Using Secure Web Service Methods
Certain Reporting Services Web service methods may require a secure connection when you invoke them. The methods that require a secure connection are determined by the SecureConnectionLevel setting in the RSReportServer.config file. The value of the setting is an integer value with a valid range of 0 to 3. The following table lists the values.
|Level||Description||Web Methods Requiring SSL|
|0||Least secure. The report server does not check for a secure connection when Web service methods are invoked. However, all calls to the Web service can still be made to the report server over a secure connection.||None.|
|1||Minimally secure. All Web service calls that are made over an insecure connection and which might pass sensitive data such as user credentials are rejected. However, this setting does not guarantee security. It is still possible for sensitive data sent by the client to the report server to be exposed before the report server handles the request and rejects it.||Render (when the credential setting for the report that is being rendered is set to prompt), CreateDataSource, GetDataSourceContents, SetDataSourceContents, GetReportDataSources, SetReportDataSources, CreateReport, GetReportDefintion, SetReportDefinition, CreateDataDrivenSubscription, SetDataDrivenSubscriptionProperties, GetDataDrivenSubscriptionProperties, and PrepareQuery.|
|2||Secure. All rendered reports and all Web service calls require a secure connection. This includes all calls to the Render method and requests for rendered reports made through URL access. Using this secure connection level, subscription delivery can include only URLs to reports. Rendered reports cannot be embedded or included in a delivery.||All Level 1 methods, Render (all calls), and RenderStream.|
|3||Most secure. All calls made to the Reporting Services SOAP API require a secure connection.||All.|
Security Note The SecureConnectionLevel setting can only determine how the report server handles Web service requests. The report server does not control sensitive data that is sent by client applications. You should ensure that client applications do not transmit sensitive data over an insecure connection. If possible, use Secure Sockets Layer (SSL) encryption in all cases where user credentials and sensitive report data are sent over a network.
You can use the ListSecureMethods method of the Web service to return a list of Web service methods that require a secure connection according to the current configuration of the report server. In an SSL scenario, you should evaluate the list of methods that are returned by ListSecureMethods and change the scheme name of the Web service URI to https or http depending on the method being called.