SAS/IntrNet 8.2: Application Dispatcher
One feature of the Application Dispatcher lets you view the SAS log. This helps when developing an application; however, it creates a potential security risk in a production-level application. Programs of the types .SAS, .SOURCE, and .MACRO all submit statements that appear in the log. SAS Component Language (SCL) statements do not appear in the log, but statements submitted by using an SCL submit block do appear. (SCL is available with SAS/AF software.)
You can accomplish many of the same tasks in SCL that you can by using these other program types. SCL is the most secure program type. If you create your Dispatcher program with SCL and the user attempts to return the SAS log, your program statements do not appear. Additionally, SCL is more secure because it is a compiled language. Compiled macros (.MACRO program types) share this feature. Using SCL lets you compile the program and delete the readable source. This prevents someone from reading the program statements even if they gain access to the SAS catalog on the Application Server machine.
Running a .MACRO entry prints the original source to the SAS log if the MPRINT option is set. To prevent this, you can include the following statement in a request init program:
options nomprint;
You can protect access to your data by using password-protected data sets. This feature of SAS software lets you assign a password to a data set. You must then supply the password to access or to modify the data set. You can choose to code the password to the data set in your application or require the user to supply it. If you code the password into your application, ensure that the user cannot view that password by returning the SAS log to the browser or by reading your source code files.
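The following added example, which is not part of the original SAS documentation, combines the request init statement and the password-protected data set described above. The libref SECLIB, the data set PAYROLL, its columns, the path, and the password RDPW1234 are constructed placeholders; NOSYMBOLGEN and NOMLOGIC are standard SAS system options that go beyond the single NOMPRINT option the page names.

```sas
/* Added example: SECLIB, PAYROLL, DEPT, TOTAL, the path and the
   password RDPW1234 are constructed placeholders. */

/* One-time setup, run by an administrator outside the Dispatcher:
   assign a READ password to the data set. */
libname seclib '/path/to/secured/data';      /* placeholder path */

proc datasets library=seclib nolist;
   modify payroll (read=RDPW1234);           /* placeholder password */
run;
quit;

/* Request init program.
   NOMPRINT    - the option named on this page: generated macro
                 statements are not written to the log.
   NOSYMBOLGEN - resolved macro variable values are not logged.
   NOMLOGIC    - macro execution tracing is not logged. */
options nomprint nosymbolgen nomlogic;

/* Program compiled as a stored macro so that no readable source
   has to stay on the server (assumes the standard stored compiled
   macro facility; the target library is a placeholder). The READ
   password is coded in the application, so the user never
   supplies it. */
options mstored sasmstore=seclib;

%macro payrpt / store;
   proc print data=seclib.payroll (read=RDPW1234) noobs;
      var dept total;                        /* hypothetical columns */
   run;
%mend payrpt;
```

Because the password is coded in the macro, keep the uncompiled source file out of any location the Application Server or its users can read.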