I want to add security to report(s) based on username and password present in my web application database. But i do not want add parameter(s) username/password in rdl file which shows password in clear text. What is the best way to perform this task? Currently, my reporting server bypass my web service? Report url directly call report on report server. Can I made to pass it via web service which can authenticate user? Any suggestions?

The method that gives you the most flexibility is to override the authentication in SSRS:

http://technet.microsoft.com/en-us/library/ms152825.aspx

If you're unable or unwilling to go that route, your best option is to pass the username as a report parameter. You should of course make this parameter hidden. In your report database, you will want to create many-to-many security tables that join your user table to the constraining entities in your report queries. For example, if you want row level security by branch or office or department or something, then you'd create a Users_Department table and in your reports query you inner join to that and the users table.

I've done this successfully in a past project. It's doesn't feel very elegant because it requires you to create the property authorization user interface admin screens that fill and update these many-to-many security tables and in addition all of your report queries must join properly to filter to the proper security table to filter the result data sets.

But in some scenario's, it's your best (or only!) option.