET page).
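The single-account pattern discussed in the thread, sketched as an added example (not code from any poster): the wrapper page checks the application's own permission table on every request, then hands the ReportViewer a fixed service account. The `id` query parameter, the `Reports` and `ReportPermissions` tables, the `Security` connection string and the `Rs*` settings are assumptions; `ReportViewer1` is the control from the markup above.

```csharp
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Net;
using Microsoft.Reporting.WebForms;
// The single account that holds rights on the report server (setting names are assumptions).
[Serializable]
public sealed class ServiceAccountCredentials : IReportServerCredentials
{
    static string Cfg(string key) { return ConfigurationManager.AppSettings[key]; }
    public System.Security.Principal.WindowsIdentity ImpersonationUser { get { return null; } }
    public ICredentials NetworkCredentials { get { return new NetworkCredential(Cfg("RsUser"), Cfg("RsPassword"), Cfg("RsDomain")); } }
    public bool GetFormsCredentials(out Cookie authCookie, out string userName,
                                    out string password, out string authority)
    {
        authCookie = null; userName = password = authority = null;
        return false; // Windows credentials, not forms authentication
    }
}

public partial class ReportAccess : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        int id; // the client sends only a report ID; the path comes from our own table
        string path = int.TryParse(Request.QueryString["id"], out id)
            ? AuthorizedPath(User.Identity.Name, id) : null;
        if (path == null) { Response.StatusCode = 403; Response.End(); return; }
        if (IsPostBack) return; // authorized again above; the viewer keeps its own state
        ReportViewer1.ProcessingMode = ProcessingMode.Remote;
        ReportViewer1.ServerReport.ReportServerCredentials = new ServiceAccountCredentials();
        ReportViewer1.ServerReport.ReportServerUrl = new Uri(ConfigurationManager.AppSettings["RsUrl"]);
        ReportViewer1.ServerReport.ReportPath = path;
    }
    // Returns the report path only when this NT logon is permitted for the report ID.
    static string AuthorizedPath(string ntLogon, int reportId)
    {
        const string sql = "SELECT r.ReportPath FROM Reports r JOIN ReportPermissions p " +
            "ON p.ReportId = r.ReportId WHERE r.ReportId = @id AND p.NtLogon = @user";
        using (var cn = new SqlConnection(ConfigurationManager.ConnectionStrings["Security"].ConnectionString))
        using (var cmd = new SqlCommand(sql, cn))
        {
            cmd.Parameters.AddWithValue("@id", reportId);
            cmd.Parameters.AddWithValue("@user", ntLogon);
            cn.Open();
            return cmd.ExecuteScalar() as string; // null when no permission row matches
        }
    }
}
```

For this to close the URL-guessing hole described in the thread, end users' roles on the report server have to be removed so that only the service account can browse reports; otherwise the direct report URL still bypasses this page.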
