Authentication in the Stored Process Web Application

Starting with SAS 9.2, the default way for a user to log on to the SAS Stored Process Web Application is to use the Logon Manager. This is the standard mechanism used by SAS Web products. The user enters credentials in a logon dialog box. After verifying the user credentials, the Logon Manager forwards to the URL that was entered for the SAS Stored Process Web Application.

To log on using the same Basic authentication that was used in previous releases of the SAS Stored Process Web Application, use the following URL:

http://yourserver.com:8080/SASStoredProcess/do1

This URL bypasses the Logon Manager and enables the SAS Stored Process Web Application to handle the user verification. The SAS Stored Process Web Application sends an HTTP status 401 to force the Web browser to display a logon dialog box. This capability can be disabled by removing the servlet mapping for do1 in the web.xml configuration file.

Starting with SAS 9.2, users can run stored processes without having to log on. A guest user name can be defined to run stored processes under a fixed account. The guest user name and password are specified in the SAS Stored Process Web Application initialization parameters.

The default guest account is the anonymous Web account, usually named webanon, that was defined during the system installation. If this account was not created, or if you want to specify a different account, then the initialization parameters GuestUsername and GuestPassword are used to define a guest account. The encoded value of the GuestPassword parameter can be used for the GuestPassword property value, which can be obtained as follows:

PROC PWENCODE
in=”mypassword”; 
run;

To enable guest access, the SAS Stored Process Web Application initialization parameter AllowGuest must be set to true. Use the Configuration Manager in SAS Management Console to set this parameter. Expand the Configuration Manager group on the Plug-ins tab in SAS Management Console. Right-click the Stored Process Web App 9.3 node and select Properties. In the Properties dialog box, click the Advanced tab. Double-click the property value for the AllowGuest property, and change the value to true in order to grant guest access to the Anonymous Web User. The GuestUsername and GuestPassword initialization parameters can also be added. To add GuestUsername and GuestPassword, click Add and enter the property name and desired value for each.

After you modify the advanced properties for the SAS Stored Process Web Application in the Configuration Manager, you must stop the Web application server, restart SAS Remote Services, and then start the Web application server. A URL similar to the following can then be used to access the SAS Stored Process Web Application by using the guest account:

http://yourserver.com:8080/SASStoredProcess/guest

If the guest account is defined as an internal account, then any requests that use a workspace server will fail, including prompts that use dynamically generated lists and prompts that have dependencies.

The values _username and _password can be given as input parameters in the URL in order to bypass any login dialog box. The password value can be encoded as shown previously if the initialization parameter AllowEncodedPassword is set to true.

If a user name is defined on the host server but is not defined in metadata, then the user is considered a member of the Public group. By default, the Public group does not have permission to execute stored processes. You can use the Authorization Manager in SAS Management Console to assign ReadMetadata permission to the Public group, which enables these users to execute stored processes. For more information about using the Authorization Manager, see the product help.

To allow public IDs in the SAS Stored Process Web Application, the configuration parameter App.PublicIdAllowed must be set to true. On the SAS Management Console Plug-ins tab, click Application Management. Open Configuration Manager, right-click Stored Process Web App 9.3, and select Properties. Select the Advanced tab, and set the App.PublicIdAllowed configuration parameter to true.

To allow single system sign-on, you can use Web server trusted authentication with the Logon Manager. To set up your system for trusted authentication see the SAS Intelligence Platform: Security Administration Guide.

To log off, the variable _ACTION=LOGOFF can be sent to SAS Stored Process Web Application. This forces the current session to be immediately deleted, and a logoff screen is displayed.