Friday, March 30, 2012

IAuthorizationExtension and RoleProvider

We have developed a custom ASP.NET 2.0 RoleProvider to authorize access to
different areas of our web app so that administrators of our application
could control access rather than IT staff. The custom RoleProvider reads
user and role information from a SQL Server 2005 database. We are not using a
custom MembershipProvider. We are now trying to integrate Reporting Services
2005 with the web app. I want the roles used to authorize access to reports
to be the same roles that are used to authorize access to the pages in my web
app. I would like to have Reporting Services use my custom RoleProvider. It
is my understanding that I need to create a class that implements
IAuthorizationExtension to do this.

I have the example from the Teo Lachev book. Not exactly what I needed, but
I figure if I could get that one running, I could modify it to call my custom
RoleProvider. When I implemented the sample from the book, I get an
exception when it calls the BinaryFormatter Deserialize method to
deserialize the SecDesc item that was passed to GetAccess. The error message I
get is 'The input stream is not in a valid binary format. The starting
contents (in bytes) are :06-05-00-9c...'

Can anyone explain how a custom Authorization Extension is supposed to use the
security descriptors it gets from RS?

Has anyone managed to use ASP.NET 2.0 RoleProviders with RS2005? Is there
any good documentation on how to implement and deploy an
IAuthorizationExtension? Should I be taking another approach?

It seems to me that there ought to be [supplied by Microsoft] an
implementation of the IAuthorizationExtension that calls a RoleProvider to
determine what groups a user is in, but I have not been able to find it.
Without this ability, the RoleProvider functionality is useless, because IT
staff would need to maintain AD groups to control access to reports while an
application administrator would need to maintain RoleProvider groups that
control access to my pages. It sounds like if someone wants to use
Reporting Services, they should not be using a custom RoleProvider.

Just in case anyone else experiences this problem in the future, I thought
I'd document what I've figured out so far. This is probably all buried in
some documentation somewhere, but I've been unable to find it.

When writing my previous post, I had installed RS2005 and then installed a
custom Authorization Extension and was getting an error saying 'The
input stream is not in a valid binary format...' when trying to access the
root folder of the report server. I had copied much of the code from the
Lachev book.

The root folder of the report server was created at the time I installed
RS2005. My custom Authorization Extension was not in place at the time the
root folder was created, so the ACL for the folder was created and serialized
using the CreateSecurityDescriptor method of the default Authorization
Extension that comes with RS2005 (i.e. the one that works with AD groups).
I could browse to the root folder of the report server at this time with no
problem.

After I installed my custom Authorization Extension and browsed to the root
folder, RS passed the ACL created and serialized by the default
Authorization Extension to my custom Authorization Extension. This caused
the issue. The CreateSecurityDescriptor and the CheckAccess methods work
hand-in-hand. The ACL created by CreateSecurityDescriptor of the default
Authorization Extension could not be deserialized by the GetAccess method of
my custom Authorization Extension.

Afterwards, I created a new folder. Because this new folder was created
with my extension in place, the ACL was serialized by my own
CreateSecurityDescriptor method, and thus could be deserialized by my own
GetAccess method with no problem.

I just can't access the root folder after having installed my extension,
because the security extension was not created by my code!
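
The failure described in the post above, sketched as an added example (not code from the thread, the Lachev book, or Microsoft): a reader that checks whether a security descriptor begins with a BinaryFormatter stream header before deserializing it, and reports failure so the caller can deny access when the descriptor was written by a different extension. `SecDescReader`, `TryRead` and the sample data are hypothetical names and constructed values; a real extension would cast the result to its own ACL type.

```csharp
using System;
using System.Collections;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

static class SecDescReader // hypothetical helper
{
    // A BinaryFormatter stream opens with a SerializedStreamHeader record:
    // record type 0x00, then RootId, HeaderId, MajorVersion (1) and
    // MinorVersion (0), each a little-endian Int32: 17 bytes in total.
    const int HeaderLength = 17;

    public static bool LooksLikeBinaryFormatter(byte[] secDesc)
    {
        return secDesc != null && secDesc.Length > HeaderLength
            && secDesc[0] == 0x00
            && BitConverter.ToInt32(secDesc, 9) == 1    // MajorVersion
            && BitConverter.ToInt32(secDesc, 13) == 0;  // MinorVersion
    }

    // Returns false when the descriptor was not produced by this extension's
    // own serializer; the caller treats that as "no access" instead of throwing.
    public static bool TryRead(byte[] secDesc, out object acl)
    {
        acl = null;
        if (!LooksLikeBinaryFormatter(secDesc)) return false;
        try
        {
            using (MemoryStream ms = new MemoryStream(secDesc))
                acl = new BinaryFormatter().Deserialize(ms);
            return true;
        }
        catch (SerializationException) { return false; }
    }
}

static class Demo
{
    static void Main()
    {
        // Constructed stand-in for an ACL serialized by the custom extension.
        ArrayList sample = new ArrayList();
        sample.Add("ReportReaders");
        MemoryStream own = new MemoryStream();
        new BinaryFormatter().Serialize(own, sample);

        // Constructed: only the first four bytes come from the error message
        // quoted in the post; the remainder is zero padding.
        byte[] foreign = new byte[32];
        foreign[0] = 0x06; foreign[1] = 0x05; foreign[2] = 0x00; foreign[3] = 0x9c;

        object acl;
        Console.WriteLine("own descriptor readable:     " + SecDescReader.TryRead(own.ToArray(), out acl));
        Console.WriteLine("foreign descriptor readable: " + SecDescReader.TryRead(foreign, out acl));
    }
}
```

The example targets the .NET Framework, where BinaryFormatter is available; because BinaryFormatter can instantiate arbitrary types, it should only ever be fed descriptors that come from the report server catalog.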
|||Did you ever figure out how to clear the old security descriptor?
