Hi Mark,

I'm generating a new profile token from the user profile in positions 254 to 263 of the status data structure. It would be QTMHHTTP in this case. Any ideas?

I did it differently... instead of using the user profile that's listed in the PSDS, I actually grabbed a profile handle to the current userid BEFORE I switched, then I set that profile handle as active again after I was done.


I use a lot of utility subprocedures in service programs, so it's really hard to post my code in a manner that would allow you to actually compile and run it -- I'd have to send you all of my utilities as well, which could turn into a whole production...

But, here's a code snippet... hopefully it'll help you figure it out:

      *+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
      * CGI_RunWithUserAuthority(): Run procedure w/User's Authority
      *
      *  The HTTP Server (Powered by Apache) has the capability of
      *  verifying a user's login w/the iSeries password file and
      *  generating a profile token.  When that configuration is
      *  set up, this subprocedure can be called to run a subprocedure
      *  under the authority of the given user.
      *
      *    peCallback = (input) Procedure to call back under the
      *                 authenticated user's authority.
      *
      * Returns *ON if successful, *OFF otherwise.
      *+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
     P CGI_RunWithUserAuthority...
     P                 B                   export
     D CGI_RunWithUserAuthority...
     D                 PI             1N
     D   peCallback                    *   procptr value

     D Callback        PR                  extproc(peCallback)

     D wwHandle        s             12A
     D wwB64Token      s             64A   varying
     D wwToken         s             32A
     D wwErrMsg        s             80A   varying
     D wwErr           ds                  likeds(ErrorCode)
     D                                     inz(*likeds)
     D wwRC            s              1N

      /free

          //
          //  Check if we received a profile token from the Web server
          //  and if so, decode the base64.
          //

          if (mygetenv('HTTP_AS_AUTH_PROFILETKN') = *NULL);
             SetError(CGI_NOTOKEN: 'No Profile Token Provided.');
             return *OFF;
          endif;

          wwB64Token = %str(mygetenv('HTTP_AS_AUTH_PROFILETKN'));

          base64_decode( %addr(wwB64Token) + 2
                       : %len(wwB64Token)
                       : %addr(wwToken)
                       : %size(wwToken) );

          //
          // Save the current security settings in wwHandle,
          //  then switch to run with the authenticated user's
          //  authority.
          //

          QSYGETPH('*CURRENT': '*NOPWD': wwHandle);
          QSYSETPT(wwToken: wwErr);

          if (wwErr.BytesAvail > 0);
              util_compose('QCPFMSG   *LIBL'
                          : wwErr.MsgID
                          : wwErr.MsgData
                          : wwErrMsg
                          : %size(wwErrMsg));
              SetError(CGI_BADTKN: wwErrMsg);
              QSYRLSPH(wwHandle);
              return *OFF;
          endif;

          //
          //  Run the callback procedure under the user's authority
          //

          wwRC = *ON;
          monitor;
             Callback();
          on-error;
             wwRC = *OFF;
             SetError(CGI_PRCCRSH: 'Callback procedure crashed.');
          endmon;

          //
          //  Reset back to the original user profile
          //

          QWTSETP(wwHandle);
          QSYRLSPH(wwHandle);
          return wwRC;

      /end-free
     P                 E

So, the above routine is stored in a service program where it can be called by any/all of my CGI programs. Each CGI program's mainline looks like this:


     if CGI_RunWithUserAuthority(%paddr(DoRealWork)) = *OFF;
        ErrorMsg = CGI_Error();
        // call a subprocedure to send the error msg to
        // the support staff.
     endif;

     *inlr = *on; // if appropriate

That's the whole mainline... Everything else in the CGI program runs under the user's authority, and is placed in the DoRealWork() subprocedure (or another subprocedure that it calls...)

That way, no matter what goes wrong, the program will still complete normally and still switch back to the original user.

I know that this doesn't directly answer your question -- but since my service program seems to work okay, I thought maybe it'd help you to try my method.

Good Luck
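
The snippet above leaves out the prototypes for the security APIs it calls. The following is an added example, not part of the original post or the poster's service program: free-form prototypes for those four APIs and a restore step that checks the error code instead of assuming the swap back succeeded. The names SwapBack and ApiErr_t are hypothetical.

```rpgle
**free
// Added example (not the poster's code): prototypes for the four
// security APIs the snippet calls, plus a checked restore step.
// SwapBack and ApiErr_t are hypothetical names.
ctl-opt nomain;

dcl-ds ApiErr_t qualified template;
  BytesProv  int(10) inz(%size(ApiErr_t));
  BytesAvail int(10) inz(0);
  MsgID      char(7);
  *n         char(1);
  MsgData    char(240);
end-ds;

dcl-pr QSYGETPH extpgm('QSYGETPH');   // Get Profile Handle
  UserID   char(10) const;
  Password char(10) const;
  Handle   char(12);
  ErrCode  likeds(ApiErr_t) options(*nopass);
end-pr;

dcl-pr QSYSETPT extpgm('QSYSETPT');   // Set To Profile Token
  Token    char(32) const;
  ErrCode  likeds(ApiErr_t);
end-pr;

dcl-pr QWTSETP extpgm('QWTSETP');     // Set Profile Handle
  Handle   char(12) const;
  ErrCode  likeds(ApiErr_t) options(*nopass);
end-pr;

dcl-pr QSYRLSPH extpgm('QSYRLSPH');   // Release Profile Handle
  Handle   char(12) const;
  ErrCode  likeds(ApiErr_t) options(*nopass);
end-pr;

// Returns *ON only if the job is back under the saved profile.
dcl-proc SwapBack export;
  dcl-pi *n ind;
    Handle char(12) const;
  end-pi;
  dcl-ds err likeds(ApiErr_t) inz(*likeds);

  QWTSETP(Handle: err);      // swap back to the saved profile
  QSYRLSPH(Handle);          // release even if the swap failed
  return (err.BytesAvail = 0);
end-proc;
```

If SwapBack returns *OFF the job is still running under the end user's profile, so the caller should end the job rather than go on to serve another request.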

