先前完成ReportViewer匯出PDF檔加蓋浮水印的把戲,想套用到SSRS(SQL Server Reporting Service)上,二者原理相近,差別在於SSRS使用的是"/ReportServer/ReportServer?rs:Command=Render&rs:Format=IMAGE&..." URL進行匯出作業,故只需稍加修改BeginRequest的URL過濾條件,一樣能透過HttpModule掛載HttpResponse.Filter加入修改匯出檔的程序。

修改C:\Program Files\Microsoft SQL Server\MSSQL\Reporting Services\ReportServer\web.config加上HttpModule設定後,卻導致ReportServer網站應用程式完全無法運作,彈出以下錯誤訊息:

[SecurityException: Request for the permission of type System.Web.AspNetHostingPermission, System, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 failed.]
   SSRS2000Hacking.WaterMarkModule.Init(HttpApplication context) +0
   System.Web.HttpApplication.InitModules() +100
   System.Web.HttpApplication.InitInternal(HttpContext context, HttpApplicationState state, MethodInfo[] handlers) +1330
   System.Web.HttpApplicationFactory.GetNormalApplicationInstance(HttpContext context) +392
   System.Web.HttpApplicationFactory.GetApplicationInstance(HttpContext context) +256
   System.Web.HttpRuntime.ProcessRequestInternal(HttpWorkerRequest wr) +414

錯誤訊息指出,問題出在設定BeginRequest事件的動作需要特定CAS權限,研判是ReportServer網站應用程式基於安全考量調降了一般ASP.NET程式執行權限,HttpModule因而也承襲低階權限,執行事件掛載動作時產生權限不足錯誤。查看ReportServer\web.config發現以下設定:

  <securityPolicy>
    <trustLevel name="RosettaSrv" policyFile="rssrvpolicy.config" />
  </securityPolicy>
<trust level="RosettaSrv" originUrl="" />

原來ReportServer設定了一組自訂securityPolicy,其內容儲存於rssrvpolicy.config,除了ReportServer運作必須的組件外,預設不賦與任何CAS權限。因此,解決此一權限問題最簡單方法是修改rssrvpolicy.config,將我們的匯出檔浮水印HttpModule DLL調成FullTrust安全等級(資安提醒: 本案例因程式為自行開發,可擔保其中不含惡意程序或安全漏洞,故授與FullTrust安全等級沒有風險。若調高安全等級的對象為外來元件,請務必確認其安全無虞方可為之。)

我採用的做法是在ReportServer\rssrvpolicy.config中為HttpModule DLL(SSRS2000WatermarkModule.dll)加上設定,以URL為比對依據,調為FullTrust等級:

<CodeGroup
        class="UnionCodeGroup"
        version="1"
        PermissionSetName="FullTrust">
    <IMembershipCondition
            class="UrlMembershipCondition"
            version="1"
            Url="$CodeGen$/*"
    />
</CodeGroup>
<CodeGroup
        class="UnionCodeGroup"
        version="1"
        PermissionSetName="FullTrust">
    <IMembershipCondition
            class="UrlMembershipCondition"
            version="1"
            Url="$AppDirUrl$/bin/SSRS2000WaterMarkModule.dll"
    />
</CodeGroup>   

加入設定後,浮水印模組就運作如常囉~


Comments

Be the first to post a comment

Post a comment