Skip to content

usefulTips

Deva Kumar edited this page Nov 4, 2020 · 15 revisions

Useful configuration tips

You have to be an administrator to accomplish these steps

sas.commons.web.security

Setting these might require a restart of the servers. The SASEnviromentManager UI gives you hints on this.

You can set these thru SASEnvironment Manager. All of these can be found together by going to SASEnvironmentManager->Configuration->Definitions and filtering on security.

  1. CORS

    • allowCredentials Set this to true
    • Allowed Origins - set this to meet your needs.A * will leave this wide open to all clients. Talk to your site administrator.
  2. cookies

    • sameSite Critical for browsers like Chrome. For VA-SDK you need to set this to None
    • To set this use the SASEnvironmentManager->Configurations->Definitons->sas.commons.web.security.cookies
  3. CSRF

    • allowed URI A sample is shown below. Use your expertise in regex to specify the allowed uris.
        http(s?)[:]\/\/([^\.]+\.)*acme\.com,http(s)*[:]\/\/localhost([:])*\d*

        During testing you can set this to .*


Managing SAS Viya Session Timeouts


SAS Viya sessions will timeout after a set period of inactivity. In some situations one might want to set this timeout to specific values.

  1. Follow the instructions at this link

  2. Create a config for saslogon with a timeout much larger than what you set in Step 1.

Timeout is set in seconds. Set individual services and not the global - not really sure why.

Note that for Viya 3.4 the property to set is session.timeout but for 3.5 it is servlet.session.timeout

Cas Session timeouts

If you use a single CAS session for long periods(as in a web application) you should increase the timeout for cas sessions also. To do this use setsesopts casl statement or the action to set the timeout value. The default value is 60 mins(the doc does not specify units but I am guessing it is in minutes)

The app server timeout

This section only applies when using authorization_code flow for authentication

There are two parts to keeping the session active for long periods.

  1. Keep your session active

You need to refresh the token used for the session. restaf-server.

  1. Keep your app server session alive by acquiring tokens at some regular interval

  2. Keep the services added thru store,.addServices active.

Extend the object passed to store.logon with these:

{
     timers   : [n,m].
     keepAlive: <your appserver keepalive route - if you do not have one set this to null>
}

n = every n seconds restaf will make a call to the services added to the session via addServices. This keeps that service alive and alos keeps the csrf tokens current.
m = the session will timoeout after m secods

Note to restaf-server users:

Set the following in the env file

KEEPALIVE=YES TIMERS=n,m

n and m are described above:

Here is an example (check every 5 mins and timeout in 4 hours and 1 minute)

TIMERS=300,14460

Increasing the TTL for authentication tokens

See the section below on clientid

Notes

  1. Users of restaf-server see the KEEPALIVE setting to keep the application authentication alive.
  2. It might also be useful to create authentication tokens with longer TTL. To do this increase the TTL setting when creating the clientid used to get the authentication token. See https://github.com/sassoftware/restaf/wiki/Managing-clientids for details.

Application specific configurations


Logon callback uris

This is useful if you want your custom apps to behave like our standard VA applications on timeout.

The comma-delimited list of URIs that users can be redirected to after signing in following a time-out or logoff. SAS application URIs and registered client redirect URIs are automatically included in the list.

Use SAS Environment Manager to set this in SAS Logon Manager configuration. An example is

http://localhost:8080/viyaapp,https://localhost/viyaapp

Setting up clientid for your custom applications

You can run this as part of your setup scripts. See https://github.com/sassoftware/restaf/wiki/Managing-clientids

Do the following in any shell:

npx @sassoftware/registerclient --host=Url-to-viya-server --ttl=<ttl in days>

The ttl option is only required if you want your tokens to have very long ttl. For more control see https://github.com/sassoftware/restaf/wiki/Managing-clientids for details. Tokens inherit their TTL from the associated clientid.

On prompt (>) enter

logon

Then respond to request for userid and password.

Once you are logged on issue "help" command to see what is possible.

Web Applications

Recommend that you use authorization_code flow for web applications. This will allow your application to use VA-SDK.

Here is an example;

add viyademo -t authorization_code -s secret -r http://localhost:8080/viyademo,http://localhost:8080/viyaapp,https://localhost/viyademo,https://localhost/viyaapp

Non-web applications

Create password flow clientids

Here is an example:

add mycli -t password -s myclisecret

Clone this wiki locally