This is a migrated thread and some comments may be shown as answers.

Security in the report viewer

Alexander
Alexander asked on 06 Jul 2020, 10:07 AM

Hi all,

I don't know if this is the right forum, but I have a small question about security of the self-hosted REST service for the reporting viewer. I am using ASP.NET Core and have a few (secured) pages that show Telerik reports. These are .trdp files hosted by ourselves and set up according to https://docs.telerik.com/reporting/telerik-reporting-rest-service-aspnetcore-mvc-core3 ...

This is however a jQuery implementation and from within the code of jQuery I can probably easily change the .trdp file name (I use logical names, so not hard to guess) and get a different report. This was not a real big problem, but now certain users should not be able to see certain reports. So this suddenly became a problem.

Does anybody have an idea what the best approach would be to secure this?

Thanks,

Alexander

1 Answer, 1 is accepted

Katia
Telerik team
answered on 09 Jul 2020, 06:39 AM

Hi Alexander,

The viewer provides an option to set an authentication token that will add a Bearer token in the Authorization header for every request to the REST service. Another option is to resolve the viewer's ReportSource at run-time based on the currently logged-in user; this can be done in a custom report resolver. You can also test if overriding the methods of the Reporting REST service can be beneficial in your scenario.

We also provide a separate product for centralized reports storage and report users management - Telerik Report Server.

Regards,
Katia
Progress Telerik
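
The custom resolver approach from the answer above, as an added example that is not part of the original thread and not Telerik's own code: a resolver that checks the requested report name against a per-role allow-list on the server before delegating to the resolver already in use. The class name, report names and roles are constructed, and the `IReportSourceResolver.Resolve` signature is assumed from the Telerik Reporting release current at the time of the thread.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.AspNetCore.Http;
using Telerik.Reporting;
using Telerik.Reporting.Services;

// Hypothetical class: authorizes the report name sent by the viewer per user.
public sealed class AuthorizedReportSourceResolver : IReportSourceResolver
{
    // Constructed sample policy: report file name -> role required to view it.
    private static readonly Dictionary<string, string> RequiredRole =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["SalesSummary.trdp"] = "Sales",
            ["Payroll.trdp"] = "HR",
        };

    private readonly IReportSourceResolver inner;   // e.g. the stock file-based resolver
    private readonly IHttpContextAccessor http;     // gives access to the current request's user

    public AuthorizedReportSourceResolver(IReportSourceResolver inner, IHttpContextAccessor http)
    {
        this.inner = inner;
        this.http = http;
    }

    // Signature assumed from the Telerik Reporting version of the thread's date.
    public ReportSource Resolve(string report, OperationOrigin operationOrigin,
        IDictionary<string, object> currentParameterValues)
    {
        var user = this.http.HttpContext?.User;
        if (user?.Identity?.IsAuthenticated != true)
            throw new UnauthorizedAccessException("Authentication required.");

        // Deny by default: the client-supplied name must match a policy entry
        // exactly, so unknown names and path-like values never reach the file resolver.
        if (report == null
            || !RequiredRole.TryGetValue(report, out var role)
            || !user.IsInRole(role))
            throw new UnauthorizedAccessException("Report not available for this user.");

        return this.inner.Resolve(report, operationOrigin, currentParameterValues);
    }
}
```

Assign an instance to `ReportSourceResolver` in the `ReportServiceConfiguration`, wrapping the resolver you already use. The reports REST controller has to run behind the same authentication as the secured pages so that `HttpContext.User` is populated for viewer requests.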
