Forms Authentication and RS Web Service
Often, report enabling Internet-facing applications require replacing the default RS Windows-based security with Forms Authentication. This allows clients to request reports by URL with the all the goodies that URL addressability entail, namely support for interactive features and the HTML Viewer toolbar. While RS Forms Authentication is well-documented (see the Forms Authentication whitepaper by Microsoft), something which may not be so obvious is that Forms Authentication can be used not only with URL addressability but also with the RS web service. Let’s say you want most of your reports to be requested by URL but some to be generated on the server-side of the application by SOAP. Or, you need to manage a Report Server installation configured for Forms Authentication from a WinForm client by calling the management SOAP APIs. The RS Forms Authentication model supports all these scenarios. All in all, it boils down to to storing the authentication ticket (cookie) received from the LogonUser call on the client side and passing it back with each request. I whipped out a simple WinForm app (sorry C# only, but they are free converters out there for C#->VB ) to show how this could be done. This sample doesn’t have any bugs! Common, we all know this is not true :-). Please let me know if something buggy raises its ugly head. Usual disclaimers apply also…you are on your own basically. DISCLAIMER: One thing that you may need definitely to change if you are planning to retrofit my code to a web app is way the app stores the cookie. You will notice that the sample app stores the cookie in a static class member. This is all fine with WinForm apps running on single thread by definitely no-no for web applications where you need to be aware of multi-threading and multi-user issues. If the web app is the same one that requests reports by URL, the simplest solution may be not to store the cookie at all but to get it from the current HTTP context, similar to the original implementation of the overridden proxy class that comes with the MS sample.
For time being, the sample Forms Authenticator app can be downloaded from here.