Restricting Access to Type Members

Contents
[ ]

In scenarios where report templates are created by a third party, it can make sense to restrict access of a template author to members of types sensitive from a security point of view. LINQ Reporting Engine provides API to accomplish this as illustrated with the following example. Given that SomeClass1 and SomeClass2 are types which members should be inaccessible by the engine through template syntax, you can use the following code snippet to make the engine restrict the access.

ReportingEngine.setRestrictedTypes(SomeClass1.class, SomeClass2.class);

After the code is run, on attempt to access any member of types SomeClass1 and SomeClass2 through a template, there are two possible outcomes while building a report:

  1. By default, the engine throws an exception saying about a syntactic error the same way it does when encounters a missing type member.
  2. If missing type members are allowed, the engine treats every such a member as a null literal (see “Accessing Missing Members of Data Objects” for more information).

Note – The engine also restricts access to members of types derived from SomeClass1 and SomeClass2 in the same way.

Restricted types can be set only before building the very first report. Once restricted types are checked for the first time while building a report, they cannot be changed after that and an exception is thrown on attempt to do this. That is why, the recommended place to set restricted types is your application’s startup.

Note – To determine whether access to a particular type member should be restricted, some reflective calls are done by the engine under the hood, so for better performance, it is recommended to keep the set of restricted types minimal by restricting access to members of only those types that are crucial in terms of security.

FAQ

  1. Q: How do I specify which types should be restricted?
    A: Call ReportingEngine.setRestrictedTypes and pass the Class objects of the types you want to block, e.g., ReportingEngine.setRestrictedTypes(SomeClass1.class, SomeClass2.class);. This must be done before the first report is built.

  2. Q: What happens if a template tries to access a member of a restricted type?
    A: By default the engine throws a syntactic‑error exception, indicating that the member cannot be resolved. If the engine is configured to allow missing members, the inaccessible member is treated as null.

  3. Q: Are members of subclasses of a restricted type also blocked?
    A: Yes. The restriction is applied recursively, so any type that derives from a restricted type inherits the same access limitation.

  4. Q: Can I change the list of restricted types after the first report has been generated?
    A: No. Once the engine has checked the restricted types during the first report build, any further attempt to modify the list results in an exception. Set the restrictions during application startup.

Inlining Syntax Error Messages into Templates in Java Optimizing Reflection Calls in Java