
Prologika Forums

Business Intelligence to the Masses
Latest post 11-02-2007 1:26 PM by tlachev. 17 replies.
  • 09-13-2007 9:28 AM

    • harsha
    • Top 100 Contributor
    • Joined on 09-13-2007
    • Posts 3

    Saving Security Descriptor

    I am writing a custom security extension (using Windows Authentication) and using Windows Authorization Manager’s AuthStore (in XML file format) for storing all security policies. In the CheckAccess method of the IAuthorizationExtension interface implementation, I want to know which item is accessed so that I can check the access permission to that particular item in my AuthStore. In this link http://prologika.com/CS/forums/p/614/2338.aspx it is mentioned that the only way to get the item path is through the report url, but we don't have our own report manager application, hence we cannot pass the report url.

    Is there any way to save the security descriptor of a particular item so that in the CheckAccess method we can directly compare it with the one we get in the method call and get to know which item it maps to?

  • 09-13-2007 5:08 PM In reply to

    Re: Saving Security Descriptor

    ... but we don't have our own report manager application, hence we cannot pass the report url.

    You don't need to pass the report url explicitly. The idea there is just to get the ASP.NET query string. Since the Report Server executes under IIS, you should get something like /server/reportserver/path/reportname?...

    Is there any way to save the security descriptor of a particular item so that in the CheckAccess method we can directly compare it with the one we get in the method call and get to know which item it maps to?

    You can cache it but you don't know the item to be secured, correct? So, I am not sure if this approach will help.

  • 09-14-2007 4:21 AM In reply to

    • harsha
    • Top 100 Contributor
    • Joined on 09-13-2007
    • Posts 3

    Re: Saving Security Descriptor

    We are using ssrs report manager for accessing reports. Can you please give some pointers which tell how to get the query string in our custom security extension?

    If you could provide a link to any appropriate articles or APIs, that would be very helpful.

  • 09-14-2007 8:03 AM In reply to

    Re: Saving Security Descriptor

    System.Web.HttpContext.Current.Request.Url should give you the incoming url.

  • 09-18-2007 2:59 AM In reply to

    • harsha
    • Top 100 Contributor
    • Joined on 09-13-2007
    • Posts 3

    Re: Saving Security Descriptor

    Thanks for that reply Teo.

    I tried getting the url using "System.Web.HttpContext.Current.Request.Url".

    I have a hierarchy of folders like Home\Testfolder1\TestFolder2\Report1

    While accessing TestFolder1 and TestFolder2 I expect that the url should give me something like
    http://reporting-machine/ReportServer/Reserved.ReportServer?%2fTestFolder1
    and
    http://reporting-2k5-2/ReportServer/Reserved.ReportServer?%2fTestFolder1%2fTestFolder2
    respectively.

    But what I get instead is
    http://reporting-machine/ReportServer/ReportService2005.asmx
    or
    http://reporting-machine/ReportServer/ReportExecution2005.asmx  

    and only when I access Report1 do I get the result as expected, i.e.
    http://reporting-machine/ReportServer/Reserved.ReportServer?%2fTestFolder1%2fTestFolder2%2fReport1

    So my observation is, I get the correct path only when I access a particular report and not when I access a particular folder.
    My question is why can't I see the correct path when I access a particular folder or is there any other way to get the folder information (path)?

  • 09-18-2007 8:06 AM In reply to

    Re: Saving Security Descriptor

    This probably happens because only report requests result in URL GET requests. The rest are POST requests from web service invocations so you need to parse the input stream to get to the raw POST payload. Try this:

            System.Web.HttpRequest request = System.Web.HttpContext.Current.Request;

            if (request.Headers["SOAPAction"] == null)
            {
                // GET request

                // request.Url will give you the report path
            }
            else
            {
                // POST request
                System.IO.Stream stream = request.InputStream;
                byte[] requestBody = new byte[stream.Length];
                stream.Read(requestBody, 0, requestBody.Length);
                // rewind so the Report Server can still read the body afterwards
                request.InputStream.Position = 0L;
                string payload = System.Text.Encoding.ASCII.GetString(requestBody);
                // parse the request POST payload to get to the item path
            }

  • 09-28-2007 5:15 AM In reply to

    Re: Saving Security Descriptor

    Thanks Teo, now everything is working fine except for the Authentication Extension's LogOnUser function.
    We have to make a decision regarding where to put the code to update the Authorization store from the database.
    As the LogOnUser function is called only once during the lifetime of the user's session, we thought of putting this code in that function. But the problem is, the LogOnUser function is not getting called at all.
    I tried restarting the IIS service on both client and server machines, but in the Trace log everything gets printed except for the traces in the LogOnUser function.
    I also tried returning false from the LogOnUser function but still the reports work fine without giving any authentication errors.

    My question is: why is the LogOnUser function not getting called?

    PS: I'm posting this question using different credentials but this is in reference to the previously asked questions.

  • 09-28-2007 8:13 AM In reply to

    Re: Saving Security Descriptor

    The Report Server invokes your LogonUser implementation after your custom application invokes the LogonUser() API.

  • 10-04-2007 10:00 AM In reply to

    Re: Saving Security Descriptor

    We are looking for a method which is invoked only once during the lifetime of user's session so that we can do all the initialization related to the authorization store in that method. As we are using Windows Authentication, IAuthentication::LogOnUser is not helpful as it does not get invoked at all.

    Will it be correct to declare a static constructor for IAuthentication interface implementation and do all initializations in that Authentication constructor? Is there any other option (method) for doing the same?

  • 10-05-2007 3:41 PM In reply to

    Re: Saving Security Descriptor

    A static constructor but it will be invoked once instead of once per user. Have you tried SetConfiguration? If I recall correctly it is called several times by the ReportServer however.

  • 10-19-2007 7:50 AM In reply to

    Re: Saving Security Descriptor

    I have tried SetConfiguration and it is called several times. So right now I'm proceeding with static constructor solution. But now I have a different problem :

    For getting the path of item that is currently getting accessed, I am using this code as you had suggested in your earlier posts :

            System.Web.HttpRequest request = System.Web.HttpContext.Current.Request;

            if (request.Headers["SOAPAction"] == null)
            {
                // GET request

                // request.Url will give you the report path
            }
            else
            {
                // POST request
                System.IO.Stream stream = request.InputStream;
                byte[] requestBody = new byte[stream.Length];
                stream.Read(requestBody, 0, requestBody.Length);
                // rewind so the Report Server can still read the body afterwards
                request.InputStream.Position = 0L;
                string payload = System.Text.Encoding.ASCII.GetString(requestBody);
                // parse the request POST payload to get to the item path
            }


    The problem I am facing is that, the else part does not give me the item path all the time. Encoding.ASCII.GetString(requestBody) returns me a string which is in the format :

    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <soap:Body>
            <ListChildren xmlns="http://schemas.microsoft.com/sqlserver/2005/06/30/reporting/reportingservices">
                <Item>/SampleReports/TestFolder1</Item>
                <Recursive>false</Recursive>
            </ListChildren>
        </soap:Body>
    </soap:Envelope>

    I parse this string to get the value of the <Item> node, but sometimes the value is empty. I tried to run this code some n number of times with a sleep of m seconds, but still the item node value is empty. So my question is why is one attempt not sufficient to give me the correct request url? Is there any other alternative to get this url?

     

  • 10-19-2007 8:26 AM In reply to

    Re: Saving Security Descriptor

    What API is being invoked when the Item is empty? In your example, ListChildren takes an item argument but other APIs may not have an Item argument.
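
The point made in the reply above, that an empty `<Item>` can simply mean the invoked operation has no such argument, as an added example that is not code from the thread or from Reporting Services. It reports the operation name alongside the path and parses with DTDs prohibited, since the body is untrusted input to an authorization decision. Assumptions: a modern .NET runtime, the hypothetical class name `SoapItemPath`, `Report` as a second candidate element name, and constructed sample bodies.

```csharp
// Added example, not code from the thread. SoapItemPath is a hypothetical name.
using System;
using System.IO;
using System.Linq;
using System.Xml;
using System.Xml.Linq;

static class SoapItemPath
{
    static readonly XNamespace Soap = "http://schemas.xmlsoap.org/soap/envelope/";
    // "Item" is the element seen in the thread; "Report" is an assumed second candidate.
    static readonly string[] PathElements = { "Item", "Report" };

    // Returns the operation name (null if the body is unusable).
    // itemPath stays null when the operation carries no path argument.
    public static string Parse(string soapXml, out string itemPath)
    {
        itemPath = null;
        var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };
        XDocument doc;
        try
        {
            using (var reader = XmlReader.Create(new StringReader(soapXml), settings))
                doc = XDocument.Load(reader);
        }
        catch (XmlException) { return null; }   // malformed body, or a DTD was present
        XElement op = doc.Root?.Element(Soap + "Body")?.Elements().FirstOrDefault();
        if (op == null) return null;
        XNamespace ns = op.Name.Namespace;      // arguments share the operation's namespace
        XElement path = PathElements.Select(n => op.Element(ns + n)).FirstOrDefault(e => e != null);
        if (path != null && path.Value.Trim().Length > 0) itemPath = path.Value.Trim();
        return op.Name.LocalName;
    }

    static void Main()
    {
        const string rs = "http://schemas.microsoft.com/sqlserver/2005/06/30/reporting/reportingservices";
        const string open = "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\"><soap:Body>";
        const string close = "</soap:Body></soap:Envelope>";
        // Constructed bodies: the first mirrors the one posted above, the second has no Item argument.
        string withItem = open + "<ListChildren xmlns=\"" + rs + "\"><Item>/SampleReports/TestFolder1</Item>" +
                          "<Recursive>false</Recursive></ListChildren>" + close;
        string noItem = open + "<ListSecureMethods xmlns=\"" + rs + "\" />" + close;
        foreach (string body in new[] { withItem, noItem })
        {
            string op = Parse(body, out string path);
            Console.WriteLine(op + ": " + (path ?? "(no item path in this call)"));
        }
    }
}
```

Logging the operation name next to each empty path shows which calls legitimately carry no item; the `CheckAccess` caller then has to decide explicitly what to do when `itemPath` is null.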

  • 10-23-2007 10:21 AM In reply to

    Re: Saving Security Descriptor


    A different API is invoked every time. I did not notice that earlier. Now it is working fine. Thanks Teo.

    Having solved this problem, I'm facing another problem with my custom security extension.
    I want my security extension to support both msrs 2000 and msrs 2005, so I have compiled my source code with the 8.0.1038.0 version of Microsoft.ReportingServices.Interfaces.dll.
    When I run this security extension in a 2.0 environment (on an msrs 2005 installed machine) I get an exception:

    Exception caught instantiating Windows report server extension: System.TypeLoadException: Method 'CheckAccess' in type 'MyCustomSecurityExtension.Authorization' from assembly 'MyCustomSecurityExtension, Version=1.0.2852.34699, Culture=neutral, PublicKeyToken=null' does not have an implementation.

    I guess this is because of the two new enums ModelOperation and ModelItemOperation for which the 2005 version of Microsoft.ReportingServices.Interfaces.dll implements CheckAccess functions with prototypes :

    public bool CheckAccess(string userName,
                IntPtr userToken, byte[] secDesc,
                ModelItemOperation requiredOperation)


    public bool CheckAccess(string userName,
                IntPtr userToken, byte[] secDesc,
                ModelOperation requiredOperation)

    These two functions are not supported in msrs 2000.

    My question is, is it possible for a custom security extension to support both msrs 2000 and 2005? And if yes, how do I get rid of this exception?

  • 10-23-2007 12:10 PM In reply to

    Re: Saving Security Descriptor

    I don't think so. You will need to prepare two binaries of your custom security extension.

  • 11-01-2007 4:35 AM In reply to

    Re: Saving Security Descriptor

    I created two binaries with the necessary changes in the source files and referencing appropriate versions of Microsoft.ReportingServices.Interfaces.dll in both the projects. The binary for msrs 2005 works fine but in case of msrs 2000(sp2), I get an exception while creating the IAuthenticationExtension object.

    Request for the permission of type System.Security.Permissions.StrongNameIdentityPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 failed.

    I tried adding an mscorlib entry in the rssrvpolicy.config file and giving it Fulltrust but that does not help.
    Why is it looking for the 1.0.5000.0 version of mscorlib instead of the 1.1 version? I also tried adding this code in the Web.config in reportserver:

    <runtime>
     <legacyImpersonationPolicy enabled="true"/>
     <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
       <assemblyIdentity name="mscorlib"
       publicKeyToken="b77a5c561934e089"
       culture="neutral" />
       <bindingRedirect oldVersion="1.0.5000.0"
       newVersion="1.1.4322.573"/>
      </dependentAssembly>
     </assemblyBinding>
    </runtime>


    But this also doesn't help.

Copyright © 2005 Prologika, LLC