Hello,
I am using the Silverlight report viewer to display reports via the Telerik WCF service.
The viewer is secured behind a layer of authentication, but I am concerned about the security of the WCF service endpoint, because our developer has made reports with user credentials hardcoded in the connection string, so if you stumbled across the endpoint, you would still be able to access the reports.
What I'd ideally want to do is make sure that all users of the WCF service are authorised.
I can't find any documentation about this anywhere.
Is there a solution?
Are there any approaches that I should be considering?
Thanks,
Ed
4 Answers, 1 is accepted
0
Massimiliano Bassili
Top achievements
Rank 1
answered on 19 May 2011, 03:05 PM
The Authentication of your application is configurable through Internet Information Services and this is not something specific to Telerik Reporting service and is applicable to any standard WCF service. More information:
Cheers!
0
MikeWiese
Top achievements
Rank 1
answered on 24 May 2011, 01:39 PM
Hi Ed,
I also needed to ensure that the WCF endpoint for reporting uses the same integrated Windows authentication as the rest of my app. It caused me some grief but the following approach worked for me:
The IIS application in which my Silverlight app runs uses Windows authentication. Anonymous Authentication is turned off. So IIS will ensure that only authenticated users will have access to the Telerik Reports WCF service.
I did things in the opposite order to the Telerik how-to videos - I started with a working Silverlight app using WCF RIA Services and Windows authentication, then later I added some Telerik reports. When I first added a Telerik report to my solution after following all the best practices, videos, etc the report would not display my data. The runtime message printed inside the Silverlight ReportViewer mentioned "NotFound". From bashing my head against WCF RIA Services lately I understood this to be a generic way of saying "something threw an exception inside the WCF service you just called". And indeed, when I browsed directly to http://localhost/{myapp}/ReportService.svc I got an exception message "Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service"
It turns out that for my scenario, the <system.serviceModel> section detailed in the Telerik help (http://www.telerik.com/help/reporting/silverlight-hosting-in-iis.html) needs a few tweaks to work under Windows Authentication. In particular I had to flesh out the binding specifications for each of the report service endpoints. So now, the <system.serviceModel> section in my web.config now looks like this:
<system.serviceModel>
  <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
  <services>
    <service name="Telerik.Reporting.Service.ReportService" behaviorConfiguration="ReportServiceBehavior">
      <endpoint address="" binding="basicHttpBinding" bindingConfiguration="basicBinding" contract="Telerik.Reporting.Service.IReportService">
        <identity>
          <dns value="localhost" />
        </identity>
      </endpoint>
      <endpoint address="resources" binding="webHttpBinding" bindingConfiguration="basicWebHttpBinding" behaviorConfiguration="WebBehavior" contract="Telerik.Reporting.Service.IResourceService" />
      <endpoint address="mex" binding="webHttpBinding" bindingConfiguration="basicWebHttpBinding" contract="IMetadataExchange" />
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="ReportServiceBehavior">
        <serviceMetadata httpGetEnabled="true" />
        <serviceDebug includeExceptionDetailInFaults="false" />
      </behavior>
    </serviceBehaviors>
    <endpointBehaviors>
      <behavior name="WebBehavior">
        <webHttp />
      </behavior>
    </endpointBehaviors>
  </behaviors>
  <bindings>
    <basicHttpBinding>
      <binding name="basicBinding">
        <security mode="TransportCredentialOnly">
          <transport clientCredentialType="Windows" />
        </security>
      </binding>
    </basicHttpBinding>
    <webHttpBinding>
      <binding name="basicWebHttpBinding">
        <security mode="TransportCredentialOnly">
          <transport clientCredentialType="Windows" />
        </security>
      </binding>
    </webHttpBinding>
  </bindings>
</system.serviceModel>
Note the bindingConfiguration attributes and the bindings. I also changed the binding for the mex endpoint. This article was the key for me, and it explains things better than I can.
Mike
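The config in the answer above works because every endpoint names a bindingConfiguration whose transport security demands a Windows credential. As an added example (not part of the thread and not Telerik's code), this Python script audits a web.config for service endpoints that miss that requirement; the sample config and the function name `audit_endpoints` are constructed for illustration, and only transport-level credentials are checked.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the first endpoint uses a Windows-authenticated binding,
# the second is left on the binding's defaults (no bindingConfiguration).
SAMPLE_CONFIG = """<configuration>
  <system.serviceModel>
    <services>
      <service name="Telerik.Reporting.Service.ReportService">
        <endpoint address="" binding="basicHttpBinding" bindingConfiguration="basicBinding"
                  contract="Telerik.Reporting.Service.IReportService" />
        <endpoint address="resources" binding="webHttpBinding"
                  contract="Telerik.Reporting.Service.IResourceService" />
      </service>
    </services>
    <bindings>
      <basicHttpBinding>
        <binding name="basicBinding">
          <security mode="TransportCredentialOnly">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
  </system.serviceModel>
</configuration>"""

def audit_endpoints(config_xml):
    """Return (service, address, reason) for endpoints with no client credential requirement."""
    model = ET.fromstring(config_xml).find("system.serviceModel")
    findings = []
    for svc in model.iterfind("services/service"):
        for ep in svc.iterfind("endpoint"):
            kind, cfg = ep.get("binding"), ep.get("bindingConfiguration")
            where = (svc.get("name"), ep.get("address", ""))
            if not cfg:  # endpoint falls back to the binding's default security
                findings.append(where + ("no bindingConfiguration",))
                continue
            b = model.find(f"bindings/{kind}/binding[@name='{cfg}']")
            if b is None:  # dangling reference to a binding that is not defined
                findings.append(where + (f"binding '{cfg}' not defined",))
                continue
            sec = b.find("security")
            cred = sec.find("transport") if sec is not None else None
            mode = sec.get("mode", "None") if sec is not None else "None"
            ctype = cred.get("clientCredentialType", "None") if cred is not None else "None"
            if mode == "None" or ctype == "None":
                findings.append(where + (f"mode={mode}, clientCredentialType={ctype}",))
    return findings
```

An empty result only covers the WCF bindings; the IIS application still needs Anonymous Authentication turned off, as described in the answer.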
0
Adam
Top achievements
Rank 1
answered on 13 Sep 2011, 08:54 PM
I just want to thank Mike. Good job on that. I too have been bashing my head in over this problem. Thanks to Mike, my face will take a few less bashings today.
0
Jaime Bula
Top achievements
Rank 2
answered on 28 Sep 2011, 04:41 AM
Has anyone tried this with AspNet forms based security for WCF Services?