A default installation
of SAS BI Web Services for Java is not highly secure. The default
security mechanism is SAS authentication. All requests and responses
are sent as clear-Text. If users want to authenticate as a specific
user, then they can send a user name and password as clear-Text as
part of the WS-Security headers for SOAP services or as HTTP basic
authentication headers when using RESTful Web services (plain XML
and JSON). Authentication is performed by authenticating client credentials
at the SAS Metadata Server. Whenever user names and passwords must
be sent as clear-Text, SSL should be enabled to provide transport
layer security.
You can configure an
anonymous user account to use for Web service invocations when credentials
are not provided. The anonymous account is configured during software
configuration using the SAS Deployment Wizard. Anonymous users cannot
use the Web Service Maker; credentials must always be provided to
use the Web Service Maker.
SAS BI Web Services
can be secured by using Web authentication. This provides a way for
SAS BI Web Services to identify the calling subject as authenticated
by the underlying Java application server. This authentication mechanism
requires HTTP transport-level security to be enabled.
Note: Web authentication can be
used with both XMLA Web services and structured Web services but cannot
be used with the Web Service Maker Web service when invoked by SAS
Management Console clients because they use SAS one-time passwords.
Consult with your administrator
to determine how Web services are configured at your site and how
you can invoke them. For more information about setting up Web service
security, see the
SAS Intelligence Platform: Web Application Administration Guide.