Report viewer control authentication – Part 2 – Forms Authentication

If the reporting services configured to use forms authentication and you need to show the reports in the custom developed applications then the need of processing authentication the report viewer control through the code.
Report viewer control authentication using windows authentication is described in the part 1 here. Now, we will discuss the authenticating forms authentication through C# code.
If we are are developing windows application and want to use report viewer control, then we need to implement the below logic to authenticate.

reportViewer1.ServerReport.ReportServerCredentials.SetFormsCredentials(null, "userName", "password", "");
this.reportViewer1.RefreshReport();

Where as in forms authentication simply assigning the credentials not enough. The reasons behind are, security, code efficiency, performance, response time etc everything come into the picture. So, we need to write code which supports everything.
What are the major tasks?

• Report viewer control excepts the credential of type IReportServerCredentials. So, we need to create an object which inherits from this interface and pass this to the report viewer control to authenticate.
• Handling cookie. Based on the login and request is successful we will write the cookie to browser and keep that in browser for further requests processing. The advantage is if cookie is available then won’t make any request to report server for authenticating.
• To create the cookie related information we actually need of hijack the request and response and get the cookie information and save it to browser. So, how to catch the request and response which made to report server? We will discuss this later in this article.
• To actually communicate to the report server, we need to make the communication with it. The best way to do that is using web services. Everyone knows that reports in SSRS gets with two sites. One is report manager means report web application [/reports] and the report server means a report web service[/reportserver]. So, we will use the web service, write a proxy and implement the existing functions in it.

I think, it is little bit complex to understand the above tasks. But actually they are very simple to implement.


Code needed: We need two classes to get what we need. These are custom classes and add them in single file named ReportServerCredentials.cs somewhere in the project.

• Classes needed - ReportServerCredentials and ReportingService.

public class ReportServerCredentials : IReportServerCredentials
{
private Cookie m_authCookie;
public ReportServerCredentials(Cookie authCookie)
{
m_authCookie = authCookie;
}
public WindowsIdentity ImpersonationUser
{
get
{
return null;  // Use default identity.
}
}
public ICredentials NetworkCredentials
{
get
{
return null;  // Not using NetworkCredentials to authenticate.
}
}
public bool GetFormsCredentials(out Cookie authCookie,
out string user, out string password, out string authority)
{
authCookie = null;
user = ConfigurationManager.AppSettings["ReportServerUserName"];
password = ConfigurationManager.AppSettings["ReportServerPassword"];
authority = "";
return true;  // Use forms credentials to authenticate.
}
}
public class MyReportingService : rsExecutionReference.ReportExecutionService
{
private Cookie m_authCookie;
public Cookie AuthCookie
{
get
{
return m_authCookie;
}
}
protected override WebRequest GetWebRequest(Uri uri)
{
HttpWebRequest request = (HttpWebRequest)HttpWebRequest.Create(uri);
request.CookieContainer = new CookieContainer();
if (m_authCookie != null)
request.CookieContainer.Add(m_authCookie);
return request;
}
protected override WebResponse GetWebResponse(WebRequest request)
{
WebResponse response = base.GetWebResponse(request);
string cookieName = response.Headers["RSAuthenticationHeader"];
if (cookieName != null)
{
HttpWebResponse webResponse = (HttpWebResponse)response;
m_authCookie = webResponse.Cookies[cookieName];
}
return response;
}
}

A small explanation:
ReportServerCredentials class is the class which is inheriting from the IReportServerCredentials interface.

• If we are using the impersonation then the first property will be used.
• If we are passing the custom network credentials then the second property will be used.
• If we are using forms authentication then the method GetFormsCredentials() will be used.

ReportingService is the class which is inheriting from the ReportExecutionService web service. The question in your mind now is what is the "rsExecutionReference". This is the web reference to the report server web service. To get this, right click on the web application/web site and select the option "Add web reference". Now, in the input box, enter the report server url ending with "ReportExecution2005.asmx". For example, if your report server is at http://localhost/reportserver then the web service location will be http://localhost/reportserver/ReportExecution2005.asmx. Add the web reference to project or site. Now, we have the web service proxy created in the solution. So, in my code rsExecutionReference is nothing but the web service proxy for the report server web service.
The web service has two methods already implemented GetWebRequest() and GetWebResponse(). So, we are overriding them in our code to catch the cookie ticket information which is returned by the report server. If you observe the GetWebResponse() code, we are actually checking for the header information from the response and in the response we are catching the cookie we need. If cookie is null means the request authentication failed and means invalid credentials passed.
I think, till now what I have mentioned is clear for you and we are done with contacting or communicating with the web service. Now, where we are calling the web service or in other words where the authentication request started? It's not yet. Check the below code and notes for it.
I have a Utility class in my application where I place all the util related code in it. For example purpose, I am assuming this method you have placed in Utility class  [If no Utility class in your application then create one and place this below method in it].

public static HttpCookie AuthenticateReportServerAccess()
{
MyReportingService svc = new MyReportingService();
svc.Url = ConfigurationManager.AppSettings["ReportServerWebSeriveUrl"];
HttpCookie hcookie = null;
try
{
svc.LogonUser(ConfigurationManager.AppSettings["ReportServerUserName"],
ConfigurationManager.AppSettings["ReportServerPassword"], null);
Cookie myAuthCookie = svc.AuthCookie;
if (myAuthCookie == null)
{
//Message.Text = "Logon failed";
}
else
{
hcookie = new HttpCookie(myAuthCookie.Name, myAuthCookie.Value);
HttpContext.Current.Response.Cookies.Add(hcookie);
}
}
catch (Exception ex)
{
//Message.Text = "Logon failed: " + ex.Message;
}
return hcookie;
}

What this method is doing? A little explanation is here. We need to make or send a request to report server for authenticating the current request to load a report. So, I am using this method for that. I have a proxy class as described above and based on that I have created my own custom class named ReportingService. So, I am using that to make the call by using the built in function exists in the web service named LogonUser(). Which is actually takes three parameters named username, password and authority. Authority is optional, the specific authority to use when authenticating a user. For example, a Windows domain, some name to make distinct the call for that user. Pass a value of null to omit this argument. This will make call to the report server. Because of we override the request and response methods in proxy, it will come to those method and executes all the code in them. So, in the method AuthenticateReportServerAccess() we are making request and getting the cookie. If wrong credentials passed then it means cookie is null. So, you can write your own logic there like throw exception or show some message, If you have any login page implemented for reporting then redirecting the user there etc… If cookie exist then Add that cookie to the response object.
Now, we are done with making a call and processing it and loading cookie. Now what? What we left with… See below.
In the page where we have placed the report viewer control, there add the below code. The below code you can write may be in onclick event of something or when page loads depends on your requirement.

HttpCookie cookie = Request.Cookies["sqlAuthCookie"];
if (cookie == null)
{
cookie = Util.AuthenticateReportServerAccess();
}
if(cookie != null)            {
//Add logic to pass parameters if needed.

reportViewer1.ServerReport.ReportServerUrl = new Uri("reportserverurl");
reportViewer1.ProcessingMode = ProcessingMode.Remote;
reportViewer1.ServerReport.ReportPath = "reportPath";
Cookie authCookie = new Cookie(cookie.Name, cookie.Value);
authCookie.Domain = Request.Url.Host;
reportViewer1.ServerReport.ReportServerCredentials =
new ReportServerCredentials(authCookie);           
//If any parameters then reportViewer1.ServerReport.SetParameters(reportParams);
}

What is happening in the code? We are checking whether the cookie already exist means user is already authenticated and if it null then we are sending request to report server and loading the cookie to browser. If cookie exists then it will go to second if condition and loads the report in the report viewer control by passing the cookie information to report server.
OHHH… What else? we are done with complete coding. We are left with testing the code.
Note: If you observe the code, there are some places we are getting the appsettings keys from the web.config.

• ReportServerWebSeriveUrl: Report server web service url like http://localhost/reportserver/ReportExecution2005.asmx
• ReportServerUserName: Report server username
• ReportServerPassword: Report server password.

Hope you are well understood and not with many questions in mind at this stage. Please feel free to ask me if you have any questions. Love to hear comments.