× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.



Don,

For a program to be "adopting authority" of its owner, you'd see the
following

  User profile . . . . . . . . . . . . . . . . . :   *OWNER

So your program isn't adopting authority, since it has *USER.

Now the second line:
  Use adopted authority  . . . . . . . . . . . . :   *YES


Means that if PGM1 has USRPRF(*OWNER) and say PGM1's owner is QSECOFR,
and PGM1 calls PGM2 where PGM2 has USRPRF(*USER), USRADPAUT(*YES).  Then
PGM2 while not adopting authority itself will make use of the QSECOFR
authority adopted by PGM1.

Make sense?


I don't think adopted authority is your problem.  Instead, it's the *USE
authority on the OUTQs.

Here's a nice explanation of spool file security:
http://www.itjungle.com/fhg/fhg063004-story02.html

HTH,


Charles Wilt
--
iSeries Systems Administrator / Developer
Mitsubishi Electric Automotive America
ph: 513-573-4343
fax: 513-398-1121
  

-----Original Message-----
From: web400-bounces+cwilt=meaa.mea.com@xxxxxxxxxxxx 
[mailto:web400-bounces+cwilt=meaa.mea.com@xxxxxxxxxxxx] On 
Behalf Of Don Cavaiani
Sent: Tuesday, July 18, 2006 3:16 PM
To: Web Enabling the AS400 / iSeries
Subject: Re: [WEB400] Apache

 "Adopted authority adds the authority of a program owner to the
authority of the user running the program." 

Yes, that is the API being used here. Looks like all of my *OUTQs have
at least *USE authority!

Is that the problem ?  The owner of the program is SSA  (this is BPCS
ERP), and has *JOBCTL.  What if I just change the owner of 
the program?


-----Original Message-----
From: web400-bounces@xxxxxxxxxxxx [mailto:web400-bounces@xxxxxxxxxxxx]
On Behalf Of Wilt, Charles
Sent: Tuesday, July 18, 2006 2:03 PM
To: Web Enabling the AS400 / iSeries
Subject: Re: [WEB400] Apache

How does the program get the information it outputs?

If using the List Spooled Files (QUSLSPL) API, then the following
applies:

The requester is authorized to the output queue if one or more of the
following conditions are met:

    * The requester has *SPLCTL authority.
    * The requester has *JOBCTL authority, and the output queue is
specified as OPRCTL(*YES).
    * The requester has *READ authority to the output queue.

You've considered option 1, what about 2 & 3?


Charles Wilt
--
iSeries Systems Administrator / Developer Mitsubishi Electric 
Automotive
America
ph: 513-573-4343
fax: 513-398-1121
  

-----Original Message-----
From: web400-bounces@xxxxxxxxxxxx
[mailto:web400-bounces@xxxxxxxxxxxx] On Behalf Of Don Cavaiani
Sent: Tuesday, July 18, 2006 2:56 PM
To: Web Enabling the AS400 / iSeries
Subject: Re: [WEB400] Apache

Charles - The users have *NONE, the program does show Adopted 
Authority

Program creation information:

  Program creation date/time . . . . . . . . . . :   07/14/06 
 08:38:32

  Type of program  . . . . . . . . . . . . . . . :   ILE

  Program entry procedure module . . . . . . . . :   WRKCGISPLF

    Library  . . . . . . . . . . . . . . . . . . :     BPCSCDUSR

  Activation group attribute . . . . . . . . . . :   QILE

  Shared activation group  . . . . . . . . . . . :   *NO

  User profile . . . . . . . . . . . . . . . . . :   *USER

  Use adopted authority  . . . . . . . . . . . . :   *YES

  Coded character set identifier . . . . . . . . :   65535

  Number of modules  . . . . . . . . . . . . . . :   1



-----Original Message-----
From: web400-bounces@xxxxxxxxxxxx 
[mailto:web400-bounces@xxxxxxxxxxxx]
On Behalf Of Wilt, Charles
Sent: Tuesday, July 18, 2006 1:53 PM
To: Web Enabling the AS400 / iSeries
Subject: Re: [WEB400] Apache

Don,

Do your general user profiles specify *SPLCTL?

Does the program use adopted authority?

Charles Wilt
--
iSeries Systems Administrator / Developer Mitsubishi Electric 
Automotive America
ph: 513-573-4343
fax: 513-398-1121
  

-----Original Message-----
From: web400-bounces@xxxxxxxxxxxx
[mailto:web400-bounces@xxxxxxxxxxxx] On Behalf Of Don Cavaiani
Sent: Tuesday, July 18, 2006 2:22 PM
To: Web Enabling the AS400 / iSeries
Subject: Re: [WEB400] Apache

I turned the Special Authorities back to *NONE for QTMHHTP1.

When I run with UserID %%SERVER%% (my original setting), 
no one can 
access any of the spool file info which the WRKCGISPLF loads up.


When I run with UserID %%CLIENT%%, anyone can access any of
the spool
files which come up.  A general user ID can get the QSECOFR spool 
files to display.

This may be inherent in the design of this program ??

-----Original Message-----
From: web400-bounces@xxxxxxxxxxxx
[mailto:web400-bounces@xxxxxxxxxxxx]
On Behalf Of Wilt, Charles
Sent: Tuesday, July 18, 2006 12:42 PM
To: Web Enabling the AS400 / iSeries
Subject: Re: [WEB400] Apache

Sounds like the system isn't using the user name being supplied.

What's your config file look like?  Here's the relevant
lines out of
mine.

  34         <Location /melcgip/protected>
  35              AuthName "Protected - iSeries Username required"
  36              AuthType Basic
  37              PasswdFile %%SYSTEM%%
  38              UserID %%CLIENT%%
  39              Require valid-user
  40         </Location>
  

Line #38 is what tells Apache to run the CGI program under the 
provided user name.

HTH,


Charles Wilt
--
iSeries Systems Administrator / Developer Mitsubishi Electric 
Automotive America
ph: 513-573-4343
fax: 513-398-1121
  

-----Original Message-----
From: web400-bounces@xxxxxxxxxxxx
[mailto:web400-bounces@xxxxxxxxxxxx] On Behalf Of Don Cavaiani
Sent: Tuesday, July 18, 2006 1:00 PM
To: Web Enabling the AS400 / iSeries
Subject: Re: [WEB400] Apache

Charles - I do have AS400 authentication enabled, but no
matter who I
signed in as, I was not able to access ANY spooled file (in
the sample

program WRKCGISPLF), until I changed the QTMHHTP1 profile
(which I
don't like either - as you say).

When I entered  *all in the user id of the Browser prompt,
all spool
files on the system show!  That would not be a problem if
when the
user clicks on one which WAS NOT THEIRS, then access would
be denied.
However, I was not able to access any of them - even
using qsecofr
validation??

-----Original Message-----
From: web400-bounces@xxxxxxxxxxxx
[mailto:web400-bounces@xxxxxxxxxxxx]
On Behalf Of Wilt, Charles
Sent: Tuesday, July 18, 2006 11:40 AM
To: Web Enabling the AS400 / iSeries
Subject: Re: [WEB400] Apache

Probably not the solution you want to use.

Now anybody who can get to the web server can access all
your spool
files.

Instead, you can configure Apache to ask for a users
iSeries user ID
and password, then the CGI job will switch over to that
profile to do
the work it needs to.

The CGIDEV2 documentation shows how to do it.  If you need
more help
just ask.

Charles Wilt
--
iSeries Systems Administrator / Developer Mitsubishi Electric 
Automotive America
ph: 513-573-4343
fax: 513-398-1121
  

-----Original Message-----
From: web400-bounces@xxxxxxxxxxxx 
[mailto:web400-bounces@xxxxxxxxxxxx] On Behalf Of Don Cavaiani
Sent: Tuesday, July 18, 2006 11:49 AM
To: Web Enabling the AS400 / iSeries
Subject: Re: [WEB400] Apache

Thanks, I gave Spool Control Special Authority access 
for that 
profile, and that did it!

-----Original Message-----
From: web400-bounces@xxxxxxxxxxxx
[mailto:web400-bounces@xxxxxxxxxxxx]
On Behalf Of Matt.Haas@xxxxxxxxxxx
Sent: Tuesday, July 18, 2006 10:20 AM
To: web400@xxxxxxxxxxxx
Subject: Re: [WEB400] Apache

Unless you changed the defaults, it's QTMHHTP1. 

Matt

-----Original Message-----
From: web400-bounces+matt.haas=thomson.com@xxxxxxxxxxxx
[mailto:web400-bounces+matt.haas=thomson.com@xxxxxxxxxxxx]
On Behalf
Of Don Cavaiani
Sent: Tuesday, July 18, 2006 11:16 AM
To: Web Enabling the AS400 / iSeries
Subject: Re: [WEB400] Apache

The job log of QZSRCCGI shows Not authorized to spooled
file.  I'm not

sure what user profile is "in effect" here?

-----Original Message-----
From: web400-bounces@xxxxxxxxxxxx
[mailto:web400-bounces@xxxxxxxxxxxx]
On Behalf Of Matt.Haas@xxxxxxxxxxx
Sent: Tuesday, July 18, 2006 10:09 AM
To: web400@xxxxxxxxxxxx
Subject: Re: [WEB400] Apache

You're missing the last ")" in the command but now that the
program is

getting called, you should be able to start a service job
on the job
running the CGI program and debug it like you normally would.

Matt

-----Original Message-----
From: web400-bounces@xxxxxxxxxxxx
[mailto:web400-bounces@xxxxxxxxxxxx]
On Behalf Of Don Cavaiani
Sent: Tuesday, July 18, 2006 11:04 AM
To: Web Enabling the AS400 / iSeries
Subject: Re: [WEB400] Apache

That did it Matt, thanks.  Now the program loads up fine,
but I get an

access error:  Cannot Access Spooled File Error in
command: CPYSPLF
FILE(QPRINT) TOFILE(QTEMP/SPLOUTPUT)
JOB(110888/TEST/STEPBYSTEP) SPLNBR(000001) MBROPT(*REPLACE) 
CTLCHAR(*PRTCTL

-----Original Message-----
From: web400-bounces@xxxxxxxxxxxx
[mailto:web400-bounces@xxxxxxxxxxxx]
On Behalf Of Matt.Haas@xxxxxxxxxxx
Sent: Tuesday, July 18, 2006 9:44 AM
To: web400@xxxxxxxxxxxx
Subject: Re: [WEB400] Apache

I think you just need to add .pgm to the end of the URL. I
think you
can also add *.PGM to the end of the ScriptAlias to achieve
the same
thing (I'm not 100% sure on that) but try adding .pgm
in the URL
first.

Matt

-----Original Message-----
From: web400-bounces@xxxxxxxxxxxx
[mailto:web400-bounces@xxxxxxxxxxxx]
On Behalf Of Don Cavaiani
Sent: Tuesday, July 18, 2006 10:15 AM
To: web400@xxxxxxxxxxxx
Subject: [WEB400] Apache

Greetings,

I am trying to get my first CGI (WRKCGISPLF) to execute.

Here is my configuration below:  I have compiled the
WRKCGISPLF into
the library named DONC.  When I run 
http://amereqip.com/cgi-bin/wrkcgisplf,
I get "page cannot be found". 

Top of Form 1
Display Configuration File 
HTTP server:  APACHE3         
Selected file:        /www/apache3/conf/httpd.conf    

1     # Configuration originally created by Apache 
Setup Wizard Wed
Jan 19 18:49:23 GMT+00:00 2005        
2     LogFormat "%h %l %u %t \"%r\" %>s %b" common    
3     CustomLog logs/access_log common        
4     ErrorLog logs/error_log 
5     LogMaint logs/error_log 8 0     
6     LogMaint logs/access_log 8 0    
7     Listen *:80     
8     MaxKeepAliveRequests 5  
9     TimeOut 120     
10    KeepAliveTimeout 4      
11    DocumentRoot /web       
12    ServerRoot /www/apache3 
13    Options -ExecCGI -FollowSymLinks 
-SymLinksIfOwnerMatch -Includes
-IncludesNoExec -Indexes -MultiViews  
14    SetEnvIf "User-Agent" "Mozilla/2" nokeepalive   
15    SetEnvIf "User-Agent" "JDK/1\.0" force-response-1.0     
16    SetEnvIf "User-Agent" "Java/1\.0" force-response-1.0    
17    SetEnvIf "User-Agent" "RealPlayer 4\.0" 
force-response-1.0        
18    SetEnvIf "User-Agent" "MSIE 4\.0b2;" nokeepalive        
19    SetEnvIf "User-Agent" "MSIE 4\.0b2;" force-response-1.0 
20    <Location />    
21    AuthName AS400  
22    AuthType Basic  
23    PasswdFile %%SYSTEM%%   
24    UserID %%SERVER%%       
25    Require valid-user      
26    </Location>     
27    ScriptAlias /db2www/ /QSYS.LIB/DONC.LIB/DB2WWW.PGM/     
28    ScriptAlias /cgi-bin/ /QSYS.LIB/DONC.LIB/       
29    Alias /doc /web/intranet        
30    Alias /nd /web/cgibin   
31    <Directory />   
32    deny From all   
33    </Directory>    
34    <Directory /web/intranet/testjava>      
35    Allow From all  
36    </Directory>    
37    <Directory /web/intranet>       
38    Allow From all  
39    </Directory>    
40    <Directory /web/cgibin> 
41    Allow From all  
42    </Directory>    
43    <Directory /web>        
44    Allow From all  
45    </Directory>    
46    <Directory /qsys.lib/donc.lib>  
47    Allow From all  
48    </Directory>    
49    <Directory /qntc/ntserver1/groups/mis>  
50    Allow From all  
51    </Directory>    
Bottom of Form 1

Don F. Cavaiani
IT Manager
Amerequip Corp.
920-894-7063
 
'Treat every person with kindness and respect, even those
who are rude

to you. Remember that you show compassion to others not
because of who

they are but because of who you are.'--Andrew T. Somers

"When faced with the choice of being 'right' or being
'kind', choose
the kind option every time."


--
This is the Web Enabling the AS400 / iSeries (WEB400)
mailing list To
post a message email: WEB400@xxxxxxxxxxxx To subscribe,
unsubscribe,
or change list options,
visit: http://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx Before posting,
please take a
moment to review the archives at
http://archive.midrange.com/web400.


--
This is the Web Enabling the AS400 / iSeries (WEB400)
mailing list To
post a message email: WEB400@xxxxxxxxxxxx To subscribe,
unsubscribe,
or change list options,
visit: http://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx Before posting,
please take a
moment to review the archives at
http://archive.midrange.com/web400.


--
This is the Web Enabling the AS400 / iSeries (WEB400)
mailing list To
post a message email: WEB400@xxxxxxxxxxxx To subscribe,
unsubscribe,
or change list options,
visit: http://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx Before posting,
please take a
moment to review the archives at
http://archive.midrange.com/web400.


--
This is the Web Enabling the AS400 / iSeries (WEB400)
mailing list To
post a message email: WEB400@xxxxxxxxxxxx To subscribe,
unsubscribe,
or change list options,
visit: http://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx Before posting,
please take a
moment to review the archives at
http://archive.midrange.com/web400.


--
This is the Web Enabling the AS400 / iSeries (WEB400)
mailing list To
post a message email: WEB400@xxxxxxxxxxxx To subscribe,
unsubscribe,
or change list options,
visit: http://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx Before posting,
please take a
moment to review the archives at
http://archive.midrange.com/web400.


--
This is the Web Enabling the AS400 / iSeries (WEB400)
mailing list To
post a message email: WEB400@xxxxxxxxxxxx To subscribe,
unsubscribe,
or change list options,
visit: http://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx Before posting,
please take a
moment to review the archives at
http://archive.midrange.com/web400.


--
This is the Web Enabling the AS400 / iSeries (WEB400)
mailing list To
post a message email: WEB400@xxxxxxxxxxxx To subscribe,
unsubscribe,
or change list options,
visit: http://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx Before posting,
please take a
moment to review the archives at
http://archive.midrange.com/web400.



--
This is the Web Enabling the AS400 / iSeries (WEB400)
mailing list To
post a message email: WEB400@xxxxxxxxxxxx To subscribe,
unsubscribe,
or change list options,
visit: http://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx Before posting,
please take a
moment to review the archives at
http://archive.midrange.com/web400.


--
This is the Web Enabling the AS400 / iSeries (WEB400)
mailing list To
post a message email: WEB400@xxxxxxxxxxxx To subscribe,
unsubscribe,
or change list options,
visit: http://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx Before posting,
please take a
moment to review the archives at
http://archive.midrange.com/web400.



--
This is the Web Enabling the AS400 / iSeries (WEB400)
mailing list To
post a message email: WEB400@xxxxxxxxxxxx To subscribe,
unsubscribe,
or change list options,
visit: http://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx Before posting, 
please take a 
moment to review the archives at 
http://archive.midrange.com/web400.


--
This is the Web Enabling the AS400 / iSeries (WEB400)
mailing list To
post a message email: WEB400@xxxxxxxxxxxx To subscribe,
unsubscribe,
or change list options,
visit: http://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx Before posting, 
please take a 
moment to review the archives at 
http://archive.midrange.com/web400.



--
This is the Web Enabling the AS400 / iSeries (WEB400) 
mailing list To 
post a message email: WEB400@xxxxxxxxxxxx To subscribe, 
unsubscribe, 
or change list options,
visit: http://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives at 
http://archive.midrange.com/web400.


--
This is the Web Enabling the AS400 / iSeries (WEB400) 
mailing list To 
post a message email: WEB400@xxxxxxxxxxxx To subscribe, 
unsubscribe, 
or change list options,
visit: http://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives at 
http://archive.midrange.com/web400.



--
This is the Web Enabling the AS400 / iSeries (WEB400) mailing list To
post a message email: WEB400@xxxxxxxxxxxx To subscribe, 
unsubscribe, or
change list options,
visit: http://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives at
http://archive.midrange.com/web400.


-- 
This is the Web Enabling the AS400 / iSeries (WEB400) mailing list
To post a message email: WEB400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/web400.




As an Amazon Associate we earn from qualifying purchases.

This thread ...


Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.