Handling Multiusers in PHWEB ( the late shift )

Joe Boyle joeboyle_adt@hotmail.com
Thu, 4 Nov 2004 17:19:16 -0000


Jon,

 

I notice that you specifically mentioned 'encrypted password' and I also
wondered how wise this was when I saw that the password was being sent, but
then I see that the call is as below, so presumably it cannot be seen by
unwanted eyes ( can it ? )

 

    let t_get_vars_string = "/usr/bin/phwrscripts/get_user_vars.sh " + f_userid + " " + f_passwd

    run command t_get_vars_string

 

As for the file/record update, I would go for a key based on the userid +
ascii(sysdate,8) + ascii(systime,8), set before the script was called from
the web page ( also stored in a temp for record retrieval ) and sent as a
third parameter; having passwords as a key segment is probably unwise.

Regards, Joe.

  _____  

From: powerh-l-admin@lists.sowder.com
[mailto:powerh-l-admin@lists.sowder.com] On Behalf Of Bickel, Jon
Sent: 04 November 2004 16:38
To: powerh-l@lists.sowder.com
Subject: RE: Handling Multiusers in PHWEB ( the late shift )

 

Joe, 

 

You are correct, my solution does only simulate the actual user.  In my
situation, my only concern was correctly identifying the true user to
present them with their individual menu - the process owner was not
relevant.  However, I believe that a large part of my solution would also
apply to the rlogin approach since the true username and encrypted password
do get passed from browser to webserver to Unix.

 

jb

-----Original Message-----
From: Joe Boyle [mailto:joeboyle_adt@hotmail.com]
Sent: Thursday, November 04, 2004 10:11 AM
To: 'Bickel, Jon'; powerh-l@lists.sowder.com
Subject: RE: Handling Multiusers in PHWEB ( the late shift )

Hi Jon ( all ),

 

From Brian's suggested script I am guessing that he wants to run the process
actually logged in as the user concerned, which is a solution I would be
interested in myself.

 

I have looked at your email again and your comment below, which suggests
that your solution only simulates actually being logged in ( which is also
great if that is what you want :-)

 

'The actual logonid of the session is still the web server administrator,
but the temp space is effectively that of the true userid (and the true
userid is available as an environmental variable for  all downstream
processes).'

 

I like the rlogin idea and wonder if it isn't possible to put the $2
variable on the second line, to be picked up by the password request prompt,
as below ? ( it's a while since I ran an rlogin call and I am assuming that
there is a password prompt at this point )

 

rlogin theserver -l $1

$2

 

 

Regards, Joe.

 

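
The question raised in the message above, whether a password passed as a command-line argument "can be seen by unwanted eyes", can be checked against the process table. The following is an added example, not code from the thread: a short-lived `sh -c` child stands in for get_user_vars.sh, and the userid and password are constructed sample values. It compares what the argument list shows when the password is passed as an argument with what it shows when the password is fed on standard input.

```shell
#!/bin/sh
# Added example, not from the thread. A short-lived `sh -c` child stands in
# for get_user_vars.sh; the userid and password are constructed values.

# Print the argument list of process $1 as the process table exposes it.
visible_args() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"     # Linux: NUL-separated argv
    else
        ps -o args= -p "$1"                   # POSIX fallback
    fi
}

# observe STYLE USERID PASSWORD
# Starts the stand-in child with the password passed either as an argument
# (as in the thread's "run command" string) or on standard input, then
# prints "exposed" if the password shows up in the child's argument list
# and "hidden" if it does not.
observe() {
    case $1 in
        argv)
            sh -c 'sleep 2; :' get_user_vars "$2" "$3" & ;;
        stdin)
            printf '%s\n' "$3" |
                sh -c 'read -r pw; sleep 2; :' get_user_vars "$2" & ;;
        *)
            echo "usage: observe argv|stdin userid password" >&2
            return 2 ;;
    esac
    pid=$!
    sleep 1                                   # let the child exec first
    args=$(visible_args "$pid")
    wait "$pid"
    case $args in
        *"$3"*) echo exposed ;;
        *)      echo hidden ;;
    esac
}

echo "password as argument: $(observe argv  jsmith 'Constructed-Pw-1')"
echo "password on stdin:    $(observe stdin jsmith 'Constructed-Pw-1')"
```

The userid still appears in the argument list in both styles; only the secret is moved off it.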

 

 

