-
Notifications
You must be signed in to change notification settings - Fork 10
usefulTips
You have to be an administrator to accomplish these steps
Setting these might require a restart of the servers. The SASEnviromentManager UI gives you hints on this.
You can set these thru SASEnvironment Manager. All of these can be found together by going to SASEnvironmentManager->Configuration->Definitions and filtering on security.
-
CORS
- allowCredentials Set this to true
- Allowed Origins - set this to meet your needs.A * will leave this wide open to all clients. Talk to your site administrator.
-
cookies
- sameSite Critical for browsers like Chrome. For VA-SDK you need to set this to None
- To set this use the SASEnvironmentManager->Configurations->Definitons->sas.commons.web.security.cookies
-
CSRF
- allowed URI A sample is shown below. Use your expertise in regex to specify the allowed uris.
http(s?)[:]\/\/([^\.]+\.)*acme\.com,http(s)*[:]\/\/localhost([:])*\d*
During testing you can set this to .*
SAS Viya sessions will timeout after a set period of inactivity. In some situations one might want to set this timeout to specific values.
-
Follow the instructions at this link
-
Create a config for saslogon with a timeout much larger than what you set in Step 1.
Timeout is set in seconds. Set individual services and not the global - not really sure why.
Note that for Viya 3.4 the property to set is session.timeout but for 3.5 it is servlet.session.timeout
If you use a single CAS session for long periods(as in a web application) you should increase the timeout for cas sessions also. To do this use setsesopts casl statement or the action to set the timeout value. The default value is 60 mins(the doc does not specify units but I am guessing it is in minutes)
This section only applies when using authorization_code flow for authentication
There are two parts to keeping the session active for long periods.
- Keep your session active
You need to refresh the token used for the session. restaf-server.
-
Keep your app server session alive by acquiring tokens at some regular interval
-
Keep the services added thru store,.addServices active.
Extend the object passed to store.logon with these:
{
timers : [n,m].
keepAlive: <your appserver keepalive route - if you do not have one set this to null>
}
n = every n seconds restaf will make a call to the services added to the session via addServices. This keeps that service alive and alos keeps the csrf tokens current.
m = the session will timoeout after m secods
Set the following in the env file
KEEPALIVE=YES TIMERS=n,m
n and m are described above:
Here is an example (check every 5 mins and timeout in 4 hours and 1 minute)
TIMERS=300,14460
See the section below on clientid
- Users of restaf-server see the KEEPALIVE setting to keep the application authentication alive.
- It might also be useful to create authentication tokens with longer TTL. To do this increase the TTL setting when creating the clientid used to get the authentication token. See https://github.com/sassoftware/restaf/wiki/Managing-clientids for details.
This is useful if you want your custom apps to behave like our standard VA applications on timeout.
The comma-delimited list of URIs that users can be redirected to after signing in following a time-out or logoff. SAS application URIs and registered client redirect URIs are automatically included in the list.
Use SAS Environment Manager to set this in SAS Logon Manager configuration. An example is
http://localhost:8080/viyaapp,https://localhost/viyaapp
You can run this as part of your setup scripts. See https://github.com/sassoftware/restaf/wiki/Managing-clientids
Do the following in any shell:
npx @sassoftware/registerclient --host=Url-to-viya-server --ttl=<ttl in days>
The ttl option is only required if you want your tokens to have very long ttl. For more control see https://github.com/sassoftware/restaf/wiki/Managing-clientids for details. Tokens inherit their TTL from the associated clientid.
On prompt (>) enter
logon
Then respond to request for userid and password.
Once you are logged on issue "help" command to see what is possible.
Recommend that you use authorization_code flow for web applications. This will allow your application to use VA-SDK.
Here is an example;
add viyademo -t authorization_code -s secret -r http://localhost:8080/viyademo,http://localhost:8080/viyaapp,https://localhost/viyademo,https://localhost/viyaapp
Create password flow clientids
Here is an example:
add mycli -t password -s myclisecret
.... Under construction...
-
restaf
-
restaflib
-
Examples:
- Cas Server
- Compute Server
- Scoring with MAS
- Scoring with CAS
- Utility
-
CAS Related Functions
-
MAS Related Functions
-
Compute Server Related Functions
-
Reports Related Functions
-
Interactive CLI
-
Special Topic