Phil Aldis
Hi,
I'm having a little difficulty getting my head round Windows integrated
security/impersonation and I'd appreciate a little help with the problem I'm
trying to solve (or an indication that what I'm trying to do is too hard to
be worth it!)
To give you the background: I'm developing a web portal application which
has a fairly limited number of users. We're using SQL Server Reporting
Services. A number of the reports need to be bound to groups of users; also,
some of the reports need to know the logged-in user to use directly in the
SQL queries. This can, of course, all be done using Windows Integrated
Authentication. Also, another piece of info, I can't justify the cost of the
Enterprise version of SQL Server and so cannot use a reporting services
custom security extension (e.g. Form based authentication). Also, I'm serving
up my reports using the reportviewer custom control, which loads reports into
an IFrame, so effectively creates its own http requests.
I have no problems creating accounts on the server for every user. What I
don't like, however, is the integrated security popup box. It's quite ugly
and from a user experience point of view really doesn't fit in with their
expectations of a web application, where they would expect a more forms based
view. I thought that I might be able to do something in the background
whereby they could log in through a form and I could manually do the logging
in, and from then on (until timeout) this user would be regarded by the
webapp and report server as the credentials supplied.
Okay, so I used the demo in MSDN:
ms-help://MS.MSDNQTR.2004JUL.1033/cpref/html/frlrfSystemSecurityPrincipalWindowsIdentityClassImpersonateTopic1.htm
and webapp'ed it. This works and I was hoping that if I didn't undo the
impersonation at the end, that all future http requests from this client
would be regarded as the impersonated user, which would obviously enable
someone to login and then when they view reports they would be that user. I
kinda knew that wasn't going to work and it feels like I might still be able
to do this by doing something with the security token.
Is what I'm trying to do mad? Am I going to have to implement my own
HttpHandler and impersonate the user I think someone is, at each request? It
would be great if there are any tutorials out there. Obviously if it's too
difficult, or will introduce huge security weaknesses in the system then it's
just not worth it. As I said, all I'm trying to do here is remove the popup
login box!
Thanks in advance for your help,
Phil Aldis