SAS/IntrNet 9.2: Application Dispatcher |
The Application Dispatcher has several debugging options that can be turned on and off through the _DEBUG field in Application Dispatcher requests. Some of these options might represent security risks, including a few that are not documented and are used by Technical Support. For example, the Application Dispatcher includes an option to show the SAS log (which might contain source code), the host name and port number where the Application Server is running, or a list of all services known to the Application Broker.
To create a secure Application Dispatcher setup, decide which debugging options you want to allow and set the value of DebugMask or ServiceDebugMask in the Application Broker configuration file to the sum of those options. Add together the debug values that you want to allow and use that number in the directive. For example, if you want to allow only the field echo (1), status message (2), and output dump (16) values, you would set DebugMask to 19 (1+2+16). You can also use keywords to specify these options. For a list of valid debug values and keywords, see the List of Valid Debug Values.
Note: By default, all debugging options are allowed because the DebugMask and ServiceDebugMask directives are global and by-service directives.
The default value for the DebugMask is 32767, which is acceptable for most sites. The value 32767 indicates that all debug values are allowed. If you comment out the DebugMask option by maintaining the # sign in front of DebugMask, you are also allowing all debug values.
Some debug values pose a security risk, so it is recommended that you selectively disable these values by specifying a different DebugMask value. Setting a different DebugMask value controls the allowable values for the _DEBUG field in the HTML form or link.
Copyright © 2007 by SAS Institute Inc., Cary, NC, USA. All rights reserved.