Security Extensions Overview - Reporting Services (SSRS)

A Reporting Services security extension enables the authentication and authorization of users or groups; that is, it enables different users to log on to a report server and, based on their identities, perform different tasks or operations. By default, Reporting Services uses a Windows-based authentication extension, which uses Windows account protocols to verify the identities of users who claim to have accounts on the system. Reporting Services uses a role-based security system to authorize users. The Reporting Services role-based security model is similar to the role-based security models of other technologies.

Because security extensions are based on an open and extensible API, you can create new authentication and authorization extensions in Reporting Services. The following is an example of a typical security extension implementation that uses Forms-based authentication and authorization:

Reporting Services security extension process

As shown in the illustration, authentication and authorization occur as follows:

  1. A user tries to access the web portal by using a URL and is redirected to a form that collects user credentials for the client application.

  2. The user submits credentials to the form.

  3. The user credentials are submitted to the Reporting Services Web service through the LogonUser method.

  4. The Web service calls the customer-supplied security extension and verifies that the user name and password exist in the custom security authority.

  5. After authentication, the Web service creates an authentication ticket (known as a "cookie"), manages the ticket, and verifies the user's role for the Home page of the web portal.

  6. The Web service returns the cookie to the browser and displays the appropriate user interface in the web portal.

  7. After the user is authenticated, the browser makes requests to the web portal while transmitting the cookie in the HTTP header. These requests are in response to user actions within the web portal.

  8. The cookie is transmitted in the HTTP header to the Web service along with the requested user operation.

  9. The cookie is validated, and if it is valid, the report server returns the security descriptor and other information relating to the requested operation from the report server database.

  10. If the cookie is valid, the report server makes a call to the security extension to check if the user is authorized to perform the specific operation.

  11. If the user is authorized, the report server performs the requested operation and returns control to the caller.

  12. After the user is authenticated, URL access to the report server uses the same cookie. The cookie is transmitted in the HTTP header.

  13. The user continues to request operations on the report server until the session has ended.
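The following Python model walks through steps 3 to 11 above: credential check against a custom authority, ticket issuance, ticket validation, and the per-operation authorization call. It is an added example, not Reporting Services code. The function names, the user store, the role-to-operation map and the HMAC-signed ticket format are all assumptions chosen for illustration and are not the format the product uses.

```python
import base64, hashlib, hmac, json, os, time

TICKET_KEY = os.urandom(32)   # server-side signing secret; never sent to the browser
TICKET_TTL = 1800             # ticket lifetime in seconds (assumed value)

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

# Constructed "custom security authority": salted password hash plus a role.
_SALT = os.urandom(16)
USERS = {"alice": {"salt": _SALT, "hash": _hash("S3cure!pass", _SALT), "role": "Browser"}}
# Constructed role-to-operation map (operation names are illustrative).
ROLE_OPERATIONS = {"Browser": {"ReadReport"}, "Publisher": {"ReadReport", "CreateReport"}}

def logon_user(user, password):
    """Steps 3-5: verify credentials, then issue a signed, expiring ticket."""
    rec = USERS.get(user)
    # Hash even for unknown users so response time does not reveal valid names.
    salt = rec["salt"] if rec else b"\0" * 16
    ok = hmac.compare_digest(_hash(password, salt), rec["hash"] if rec else b"\0" * 32)
    if not (rec and ok):
        return None
    claims = {"u": user, "exp": time.time() + TICKET_TTL}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    sig = hmac.new(TICKET_KEY, body, hashlib.sha256).hexdigest()
    return f"{body.decode()}.{sig}"

def validate_ticket(cookie, now=None):
    """Step 9: reject malformed, tampered or expired tickets; return the user name."""
    try:
        body, sig = cookie.split(".")
        expected = hmac.new(TICKET_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, AttributeError, TypeError):
        return None
    return claims["u"] if claims["exp"] > (now or time.time()) else None

def check_access(cookie, operation, now=None):
    """Steps 10-11: authorize from the server-side role, never from cookie contents."""
    user = validate_ticket(cookie, now)
    if user is None or user not in USERS:
        return False
    return operation in ROLE_OPERATIONS.get(USERS[user]["role"], set())
```

The ticket carries only the user name and expiry; the role is looked up on the server at every request, so a role change takes effect without reissuing tickets.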

When to Implement a Security Extension

We recommend that you use Windows Authentication if at all possible. However, custom authentication and authorization for Reporting Services may be appropriate in the following two cases:

  • You have an Internet or extranet application that cannot use Windows accounts.

  • You have custom-defined users and roles and need to provide a matching authorization scheme in Reporting Services.

See Also

Implementing a Security Extension