Improved ObjectDataSource Security in Reporting

In the latest release of Telerik Reporting, it's easier than ever to accommodate strict security and create tamper-proof reports.

One of the significant new features in Telerik Reporting R3 2016 is the improved security of the ObjectDataSource component. If strict security limitations require you to ensure only your code is executed by the report engine, the new settings allow you to do it.

Designing and Previewing Reports

In the Standalone Report Designer things are pretty straightforward—to use types from another assembly you have to include it in the AssemblyReference element anyway. But as you may have guessed, this change would lead to some issues during design-time in Visual Studio Report Designer. Before you sigh in resignation and diligently start digging into Visual Studio’s devenv.config file, here is the twist—you don’t have to.

When you are configuring an ObjectDataSource using the Wizard, the required assembly reference will be automatically added to the project’s configuration file upon successful completion. For convenience, it will be added even when the type used by the ObjectDataSource is declared in the same assembly. If the project lacks a configuration file, a new one will be automatically created and included in your project.

When previewing a report in Visual Studio Report Designer, the engine will extract the assembly references from the project configuration file and verify the type, declared in the ObjectDataSource definition, against them. In case the target type is not found, a SecurityException will be thrown.

Usage in a Standalone Application

When showing reports that use an ObjectDataSource instance in any report viewer, you should consider if the used type's assembly should be declared in the application’s configuration file. As we said before, if the type used by the ObjectDataSource component shares the same assembly with the report, you don’t have to do anything—it will just work (see our example ListBoundReport if you still have some doubts).

However, you probably use an external assembly to store your business objects—in that case you have to add the assembly name in the Telerik.Reporting section of your application’s config file (app.config or web.config). You can either copy it from your report library project’s configuration file (the ObjectDataSource Wizard has put it there, remember?) or add it manually. Finally, your configuration file should look like the one shown below:

We believe that the new way the ObjectDataSource component resolves types will add up to the creation of reliable and tamper-proof reports, protecting your data and securing your applications. Try it out as part of the latest Reporting release today.