I am hoping someone can tell me what I am trying to do is even possible
before I waste several hours of development time. I have read all relevant
posts in this newsgroup, and the Microsoft provided Forms Authentication
example
(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsql2k/html/ufairs.asp).
However, I am still unsure if what I want to do will even work.
Here's the setup...
Reporting Services is being deployed on its own box, exposed to the internet.
For this discussion call it http://rs-box
Users are dropped to a "List of Reports" screen (an .aspx page) on this box
via a link clicked from an Apache server. I've handled the appropriate
security issues for this action just fine. What happens is the Apache server
sends the user's information encrypted on the query string:
ex. http://rs-box?userInfo=SomeEncryptedStringOfCharacters
My "List of Reports" .aspx page decrypts the userInfo parameter and
renders the available reports or kicks them back to the Apache server to
login. If the user information is acceptable, it gets dropped into the
HttpSession. That part is easy.
One of the reports shows the user all their account activity for a given
date range. I want them to be able to use the interactive toolbar (via their
web browser) to export to their chosen format, etc. The way the account
activity report is implemented is that one of the parameters it needs to run
is the user's account number. This is basically a parameter passed to the
report.
So here's my question. I need to check (I assume via a custom security
extension) if the account number being passed in along the URL is the same as
the account number stored in the HttpSession (I don't want users manipulating
the URL and calling up the account history for another user). It is a really
easy thing to check, but after a few hours of research I just don't know if
it is possible.
If I'm on the right track any hints as to which functions to override would
be greatly appreciated too...
ryan
Yes, if your account number is the UserID in your security extension, you
can simply use User!UserID as a parameter when pulling up the history.
That's very similar to what we're doing. Works like a snap -- after much
hassle setting it up. The Forms Authentication sample code is a great
start.
Cheers,
'(' Jeff A. Stucker
\
Business Intelligence
www.criadvantage.com
---
"ryan" <ryan@.discussions.microsoft.com> wrote in message
news:8B7B5537-4D72-4877-AD22-D1783A932674@.microsoft.com...
>I am hoping someone can tell me what I am trying to do is even possible
> before I waste several hours of development time. I have read all
> relevant
> posts in this newsgroup, and the Microsoft provided Forms Authentication
> example
> (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsql2k/html/ufairs.asp).
> However, I am still unsure if what I want to do will even work.
> Here's the setup...
> Reporting Services is being deployed on its own box, exposed to the
> internet.
> For this discussion call it http://rs-box
> Users are dropped to a "List of Reports" screen (an .aspx page) on this
> box
> via a link clicked from an Apache server. I've handled the appropriate
> security issues for this action just fine. What happens is the Apache
> server
> sends the user's information encrypted on the query string:
> ex. http://rs-box?userInfo=SomeEncryptedStringOfCharacters
> My "List of Reports" .aspx page decrypts the userInfo parameter and
> renders the available reports or kicks them back to the Apache server to
> login. If the user information is acceptable, it gets dropped into the
> HttpSession. That part is easy.
> One of the reports shows the user all their account activity for a given
> date range. I want them to be able to use the interactive toolbar (via
> their
> web browser) to export to their chosen format, etc. The way the account
> activity report is implemented is that one of the parameters it needs to
> run
> is the user's account number. This is basically a parameter passed to the
> report.
> So here's my question. I need to check (I assume via a custom security
> extension) if the account number being passed in along the URL is the same
> as
> the account number stored in the HttpSession (I don't want users
> manipulating
> the URL and calling up the account history for another user). It is a
> really
> easy thing to check, but after a few hours of research I just don't know
> if
> it is possible.
> If I'm on the right track any hints as to which functions to override
> would
> be greatly appreciated too...
> ryan
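As an added illustration of the approach Jeff describes (this is example code, not from the thread, Microsoft's Forms Authentication sample, or any shipping extension), the account number established by the landing page becomes the authenticated user name, the custom authentication extension hands that name to Reporting Services as User!UserID, and the report's account parameter is defined in the RDL as internal with a default of =User!UserID so the value in the URL is never consulted. It assumes the "List of Reports" page is deployed inside the Report Server web application (as in the sample) so the forms ticket is shared, and that the AccountLogon helper and all-digit account numbers are part of your scheme.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
using Microsoft.ReportingServices.Interfaces;

// Step 1 (assumed to run in the "List of Reports" .aspx page once userInfo is decrypted):
// the account number becomes the authenticated user name, so nothing in a URL decides it.
public static class AccountLogon
{
    public static void EstablishIdentity(string accountNumber)
    {
        if (accountNumber == null || accountNumber.Length == 0)
            throw new ArgumentException("account number required", "accountNumber");
        // The forms-authentication ticket carries the account number as the user name.
        FormsAuthentication.SetAuthCookie(accountNumber, false);
    }
}

// Step 2: the custom authentication extension exposes that name to Reporting Services,
// where report expressions read it as User!UserID.
public class AccountAuthentication : IAuthenticationExtension
{
    public void GetUserInfo(out IIdentity userIdentity, out IntPtr userId)
    {
        HttpContext ctx = HttpContext.Current;
        bool authenticated = ctx != null && ctx.User != null && ctx.User.Identity.IsAuthenticated;
        // Name == account number set in step 1; null means the report server denies the request.
        userIdentity = authenticated ? ctx.User.Identity : null;
        userId = IntPtr.Zero;
    }

    public bool IsValidPrincipalName(string principalName)
    {
        // Assumed scheme: account numbers are all digits; anything else is not a principal.
        if (principalName == null || principalName.Length == 0) return false;
        foreach (char c in principalName)
            if (!char.IsDigit(c)) return false;
        return true;
    }

    public bool LogonUser(string userName, string password, string authority)
    {
        // No interactive logon: the Apache hand-off already authenticated the user.
        return false;
    }

    public string LocalizedName { get { return null; } }
    public void SetConfiguration(string configuration) { }
}

// Step 3 lives in the report definition, not in code: declare the AccountNumber parameter
// as internal (no prompt, so URL access cannot set it) with the default value =User!UserID.
```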