Using authentication token when embedding HTML5 report viewer with Report Server backend

1 Answer 373 Views
General Discussions Report Parameters Report Viewer - HTML5 Security
Chris Olivier
Top achievements
Rank 1
Chris Olivier asked on 18 Jan 2023, 02:26 PM

I'm investigating the viability of embedding reports using the HTML5/Angular report viewers and using Report Server to manage and render the reports.

The reports will contain confidential information, so we need to ensure that report rendering/retrieval requests are secure.

Using the guest account or putting report server credentials in plain text in the client-side Javascript is not an option.

Ideally, we would like to send the report parameters to the report server in an encrypted manner (Using only SSL is susceptible to man-in-the-middle attacks).

What are our options for using custom authentication tokens with Report Server or putting a reverse proxy in front of Report Server to secure the embedding requests?

Any help will be greatly appreciated.

 

1 Answer, 1 is accepted

Sort by
0
Dimitar
Telerik team
answered on 23 Jan 2023, 11:18 AM

Hello Chris,

Thank you for the provided information!

When used with an external report viewer, the Telerik Report Server should be authenticated via the dedicated username and password sub-properties in the reportServer initialization settings - Report Viewer Initialization - Telerik Reporting.

Sending the username and password in an encrypted state from the Report Viewer to the Report Server is currently not a supported scenario, at least not out of the box, please feel free to log a request about such functionality on the feedback portal - Progress® Telerik® Report Server Feedback Portal

With that being said, one way to send the username and password in an encrypted manner would be to create a Reporting REST Service that will be used as a proxy. The Report Viewer will send the encrypted strings to this service, and the service will receive the strings on the server where it will decrypt them and will then connect to the Report Server behind the scenes to get the report and then render it. All of this can be achieved with a custom IReportSourceResolver.

This scenario is, for the most part, covered in the How to Display Reports From Report Server through Custom Report Source Resolver - Telerik Reporting KB article. The only change that you need to make is the part where you decrypt the username and password strings. You can send them from the report viewer as a stringified JSON in the value of the reportSource.report property, for example:

reportSource: {
report: '{"report":"Samples/Report1","username":"user","password":"password"}'
}

Then this string will be available in the Resolve method of the custom resolver's Resolve(String, OperationOrigin, IDictionary<String, Object>) method's first parameter:

 public class CustomReportSourceResolver : IReportSourceResolver
 {
     public Telerik.Reporting.ReportSource Resolve(string reportId, OperationOrigin operationOrigin, IDictionary<string, object> currentParameterValues)
     {
        ...
     }
}

I hope this approach will cover your needs, please do not hesitate to let me know if you have any further questions or if you need further assistance. 

Regards,
Dimitar
Progress Telerik

Brand new Telerik Reporting course in Virtual Classroom - the free self-paced technical training that gets you up to speed with Telerik and Kendo UI products. Check it out at https://learn.telerik.com/.
Chris Olivier
Top achievements
Rank 1
commented on 25 Jan 2023, 06:26 AM

Thank you for the information, Dimitar. I will look further into IReportSourceResolver and the article that you linked to.
Tags
General Discussions Report Parameters Report Viewer - HTML5 Security
Asked by
Chris Olivier
Top achievements
Rank 1
Answers by
Dimitar
Telerik team
Share this question
or