mrc Documentation
michaels, ross & cole, ltd.
http://www.mrc-productivity.com/

 


mrc Security (For Classic R8 Web/Servlet Templates)

 

 

For information on how to upgrade to new Web 2.0 security, click here.

 

When using the mrcSignon security for classic Web/Servlet Templates, you get:

·         A Paintable signon screen

·         A Signoff feature

·         A Timeout feature

 

All mrc-generated Web applications can be secured via proper HTTP configuration as documented in the mrc manual. As of February 2004, Web/Servlet applications can also be secured another way: via mrc-supplied security.

The mrc-supplied security has the following advantages:

·         Professional, paint-able signon screen

·         Signoff without closing the browser, forcing user to signon again to run an application

·         Timeout feature

·         Simple specification of the various security parameters

 

One important difference between HTTP configuration security and mrc-supplied security is the manner in which it is accomplished. HTTP configuration protects a directory structure such as "/mrcjava/servlet/MRCWORKLIB/*" which means that any static HTML menu residing within that path is protected.

mrc-supplied security only protects mrc-generated applications. So, if users already access applications via a static menu, and you wish to switch to mrc-supplied security, you need to convert your static HTML menu to an application. This is easily done by painting any inquiry with the menu links.

The signon screen (mrcSignon.html) is paint-able and appears similar to this:



The application designer can specify the following items, by modifying the mrcSignon.xml file:

·         Validate against system profile or validation list

·         Validation list name and library

·         Start URL following successful signon

·         Fail URL following failed signon

·         Signoff URL

·         Number of invalid attempts

·         Case sensitivity (1=convert entered value to uppercase, 0=do not change entered value)

·         List applications not requiring authentication

 

 

The security configuration file (mrcSignon.xml) appears similar to this:



How to implement mrc security for new applications:

1.      Copy files mrcSignon.xml and mrcSignon.html from /mrcjava/mrcclasses/ into the Data Dictionary directory where your servlets reside: /mrcjava/web-inf/classes/MRCWORKLIB/ for example. (m-Power users will find these files in the /mrcjava/proddata/templates/ folder).

2.      Set the parameters in the XML configuration file and paint the HTML file if desired.

3.      Run the applications from the browser.


How to implement mrc security for existing applications:

1.      Follow steps 1 and 2 above

2.      Save the HTML skeletons for the existing applications

3.      Recompile the existing applications

4.      Copy the saved HTML skeletons back

5.      Remove the HTTP security you might already be using

6.      Run the applications from the browser


Timeout considerations:
Use this syntax for a timeout substitution:

<META HTTP-EQUIV="refresh" content="900;URL=http://xxx.xxx.xxx.xxx/mrcjava/servlet/mrcSignon?lib=MRCWORKLIB&action=1">

This can be painted into the header file to affect all applications in a Data Dictionary, or painted into an application HTML skeleton for single screens. Because the browser performs the refresh, the timeout applies only to pages that contain this tag.

This will have these effects:

1.      Automatically redirect the user to signoff after 900 seconds

2.      The user will need to signon again to run another application

3.      A new Session ID is assigned to that browser instance
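As an added example (not mrc-supplied code), the following Python check parses a painted header or skeleton and reports whether its refresh tag really points at the signoff URL described above. The host name in the sample and the use of 900 seconds as the default ceiling are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs


class _RefreshFinder(HTMLParser):
    """Collects the content attribute of every <meta http-equiv="refresh">."""
    def __init__(self):
        super().__init__()
        self.refreshes = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.refreshes.append(a.get("content", ""))


def check_timeout_tag(html, lib, max_seconds=900):
    """Return a list of problems; an empty list means the tag is as documented."""
    finder = _RefreshFinder()
    finder.feed(html)
    if not finder.refreshes:
        return ["no refresh tag found"]
    problems = []
    for content in finder.refreshes:
        delay, _, target = content.partition(";")
        url = target.strip()
        if url.lower().startswith("url="):
            url = url[4:].strip()
        parts = urlsplit(url)
        query = parse_qs(parts.query)
        if not delay.strip().isdigit() or int(delay) > max_seconds:
            problems.append(f"delay {delay!r} is not a number of seconds <= {max_seconds}")
        if not parts.netloc:
            problems.append(f"URL {url!r} has no host (check for 'http:/')")
        if not parts.path.endswith("/mrcjava/servlet/mrcSignon"):
            problems.append("refresh does not target the mrcSignon servlet")
        if query.get("lib") != [lib]:
            problems.append(f"lib parameter is not {lib}")
        if query.get("action") != ["1"]:
            problems.append("action=1 (signoff) is missing")
    return problems


# Constructed sample header; host.example is a placeholder host name.
SAMPLE = ('<html><head><META HTTP-EQUIV="refresh" content="900;URL=http://host.example'
          '/mrcjava/servlet/mrcSignon?lib=MRCWORKLIB&action=1"></head></html>')

if __name__ == "__main__":
    print(check_timeout_tag(SAMPLE, "MRCWORKLIB"))
```

Run it over the header file and each HTML skeleton in the Data Dictionary directory to find screens that were painted without the timeout.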


How to signon to applications in a Data Dictionary

Direct the user to this URL:

http://xxx.xxx.xxx.xxx/mrcjava/servlet/mrcSignon?lib=MRCWORKLIB

where MRCWORKLIB is the Data Dictionary name. Upon successful signon, the user is redirected to the URL specified as the signon_pass parameter in the configuration file.

If the user directly invokes an application (I00010s, for example), the user is redirected to the signon screen. Upon successful signon, the user is redirected back to the original application (I00010s, for example).

How to signoff from a Data Dictionary

Direct the user to this URL:

http://xxx.xxx.xxx.xxx/mrcjava/servlet/mrcSignon?lib=MRCWORKLIB&action=1

where MRCWORKLIB is the Data Dictionary name. Upon signoff, the user is redirected to the URL specified as the signoff parameter in the configuration file.

This signoff link could be painted into the header file for a Data Dictionary to be available on all applications.

Execute RPG Programs at Signon or Sign-off

If you would like to call an RPG program for each successful signon and/or signoff, create a program named SIGNON/SIGNOFF in the same Data Dictionary. The program name can be changed in the mrcSignon.xml configuration file.

Note: The RPG/CL program must receive two parameters, in this order:

10 alphanumeric - User ID

40 alphanumeric - Session ID

You also need to define the signon/signoff program through mrc's interface for external objects. Specify the program name, library name, an object type equal to "R", and both parameters. The external object does not need to be used in any application; defining it simply creates the stored procedure that the signon/signoff servlet will execute.

Note: If you are running your application remotely from where your RPG logic is located, you will need to modify the rpglocal parameter’s value to 1.

Error Messages

The error messages for the signon screen are soft-coded. The mrcSignon.html skeleton points to message file /mrcjava/mrcclasses/servlet_errmsg.txt. Messages 60-69 are used by the signon logic. To change the message for a particular purpose, it is recommended to copy that message file and point mrcSignon.html to the new text file.

Exceptions

Inside the <applications> tag, you may specify individual applications that do not require user authentication. Specify dosignon="0" to allow an individual application to run without requiring the signon logic.
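Every dosignon="0" entry is an application that runs without authentication, so the list is worth comparing against what was approved. The following Python audit is an added example (not mrc-supplied code); the sample file is constructed, and the root element, the element name application and the attribute name are assumptions, since only the <applications> tag and the dosignon attribute are documented here.

```python
import xml.etree.ElementTree as ET


def signon_exemptions(xml_text):
    """Return the attributes of every entry under <applications> with dosignon="0"."""
    root = ET.fromstring(xml_text)
    found = []
    for container in root.iter("applications"):
        for entry in container.iter():
            # Skip the container itself; match on the documented attribute only.
            if entry is not container and entry.get("dosignon", "").strip() == "0":
                found.append(dict(entry.attrib))
    return found


def unapproved_exemptions(xml_text, approved, name_attr="name"):
    """Names of exempt applications that are not on the reviewed allow-list.

    name_attr is an assumption about how an entry names its application.
    """
    names = [e.get(name_attr, "<unnamed>") for e in signon_exemptions(xml_text)]
    return sorted(n for n in names if n not in approved)


# Constructed sample, not a real mrcSignon.xml; element and attribute names
# other than <applications> and dosignon are assumptions.
SAMPLE = """<config>
  <applications>
    <application name="I00010s" dosignon="0"/>
    <application name="I00020s" dosignon="1"/>
    <application name="M00030s" dosignon="0"/>
  </applications>
</config>"""

if __name__ == "__main__":
    # Only I00010s was approved to run without signon in this constructed case.
    print(unapproved_exemptions(SAMPLE, approved={"I00010s"}))
```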