- The default fail rule means that only requests that are authorized by the web
administrator are honored; other requests will fail.
- Explicit CGI enablement means that no CGI programs will run unless
specifically authorized.
- Only CGI programs are run.
- Only the read HTTP methods GET, POST, and HEAD are supported.
The default fail rule
The server rejects, by default, all incoming requests unless the URL, as translated
by any preceding Map directives, matches a Pass, Redirect, or Exec directive that
has been explicitly coded by the server administrator:
- A match with a Pass directive enables the server to serve a document.
- A match with a Redirect directive causes the server to return a 302 (Found)
response to the client application. The Location header field of that response
carries the URL of the redirect request. An HTTP request that matches a
Redirect directive causes no data to be accessed; only a subsequent request
generated by the client could cause data to be accessed.
- A match with an Exec directive enables the server to run a CGI program on
behalf of the client.
- A match with a Service directive enables the server to run a server API program
on behalf of the client.
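The following is an added model of the request evaluation described above; it is not the server's own code, and the directive set in CONFIG is constructed for illustration (the library name CGILIB and the example.com host are placeholders). It walks the directives in order, lets Map rewrite the URL before matching continues, and stops at the first Pass, Redirect, Exec or Service match. Anything that reaches the end of the list without a match fails, which is the default fail rule; a request using a method other than GET, POST or HEAD fails before any directive is consulted.

```python
"""Model of the AS/400 HTTP server's default-fail request rule.

Added example, not the server's implementation. The directive names
(Map, Pass, Redirect, Exec, Service) follow the manual text; the
templates, targets and library names below are constructed.
"""
from dataclasses import dataclass

# Only the read methods the server supports (see the chapter summary).
SUPPORTED_METHODS = {"GET", "POST", "HEAD"}

# Constructed directive set: CGILIB is a placeholder CGI library.
CONFIG = """
# Map rewrites the URL and evaluation continues with the new URL.
Map      /docs/*     /public/*
Pass     /public/*   /QIBM/ProdData/HTTP/Public/*
Redirect /old/*      http://www.example.com/new/*
Exec     /cgi-bin/*  /QSYS.LIB/CGILIB.LIB/*.PGM
"""


@dataclass
class Directive:
    kind: str       # Map, Pass, Redirect, Exec or Service
    template: str   # request URL pattern, '*' matches any text
    target: str     # replacement; '*' receives the matched text


def parse_config(text):
    """Parse 'kind template target' lines; '#' lines and blanks are ignored."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, template, target = line.split()
        rules.append(Directive(kind, template, target))
    return rules


def match(template, url):
    """Return the text matched by '*' ('' for an exact match), or None."""
    if "*" not in template:
        return "" if template == url else None
    prefix, suffix = template.split("*", 1)
    if (url.startswith(prefix) and url.endswith(suffix)
            and len(url) >= len(prefix) + len(suffix)):
        return url[len(prefix):len(url) - len(suffix)]
    return None


def decide(rules, method, url):
    """Return (action, detail) for one request under the default-fail rule."""
    if method not in SUPPORTED_METHODS:
        return ("FAIL", "method not supported")
    for d in rules:
        star = match(d.template, url)
        if star is None:
            continue
        resolved = d.target.replace("*", star, 1)
        if d.kind == "Map":
            url = resolved          # translate, then keep evaluating
            continue
        if d.kind == "Pass":
            return ("SERVE", resolved)
        if d.kind == "Redirect":
            return ("REDIRECT", resolved)
        if d.kind in ("Exec", "Service"):
            return ("RUN", resolved)
    # No explicitly coded directive matched: the default is to fail.
    return ("FAIL", "no matching Pass, Redirect, Exec or Service directive")


if __name__ == "__main__":
    rules = parse_config(CONFIG)
    for method, url in [("GET", "/docs/index.html"), ("GET", "/cgi-bin/HELLO"),
                        ("GET", "/old/page"), ("GET", "/secret/file"),
                        ("PUT", "/public/x")]:
        print(method, url, "->", decide(rules, method, url))
```

Note that the order of directives matters: a Pass placed before a more specific Exec for an overlapping template would serve the program object as a document instead of running it, so keep the Exec directives narrow and list them ahead of any broad Pass.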
Explicit CGI enablement
The server will not run a user-defined CGI program unless the server
administrator has explicitly enabled it by coding an Exec directive. The server
administrator can, for example, limit CGI requests to a specific library in QSYS.LIB.
Important!
It is the server administrator's responsibility to verify that any CGI program
that is enabled does not violate the customer's security policies for the
AS/400 system on which the server is running.
IBM recommends that the HTTP administrator move the DB2WWW *PGM
(the Net.Data CGI program) from the QHTTPSVR library to its own CGI
library. This allows users to run the CGI program while limiting access to the
QHTTPSVR library. Do not move any Include files from the QHTTPSVR
library.
Server runs only CGI programs
To run properly, programs that are called by the server must conform to the server
CGI interface. When the server is enabled to call a particular program on behalf of
a remote HTTP client application, the program is called and the output is returned
through the server CGI interface.
CGI program considerations
You need to understand the security environment defined by the server
configuration directives that apply to your CGI programs.
Chapter 5. Enabling your AS/400 to run CGI programs 87