| Related Topics 
  
Web Server API Function Index 
 
  
    |   | May be used in Shadow/REXX |  
    |  | May be used from Other REXX Interpreters |  
    |  | High-Level Language entry point name is SWSCPSC |  This function provides a set of subfunctions which perform six types of security
authorization processing.   The SWSECURE function has one required parameter, which must be followed with various
other parameter arguments, depending on the requested function.      
The Operation ArgumentThe first argument of the SWSECURE function specifies the operation which is to be
performed. The first argument can be one of the following values: 
 
 
  
D Used to verify data set access privileges. 
F Used to fetch information about a logged-on user. 
I Used to return information about the security product installed on your MVS system. 
R Used to request generalized resource rule validation. 
P Enables you to validate a userid and password and/or set a new userid.   
 You can verify that the current user has authorization to access a data set. The
current user, for Web transactions is the Effective Userid.  Coding Data Set Access RequestsIssue the version of SWSECURE shown below to verify data set access privileges:  var = SWSECURE('D','dsname','accesstype','volser')  The arguments shown above, are coded as follows:
 
 
  dsname This argument specifies the dataset to be checked. The argument must be present or the
    function request is rejected.  accesstype Use the accesstype argument to specify the type of data set access you want to check. If
    you omit the accesstype argument, Shadow/REXX uses a default of R (Read access). The
    access type argument can be specified as one of:  
      'A' - Verify Alter access to a data set. 'C' - Verify Control access to a data set. 'R' - Verify Read access to a data set. 'U' - Verify Update access to a data set. volser The volser argument supplies the volser number to be validated. If you do not specify a
    volser, the argument is blank by default.  Return ValuesThe function returns the string "ALLOW" if the specified type
of access to the data set is allowed.  If the logon is not processed successfully, Shadow/REXX returns the error  message
generated by the MVS security subsystem, or if no message is returned by RACF, ACF/2,
TopSecret, one of the following messages:         RESOURCE NOT PROTECTED BY RACF
      RESOURCE ACCESS DENIED BY RACF 
 
Top  
 You can retrieve security subsystem information about the current user. The current
user for Web transactions is the Effective Userid.  Note: The Shadow OS/390 Web Server uses the MVS SAF router interface for processing
all security verification requests. This function will only operate correctly for field
values which are available on the ACEE control block. Because many security products build
only a skeletal ACEE block, some or all of the values may be unavailable if the underlying
security subsystem product is other than RACF.    Coding Fetch Data RequestsIssue the version of SWSECURE shown below to fetch field data from the current user's
ACEE:   
  var = SWSECURE('F','fieldname')   The fieldname argument is required. One of the following character
constants may be coded: 
  
    | Fieldname Constant | Format of Returned Data | Description |  
    | VERSION | Binary | ACEE Version code |  
    | INSTALLATIONDATA | Character | Contents of the Installation Data field |  
    | USERDATA | Character | Contents of the user data field |  
    | USERID | Character | Contents of the ACEE Userid field |  
    | GROUP | Character | Contents of the ACEE Group Field |  
    | SPECIAL | Bit | Special Attribute |  
    | AUTOMATIC | Bit | Automatic Attribute |  
    | OPERATIONS | Bit | Operations Attribute |  
    | AUDITOR | Bit | Auditor Attribute |  
    | LOG | Bit | Logging on for most operations |  
    | PRIVILEGED | Bit | Started task with privileged flag |  
    | RACF | Bit | RACF defined user flag |  
    | ALTER | Bit | Alter authority flag |  
    | CONTROL | Bit | Control authority flag |  
    | UPDATE | Bit | Update authority flag |  
    | READ | Bit | Read authority flag |  
    | NONE | Bit | None authority flag |  
    | GROUPLISTCONTAINS | Bit | Group list contents flag |  
    | DATE | Date | RACINIT Date |  
    | STCNAME | Character | Started task name |  
    | TERMINAL | Character | Terminal ID |  
    | DEFINEUSERS | Bit | Authorized to define users |  
    | PROTECTDASD | Bit | Authorized to protect DASD |  
    | PROTECTTAPE | Bit | Authorized to protect tape |  
    | PROTECTTERMINALS | Bit | Authorized to protect Terminals |  
    | APPLICATIONLEVEL | Binary | Application Level |  
    | PORTOFENTRYLEVEL | Binary | Port of entry level |  
    | PORTOFENTRYDATA | Character | Port of entry data |  
    | CLASSAUTHORIZATIONS | Binary | Class authorizations |  
    | APPLICATION | Character | Application name |  
    | APPLICATIONDATA | Character | Application data |  
    | USERNAME | Character | User name field |  
    | SURROGATEUSERID | Character | Surrogate userid |  
    | GROUPLIST | Group List | A list of groups |  Return Values
  Shadow/REXX does the following conversions depending on field format:  
      Binary fields are converted to signed decimal values without leading zeros or blanks.
        The number zero is returned as 0.  Character fields are returned as is, possibly truncated to the Shadow/REXX defined
        maximum valid string length.  Date fields are converted to the form yyyy/mm/dd with leading zeros kept (so
        that the result is always exactly ten non-blank characters). A zero date field is returned
        as the string ****/**/**.  Bit fields are converted to a 0 (FALSE or off) or a 1 (TRUE or on).  The group list field inquiry is handled separately. The function returns a integer count
        of the number of group entries found in the list. Each individual group name is returned
        as a separate entry in the external data queue. 
Top  
 To retrieve information about the security product itself (if any) on your system using
this form of the SWSECURE function:    Coding Information RequestsIssue the version of SWSECURE shown below to retrieve information about the security
subsystem in use: 
  var = SWSECURE('I', 'name')  The name argument is required. Code one of the constant values shown below:  
  
    | Name Constant | Returned Value |  
    | PRODUCT | Return the name of the security product. (e.g. RACF, ACF2, or
    "UNKNOWN SECURITY PRODUCT"). |  
    | MODE | Returns the CA-ACF2 operating mode: This value is only valid for systems running CA-ACF2.  |  
    | RELEASE | Causes Shadow/REXX to return the release and version number of CA-ACF2,
    CA-TOP SECRET, or RACF. For RACF and CA-TOP SECRET systems, this is a three-character
    string of the form v.r where v is the version number and r is the release number. |  Return ValuesThe function returns a string with the requested information. If the information cannot
be obtained, a NULL string is returned.     
 You can request that the Effective Userid for a Web transaction be validated against a
security subsystem generalized resource rule.  Coding Generalized Resource Rule ChecksTo request generalized resource rule validation, use this form of SWSECURE:  
  var = SWSECURE('R',class,resource,requestcode)  This function call verifies that the current user has access to a generalized resource.
Code each argument as follows:
 
 
  class The generalized resource class name (type name for ACF2). SAF processing is used for all
    resource rule checks. If your security subsystem is ACF2, you must define the ACF2
    resource type as a SAF class name.  resource The 1-to-39 byte resource entity name.  requestcode The requestcode argument specifies the type of access to be verified. If you omit this
    argument, Shadow/REXX uses the default value R (Read access). systems, the request code
    can be: The request code can be specified as one of:  
      'A' - Verify Alter access to resource 'C' - Verify Control access to resource 'R' - Verify Read access to resource 'U' - Verify Update access to resource  Returned ValuesFor any of the three security products, if the specified access to the resource is
allowed, Shadow/REXX returns the string ALLOW.   If the logon is not processed successfully, Shadow/REXX returns the error  message
generated by the MVS security subsystem, or if no message is returned by RACF, ACF/2,
TopSecret, one of the following messages:      RESOURCE NOT PROTECTED BY RACF
  RESOURCE ACCESS DENIED BY RACF
 
Top  
 This form of request causes the indicated Userid and password to be verified and logged
onto the system. If the userid and password are valid an ACEE is created and made active
for the current subtask. It remains active until explicitly reset, as described in the
warning box.   A logon processed using SWSECURE is handled internally in the same way as client logons
performed using browser-prompted userid/password information (i.e.the encoded userid and
password information passed for the 'Basic' authentication scheme via the HTTP
'Authorization:' request header.)  If any authorization data was passed by the
browser it is 'hidden' when the SWSECURE request completes successfully.  If the
browser information was previously used, during the course of the transaction, to perform
a client logon, a logoff of that userid is performed internally and is not restored even
if the SWSECURE request fails.   You can perform a SWSECURE logon operation without supplying a password on the request
if all the following conditions are met: 
 
 
  The SWSECURE request is being made either by an /*ATH rule, or by a /*WWW rule which is
    defined in the Master WWW Ruleset. The WWWRUNAUTHFORMATS startup parameter is set to "ALL". The WWWRUNAUTHLOCATION startup parameter is set to "ANYWHERE". You are not requesting that the password be changed (no new password is specified for
    the SWSECURE request.  
  
    |  | NOTE: If the SWSECURE Password Validation request
    fails for any reason (i.e. userid unknown, password invalid, new password invalid, etc.)
    the server's Web Transaction Default Userid is always made active for the
    current task. This applies even if some other userid was active before the
    failing password validation request. When you successfully perform a logon operation
    from within a Web transaction task, the newly logged on userid is handled internally as
    any other client logon, with the following exception: the newly   logged-on userid
    remains permanently in effect for the Web transaction (even across all URL
    RESCAN operations) until explicitly reset. The userid is only deactivated
    when:   
      Another SWSECURE Password Validation request is performed, or A /*WWW rule is matched which has RUNAUTH(proxy-id) or RUNAUTH(NONE) coded on the rule
        header, or The Web transaction ends.  Trace records generated following an SWSECURE logon operation reflect this userid persistence
    quality by including the text "Runauth(SWSECURE-Client-Logon)". |  Coding Password Validation RequestsTo validate a userid and password, use this form of the SWSECURE function:  
  var = SWSECURE('P','userid','password','newpassword')  The arguments shown above, are coded as follows:
 
 
  userid The userid to be validated  password The password associated with the userid  newpassword The new password value to be associated with the userid.  If you omit the newpassword argument, SWSECURE validates the userid and password. If you
    specify newpassword, SWSECURE changes the password.  Return ValuesFor all three security products, if the password was correct (and a new password was
assigned if specified), the returned value is the string ALLOW.   If the logon is not processed successfully, Shadow/REXX returns the error  message
generated by the MVS security subsystem, or if no message is returned by RACF, ACF/2,
TopSecret, one of the following messages:        INVALID SECURITY ENVIRONMENT
     USER PROFILE NOT DEFINED TO RACF
     PASSWORD IS NOT AUTHORIZED
     PASSWORD HAS EXPIRED
     USER NOT DEFINED TO THE GROUP
     REJECTED BY INSTALLATION EXIT
     ACCESS HAS BEEN REVOKED
     RACF IS NOT ACTIVE
     GROUP ACCESS HAS BEEN REVOKED
     NOT AUTHORIZED TO USE THIS TERMINAL
     INVALID DAY OR TIME OF DAY
     TERMINAL CANNOT BE USED
     NOT AUTHORIZED TO USE APPLICATION Note: For CA-ACF2, invalid password attempt calls increase the invalid password
violation counter for the specified user ID.  
 
 
Top
 |