This is a migrated thread and some comments may be shown as answers.

Authentication of reports in ASPX pages

GEB asked on 08 Sep 2009, 12:45 PM
I'm looking for some advice on how to protect reports that are ultimately displayed in ASPX pages.  I have developed a Silverlight 3 application.  Within the application, I am able to execute a report, and display this report in an HtmlPlaceholder or a separate browser window.  Because this report is embedded within an ASPX page, anyone can simply type in the URL for the report (www.MyWebSite.com/MyReport.aspx) and cause the report to be generated.  These reports contain sensitive data, so I want to make sure that the pages are authenticated appropriately before they can be accessed.  Any suggestions on how to accomplish this?

My environment is IIS 7, my Silverlight 3 application, plus the reports (each embedded in its own ASPX page).  These are anonymous users that must log into my Silverlight 3 application.  I do not want users to be able to access the ASPX pages without going through the SL3 app.

2 Answers, 1 is accepted

Clyde
answered on 17 Sep 2009, 09:24 PM
GEB,

While I am using a straight ASP.NET Webforms application, I would assume the concept would be the same. In the Page_Load section, do a validation check. If not authenticated, then redirect to Login or display an access denied page.

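        if (!System.Web.HttpContext.Current.User.Identity.IsAuthenticated)
        {
            // Option 1: send the user to the forms-authentication login page.
            FormsAuthentication.RedirectToLoginPage();

            // OR, option 2 (use instead of option 1): show an access denied page.
            // Response.Redirect("~/view/accessdenied.aspx");

            // Stop processing so the rest of the page does not run.
            Response.End();
        }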

You could also do further validation there, for example checking whether the user has the required Role. You need to check that the user is logged in first before making this call.

 
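if (!Roles.IsUserInRole(Membership.GetUser().UserName, "RoleNeededforReports"))
{
    // Redirect as in the first snippet, e.g. to the access denied page.
    Response.Redirect("~/view/accessdenied.aspx");
}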

I suggest creating a Security Method for all of this.

Regards
Clyde
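
The "Security Method" suggested in this answer could take the form of a shared base page. This is an added example, not part of the original post; the class name `SecuredReportPage` is hypothetical, and it assumes forms authentication and the ASP.NET role manager are enabled in web.config.

```csharp
using System;
using System.Web.Security;
using System.Web.UI;

// Hypothetical base class: each report page inherits from it instead of Page.
public class SecuredReportPage : Page
{
    // Role name taken from the answer above; override per report if needed.
    protected virtual string RequiredRole
    {
        get { return "RoleNeededforReports"; }
    }

    // OnInit runs before the derived page's Page_Load, so no report code
    // executes for a request that fails the checks.
    protected override void OnInit(EventArgs e)
    {
        EnforceAccess();
        base.OnInit(e);
    }

    private void EnforceAccess()
    {
        // 1. Anonymous request: send to the forms-authentication login page.
        if (Context.User == null || !Context.User.Identity.IsAuthenticated)
        {
            FormsAuthentication.RedirectToLoginPage();
            // RedirectToLoginPage does not stop the page by itself.
            Response.End();
            return;
        }

        // 2. Logged in but missing the role: access denied page.
        //    Identity.Name is used so no null MembershipUser is dereferenced.
        if (!Roles.IsUserInRole(Context.User.Identity.Name, RequiredRole))
        {
            // endResponse: true stops further page processing.
            Response.Redirect("~/view/accessdenied.aspx", true);
        }
    }
}
```

A report page opts in by declaring its code-behind class as `public partial class MyReport : SecuredReportPage`.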

GEB
answered on 19 Sep 2009, 12:13 AM
Clyde, I think this is a good approach.  However, there is one thing that I have not been able to determine.  My user is being authenticated completely within my Silverlight 3 application.  How can I have my SL3 app set the IsAuthenticated flag so that the ASPX page can check it correctly?  I know that this flag can be set via authentication within an ASPX page, but I want to authenticate within SL, then have the SL app set the flag.  Once this is done, your recommendations should work great.

Has anyone been able to manipulate the IsAuthenticated flag via code within SL3?