Every time we generate a web report, ajax request leads to the execution of handlers: WebResource.axd and FastReport.Export.axd. Files with the axd extension are used in ASP.Net applications to get resources from dll libraries: images, javascript and styles.
As a result, we get an HTML report file. But, since the report is generated and located in the IIS cache, then, knowing the generated report ID (which is generated upon request), a malefactor can easily get it. And this is a potential security issue if the report contains confidential data. The way out of this situation can be user authentication. That is, if the report is called by a specific user, then only he can get a copy of it.
We could check the http request for user authentication, but this is not a way out. A malefactor can always spoof a request. The best solution would be session authentication. Until recently, FastReport.Net did not provide such functionality. But in version 2019.3.13 there appeared an event for ajax authentication of report resources loaded via asp handler in WebReport.
The WebReport.CustomAuth event is executed before the report is displayed. At this point, you can check the user in the session. Here is an example of using a new event:
1 2 3 4 5 6 7 8 9 10 11 12 13 |
public ActionResult Index() { Session["User"] = "Father Brown"; ... webReport.CustomAuth += WebReport_CustomAuth; ... } ... private void WebReport_CustomAuth(object sender, CustomAuthEventArgs e) { e.AuthPassed = (e.Context.Session["User"] as string) == "Father Brown"; } ... |
As you can see, first, before creating the report, we set the username in the Http session, subscribe to the event. In the event handler, we perform a user check. If the report is requested by another user, then his name in the session will be different and the report will not be displayed. This example shows user authentication, but you can implement your own version.
Thus, we can significantly improve data security by implementing report authentication.
