Servlet Security

In this section:

Before a user can access a ReportCaster Servlet API application, a valid WebFOCUS Reporting Server logon must take place. This logon is typically accomplished with an HTML logon form.

Note: To create a schedule with the Servlet API, a valid Execution ID is required for the default ReportCaster Reporting Server.


Top of page

x
Creating Cookies for User Credentials

WebFOCUS cookies are established when a valid ReportCaster logon occurs using the WF_SIGNON action. A sample logon form, rbalogon.htm, is distributed with ReportCaster. This form navigates to an rbaindex.htm form, which has links to all other sample forms.

You can use the supplied logon form, or create your own custom form that assigns the value WF_SIGNON to the variable IBIWF_action. This causes the creation of the cookie containing the validated server credentials.


Top of page

x
Determining Ownership of Schedules and Distribution Lists

There are three options for assigning ownership with the ReportCaster Servlet API:


Top of page

x
Determining Execution Credentials for Schedules

Execution credentials are used at schedule execution time to log on to the default WebFOCUS Reporting Server and execute the job. Execution credentials are taken from the WebFOCUS cookie that is created when the user logs on to the ReportCaster Servlet API application. The WebFOCUS cookie may include credentials for multiple servers. However, Servlet API schedules can only run on the default WebFOCUS Reporting Server.

The ReportCaster Servlet API determines which WebFOCUS cookie credentials to use for validation as follows:

  1. Search for the default server as defined in the ReportCaster Server Configuration tool and use the credentials associated with that server.
  2. If the default server from the ReportCaster Distribution Server configuration file is not found, look for * in the WebFOCUS cookie, indicating that the logon form did not specify a server. Attempt to validate the user ID with the credentials associated with this non-specific server.
  3. If the default server and * are not located in the WebFOCUS cookie, an error message is issued.

Top of page

x
Default User in Configuration Tool

The Default User is set using the ReportCaster Server Configuration tool. In WebFOCUS Version 5 Release 2.3, if there is a value for the Default User parameter, this value is assigned as the owner of API-based schedules that are migrated from an earlier release. This value is also assigned as the owner of new schedules and Distribution Lists created by the ReportCaster Servlet API. Setting a value for the Default User parameter in the configuration tool causes behavior that is consistent with Version 5 Release 2.1.

If the Default User parameter is left blank in the configuration tool, ownership of migrated schedules is assigned to the Execution ID from the schedule. Leaving the Default User blank allows schedules and Distribution Lists to be distinguished as belonging to different users, as in Version 4 Release 3.6. Execution IDs must exist as valid ReportCaster users in the appropriate tables. Execution IDs can be created as ReportCaster users with the Managed Reporting User Administration tool, or they can be migrated and created as ReportCaster users with the Version 5 Release 2.3 migration tool.


Top of page

x
IBIB_user Parameter

Using the ReportCaster Servlet API, it is possible to run a schedule and maintain a Distribution List belonging to an owner other than the logged on user. To accomplish this, you must pass the IBIB_user parameter (through an HTML logon form) to the Servlet API as the alternate owner.

Note: If the ReportCaster user ID used to logon to the Servlet API application is a ReportCaster Administrator user ID, the IBIB_user parameter is ignored and access is provided to all schedules and Distribution Lists in the WebFOCUS repository.

The following table describes the use of the IBIB_user parameter by the servlets.

Servlet

IBIB_user Description

Notes

DSTDLBULK

Required if the user value in the WebFOCUS cookie is not the owner of the Distribution List, and the user is adding members to an existing Distribution List, replacing members in an existing Distribution List, or deleting an existing Distribution List. The owner of the scheduled job is the user ID from WF_COOKIE. For the copy function, IBIB_user can be supplied as an alternate owner ID for the target list.

The owner of the scheduled job is the user ID from WF_COOKIE.

Not used if creating a new Distribution List.

The user ID should not be specified and will be ignored if set.

DSTDLMEM

Optional.

Must supply a value only if the user is not the owner of the Distribution List.

DSTDLLIST

Not applicable.

No security checking. Any user can view any Distribution List.

DSTSCHED

Not applicable.

The owner of the scheduled job is the user ID from WF_COOKIE.

DSTACTIVE

Not applicable.

The user ID from WF_COOKIE is validated against the owner of the schedule. The ReportCaster Administrator ID can set the status of any particular job or for all jobs.

DSTRUNNOW

Required if you are not the owner of the schedule.

Optionally, an alternate execution ID can be supplied.

The user ID from WF_COOKIE is used. A supplied value overrides the user ID from WF_COOKIE.

DSTLOG

Not applicable.

Only retrieves log reports for jobs that are scheduled through the ReportCaster API and are owned by the current WebFOCUS Reporting Server user ID.


WebFOCUS