All,
I'm not sure how best to do this, but I have written some software and I'm
trying to get users to try it out. This is free software. Eventually
open-source.
Basically, after years of being involved with these forums, I have seen
lots of posters ask questions about how to enable some level of secured
access to their IBM i from web pages. The questions often go something like
this:
"We've written some CGI programs which we want to put on our production
box. How can we lock them down so only certain users can call them?"
"We don't want to give out IBM i user profiles to every user who calls our
CGI programs, but we don't want them open to everyone!"
"I don't want my users to get partway through a transaction and then go to
lunch - how can I stop them?"
In response to these sorts of questions and their answers (typically as
simplistic as "Use the UserID HTTP server configuration directive"), I
wrote the Web Access User Validator (WWWVALID) service program - a
fully-fledged security add-on to existing (and new) CGI programs.
A brief description (from the product documentation) is as follows:
*The Web Access User Validator (WWWVALID) is a service program which
contains a number of procedures which can be added to any existing CGI
program, to provide user profile/password (credential) validation.*
*Put simply, including WWWVALID in your CGI applications allows you to
define several options to provide enhanced application security:*
- *An application-specific sign-on page that is automatically displayed
when the user calls a given CGI program (by submitting a page from a
browser)
*
- *User-defined credential validation, allowing you to define your own
userid's and sign-on control
*
- *Application timeout processing (per-page and per-session), so a user
is forced to complete a transaction or submit a given page within a
specified time limit
*
- *Session-specific cookies, to ensure complete end-to-end session
management
*
- *The option to swap to run under the user profile used to sign-on, so
the CGI program can run with advanced authorities
*
*These additional options can be easily added to your existing CGI programs
with only a few lines of code, and with no changes to any HTTP server
configuration.*
Anyway, it's now ready for its unveiling. I would greatly appreciate it if
anyone could download it (see below), try it out and tell me what they
think. Particularly those of you who are already using CGI programs to
which they want to add a level of security. The downloadable package
includes a full user guide, setup instructions and a number of sample CGI
programs showing how to use WWWVALID. I have also attached a copy of the
user guide to this email.
The downloadable package (user guide plus V5R4 save file) is available on
SourceForge at *
http://sourceforge.net/projects/wwwvalid/*.<
http://sourceforge.net/projects/wwwvalid/>
The
version on there is a 'runtime' version, meaning that the save file
includes the source for the various example programs, but does not include
the *source* for WWWVALID itself - it contains a copy of the *SRVPGM
object, with observability removed. However, if anyone wants the source, I
will gladly send it to them. At some point I will update the SourceForge
package with the full source for all objects - if you download it form
there, you can be informed of any updates.
Thanks,
Rory
p.s. I checked with David and posted to the RPG list, since WWWVALID is
entirely written in RPG and the sample programs are also in RPG.
midrange.com
