No Authentication token for some requests produced by Html5 Report Viewer

7 posts, 0 answers
  1. Aleksandar
    8 posts
    Member since:
    Nov 2015

    Posted 01 Dec 2016 Link to this post

    Hi.

    We use the Html5 Report Viewer and set the authentication token through its authenticationToken property.

    Everything works fine, except that the viewer generates a request without the token.

    Here is the URL:

    http://localhost:59815/api/reports/clients/173901-cdb6/instances/173902-9976/documents/173902-d1da173902-1f2a/resources/expand.png/

    And headers:

    GET http://localhost:59815/api/reports/clients/173901-cdb6/instances/173902-9976/documents/173902-d1da173902-1f2a/resources/expand.png/ HTTP/1.1
    Host: localhost:59815
    Connection: keep-alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36
    Accept: image/webp,image/*,*/*;q=0.8
    Referer: http://localhost:59815/
    Accept-Encoding: gzip, deflate, sdch, br
    Accept-Language: en-US,en;q=0.8,de-DE;q=0.6,de;q=0.4

  2. Stef
    Admin
    3610 posts

    Posted 05 Dec 2016 Link to this post

    Hello Aleksandar,

    Image resources can be obtained without authorization.

    In general, the report is processed and rendered to HTML on the server, and the Reporting REST service delivers the HTML to the HTML5 Viewer. IMG elements in the HTML perform GET requests to load the images.

    If you want to check what resources are requested on the server, you can override the ReportsControllerBase.GetResource(String, String, String, String) method.

    Regards,
    Stef
    Telerik by Progress
    Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Feedback Portal and vote to affect the priority of the items
  3. Kasun
    22 posts
    Member since:
    Oct 2016

    Posted 25 Apr 2018 Link to this post

    Hi Stef, 

    I have a question on this. I have a "$.ajaxSetup" function in the report viewer UI code and it sets all our security headers on "beforeSend" of all the ajax calls. But this particular image call does not go through the usual ajax call route.

    Is there a reason for that? Is it being called by something other than ajax?

    I just want to set our security headers on all the ajax calls going from the UI to reporting server REST service.

  4. Kasun
    22 posts
    Member since:
    Oct 2016

    Posted 25 Apr 2018 Link to this post

    Hi Stef, 

    Is there a way to set custom headers to these image resource calls? I have a "$.ajaxSetup" and its "beforeSend" sets my headers to all the ajax calls going out. 

    But these calls don't go through it. 


  5. Ivan Hristov
    Admin
    204 posts

    Posted 01 May 2018 Link to this post

    Hi Kasun,

    I believe you are referring to the expand/collapse handlers that trigger the toggle visibility actions on a report. Since they represent a static image, which is not bound to data, their retrieval is handled by the browser with a simple HTTP request. No specific ajax calls are performed, because these elements are just images with a src that points to a server-side resource. Discussions about the same subject can be followed here and here - they could give you more details on the subject.

    We'll also be glad if we can have some information about the current project and why it is required to have custom headers set on <img> elements upon retrieval. This discussion can be continued in a new support ticket if a publicly visible forum thread is inappropriate.

    Regards,
    Ivan Hristov
    Progress Telerik
  6. Chris
    2 posts
    Member since:
    May 2017

    Posted 29 Aug Link to this post

    Old post, but for the KB, our solution to this problem was to make an anonymous endpoint that accepts the bearer token value as a query parameter. All this is over HTTPS, and the bearer token in the header could be viewed using any browser's dev tools anyway, so we don't see the query string approach as any additional exposure. Would love to hear if anyone knows if we're mistaken. Code snippets below.

    pic box value binding: = Parameters.ImageBaseUrl.Value + Fields.PictureId + "?token=" + Parameters.Token.Value

    Our image endpoint:

    // Assumed wrapper and usings for the snippet: an ASP.NET Core MVC controller
    // (GetTokenAsync is the ASP.NET Core authentication extension) using RestSharp.
    using System.Net;
    using Microsoft.AspNetCore.Authorization;
    using Microsoft.AspNetCore.Mvc;
    using RestSharp;

    public class PicController : Controller
    {
        private readonly string apiBaseUrl; // not shown in the post; assumed to be injected from configuration

        // Anonymous endpoint: the bearer token arrives in the query string because
        // the browser's <img> request cannot carry an Authorization header.
        [AllowAnonymous]
        public ActionResult Pic(int id, string token)
        {
            //string accessToken = await HttpContext.GetTokenAsync("access_token");

            var client = new RestClient(apiBaseUrl);
            client.CookieContainer = new CookieContainer();
            var request = new RestRequest("your route goes here" + id.ToString(), Method.GET);
            request.AddHeader("Authorization", "Bearer " + token);   // forward the user's token to the real image API
            var response = client.Execute(request);
            byte[] content = response.RawBytes;
            // Note: without "private", a shared cache (CDN, proxy) may serve this image to other users.
            HttpContext.Response.Headers.Add("cache-control", "max-age=1800");

            return File(content, "image/jpeg");
        }
    }


    ....hope this helps.

  7. Ivan Hristov
    Admin
    204 posts

    Posted 02 Sep Link to this post

    Hello Chris,

    Thank you for sharing the approach of respecting the authentication token while loading an image in a PictureBox item. I would say the approach is quite clever and I do not see anything wrong with it. As you pointed out, there is no additional exposure: the communication is via HTTPS and the authentication token can be inspected anyway. I hope this approach will be helpful to anyone who needs to ensure that access to the PictureBox image requires a valid token.

    However, the original question regards the resource images that represent the sorting state; their value is determined internally and cannot be set through bindings. This problem will be considered when custom sorting images are implemented - we have a feature request for it and you can vote for it here. We schedule features for implementation based on user demand, so voting for a specific feature will move it up in our development task list.

    Regards,
    Ivan Hristov
    Progress Telerik