usefulTips
You have to be an administrator to accomplish these steps.
Setting these might require a restart of the servers; the SAS Environment Manager UI gives you hints on this.
You can set these through SAS Environment Manager. All of these can be found together by going to SASEnvironmentManager->Configuration->Definitions and filtering on security.
CORS
- allowCredentials: set this to true.
- Allowed Origins: set this to meet your needs. A * will leave this wide open to all clients. Talk to your site administrator.
cookies
- sameSite: critical for browsers like Chrome. For VA-SDK you need to set this to None.
- To set this use SASEnvironmentManager->Configurations->Definitions->sas.commons.web.security.cookies
CSRF
- allowed URI: a sample is shown below. Use your expertise in regex to specify the allowed URIs.
http(s?)[:]\/\/([^\.]+\.)*acme\.com,http(s)*[:]\/\/localhost([:])*\d*
During testing you can set this to .*
SAS Viya sessions will time out after a set period of inactivity. In some situations one might want to set this timeout to specific values.
- Follow the instructions at this link
- Create a config for saslogon with a timeout much larger than what you set in Step 1.
Starting with Viya 3.5.1 the timeout has to be set differently. Timeout is expressed as 30m for 30 minutes, 12h for 12 hours etc.
If you use a single CAS session for long periods (as in a web application) you should increase the timeout for CAS sessions also. To do this use the setsesopts CASL statement or the action to set the timeout value. The default value is 60 mins (the doc does not specify units but I am guessing it is in minutes).
It might also be necessary to keep your application's token alive. To achieve this your application must access the /SASLogon/ route during the session from your app server.
As an example, restaf-server's keepAlive route looks as follows:
```javascript
// hapi route handler: redirecting the browser to /SASLogon/ touches the
// SAS Logon session so its inactivity timer is reset.
async function keepAlive (req, h) {
  let SASLogon = `${process.env.VIYA_SERVER}/SASLogon/`;
  return h.response().redirect(SASLogon).code(302);
}
export default keepAlive;
```
In your application you need to exercise a route that looks something like the example above. Below is a restaf + react-based example where this route is exercised on every mouse click:
```javascript
// <...snip>
// Request the app server's keepAlive route on every click so the
// SAS Logon session stays active while the user is working.
const handleUserClicks = () => {
  let payload = {
    url: `${window.location.protocol}//${window.location.host}/${appOptions.logonPayload.appName}/keepAlive`,
    method: 'GET',
  };
  store.request(payload);
};
// <snip...>
return <div onClickCapture={handleUserClicks}>
  {...children}
</div>;
```
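The handler above issues a keepAlive request on every click. As an added example (not code from restaf or restaf-server), here is a throttled variant that calls the same route at most once per interval, so a busy user does not flood SASLogon while the session still stays well inside the Viya timeout. `send` stands in for the page's `store.request(payload)`, and `origin`, `appName` and the fake clock are assumptions so the function runs outside a browser.

```javascript
// Added example: throttled keepAlive trigger for the /keepAlive route.
// `send` replaces store.request(payload) and `now` is injectable so the
// logic can be exercised with a fake clock and no Viya server.
function createKeepAlive({ appName, origin, intervalMs, send, now = () => Date.now() }) {
  let lastSent = -Infinity;
  // Same payload shape as the page's handleUserClicks; `origin` is passed in
  // instead of reading window.location so this also runs under Node.
  const payload = { url: `${origin}/${appName}/keepAlive`, method: 'GET' };

  return function handleUserClicks() {
    const t = now();
    if (t - lastSent < intervalMs) {
      return false; // throttled: a recent keepAlive already refreshed the session
    }
    lastSent = t;
    send(payload);
    return true;
  };
}

// Constructed demo with a fake clock: five clicks spread over exactly five
// minutes produce two keepAlive requests (one at t=0, one at t=5min).
function demo() {
  const sent = [];
  let clock = 0;
  const handler = createKeepAlive({
    appName: 'viyaapp',            // assumed app name
    origin: 'https://localhost',   // assumed app server origin
    intervalMs: 5 * 60 * 1000,     // refresh at most every 5 minutes
    send: (p) => sent.push(p.url),
    now: () => clock,
  });
  [0, 1000, 60000, 299999, 300000].forEach((t) => { clock = t; handler(); });
  return sent; // ['https://localhost/viyaapp/keepAlive', 'https://localhost/viyaapp/keepAlive']
}
```

Pick `intervalMs` comfortably below the saslogon timeout configured earlier; wire the returned handler to `onClickCapture` exactly as in the page's snippet.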
See this link for more useful information: https://reactjs.org/blog/2020/08/10/react-v17-rc.html
See the section below on clientid.
- Users of restaf-server: see the KEEPALIVE setting to keep the application authentication alive.
- It might also be useful to create authentication tokens with a longer TTL. To do this, increase the TTL setting when creating the clientid used to get the authentication token. See https://github.com/sassoftware/restaf/wiki/Managing-clientids for details.
This is useful if you want your custom apps to behave like the standard VA applications on timeout.
The comma-delimited list of URIs that users can be redirected to after signing in following a time-out or logoff. SAS application URIs and registered client redirect URIs are automatically included in the list.
Use SAS Environment Manager to set this in the SAS Logon Manager configuration. An example is:
http://localhost:8080/viyaapp,https://localhost/viyaapp
You can run this as part of your setup scripts. See https://github.com/sassoftware/restaf/wiki/Managing-clientids
Do the following in any shell:
npx @sassoftware/registerclient --host=Url-to-viya-server --ttl=<ttl in days>
The ttl option is only required if you want your tokens to have a very long TTL. For more control see https://github.com/sassoftware/restaf/wiki/Managing-clientids for details. Tokens inherit their TTL from the associated clientid.
At the prompt (>) enter
logon
Then respond to the request for userid and password.
Once you are logged on, issue the "help" command to see what is possible.
We recommend the authorization_code flow for web applications. This will allow your application to use VA-SDK.
Here is an example:
add viyademo -t authorization_code -s secret -r http://localhost:8080/viyademo,http://localhost:8080/viyaapp,https://localhost/viyademo,https://localhost/viyaapp
Create password flow clientids
Here is an example:
add mycli -t password -s myclisecret
.... Under construction...