I'm using Reporting Servicves for SQL Server 2000 and I've embedded a
ReportViewer control in an ASP.NET page. The reports I link to all require a
sensitive parameter value and I have been passing that through using the
query string. Unfortunately, the entire URL of the report--including the
parameter in the query string--is visible in the source for the page, and I
don't want the user to see this for security purposes.
Is there a way to hide this? I'm open to any and all suggestions.
Thanks,
MarkSearch the group on encryption - use System.Security.Cryptography package
I just repeat myself from a previous posting:
"Parameter's encryption is a key to solve your problem.
The simplest ( but not the only) way is:
1.create your own parameters collection pages (forms).
2. encrypt user input using a permanent or temporary encryption key.
3. Reference encryption assembly in your report designer.
4. use a decryption routine in your custom code akin
"=Code.Library.Decrypt(Parameters!account_id);" by retrieving an encryption
key used in step 2.
By using this approach even a simplest parameter will be totally un
guessable, because even a single digit will be encrypted to something like
"bHZiajB4TGpBdU1"
"
"Mark" <Mark@.discussions.microsoft.com> wrote in message
news:98599DF6-C0E8-418A-A573-8293EEE98E13@.microsoft.com...
> I'm using Reporting Servicves for SQL Server 2000 and I've embedded a
> ReportViewer control in an ASP.NET page. The reports I link to all require
> a
> sensitive parameter value and I have been passing that through using the
> query string. Unfortunately, the entire URL of the report--including the
> parameter in the query string--is visible in the source for the page, and
> I
> don't want the user to see this for security purposes.
> Is there a way to hide this? I'm open to any and all suggestions.
> Thanks,
> Mark|||For RS 2000 you can use web services. There is really no way using URL
integration to hide it from the source. You can hide it from the page being
displayed but if they go View, Source they will see it.
In VS 2005 there are two new controls that work with RS 2005. They use web
services under the covers, not URL integration. You do have to have RS 2005.
Note that you can upgrade to RS 2005 while leaving the database at 2000
(that is what I have done). You do need a SQL Server 2005 license for this
however.
My suggestion is if security is important then you use the new controls.
One other option, put the parameters in a database table and then pass the
primary key to the table and have a dataset extracting the parameters.
This does make things more complicated but it is a version independent
solution (if you can convince management to upgrade to RS 2005). Note what I
said about upgrading. Sometimes it is easier to get permission to upgrade
reporting services than it is to upgrade a SQL Server database.
Bruce Loehle-Conger
MVP SQL Server Reporting Services
"Mark" <Mark@.discussions.microsoft.com> wrote in message
news:98599DF6-C0E8-418A-A573-8293EEE98E13@.microsoft.com...
> I'm using Reporting Servicves for SQL Server 2000 and I've embedded a
> ReportViewer control in an ASP.NET page. The reports I link to all require
> a
> sensitive parameter value and I have been passing that through using the
> query string. Unfortunately, the entire URL of the report--including the
> parameter in the query string--is visible in the source for the page, and
> I
> don't want the user to see this for security purposes.
> Is there a way to hide this? I'm open to any and all suggestions.
> Thanks,
> Mark|||Good point. I forgot about doing that.
Bruce Loehle-Conger
MVP SQL Server Reporting Services
"Oleg Yevteyev" <myfirstname001atgmaildotcom> wrote in message
news:OdtQOZxCGHA.1816@.TK2MSFTNGP11.phx.gbl...
> Search the group on encryption - use System.Security.Cryptography package
> I just repeat myself from a previous posting:
> "Parameter's encryption is a key to solve your problem.
> The simplest ( but not the only) way is:
> 1.create your own parameters collection pages (forms).
> 2. encrypt user input using a permanent or temporary encryption key.
> 3. Reference encryption assembly in your report designer.
> 4. use a decryption routine in your custom code akin
> "=Code.Library.Decrypt(Parameters!account_id);" by retrieving an
> encryption
> key used in step 2.
> By using this approach even a simplest parameter will be totally un
> guessable, because even a single digit will be encrypted to something like
> "bHZiajB4TGpBdU1"
> "
>
> "Mark" <Mark@.discussions.microsoft.com> wrote in message
> news:98599DF6-C0E8-418A-A573-8293EEE98E13@.microsoft.com...
>> I'm using Reporting Servicves for SQL Server 2000 and I've embedded a
>> ReportViewer control in an ASP.NET page. The reports I link to all
>> require a
>> sensitive parameter value and I have been passing that through using the
>> query string. Unfortunately, the entire URL of the report--including the
>> parameter in the query string--is visible in the source for the page, and
>> I
>> don't want the user to see this for security purposes.
>> Is there a way to hide this? I'm open to any and all suggestions.
>> Thanks,
>> Mark
>
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment