Authorization in REST Service Controller
Environment
| Product | Progress® Telerik® Reporting |
|---|---|
Description
When the [Authorize] attribute is added above the ReportsController class, the report viewer no longer displays.
Solution
By design, the ReportsController methods that serve resources are marked with the [AllowAnonymous] attribute, i.e. they do not require authorization. These requests are left anonymous because they are issued directly by the browser (for example, an image referenced from the rendered page) rather than through the viewer's script, so the viewer has no way to attach an authentication token to them. As a mitigation, every resource is addressed by a unique, randomly generated ID that cannot be guessed directly. Note that such an ID acts as a bearer secret: anyone who obtains the full resource URL can fetch it, so these URLs should not be logged or shared beyond the session that created them.
Applying the authorization attribute to the whole ReportsController overrides the methods that are anonymous by default: they then demand an authorization token, which the viewer does not send when requesting formats or resources, and the viewer stops working.
Thus, we can suggest two possible approaches:
- Apply the authorize attribute to the individual ReportsController methods (the REST service methods that the viewer calls through script) instead of to the whole class. These methods are virtual, so you can override them in your own controller like the following (RESTAuthorize is the custom authorization attribute from the article referenced in the Notes below):
For ASP.NET Core
```csharp
// RESTAuthorize is the custom authorization attribute described in the
// article referenced in the Notes section; it is not part of Telerik Reporting.
[RESTAuthorize]
public override IActionResult CreateDocument(string clientID, string instanceID, [FromBody] CreateDocumentArgs args)
{
    // Authorization has already been enforced by the attribute; delegate to the base implementation.
    return base.CreateDocument(clientID, instanceID, args);
}
```
For ASP.NET
```csharp
// RESTAuthorize is the custom authorization attribute described in the
// article referenced in the Notes section; it is not part of Telerik Reporting.
[RESTAuthorize]
public override HttpResponseMessage CreateDocument(string clientID, string instanceID, CreateDocumentArgs args)
{
    // Authorization has already been enforced by the attribute; delegate to the base implementation.
    return base.CreateDocument(clientID, instanceID, args);
}
```
- Alternatively, add custom client-side logic that attaches the appropriate header (the token) to the requests the viewer makes for formats and resources. For example, a jQuery ajaxPrefilter hook can add the header to every AJAX request the viewer sends to the REST service; see Add custom auth headers to html reportviewer. Keep in mind that a prefilter only sees requests that go through jQuery: anything the browser loads on its own (an image referenced by src, a frame) still carries no header.
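The following is an added example of the client-side approach, not code from the Telerik page or product. It builds a jQuery.ajaxPrefilter callback that attaches a bearer token only to requests whose URL falls under the Reporting REST service, so the token is never sent to other endpoints. The service base path `/api/reports/`, the `getAccessToken` function, the constructed sample token and the `Authorization: Bearer` header format are assumptions for the example; adjust them to whatever your RESTAuthorize implementation validates.

```javascript
// Added example (not part of the original article or of Telerik Reporting).
// Assumed values: the REST service base path and the token source are stand-ins.
const SERVICE_URL = "/api/reports/"; // assumed base path of the Reporting REST service

function getAccessToken() {
  // Assumed token source; a real page would read the token from storage or a cookie.
  return "constructed-sample-token"; // constructed sample value, not a real token
}

// True only when the request URL starts with the service base path.
// Absolute URLs to other hosts do not match a root-relative base, so the
// token is not leaked to third-party endpoints.
function isReportServiceRequest(url, base = SERVICE_URL) {
  return typeof url === "string" && url.startsWith(base);
}

// Builds a callback with the (options, originalOptions, jqXHR) shape that
// jQuery.ajaxPrefilter expects. The header is set on the jqXHR object so it
// travels with the outgoing XMLHttpRequest.
function buildAuthPrefilter(tokenProvider, base = SERVICE_URL) {
  return function (options, originalOptions, jqXHR) {
    if (!isReportServiceRequest(options.url, base)) {
      return; // not a Reporting REST call: leave the request untouched
    }
    const token = tokenProvider();
    if (!token) {
      return; // no token available: send the request anonymously
    }
    jqXHR.setRequestHeader("Authorization", "Bearer " + token);
  };
}

// Register the hook when jQuery is present, e.g. on the report viewer page.
// The guard lets the file also run outside a browser for the demonstration below.
if (typeof jQuery !== "undefined" && typeof jQuery.ajaxPrefilter === "function") {
  jQuery.ajaxPrefilter(buildAuthPrefilter(getAccessToken));
}

// Offline demonstration: drives the prefilter with a constructed stand-in for
// jqXHR and returns the headers it would have set for the given URL.
function runPrefilterDemo(url) {
  const headers = {};
  const fakeJqXHR = {
    setRequestHeader: (name, value) => { headers[name] = value; }
  };
  buildAuthPrefilter(getAccessToken)({ url: url }, { url: url }, fakeJqXHR);
  return headers;
}
```

The prefilter covers the viewer's XHR traffic (formats, document creation, page retrieval). Requests the browser issues on its own, such as images referenced from the rendered report, never pass through jQuery and still arrive without the header, which is why the resource endpoints stay anonymous on the server side.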
Notes
Implementing and using the authorize attribute itself is not specific to Telerik Reporting. Please refer to the Token-Based Authentication for Web Service APIs in C# MVC .NET article for additional information on how to implement the token validation process.