Appendix C - HTTP-based login technique


Though the login technique based on HTTP directives is not the objective of these pages, we thought it would be useful to present some details on it.

  1. Base directives
    Assume that you have some CGI application running on iSeries. The Apache directives in Figure 1 could be used to run this application under the iSeries HTTP server.
    These directives are usually enough to allow execution of a CGI application.

    #========== Application in library MYLIB ==============
    ScriptAliasMatch /mylibp/(.*)  /qsys.lib/mylib.lib/$1
    Alias /mylib/ /mylib/
    <Directory /mylib>
       AllowOverride None
       Options None
       order allow,deny
       allow from all
    </Directory>
    <Directory /qsys.lib/mylib.lib>
       Options +ExecCGI
       CgiConvMode %%EBCDIC/EBCDIC%%
       AllowOverride None
       Options None
       order allow,deny
       allow from all
    </Directory>
    Figure 1 - Base Apache HTTP directives for this application
    (For Apache directives, see this page)

    • The directive ScriptAliasMatch ... maps the pseudo-path /mylibp/, used in URIs to invoke the server programs, to library MYLIB.
    • The next directive, Alias ..., tells Apache that IFS directory /mylib will be used. This directory may contain static pages, images or other objects linked from HTML pages.
    • The container <Directory /mylib> ... </Directory> allows Apache to access IFS directory /mylib .
    • The container <Directory /qsys.lib/mylib.lib> ... </Directory> allows Apache to access library MYLIB (for loading the CGI programs). In this container:
      • directive Options +ExecCGI specifies that CGI programs from library MYLIB can be executed
      • directive CgiConvMode %%EBCDIC/EBCDIC%% specifies the conversion mode that the server must use when processing CGI programs from this library.

  2. Restricted access through user profiles
    Assume you need to restrict access to all CGI programs in library MYLIB.
    An HTTP-based login procedure should allow access only to existing user profiles.
    That could be implemented by adding the following directives:
    <LocationMatch ^/mylibp/(.*)$>
       AuthType Basic
       AuthName "Application MYLIB"
       PasswdFile %%SYSTEM%%
       UserID %%CLIENT%%
       Require valid-user
    </LocationMatch>
    Figure 2 - Implementing an HTTP-based login procedure through user profiles
    • The regular expression ^/mylibp/(.*)$ matches any attempt to invoke a CGI program from library MYLIB, and all the directives of this container are applied to that request.
    • The directive PasswdFile %%SYSTEM%% indicates that the server should use the iSeries User Profile support to validate username/password.
    • The directive UserID %%CLIENT%% tells the HTTP server to run the requested CGI program under the user profile specified by the user when logging in.

  3. Restricted access through a validation list
    If you instead want to restrict access to only the users listed in validation list MYVLDL in library MYLIB, you may use the following directives:
    <LocationMatch ^/mylibp/(.*)$>
       AuthType Basic
       AuthName "Application MYLIB"
       PasswdFile MYLIB/MYVLDL
       UserID MYUSRPRF
       Require valid-user
    </LocationMatch>
    Figure 3 - Implementing an HTTP-based login procedure through a validation list
    • The directive PasswdFile MYLIB/MYVLDL indicates that the server should use the validation list MYVLDL in library MYLIB to validate username/password.
    • The directive UserID MYUSRPRF tells the HTTP server to run the requested CGI program under user profile MYUSRPRF, where MYUSRPRF is an existing user profile. Note that user profile QTMHHTTP must have *USE authority over this user profile.
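
The check below is an added example, not part of the original page or of the Easy400 code: it reads a configuration like Figures 1 to 3 and reports every ScriptAliasMatch pseudo-path that no complete Basic-authentication LocationMatch container covers. The /otherp/ alias, the probe program name pgm.pgm and the function names are constructed for illustration.

```python
import re

# Constructed sample: Figure 1's ScriptAliasMatch and Figure 2's container,
# plus a hypothetical second alias (/otherp/) that has no login container.
SAMPLE_CONF = r"""
ScriptAliasMatch /mylibp/(.*)  /qsys.lib/mylib.lib/$1
ScriptAliasMatch /otherp/(.*)  /qsys.lib/other.lib/$1
<LocationMatch ^/mylibp/(.*)$>
   AuthType Basic
   AuthName "Application MYLIB"
   PasswdFile %%SYSTEM%%
   UserID %%CLIENT%%
   Require valid-user
</LocationMatch>
"""

REQUIRED = {"authtype", "authname", "passwdfile", "require"}  # all needed to force a login

def parse(conf):
    """Return (ScriptAliasMatch regexes, [(LocationMatch regex, directives)])."""
    aliases, containers, current = [], [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<LocationMatch\s+(.+?)>$", line, re.I)
        if opened:
            current = (opened.group(1).strip('"'), {})
        elif line.lower() == "</locationmatch>":
            containers.append(current)
            current = None
        else:
            name, _, value = line.partition(" ")
            if current is not None:
                current[1][name.lower()] = value.strip()
            elif name.lower() == "scriptaliasmatch":
                aliases.append(value.split()[0])
    return aliases, containers

def unprotected_aliases(conf, probe="pgm.pgm"):
    """ScriptAliasMatch patterns whose probe URI no complete container matches."""
    aliases, containers = parse(conf)
    findings = []
    for alias in aliases:
        # One probe URI per alias: a spot check, not a proof of regex coverage.
        uri = alias.split("(")[0] + probe
        if not any(re.search(rx, uri) and REQUIRED <= set(d)
                   for rx, d in containers):
            findings.append(alias)
    return findings
```

Calling unprotected_aliases() on the text of the server configuration returns an empty list when every CGI pseudo-path is behind a login container.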

