Scott,
If you use the "Passwd %%SYSTEM%%, Userid %%CLIENT%%, require valid-user"
setup, the Apache server will start and close down QZSRCGI jobs as I
described. I admit it has been some years since I was playing around with it,
but I can't imagine it has changed.
If you keep job persistence by using Accept-HTSession handles you will,
with a large user pool, eventually run into thresholds, since you need a
long timeout to avoid casual users being thrown out of the system.
In the persistent and stateful environment you have no way to restart your
web server without every user being thrown out. In a stateless environment you
can restart the web server and the only thing the users experience is a
short delay before they can continue. That doesn't mean that you can throw
a user or users out or time them out in the stateless environment.
If you use the "Passwd %%SYSTEM%%, Userid %%CLIENT%%, require valid-user"
setup, you use system user IDs and passwords to gain access to the CGI
library. Are you telling me that these same system user IDs/passwords can't
be used to run FTP if the FTP server is started?
QTMHHTP1 is to me a "shitty" profile since it has no password and no
authority. You can of course validate users against an OS profile and get a
handle to transfer underlying new jobs to another user profile, but then you
lose all the benefits of a stateless active environment since you aren't
able (to the best of my knowledge) to change the current user profile on an
active program.
The real problem here is that the stateless environment needs to have
access to a variety of other systems to be able to function, such as the ERP
system, archive systems or other tools etc., so you really need a user
profile that has all the needed access.
Your statement "That's a good thing -- you don't want the profile people
can get into without any credentials to have a lot of authority!" is not
correct. No outsider can know what user profile you use in the Apache
server's QZSRCGI jobs since no one can access the .conf file if Apache is
configured properly, and even if they knew the user profile they would not
know the password.
Another thing to remember is that Apache only grants direct access to
objects in a specific library and not to any objects in the library list or
in the system. If you keep your CGI library clean and CGI programs
protected in another way, no one can access anything without being granted
access.
Basic or Digest Authentication will not save the day. It is simply not
enough and very much equal to running security level 20 on IBM i, and it is
what I call "false security" since it grants full access to any program in
the CGI library and doesn't secure you from DOM and JavaScript injections.
What you really need is only to be able to access specific programs/services
in the CGI library and at the same time often only allow the program/service
to process specific sections in a DB table without having to maintain a
complex security environment.
I could elaborate how to build a secured and SOX audited and approved
general system, but it is a little off-topic in this thread.
RPGOA in a stateless environment. Yes you can, but that will require new
coding since no existing 5250 program is made to run stateless. So in that
case we are just discussing whether a program in the stateless environment
should use an RPGOA handler in front or use subprocedures in a service
program as middleware to whatever you want to do.
I notice that you use the latter method in all your own Open Source
implementations (HTTPAPI, FTPAPI, YAJL and POI), and all other programming
languages use imports of classes and methods (similar to service
programs/subprocedures) and not a DDS-like handler/interface. The
RPGOA technique is btw only supported by a few ISVs that offer
proprietary handlers, and there are few threads in the main IBM i forums
(iProdeveloper, Code400, midrange.com) besides those that on a general
level discuss the technique, indicating that it isn't widely used in legacy
code or by anyone else than the mentioned ISVs.
In general the RPGOA handler is in that respect an RPG "oddball" since the
technique is nowhere to be found in any other programming language and is
not even supported in the other ILE based languages like COBOL, C or CL,
which all communicate with each other using parameters to pass information
among them.
So “Open Access gives us very little we didn't have before.” - I think you
know who wrote that some 5 years ago or should I provide you with a link?
It is interesting reading ;-)
Now, I'm not a big fan of RPGOA, mainly because it is RPG language
proprietary and keeps RPG programmers in the dark age of an RLA-like,
DDS-based instruction set (READ/WRITE/EXFMT) and stateful 5250 program
designs instead of moving/pushing them forward using SQL for DB access and
service programs/sub-procedures to connect them to the middleware. To be
frank, the RPGOA argument "keep programmers in their comfort zone" isn't IMO
valid – RPG programmers who don't find themselves comfortable with using
service programs/sub-procedures shouldn't be allowed to call themselves "a
programmer" and certainly shouldn't be allowed to program browser based web
solutions.
On Fri, Jun 12, 2015 at 5:59 AM, Scott Klement <midrange-l@xxxxxxxxxxxxxxxx>
wrote:
Henrik,
This is simply not correct. QTMHHTP1 is only used as default; if you
specify ServerUserId in the Apache conf. file the QZSRCGI jobs run under
that adapted user profile in the stateless environment.
That's true, you can override it to another profile in your Apache config
if you want. My point is it's the same for persistent CGI as it is for
standard CGI.
Try it. If you don't set up the whole "Passwd %%SYSTEM%%, Userid
%%CLIENT%%, Require valid-user" settings, persistent CGI will run under the
QTMHHTP1 profile (or whatever you override it to) just as any other CGI job.
I do this every day.
QTMHHTP1 is the most "shitty" user profile in the system. It has no way
of accessing files through QNTC since it has no password, and it has the
lowest access to any IBM i objects.
That's a good thing -- you don't want the profile people can get into
without any credentials to have a lot of authority!
If you validate users against *OS in the Apache directive you are able to
use the same user id/password to get access to FTP (or other services) if
it is open for public access.
Where did you get this from? How do you enable it? How does it work?
Provide some information here, man. Apache doesn't serve FTP requests, and
the IBM FTP server doesn't automatically sign you in when you're logged
into Apache. What are you talking about?!
You may be right, but how does this ensure security in the AJAX request
without delegating access from the persistent session to the stateless
AJAX requests?
If you are using browser authentication (i.e. BASIC or DIGEST) then the
browser will automatically pass the userid/password across on all
requests. Again, persistent and standard requests are the same in this
respect, it doesn't do anything different for persistent vs.
non-persistent... same would happen if none of your requests are
persistent.
The security is exactly the same, here.
In RPGOA you have bindings between the program that launches the UI and
process data – I have none (now we are also talking about monoliths)! You
have bindings to the controller that runs on the server – I have none
since the controller is entirely based on generic JavaScript configured by
the initial program that launches the SOA and configures it by passing
JavaScript/JSON objects to it at load time with a little twist …
Using RPGOA for your display has nothing to do with whether you have
bindings between the program that launches the UI and the one that
processes data. You could be calling web services, stored procedures, etc
to process the data... You could make it modular by breaking into modules,
service programs, stored procedures, or web services... it's up to you
whether you write your code in a monolithic manner or not.
RPGOA doesn't even require your program to be stateful. Most RPGOA
applications are -- but this is primarily because people use it to allow
them to run their programs with minimal changes.
There's nothing stopping you from making a stateless handler (and we
include one with Profound UI). It can work exactly like CGIDEV2, except
instead of WrtSection(), you call the RPG WRITE opcode. Then RETURN from
your program and the data is written out via Apache to the browser.
It's a choice, not a requirement.
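The two CGI set-ups the thread argues about, side by side in one IBM i HTTP Server (powered by Apache) configuration fragment. This is an added example, not configuration from either poster; directive spellings follow the IBM i documentation (the thread's "Passwd %%SYSTEM%%, Userid %%CLIENT%%" is the PasswdFile/UserID pair), and the profile name, library and URL path are placeholders.

```apache
# Added example: how the profile a QZSRCGI job runs under is decided.

# Option A: stateless CGI under one fixed profile.
# Without the %%SYSTEM%% validation below, CGI jobs run as QTMHHTP1
# (no password, minimal authority) unless a ServerUserID is given.
# Scope CGIUSER (placeholder) to what the CGI library actually needs;
# every request, persistent or not, runs with its authority.
ServerUserID CGIUSER

# Placeholder URL path -> placeholder CGI library.
ScriptAliasMatch ^/cgi/(.*)$ /QSYS.LIB/MYCGILIB.LIB/$1

# Option B: validate the browser's Basic credentials against IBM i
# user profiles and run each request's CGI job under that caller.
# The browser resends the user ID/password on every request, so the
# same pair protects every program in the library (the "full access
# to any program in the CGI library" point raised above).
<Directory /QSYS.LIB/MYCGILIB.LIB>
    AuthType Basic
    AuthName "IBM i sign-on"
    PasswdFile %%SYSTEM%%    # validate against OS user profiles
    UserID %%CLIENT%%        # CGI job runs as the authenticated profile
    Require valid-user
</Directory>
```

With Option B the credentials are real system profiles, so anything else those profiles can reach (FTP, QNTC, other servers) is part of the exposure; with Option A the exposure is whatever CGIUSER is authorized to.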
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list