This is a migrated thread and some comments may be shown as answers.

No Authentication token for some requests produced by Html5 Report Viewer

6 Answers 449 Views
General Discussions
Aleksandar asked on 01 Dec 2016, 04:45 PM

Hi.

We use the Html5 Report Viewer and set the authentication token through its property authenticationToken.

Everything works fine except that the viewer generates a request without the token.

Here is the URL:

http://localhost:59815/api/reports/clients/173901-cdb6/instances/173902-9976/documents/173902-d1da173902-1f2a/resources/expand.png/

And the headers:

GET http://localhost:59815/api/reports/clients/173901-cdb6/instances/173902-9976/documents/173902-d1da173902-1f2a/resources/expand.png/ HTTP/1.1
Host: localhost:59815
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36
Accept: image/webp,image/*,*/*;q=0.8
Referer: http://localhost:59815/
Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: en-US,en;q=0.8,de-DE;q=0.6,de;q=0.4

6 Answers, 1 is accepted

0
Stef
Telerik team
answered on 05 Dec 2016, 05:33 PM
Hello Aleksandar,

Image resources can be obtained without authorization.

In general, the report is processed and rendered in HTML on the server, and the Reporting REST service delivers the HTML to the HTML5 Viewer. IMG elements in the HTML perform GET requests to load the images.

If you want to check what resources are requested on the server, you can override the ReportsControllerBase.GetResource(String,String,String,String) method.

Regards,
Stef
Telerik by Progress
Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Feedback Portal and vote to affect the priority of the items
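As an added example of the override Stef mentions (this is not Telerik's code and not code from the thread), the controller below logs every resource request the viewer makes, together with whether the request carried an Authorization header, so that unauthenticated fetches such as the expand.png request in the original post can be seen in the server trace. It assumes the Web API flavour of the base class, where GetResource returns HttpResponseMessage and the parameters are clientID, instanceID, documentID and resourceID, and it assumes the configuration wiring through ReportServiceConfiguration, FileStorage and UriReportResolver; the list of static viewer image names is constructed for the example.

```csharp
using System;
using System.Diagnostics;
using System.Net.Http;
using Telerik.Reporting.Cache.File;
using Telerik.Reporting.Services;
using Telerik.Reporting.Services.WebApi;

// Added example: a Reporting REST controller whose GetResource override writes an audit
// line for every resource request before the base implementation serves it. The return
// type and parameter names of GetResource, and the configuration wiring below, are
// assumptions about the Web API version of ReportsControllerBase; check them against the
// Telerik.Reporting version in use.
public class ReportsController : ReportsControllerBase
{
    static readonly ReportServiceConfiguration configurationInstance =
        new ReportServiceConfiguration
        {
            HostAppId = "Application1",               // assumed application id
            Storage = new FileStorage(),              // assumed cache storage
            ReportResolver = new UriReportResolver(), // assumed report resolver
        };

    // Constructed list of static viewer images that legitimately arrive without a token
    // (the expand/collapse toggle images discussed in the thread).
    static readonly string[] StaticViewerImages = { "expand.png", "collapse.png" };

    public ReportsController()
    {
        this.ReportServiceConfiguration = configurationInstance;
    }

    public override HttpResponseMessage GetResource(string clientID, string instanceID, string documentID, string resourceID)
    {
        // The viewer's ajax calls carry "Authorization: Bearer ..."; <img> requests do not.
        bool hasAuthHeader = this.Request.Headers.Authorization != null;
        string kind = IsStaticViewerImage(resourceID) ? "static-viewer-image" : "report-resource";

        // Audit line: which client/instance/document asked for which resource, and whether
        // the request carried a bearer token. The thread's expand.png request shows up here
        // with auth_header=False and kind=static-viewer-image.
        Trace.TraceInformation(
            "GetResource client={0} instance={1} document={2} resource={3} kind={4} auth_header={5}",
            clientID, instanceID, documentID, resourceID, kind, hasAuthHeader);

        return base.GetResource(clientID, instanceID, documentID, resourceID);
    }

    // The resource id in the thread's URL is the bare file name followed by a trailing slash;
    // normalise before comparing so that "expand.png", "expand.png/" and "sub/expand.png" all match.
    public static bool IsStaticViewerImage(string resourceID)
    {
        if (string.IsNullOrEmpty(resourceID)) return false;
        string name = resourceID.TrimEnd('/');
        int slash = name.LastIndexOf('/');
        if (slash >= 0) name = name.Substring(slash + 1);
        return Array.Exists(StaticViewerImages,
            s => string.Equals(s, name, StringComparison.OrdinalIgnoreCase));
    }
}
```

The override only observes and forwards to the base implementation; it does not reject anything, because, as Stef notes above, the rendered report's own IMG elements also load their images with plain GET requests and refusing token-less resource requests here would break those. The trace output is what you review to decide which resources actually need protection.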
0
Kasun
answered on 25 Apr 2018, 08:06 PM

Hi Stef, 

I have a question on this. I have a "$.ajaxSetup" function in the report viewer UI code and it will set all our security headers on "beforeSend" of all the ajax calls. But this particular image call does not go through the usual ajax call route.

Is there a reason for that? Is it being called by something other than ajax?

I just want to set our security headers on all the ajax calls going from the UI to reporting server REST service.

0
Kasun
answered on 25 Apr 2018, 08:08 PM

Hi Stef, 

Is there a way to set custom headers to these image resource calls? I have a "$.ajaxSetup" and its "beforeSend" sets my headers to all the ajax calls going out. 

But these calls don't go through it.

0
Ivan Hristov
Telerik team
answered on 01 May 2018, 07:56 AM
Hi Kasun,

I believe you are referring to the expand/collapse handlers that trigger the toggle visibility actions on a report. Since they represent a static image, which is not bound to data, their retrieval is handled by the browser with a simple HTTP request. No specific ajax calls are performed, because these elements are just images with a src that points to a server-side resource. Discussions about the same subject can be followed here and here - they could give you more details on the subject.

We'll also be glad if we can have some information about the current project and why it is required to have custom headers set on <img> elements upon retrieval. This discussion can be continued in a new support ticket if a publicly visible forum thread is inappropriate.

Regards,
Ivan Hristov
Progress Telerik
0
Chris
answered on 29 Aug 2019, 03:13 PM

Old post, but for the KB, our solution to this problem was to make an anonymous endpoint that accepts the bearer token value as a query parameter.  All this is over HTTPS and bearer token in header could be viewed using any browser's dev tools anyway, so we don't see the query string approach as any additional exposure.  Would love to hear if anyone knows if we're mistaken.  Code snippets below.

pic box value binding: = Parameters.ImageBaseUrl.Value + Fields.PictureId + "?token=" + Parameters.Token.Value

Our image endpoint:

    // Namespaces the snippet relies on (ASP.NET Core MVC plus RestSharp for the upstream call).
    using System.Net;
    using Microsoft.AspNetCore.Authorization;
    using Microsoft.AspNetCore.Mvc;
    using RestSharp;

    // Anonymous endpoint: the viewer's <img> request carries no Authorization header, so the
    // bearer token arrives in the ?token= query parameter set by the picture box binding above.
    [AllowAnonymous]
    public ActionResult Pic(int id, string token)
    {
        //string accessToken = await HttpContext.GetTokenAsync("access_token");

        // apiBaseUrl: base address of the authenticated API that serves the picture (configured elsewhere)
        var client = new RestClient(apiBaseUrl);
        client.CookieContainer = new CookieContainer();
        var request = new RestRequest("your route goes here" + id.ToString(), Method.GET);
        // Re-attach the token as a bearer header for the server-to-server call
        request.AddHeader("Authorization", "Bearer " + token);
        var response = client.Execute(request);
        byte[] content = response.RawBytes;
        HttpContext.Response.Headers.Add("cache-control", "max-age=1800");

        return File(content, "image/jpeg");
    }

....hope this helps.

0
Ivan Hristov
Telerik team
answered on 02 Sep 2019, 08:08 AM
Hello Chris,

Thank you for sharing the approach of respecting the authentication token while loading image in a PictureBox item. I would say the approach is quite clever and I do not see anything wrong with it. As you pointed, there is no additional exposure - the communication is via HTTPS and the authentication token can be inspected anyway. I hope this approach will be helpful to anyone that needs to ensure that the access to the PictureBox image requires a valid token.

However, the original question regards the resource images that represent the sorting state, but their value is determined internally and cannot be set through bindings. This problem will be considered when custom sorting images are implemented - we have a feature request for it and you can vote for it here. We schedule the features for implementation based on user demand, so voting for a specific feature will move it up in our development tasks list.

Regards,
Ivan Hristov
Progress Telerik