Useful configuration tips

You have to be an administrator to accomplish these steps.


Security


Setting these might require a restart of the servers. The SAS Environment Manager UI gives you hints on this.

You can set these through SAS Environment Manager. All of these can be found by going to SAS Environment Manager -> Configuration -> Definitions and filtering on security.

CORS

  • allowCredentials - set this to true.
  • Allowed Origins - set this to meet your needs. A * will leave this wide open to all clients.

cookies

  • sameSite - critical for browsers like Chrome. For VA-SDK you need to set this to None.

CSRF

  • allowed URI - set this to .* during development.

Content Security Policy

The notes here are for the simple case of handling forms. See the SAS Administrator documentation for more detailed notes. Starting with the Viya 2022.09 release you have to set this to allow external applications to access Viya.

The CSP for SAS Logon Manager needs to look something like this. In the example I added the domain of my applications to the default settings for SAS Logon Manager. Note that the domains are separated by a blank (not commas).

default-src 'self'; object-src 'none'; frame-ancestors 'self'; form-action 'self' https://localhost:5002 https://mystaticcontent.zzzz.web.core.windows.net;
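The CORS, cookie and CSP settings above each have a browser rule behind them that is easy to get wrong in a development setup. The following is an added example (not code from this wiki, from restaf or from SAS) that parses a Content-Security-Policy string, appends an application origin to form-action with the blank separator described above, and lints a set of response headers for the three common mistakes: allowCredentials with a wildcard origin, SameSite=None without Secure, and a form-action that does not list the application. The header values and the "default" policy string are constructed samples; the default policy is assumed from the page's example minus the two added domains.

```javascript
// Added example for the CORS, cookie and CSP settings above; it is not code from
// the restaf wiki or from SAS. All header values below are constructed samples.

// Parse a Content-Security-Policy string into { directive: [sources...] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Serialize back in the blank-separated form SAS Logon Manager expects.
function formatCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => [name, ...sources].join(' '))
    .join('; ') + ';';
}

// Add an application origin to a directive (form-action by default), keeping
// the existing sources and avoiding duplicates.
function addCspSource(policy, origin, directive = 'form-action') {
  const directives = parseCsp(policy);
  const sources = directives[directive] || ["'self'"];
  if (!sources.includes(origin)) sources.push(origin);
  directives[directive] = sources;
  return formatCsp(directives);
}

// Lint response headers against the browser rules behind the settings above.
// `headers` maps header names to values; Set-Cookie is an array of cookie strings.
function lintHeaders(headers, appOrigin) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;
  const findings = [];

  const allowOrigin = h['access-control-allow-origin'];
  const allowCreds = String(h['access-control-allow-credentials'] || '').toLowerCase();
  if (allowCreds === 'true' && allowOrigin === '*') {
    findings.push('allowCredentials is true but Allowed Origins is "*": browsers refuse credentialed responses with a wildcard origin');
  } else if (allowCreds === 'true' && allowOrigin !== appOrigin) {
    findings.push(`Allowed Origins does not echo ${appOrigin}; credentialed calls from the app will fail`);
  }

  for (const cookie of h['set-cookie'] || []) {
    const attrs = cookie.split(';').map(s => s.trim().toLowerCase());
    if (attrs.includes('samesite=none') && !attrs.includes('secure')) {
      findings.push(`cookie ${cookie.split('=')[0]}: SameSite=None is only honored together with the Secure attribute`);
    }
  }

  if (h['content-security-policy']) {
    const formAction = parseCsp(h['content-security-policy'])['form-action'] || [];
    if (!formAction.includes(appOrigin)) {
      findings.push(`form-action does not list ${appOrigin}; the logon form cannot post back to the app`);
    }
  }
  return findings;
}

// Assumed default SAS Logon Manager policy: the page's example without the two added domains.
const DEFAULT_LOGON_CSP = "default-src 'self'; object-src 'none'; frame-ancestors 'self'; form-action 'self';";

// Constructed sample response headers for a development setup that still has the wildcard.
const SAMPLE_BEFORE = {
  'Access-Control-Allow-Origin': '*',
  'Access-Control-Allow-Credentials': 'true',
  'Set-Cookie': ['session=abc123; Path=/; SameSite=None'],
  'Content-Security-Policy': DEFAULT_LOGON_CSP,
};

// Constructed sample after the settings above are applied for https://localhost:5002.
const SAMPLE_AFTER = {
  'Access-Control-Allow-Origin': 'https://localhost:5002',
  'Access-Control-Allow-Credentials': 'true',
  'Set-Cookie': ['session=abc123; Path=/; Secure; SameSite=None'],
  'Content-Security-Policy': addCspSource(DEFAULT_LOGON_CSP, 'https://localhost:5002'),
};

console.log(lintHeaders(SAMPLE_BEFORE, 'https://localhost:5002'));  // three findings
console.log(lintHeaders(SAMPLE_AFTER, 'https://localhost:5002'));   // []
```

Run it against the headers your browser's network panel shows for a SAS Logon Manager response; an empty findings list means the three settings agree with each other for the given application origin.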

Configuring CAS server for CORS


Please check your administration document for updates to this configuration.

If your web application calls CAS through REST calls (restaf does that) you must apply the following configuration.

  • Set your KUBECONFIG environment variable (or use kubectl config commands to make your cluster current).
  • Get a copy of the casdeployment custom resource as JSON. The example below assumes that the casdeployment name is 'default'. If it is not default, use your casdeployment name from the 'kubectl get casdeployment' command.
kubectl get casdeployment default -o json > cas.json

Before proceeding, make a backup copy of cas.json for potential recovery.

  • Locate the place to add your information. Search for SAS_LICENSE.
"containers": [
     {
        "env": [
              {
                  "name": "SAS_LICENSE",
                  "valueFrom": {
                        "secretKeyRef": {
                        "key": "SAS_LICENSE",
                        "name": "sas-cas-license"
                        }
                  }
              },
              {
                  "name": "CONSUL_HTTP_ADDR",
                  "value": "https://localhost:8500"
              },

  • If the environment variable TKHTTP_CORS_ALLOWED_ORIGINS does not exist in the JSON file, add it. If it does, modify it for your purpose. Here is an example.
"containers": [
     {
         "env": [
             {
                 "name": "SAS_LICENSE",
                 "valueFrom": {
                     "secretKeyRef": {
                         "key": "SAS_LICENSE",
                         "name": "sas-cas-license"
                     }
                 }
             },
             {
                 "name": "CONSUL_HTTP_ADDR",
                 "value": "https://localhost:8500"
             },
             {
                 "name": "TKHTTP_CORS_ALLOWED_ORIGINS",
                 "value": "https://localhost:8080,..."
             },

The value MUST MATCH what is in settings in SAS Environment Manager.

  • After saving your changes to cas.json, delete the casdeployment (use your casdeployment name if it is not 'default').
kubectl delete casdeployment default
  • Make sure the deployment has been deleted: 'kubectl get casdeployment' no longer shows your deployment (this should take just a few seconds).
  • Redeploy your casdeployment. This should take just a few seconds.
kubectl create -f cas.json
  • Verify the casdeployment is running: 'kubectl get casdeployment' shows your deployment again.

Setting SAS Viya Session Timeouts


SAS Viya sessions will time out after a set period of inactivity. In some situations one might want to set this timeout to a specific value.

  1. Follow the instructions at this link

  2. Create a config for saslogon with a timeout much larger than what you set in Step 1.

The timeout is set in seconds. Set it on the individual services and not on the global setting; I am not really sure why.

Note that for Viya 3.4 the property to set is session.timeout, but for 3.5 it is servlet.session.timeout.

Cas Session timeouts

If you use a single CAS session for long periods (as in a web application) you should increase the timeout for CAS sessions as well. To do this use the setSessOpt CASL statement or the action to set the timeout value. The default value is 60 mins (the doc does not specify units, but I am guessing it is in minutes).

The app server timeout

This section only applies when using the authorization_code flow for authentication.

There are two parts to keeping the session active for long periods. You need to refresh the token used for the session (see restaf-server).

  1. Keep your app server session alive by acquiring tokens at some regular interval.

  2. Keep the services added through store.addServices active.

Extend the object passed to store.logon with these:

{
     timers   : [n, m],
     keepAlive: <your appserver keepalive route - if you do not have one set this to null>
}

n = every n seconds restaf will make a call to the services added to the session via addServices. This keeps those services alive and also keeps the CSRF tokens current.
m = the session will time out after m seconds.

Note to @sassoftware/viya-appserverjs users

Set the following in the env file

KEEPALIVE=YES
TIMERS=n,m

n and m are described above.

Here is an example (check every 5 mins and time out after 4 hours and 1 minute):

TIMERS=300,14460
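The TIMERS value interacts with the other timeouts on this page: the keep-alive interval n has to come round before the Viya service timeout from step 1 expires, the saslogon timeout from step 2 has to be larger than that service timeout, and an app session that runs for m seconds is only useful if the CAS session timeout covers it. The following is an added example, not code from restaf or @sassoftware/viya-appserverjs, that derives a TIMERS value from the minutes-and-hours phrasing used above and cross-checks it against those other settings; the ordering rules follow the page's guidance, and the sample timeout values passed in are constructed.

```javascript
// Added example, not code from restaf or @sassoftware/viya-appserverjs: derive the
// TIMERS value and check it against the other timeouts described on this page.

// Parse "n,m" into keep-alive interval n and session timeout m, both in seconds.
function parseTimers(spec) {
  const parts = String(spec).split(',').map(s => Number(s.trim()));
  if (parts.length !== 2 || parts.some(v => !Number.isInteger(v) || v <= 0)) {
    throw new Error(`TIMERS must be "n,m" with positive integer seconds, got "${spec}"`);
  }
  return { keepAliveSeconds: parts[0], sessionTimeoutSeconds: parts[1] };
}

// Build a TIMERS value the way the page phrases it: check every X minutes,
// time out after H hours and M minutes.
function timersFromMinutes(checkEveryMinutes, timeoutHours, timeoutMinutes) {
  return `${checkEveryMinutes * 60},${timeoutHours * 3600 + timeoutMinutes * 60}`;
}

// Cross-check the app timers against the Viya service timeout (step 1 above), the
// saslogon timeout (step 2) and the CAS session timeout (in minutes, as the page
// assumes). The relations checked follow the page's guidance; the strict
// comparisons are this example's choice.
function checkTimeouts({ timers, serviceTimeoutSeconds, saslogonTimeoutSeconds, casTimeoutMinutes }) {
  const { keepAliveSeconds: n, sessionTimeoutSeconds: m } = parseTimers(timers);
  const warnings = [];
  if (n >= m) {
    warnings.push('keep-alive interval n must be shorter than the session timeout m');
  }
  if (n >= serviceTimeoutSeconds) {
    warnings.push('keep-alive interval is not shorter than the Viya service timeout, so services can expire between refreshes');
  }
  if (saslogonTimeoutSeconds <= serviceTimeoutSeconds) {
    warnings.push('saslogon timeout should be much larger than the service timeout from step 1');
  }
  if (m > casTimeoutMinutes * 60) {
    warnings.push('app session outlives the CAS session timeout; raise the CAS session timeout as described above');
  }
  return warnings;
}

// Constructed sample values: the page's TIMERS example with the CAS default of 60 minutes.
const SAMPLE_SETTINGS = {
  timers: timersFromMinutes(5, 4, 1),   // "300,14460", as on the page
  serviceTimeoutSeconds: 3600,
  saslogonTimeoutSeconds: 28800,
  casTimeoutMinutes: 60,
};

console.log(SAMPLE_SETTINGS.timers);
console.log(checkTimeouts(SAMPLE_SETTINGS));  // warns that 60 CAS minutes do not cover a 4h01m session
```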

Increasing the TTL for authentication tokens

See the section below on clientid

Notes

  1. Users of viyaappserver-js see the KEEPALIVE setting to keep the application authentication alive.
  2. It might also be useful to create authentication tokens with longer TTL. To do this increase the TTL setting when creating the clientid used to get the authentication token. See https://github.com/sassoftware/restaf/wiki/Managing-clientids for details.

Application specific configurations


Logon callback uris

This is useful if you want your custom apps to behave like our standard VA applications on timeout.

The comma-delimited list of URIs that users can be redirected to after signing in following a time-out or logoff. SAS application URIs and registered client redirect URIs are automatically included in the list.

Use SAS Environment Manager to set this in SAS Logon Manager configuration. An example is

http://localhost:8080/viyaapp,https://localhost/viyaapp

Setting up clientid for your custom applications

You can run this as part of your setup scripts. See https://github.com/sassoftware/restaf/wiki/Managing-clientids

Do the following in any shell:


npx @sassoftware/registerclient --host=Url-to-viya-server --ttl=<ttl in days>

The ttl option is only required if you want your tokens to have very long ttl. For more control see https://github.com/sassoftware/restaf/wiki/Managing-clientids for details. Tokens inherit their TTL from the associated clientid.

On prompt (>) enter

logon

Then respond to request for userid and password.

Once you are logged on issue "help" command to see what is possible.

Web Applications

We recommend that you use the authorization_code flow for web applications. This will allow your application to use VA-SDK.

Here is an example:


add viyademo -t authorization_code -s secret -r http://localhost:8080/viyademo,http://localhost:8080/viyaapp,https://localhost/viyademo,https://localhost/viyaapp

Non-web applications

Create password-flow clientids.

Here is an example:


add mycli -t password -s myclisecret