0

I use ReportViewerForMvc and it installs ReportViewerWebForm.aspx into the root project folder. How do I restrict access to ReportViewerWebForm.aspx? I have tried

<location path="ReportViewerWebForm.aspx">
    <system.web>
        <authorization>
            <deny users="?"/>
        </authorization>
    </system.web>
</location>

However, this results in the .aspx denied access even to the logged in users.

Ian Kemp
  • 28,293
  • 19
  • 112
  • 138
Kok How Teh
  • 3,298
  • 6
  • 47
  • 85

2 Answers2

1

You can try adding allow element for all authenticated/logged in users after deny element:

<location path="ReportViewerWebForm.aspx">
    <system.web>
        <authorization>
            <deny users="?" />
            <allow users="*" />
        </authorization>
    </system.web>
</location>

Or try this example:

<configuration>
    <system.web>
        <!-- authentication element -->

        <authorization>
            <deny users="?" />
        </authorization>
    </system.web>

    <location path="ReportViewerWebForm.aspx">
        <system.web>
            <authorization>
                <allow users="*" />
            </authorization>
        </system.web>
    </location>
</configuration>

The "?" belongs to unauthenticated/anonymous users (not logged in), and "*" belongs to everyone else. The first matched authorization rule always processed first, in top to bottom order.

If you want restrict access to the report viewer page by allowing only certain roles to open it, use authorization schema like example below (mention all allowed roles separated by comma):

<location path="ReportViewerWebForm.aspx">
    <system.web>
        <authorization>
            <allow roles="rolename_1,rolename_2,..." />
            <deny users="*" />
        </authorization>
    </system.web>
</location>

Note: Make sure that you already have authentication element before using authorization rules:

<authentication mode="Forms">
   <forms loginUrl="~/Account/Login" ... />
</authentication>

References:

allow Element for authorization (ASP.NET Settings Schema)

deny Element for authorization (ASP.NET Settings Schema)

Setting authorization rules for a particular page or folder in web.config

Similar issues:

Authorization to deny access pages under a folder not working

Deny anonymous users problem

Tetsuya Yamamoto
  • 24,297
  • 8
  • 39
  • 61
0

Resolved by adding a code-behind and subclassing ReportViewerForMvc.ReportViewerWebForm, validate user in Page_Load event using session cookie.

Kok How Teh
  • 3,298
  • 6
  • 47
  • 85