Category: System Operations and Maintenance

2010-06-04 16:46:18

Security-related APIs

     **  Program . . : CBX117
     **  Description : Profile Token APIs
     **  Author  . . : Carsten Flensburg
     **  Published . : Club Tech iSeries Programming Tips Newsletter
     **  Date  . . . : April 29, 2004
     **
     **
     **  Program summary
     **  ---------------
     **
     **  Security-related APIs:
     **    QsyGetProfileHandle      Validates the user profile and password
     **                             passed to the API and generates a profile
     **                             handle.
     **
     **                             The profile handle can be used to set the
     **                             current user profile of the job running.
     **
     **                             Invalid passwords will increase the
     **                             incorrect password count and possibly
     **                             disable the specified user profile.
     **
     **                             A maximum of approximately 20,000 handles
     **                             can be created in one job.
     **
     **    QsySetToProfileHandle    Validates the profile handle, locks the
     **                             user profile, and changes the current
     **                             job (or thread) to run under the user and
     **                             group profiles represented by the profile
     **                             handle.
     **
     **                             The qualified job name does not change to
     **                             reflect the new user profile. Any objects
     **                             created while running under the new user
     **                             profile will be owned by this user profile.
     **
     **                             Spooled files created during the profile
     **                             swap will be put under a QPRTJOB job.
     **
     **    QsyReleaseProfileHandle  Validates a given profile handle and then
     **                             releases it. To use the user profile
     **                             represented by the deleted profile handle
     **                             again, you must generate a new profile
     **                             handle for the user profile.
     **
     **    QsyGenPrfTknE            Verifies that the caller has authority to
     **                             generate a profile token for the requested
     **                             profile and then generates a profile token.
     **
     **                             This profile token can be passed to one or
     **                             more additional processes which can then
     **                             use it to perform tasks on behalf of the
     **                             authenticated user.
     **
     **                             A maximum of approximately 2,000,000
     **                             profile tokens can be generated on a
     **                             system. At that point further profile
     **                             tokens can only be generated after one
     **                             or more tokens have been removed.
     **
     **                             APIs are available to remove all profile
     **                             tokens generated for a specific user or
     **                             systemwide: QsyRemoveAllPrfTknsForUser
     **                             respectively QsyRemoveAllPrfTkns.
     **
     **                             Introduced on V5R1, the QsyGenPrfTkn API
     **                             is available on V4R5.
     **
     **    QsySetToPrfTkn           Validates the profile token and changes
     **                             the current job (or thread) to run under
     **                             the user and group profiles represented
     **                             by the profile token.
     **
     **                             The qualified job name does not change to
     **                             reflect the new user profile. Any objects
     **                             created while running under the new user
     **                             profile will be owned by this user profile.
     **
     **                             Spooled files created during the profile
     **                             swap will be put under a QPRTJOB job.
     **
     **    QsyChkPrfTknUser         Verifies that the user profile associated
     **                             with the token is the same as the current
     **                             user profile. Introduced on V5R1.
     **
     **    QsyGenPrfTknFromPrfTkn   Generates a profile token based on an
     **                             existing profile token.
     **
     **                             The existing profile token must be a valid,
     **                             multiple-use, regenerable profile token.
     **                             The new profile token will represent the
     **                             same user and group information as the
     **                             original profile token.
     **
     **                             The existing profile token will be
     **                             invalidated by this process.
     **
     **    QsyGetPrfTknTimeOut      Gets the number of seconds until a profile
     **                             token is no longer valid.
     **
     **    QsyRemovePrfTkn          Removes the specified profile token. The
     **                             profile token will no longer be valid for
     **                             use with other profile token APIs.
     **
     **    QsyInvalidatePrfTkn      Invalidates a profile token. The profile
     **                             token is no longer usable for other
     **                             profile token APIs except the Remove
     **                             Profile Token API.
     **
     **  User interface manager APIs:
     **    QUILNGTX  Display long text   Displays the text string passed
     **                                  to the API in a pop-up window.
     **                                  Optionally a panel title can be
     **                                  retrieved from a message file.
     **
     **                                  Maximum string length is 15360k.
     **
     **  C library function:
     **    system    Run system command  Executes a system command. In the
     **                                  event of a resulting error the
     **                                  error message ID is exported in
     **                                  the _EXCP_MSGID variable.
     **
     **  Programmer's notes:
     **    The majority of the Profile Token APIs were introduced on V4R5.
     **
     **    A profile token can be passed between processes and jobs, so a
     **    profile token created in one job can be passed to and activated
     **    in another job. The time-out value, multiple-use and regenerable
     **    token attributes enable the creating process to stay in control
     **    of the further use of a profile token.
     **
     **    A profile handle can only be used in the job that created it.
     **
     **    According to Memo to Users V5R2 a number of changes is going to be
     **    introduced in a future release to the following of the APIs in this
     **    example:
     **
     **    QsyGetProfileHandle - Special values will not be allowed for the
     **                          password value. The QSYGETPH API should be
     **                          used instead.
     **
     **    QsyGenPrfTknE       - Special values will not be allowed for the
     **                          password value. The QsyGenPrfTkn API should
     **                          be used instead.
     **
     **    The following changes are pending for the replacement APIs mentioned
     **    above:
     **
     **    QSYGETPH            - When specifying a password for the password
     **                          parameter, the password length and CCSID
     **                          parameters will be required. When specifying
     **                          a special value for the password parameter,
     **                          the password length and CCSID parameters will
     **                          not be allowed.
     **
     **    QsyGenPrfTkn        - Password values will not be allowed for the
     **                          password parameter, only password special
     **                          values. The QsyGenPrfTknE API should be used
     **                          if password values are to be specified.
     **
     **    To run this API Example program issue the following command from
     **    a command line:
     **
     **      Call Pgm( CBX117 )  Parm( 'user profile' )
     **
     **    The user profile specified as the parameter is the one being swapped
     **    to during the Profile Token API demonstration performed by this
     **    program.
     **
     **    The process of user profile swapping and restore is demonstrated and
     **    commented in a message display window and also documented using the
     **    DSPJOB (Display job) and DSPMSGD (Display message description)
     **    commands. To this process, extra steps have been added to show the
     **    use of the APIs that regenerate profile tokens, validate the user
     **    profile and profile token correlation as well as check the profile
     **    token time-out value.
     **
     **    Please note that only allowing this program to complete normally and
     **    execute all program statements will ensure that the initial current
     **    job user profile is restored correctly.
     **
     **
     **  Authority and security restrictions:
     **    To get a profile handle or token using special values *NOPWD or
     **    *NOPWDCHK, *USE authority is required to the user profile for which
     **    the handle is requested.
     **
     **    If appropriate, the required authority can be obtained by means of
     **    adopted authority - see Compile options and Runtime requirement
     **    below.
     **
     **    Profile handles or tokens will not be generated for user profiles
     **    that are disabled or whose passwords have expired. This restriction
     **    can, however, be circumvented if the special value *NOPWDCHK is
     **    specified for the password - and the requesting user profile has
     **    *ALLOBJ and *SECADM special authority. There are also a number of
     **    system supplied user profiles that cannot have profile handles or
     **    tokens generated.
     **
     **
     **  Compile options:
     **    CrtBndRpg  Pgm( CBX117 )
     **
     **  Runtime requirement:
     **    ChgObjOwn  Obj( CBX117 )
     **               ObjType( *PGM )
     **               NewOwn( QSECOFR )
     **
     **
     **-- Control spec: -----------------------------------------------------**
     H Option( *SrcStmt )  UsrPrf( *Owner )
     H DftActGrp( *No )  ActGrp( 'QILE' )  BndDir( 'QC2LE' )
     **-- System information: -----------------------------------------------**
     D PgmSts         SDs
     D  PsPgmNam         *Proc
     D  PsSts                         5a   Overlay( PgmSts: 11 )
     D  PsCurJob                     10a   Overlay( PgmSts: 244 )
     D  PsUsrPrf                     10a   Overlay( PgmSts: 254 )
     D  PsJobNbr                      6a   Overlay( PgmSts: 264 )
     D  PsCurUsr                     10a   Overlay( PgmSts: 358 )
     **-- API error data structure: -----------------------------------------**
     D ApiError        Ds
     D  AeBytPrv                     10i 0 Inz( %Size( ApiError ))
     D  AeBytAvl                     10i 0
     D  AeExcpId                      7a
     D                                1a
     D  AeExcpDta                   128a
     **-- system function error id: -----------------------------------------**
     D SysError        s              7a   Import( '_EXCP_MSGID' )
     **-- Global variables: -------------------------------------------------**
     D PrfHdlCur       s             12a
     D PrfTkn          s             32a
     D PrfTknNew       s             32a
     D PrfChk          s             10i 0
     D TknTmo          s             10i 0
     **-- Get profile handle: -----------------------------------------------**
     D GetPrfHdl       Pr                  ExtProc( 'QsyGetProfileHandle' )
     D  GpPrfHdl                     12a
     D  GpUsrPrf                     10a   Const
     D  GpPwd                       512a   Const  Options( *VarSize )
     D  GpPwdLen                     10i 0 Value
     D  GpPwdCcsId                   10u 0 Value
     D  GpError                    32767a   Options( *VarSize )
     **-- Set profile handle: -----------------------------------------------**
     D SetPrfHdl       Pr                  ExtProc( 'QsySetToProfileHandle' )
     D  SpPrfHdl                     12a   Const
     D  SpError                    32767a   Options( *VarSize: *NoPass )
     **-- Release profile handle: -------------------------------------------**
     D RlsPrfHdl       Pr                  ExtProc( 'QsyReleaseProfileHandle' )
     D  RpPrfHdl                     12a   Const
     D  RpError                    32767a   Options( *VarSize: *NoPass )
     **-- Generate profile token extended: ----------------------------------**
     D GenPrfTknE      Pr                  ExtProc( 'QsyGenPrfTknE' )
     D  GtPrfTkn                     32a
     D  GtUsrPrf                     10a   Const
     D  GtPwd                       512a   Const  Options( *VarSize )
     D  GtPwdLen                     10i 0 Value
     D  GtPwdCcsId                   10u 0 Value
     D  GtTimOutInt                  10i 0 Value
     D  GtPrtTknTyp                   1a   Value
     D  GtError                    32767a   Options( *VarSize )
     **-- Set to profile token: ---------------------------------------------**
     D SetPrfTkn       Pr                  ExtProc( 'QsySetToPrfTkn' )
     D  StPrfTkn                     32a   Const
     D  StError                    32767a   Options( *VarSize )
     **-- Check profile token user: -----------------------------------------**
     D ChkPrfTkn       Pr                  ExtProc( 'QsyChkPrfTknUser' )
     D  CtChkRes                     10i 0
     D  CtPrfTkn                     32a   Const
     D  CtError                    32767a   Options( *VarSize )
     **-- Generate profile token from profile token; ------------------------**
     D GenPrfTknFt     Pr                  ExtProc( 'QsyGenPrfTknFromPrfTkn' )
     D  GtNewTkn                     32a
     D  GtFrmTkn                     32a   Const
     D  GtTimOutInt                  10i 0 Const
     D  GtPrtTknTyp                   1a   Const
     D  GtError                    32767a   Options( *VarSize )
     **-- Get profile token time out: ---------------------------------------**
     D GetTknTmo       Pr                  ExtProc( 'QsyGetPrfTknTimeOut' )
     D  GtTknTmo                     10i 0
     D  GtPrfTkn                     32a   Const
     D  GtError                    32767a   Options( *VarSize )
     **-- Remove profile token: ---------------------------------------------**
     D RmvPrfTkn       Pr                  ExtProc( 'QsyRemovePrfTkn' )
     D  RtPrfTkn                     32a   Const
     D  RtError                    32767a   Options( *VarSize )
     **-- Invalidate profile token: -----------------------------------------**
     D InvPrfTkn       Pr                  ExtProc( 'QsyInvalidatePrfTkn' )
     D  ItPrfTkn                     32a   Const
     D  ItError                    32767a   Options( *VarSize )
     **-- Display long text: ------------------------------------------------**
     D DspLngTxt       Pr                  ExtPgm( 'QUILNGTX' )
     D  DtLngTxt                   1024a   Const  Options( *VarSize )
     D  DtLngTxtLen                  10i 0 Const
     D  DtMsgId                       7a   Const
     D  DtMsgF                       20a   Const
     D  DtError                      10i 0 Const
     **-- Run system command: -----------------------------------------------**
     D system          Pr            10i 0 ExtProc( 'system' )
     D  command                        *   Value  Options( *String )
     **-- Display message window: -------------------------------------------**
     D DspMsgWdw       Pr
     D  PxMsgStr                    512a   Const  Varying
     **-- Parameter: --------------------------------------------------------**
     D PxUsrPrf        s             10a
     **
     C     *Entry        Plist
     C                   Parm                    PxUsrPrf
     **
     **-- Mainline: ---------------------------------------------------------**
     **
     C                   CallP     DspMsgWdw ( 'Step 1: Save profile handle ' +
     C                                         'to original user profile ' +
     C                                         %TrimR( PsUsrPrf ) +
     C                                         ' to enable a subsequent ' +
     C                                         'restore - press Enter to ' +
     C                                         'continue.'
     C                                       )
     **
     C                   CallP     GetPrfHdl( PrfHdlCur
     C                                      : '*CURRENT'
     C                                      : '*NOPWD'
     C                                      : 6
     C                                      : *Zero
     C                                      : ApiError
     C                                      )
     **
     C                   If        AeBytAvl > *Zero
     **
     C                   CallP     DspMsgWdw ( 'Save of profile handle ended' +
     C                                         ' in error - test terminated.' +
     C                                         ' Press Enter.'
     C                                       )
     **
     C                   Else
     C                   CallP     DspMsgWdw ( 'Step 2: Generate a profile ' +
     C                                         'token for requested user ' +
     C                                         'profile: ' +
     C                                         %TrimR( PxUsrPrf ) +
     C                                         '. The token will be a ' +
     C                                         'multiple-use, regenerable ' +
     C                                         'profile token with a default' +
     C                                         ' time-out value of 3600 ' +
     C                                         'seconds. Press Enter to ' +
     C                                         'continue.'
     C                                       )
     **
     C                   CallP     GenPrfTknE( PrfTkn
     C                                       : PxUsrPrf
     C                                       : '*NOPWD'
     C                                       : 6
     C                                       : *Zero
     C                                       : -1
     C                                       : '3'
     C                                       : ApiError
     C                                       )
     **
     C                   CallP     DspMsgWdw ( 'Step 3: Generate a profile ' +
     C                                         'token from the previously ' +
     C                                         'obtained profile token for ' +
     C                                         %TrimR( PxUsrPrf ) +
     C                                         '. The new token will be a ' +
     C                                         'single-use, non-regenerable ' +
     C                                         'profile token with a time-' +
     C                                         'out value of 100 seconds. ' +
     C                                         'Press Enter to continue.'
     C                                       )
     **
     C                   CallP     GenPrfTknFt( PrfTknNew
     C                                        : PrfTkn
     C                                        : 100
     C                                        : '1'
     C                                        : ApiError
     C                                        )
     **
     C                   CallP     DspMsgWdw ( 'Step 4: Set current profile ' +
     C                                         'of this job using the profile'+
     C                                         ' token from step 3. Please ' +
     C                                         'note "Current user profile" ' +
     C                                         'in the Display Job Status ' +
     C                                         'panel to follow. ' +
     C                                         'Press Enter to continue.'
     C                                       )
     **
     C                   CallP     SetPrfTkn( PrfTknNew
     C                                      : ApiError
     C                                      )
     **
     C                   If        AeBytAvl > *Zero
     **
     C                   CallP     DspMsgWdw ( 'Setting of current profile ' +
     C                                         'ended in error. Press Enter ' +
     C                                         'to terminate test.'
     C                                       )
     **
     C                   Else
     C                   CallP     system( 'DSPJOB JOB(*) OPTION(*STSA)' )
     **
     C                   CallP     ChkPrfTkn( PrfChk
     C                                      : PrfTknNew
     C                                      : ApiError
     C                                      )
     **
     C                   CallP     DspMsgWdw ( 'Step 5: Check of token and ' +
     C                                         'user profile correlation ' +
     C                                         'returned result code: ' +
     C                                         %Char( PrfChk ) +
     C                                         ' (0=Different, 1=Same) ' +
     C                                         '- press Enter to continue.'
     C                                       )
     **
     C                   Reset                   ApiError
     **
     C                   CallP     GetTknTmo( TknTmo
     C                                      : PrfTkn
     C                                      : ApiError
     C                                      )
     **
     C                   CallP     DspMsgWdw ( 'Step 6: Check of token time' +
     C                                         '-out for initial profile ' +
     C                                         'token from step 2 returned ' +
     C                                         'error message ID: ' +
     C                                         %Trim( AeExcpId ) +
     C                                         '. Press Enter to continue.'
     C                                       )
     **
     C                   CallP     system( 'DSPMSGD ' + AeExcpId )
     **
     C                   CallP     GetTknTmo( TknTmo
     C                                      : PrfTknNew
     C                                      : ApiError
     C                                      )
     **
     C                   CallP     DspMsgWdw ( 'Step 7: Check of token time' +
     C                                         '-out for new profile token ' +
     C                                         'from step 3 returned: ' +
     C                                         %Char( TknTmo ) +
     C                                         ' seconds. Press Enter to ' +
     C                                         'continue.'
     C                                       )
     **
     C                   CallP     InvPrfTkn( PrfTknNew
     C                                      : ApiError
     C                                      )
     **
     C                   CallP     DspMsgWdw ( 'Step 8: New profile token ' +
     C                                         'has been invalidated. ' +
     C                                         'Press Enter to continue.'
     C                                       )
     **
     C                   CallP     RmvPrfTkn( PrfTkn
     C                                      : ApiError
     C                                      )
     **
     C                   CallP     RmvPrfTkn( PrfTknNew
     C                                      : ApiError
     C                                      )
     **
     C                   CallP     DspMsgWdw ( 'Step 9: Both profile tokens ' +
     C                                         'have been removed. ' +
     C                                         'Press Enter to continue.'
     C                                       )
     **
     C                   CallP     DspMsgWdw ( 'Step 10: Set current profile '+
     C                                         'of this job using the profile'+
     C                                         ' handle from step 1. Please ' +
     C                                         'note "Current User profile" ' +
     C                                         'in the Display Job Status ' +
     C                                         'panel to follow. ' +
     C                                         'Press Enter to continue.'
     C                                       )
     **
     C                   CallP     SetPrfHdl( PrfHdlCur
     C                                      : ApiError
     C                                      )
     **
     C                   CallP     system( 'DSPJOB JOB(*) OPTION(*STSA)' )
     **
     C                   EndIf
     **
     C                   CallP     RlsPrfHdl( PrfHdlCur
     C                                      : ApiError
     C                                      )
     **
     C                   CallP     DspMsgWdw ( 'Step 11: The profile handle ' +
     C                                         'from step 1 has been released'+
     C                                         '. Press Enter to end test ' +
     C                                         'normally.'
     C                                       )
     **
     C                   EndIf
     **
     C                   Return
     **
     **-- Display message window: -------------------------------------------**
     P DspMsgWdw       B                   Export
     D                 Pi
     D  PxMsgStr                    512a   Const  Varying
     **
     C                   CallP(e)  DspLngTxt( PxMsgStr
     C                                      : %Len( PxMsgStr )
     C                                      : *Blanks
     C                                      : *Blanks
     C                                      : *Zero
     C                                      )
     **
     P DspMsgWdw       E

Thanks to Carsten Flensburg and Club Tech iSeries Programming Tips Newsletter
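
Because the program is compiled with UsrPrf( *Owner ) and must be owned by QSECOFR, it runs with adopted security officer authority and swaps to whatever profile is passed in with *NOPWD, so the right to call it has to be limited. The CL below is an added example, not part of the original article or of Carsten Flensburg's code; the library TOOLS and the user profile SWAPOPR are hypothetical placeholders.

```cl
/* Added example: restrict and audit the authority-adopting CBX117.   */
/* Assumptions: library TOOLS and user profile SWAPOPR are            */
/* hypothetical placeholders; run by a security administrator.        */
PGM

  /* Runtime requirement from the program header: owner QSECOFR.      */
  /* CUROWNAUT(*REVOKE) drops the previous owner's authority.         */
  CHGOBJOWN  OBJ(TOOLS/CBX117) OBJTYPE(*PGM) NEWOWN(QSECOFR) +
               CUROWNAUT(*REVOKE)

  /* Remove the public authority given at compile time, then          */
  /* explicitly exclude the public from calling the program.          */
  RVKOBJAUT  OBJ(TOOLS/CBX117) OBJTYPE(*PGM) USER(*PUBLIC) AUT(*ALL)
  GRTOBJAUT  OBJ(TOOLS/CBX117) OBJTYPE(*PGM) USER(*PUBLIC) +
               AUT(*EXCLUDE)

  /* Only the designated operator profile may call the program.       */
  GRTOBJAUT  OBJ(TOOLS/CBX117) OBJTYPE(*PGM) USER(SWAPOPR) AUT(*USE)

  /* Object auditing for the program; takes effect only when system   */
  /* value QAUDCTL includes *OBJAUD.                                   */
  CHGOBJAUD  OBJ(TOOLS/CBX117) OBJTYPE(*PGM) OBJAUD(*ALL)

  /* Review step: print the resulting authorities and the full list   */
  /* of programs that adopt QSECOFR, to spot unexpected entries.      */
  DSPOBJAUT  OBJ(TOOLS/CBX117) OBJTYPE(*PGM) OUTPUT(*PRINT)
  DSPPGMADP  USRPRF(QSECOFR) OUTPUT(*PRINT)

ENDPGM
```

When system value QAUDLVL includes *SECURITY, profile handle and profile token generation is also written to QAUDJRN as PS (profile swap) entries, which gives a second record of each use.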