[Progress Communities] [Progress OpenEdge ABL] Forum Post: RE: PASOE - Setting different environment vars per app

ssouthwe

Guest
I wanted to come back and share my solution/workaround to this, just in case someone else runs into it.

Setting up WebRunPath (WEB_RUN_PATH) for WebSpeed in PASOE

Background

The WebRunPath, which in Classic WebSpeed was configured by setting an environment variable for the broker called WEB_RUN_PATH, is needed for security purposes. Similar to a propath, this setting tells WebSpeed what directories and/or file patterns are able to be run by request from the web. If WebRunPath is not set, then a remote user could pass in any filename as part of a WebSpeed request URL, and as long as that filename resolves as something in the application's propath, WebSpeed will run it.

All WebSpeed brokers should have WebRunPath set up properly as an extra precaution to ensure that access is limited to approved webobjects that are specifically intended to be run within your application. Failure to set up WebRunPath as part of the security of a WebSpeed application constitutes a security risk.

Problem description

With classic WebSpeed, each broker could have its own Propath and its own WebRunPath, which was set as an environment variable specific to that broker. With PASOE, environment variables are set at the instance level, and thus cannot be set specifically for each webapp. Trying to set webrunpath at the instance level by placing a *_setenv.bat file inside the instance's bin directory will set the same webrunpath for both apps, potentially exposing one app's webobjects under the security model of the other webapp.

Ideal solution

Since many web applications used the WebSpeed functionality of setting environment variables per broker, Progress should change the behavior of an instance's multi-session agent launch, so that it reads in a set of environment variables specific to the application. For versions up to 12.1 (as of 10/9/2019) this is not a feature of PASOE.

Workaround

Internally, the PASOE version of WebSpeed stores what it reads in from WEB_RUN_PATH into a shared temp-table called ttAgentSetting. We can use the ability to specify sessionStartupProc and sessionStartupProcParam values for the application within openedge.properties to make PASOE put values in that temp-table and use the correct WebRunPath for the given application.

Copy the attached file agentsettings.p into your PASOE project's WEB-INF/openedge directory. (It can actually go anywhere in the propath.)

Edit agentsettings.p to set your WebRunPath as needed for your project. WebRunPath is a comma-separated list of patterns that equate to paths and filenames, using the ABL's matches syntax. For example, if you wanted to limit things running from the web so that they could only exist within the openedge/websrc directory within your project, you can list the fully qualified path to that directory, followed by the appropriate slash, followed by a wildcard. My version for a development instance looks like this:

The last two entries allow for the use of the classic WebSpeed Workshop / Webtools, which are still handy for maintaining classic WebSpeed code. THESE ENTRIES FOR WEBSPEED WORKSHOP SHOULD NOT BE INCLUDED IN A PRODUCTION DEPLOYMENT.

If you would like to have a single version of agentsettings.p with different settings for development versus production environments, you could have the code use os-getenv("COMPUTERNAME") to conditionally set this based on which host is running it.

4. If your application already included a sessionStartupProc, be sure to have agentsettings.p run it, or directly include that procedure's functionality.

5. Edit openedge.properties to specify your sessionStartupProc and sessionStartupProcParam values.

   Set sessionStartupProc to agentsettings.p

   Set sessionStartupProcParam to contain the ABLApp name, followed by a comma, followed by the WebApp name.

For example, if your ABLApp is "IngridABL" and your WebApp is "Ingrid" then your openedge.properties file section for the ABLApp would look like this:

If you are using tlr/Merge.template to have openedge.properties tailored upon deployment of your app, make the changes to the appropriate section of that file. Use the oeprop command's -f option to apply it to your instance.

Restart your application to allow it to load the startup procedure.

You can test whether it was loaded correctly by running the following script within the WebTools scripting lab for your application:

    define new global shared temp-table ttAgentSetting
        field cKey  as character
        field cSub  as character
        field cName as character
        field cVal  as character
        index SettingIdx is primary cKey cSub
        index NameIdx cName.

    for each ttAgentSetting:
        {&out} ttAgentSetting.cName ": " ttAgentSetting.cval " " skip.
    end.

My result looks like this:

You can also test this by placing a webobject (or any .p without parameters) somewhere in your app's propath. Try to run the webobject by placing it in a URL for your application. Here's an example of a test webobject you can try placing in your propath to test:

When you attempt to run it, you should see a message like this in your browser:

agentsettings.p: (with apologies for the poor formatting here)

    /*------------------------------------------------------------------------
        File        : agentsettings.p
        Purpose     : Load up some configurations that used to be handled by
                      environment variables. Since PAS only allows one set of
                      environment variables per instance,
        Syntax      :
        Description :
        Author(s)   : S.E. Southwell - Progress
        Created     : Fri Sep 27 11:55:19 PDT 2019
        Notes       :
      ----------------------------------------------------------------------*/

    /* ***************************  Definitions  ************************** */

    block-level on error undo, throw.

    define input parameter startupData as character no-undo.

    define variable hHdl as handle no-undo.

    /* Make this available in case anything else in the app needs to know what app this is */
    define new global shared variable myABLApp as character no-undo.
    define new global shared variable myWebApp as character no-undo.

    define variable dlcpath      as character no-undo.
    define variable catalinabase as character no-undo.
    define variable webrunpath   as character no-undo.
    define variable apppath      as character no-undo.

    /* Same as defined in web-util.p. Don't change this */
    define new global shared temp-table ttAgentSetting
        field cKey  as character
        field cSub  as character
        field cName as character
        field cVal  as character
        index SettingIdx is primary cKey cSub
        index NameIdx cName.

    function setAgentSetting returns logical
        (cInKey  as character,
         cInSub  as character,
         cInName as character,
         cInVal  as character) forward.

    /* ********************  Preprocessor Definitions  ******************** */

    /* ***************************  Main Block  *************************** */

    myABLApp = entry(1,startupData).
    if num-entries(startupData) > 1 then
        myWebApp = entry(2,startupData).

    assign
        dlcpath      = os-getenv("DLC")
        catalinabase = os-getenv("CATALINA_BASE")
        apppath      = catalinabase + "\webapps\" + myWebApp.

    /* Formerly the WEB_RUN_PATH environment variable */
    setAgentSetting("path","","webrunpath",
        substitute("&1\WEB-INF\openedge\websrc\*,&2\tty\webtools\*.r,&2\tty\workshop.r",
            apppath,dlcpath
        )).

    /*                                  */
    /*hHDL = this-procedure.            */
    /*session:add-super-procedure(hHdl).*/

    function setAgentSetting returns logical
        (cInKey  as character,
         cInSub  as character,
         cInName as character,
         cInVal  as character):
    /*------------------------------------------------------------------------------
      Purpose: Used to set the value of a Name/Value key to the user-specified
               agent setting temp-table.
      Inputs:  cInKey:  key name that the name/value is specified under
               cInSub:  sub-key, provides for sub-type organization. Not required
               cInName: name of 'variable' that is being requested
               cInVal:  value that the 'variable' is to be set to
      Returns: Logical ERROR-STATUS:ERROR
      Notes:   Stolen from web-util.p
    ------------------------------------------------------------------------------*/
        define variable retVal as logical no-undo.

        SettingBLOCK:
        do on error undo SettingBlock, leave SettingBlock:
            find ttAgentSetting
                where ttAgentSetting.cKey  eq cInKey
                  and ttAgentSetting.cSub  eq cInSub
                  and ttAgentSetting.cName eq cInName
                exclusive-lock no-error.
            if not available ttAgentSetting then
            do:
                create ttAgentSetting.
                assign
                    ttAgentSetting.cKey  = cInKey
                    ttAgentSetting.cSub  = cInSub
                    ttAgentSetting.cName = cInName NO-ERROR.
            end. /* name/value not available */
            assign ttAgentSetting.cVal = cInVal.
            release ttAgentSetting.
            assign retVal = error-status:error.
        end. /* SettingBlock */
        return retVal.
    end function. /* setValue */
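
The post's suggestion of switching on os-getenv("COMPUTERNAME") could look like the procedure below. It is an added example, not the author's attached file: the file name agentsettings-env.p and the host names in devHosts are constructed, and it assumes a Windows host, as the original code does.

```abl
/* agentsettings-env.p: added example, not the attached agentsettings.p.
   Takes the same sessionStartupProcParam value: "ABLApp,WebApp". */
block-level on error undo, throw.

define input parameter startupData as character no-undo.

/* Constructed host names: replace with your own development machines. */
define variable devHosts   as character no-undo initial "DEVBOX01,DEVBOX02".
define variable hostName   as character no-undo.
define variable webApp     as character no-undo.
define variable appPath    as character no-undo.
define variable webRunPath as character no-undo.

/* Must match the definition in web-util.p, as in agentsettings.p. */
define new global shared temp-table ttAgentSetting
    field cKey  as character
    field cSub  as character
    field cName as character
    field cVal  as character
    index SettingIdx is primary cKey cSub
    index NameIdx cName.

if num-entries(startupData) > 1 then
    webApp = entry(2, startupData).
assign
    hostName = os-getenv("COMPUTERNAME")
    appPath  = os-getenv("CATALINA_BASE") + "\webapps\" + webApp.

/* Refuse to build a run path from a missing WebApp name or CATALINA_BASE. */
if webApp = "" or appPath = ? then
    return error "agentsettings-env.p: cannot determine the webapp path".

/* Default (production): only the application's own websrc directory. */
webRunPath = appPath + "\WEB-INF\openedge\websrc\*".

/* Workshop and WebTools entries are appended only on listed development
   hosts. An unset COMPUTERNAME (?) keeps the production list. */
if hostName <> ? and lookup(hostName, devHosts) > 0 then
    webRunPath = webRunPath
        + substitute(",&1\tty\webtools\*.r,&1\tty\workshop.r", os-getenv("DLC")).

find ttAgentSetting
    where ttAgentSetting.cKey = "path" and ttAgentSetting.cSub = ""
      and ttAgentSetting.cName = "webrunpath" no-error.
if not available ttAgentSetting then do:
    create ttAgentSetting.
    assign ttAgentSetting.cKey = "path" ttAgentSetting.cName = "webrunpath".
end.
ttAgentSetting.cVal = webRunPath.
```

Because the production list is the default and development hosts are the exception, a host missing from devHosts never receives the Workshop entries.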
