cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
BookmarkSubscribeRSS Feed
☑ This topic is solved. Need further help from the community? Please sign in and ask a new question.
PriitL
Obsidian | Level 7 PriitL
Obsidian | Level 7
Go to Solution

CSRF and asterisk @sas.web.csrf.referers.knownHosts

Posted 09-15-2022 07:18 AM (1362 views)

Hi!

 

We have to create a situation where user needs to see some report directly and therefore the link to exact report is placed at intranet webpage menu, for example https://web.domain.dn/somewhere/somepage. The link to the report is similar to <https://<sas_midtier_host.doman.dn>:8343/SASVisualAnalyticsViewer/?reportSBIP=SBIP://METASERVER/<longer-path-to-report>.  So, it means that referer for the sas_midtier_host is different.

 

Now, the problem is that even if I do have asterisk at sas.web.csrf.referers.knownHosts value, it still gives "The referring URL has been logged on the server. Please contact your SAS Administrator if you think the referring URL should be allowed. The SAS Administrator should review the information about cross site request forgery in the SAS Intelligence Platform documentation for instructions about using the sas.web.csrf.referers.knownHosts setting to whitelist the referring URL." 

referer-denies.PNGreferer-knownhosts-asterix.PNG

 

I remember the asterisk was typed while installing the environment:

 

referer-asterix-typed.PNG

 

The easiest solution would be turning CSFR off completely as the asterisk shouldn't restrict anybody anyway. But I'm still curious why it gives me the denial because of referer, is asterisk suitable for the cell?

 

Thanks!

 

PriitL

 

0 Likes
Reply
1 ACCEPTED SOLUTION

Accepted Solutions
PriitL
Obsidian | Level 7 PriitL
Obsidian | Level 7

Re: CSRF and asterisk @sas.web.csrf.referers.knownHosts

Posted 09-16-2022 08:03 AM (1302 views)  |   In reply to gwootton

Thank You for Your reply.

 

Still, entries "http://*/,https://*/" do not work. The entry should be "http://*.dn/,https://*.dn/" (if domain is domain.dn for example).

 

View solution in original post

0 Likes
Reply
2 REPLIES 2
gwootton
SAS Super FREQ gwootton
SAS Super FREQ

Re: CSRF and asterisk @sas.web.csrf.referers.knownHosts

Posted 09-15-2022 08:22 AM (1322 views)  |   In reply to PriitL
An asterisk does not meet the format set forth in the prompt for that field, so I think you'd need to do http://*/ and https://*/. I would agree if you want to permit from any host you should instead set "sas.web.csrf.referers.performCheck" to false and restart your middle tier.

Whitelist of Websites and Methods Allowed to Link to SAS Web Applications
https://go.documentation.sas.com/doc/en/bicdc/9.4/bimtag/p1xtsni38p58t3n1ljd2fy4c3joz.htm
--
Greg Wootton | Principal Systems Technical Support Engineer
Reply
PriitL
Obsidian | Level 7 PriitL
Obsidian | Level 7

Re: CSRF and asterisk @sas.web.csrf.referers.knownHosts

Posted 09-16-2022 08:03 AM (1303 views)  |   In reply to gwootton

Thank You for Your reply.

 

Still, entries "http://*/,https://*/" do not work. The entry should be "http://*.dn/,https://*.dn/" (if domain is domain.dn for example).

 

0 Likes
Reply

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

Get Started with SAS Information Catalog in SAS Viya

SAS technical trainer Erin Winters shows you how to explore assets, create new data discovery agents, schedule data discovery agents, and much more.

Watch Get Started with SAS Information Catalog in SAS Viya on YouTube

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 2 replies
  • ‎09-15-2022 07:18 AM
  • 1363 views
  • 1 like
  • 2 in conversation