WebSpeed Essentials
Modifying web-disp.p
By default, the agents run web/objects/web-disp.p as their startup program. Each request that is issued to an agent runs through this code. This is the best place to control what happens to each request.
Modify web-disp.p to:
* Make sure that certain r-code can only be run by certain users
* Turn off the PING or DEBUG facilities
* Connect to a database every time a request comes through
* Check for a user timing out
Because each request must go through this code, any changes made to web-disp.p are system wide.
If you want to change this code, you should move it into your application's source tree and rename it. This way, when a service pack installs a newer version of web-disp.p, your changes are not overwritten. You should also compare your code with the new code shipped in the service pack to make sure you also incorporate any bug fixes or enhancements.
The following shows a simplified version of the default WebSpeed web-disp.p.
Default web-disp.p
/* Set the web-request trigger. */
ON "WEB-NOTIFY":U ANYWHERE DO:
  OUTPUT {&WEBSTREAM} TO "WEB":U.
  /* Parse the request/CGI from the web server. */
  RUN init-cgi IN web-utilities-hdl.
  /* Initialize for web-request. */
  RUN init-request IN web-utilities-hdl.
  AppProgram = (IF AppProgram = "debug":U THEN "webutil/debug.p":U ELSE
               (IF AppProgram = "ping":U THEN "webutil/ping.p":U ELSE
               (IF AppProgram = "reset":U THEN "webutil/reset.p":U ELSE
               AppProgram))).
  RUN run-web-object IN web-utilities-hdl (AppProgram) NO-ERROR.
  /* Run clean up and maintenance code */
  RUN end-request IN web-utilities-hdl NO-ERROR.
  /* Output any pending messages queued up by queue-message() */
  IF available-messages(?) THEN
    output-messages("all", ?, "Messages:").
  OUTPUT {&WEBSTREAM} CLOSE.
END. /* ON "WEB-NOTIFY" */

/* Wait for a web-request to come in */
WAIT-FOR-BLOCK:
REPEAT ON ERROR UNDO WAIT-FOR-BLOCK, LEAVE WAIT-FOR-BLOCK
ON QUIT UNDO WAIT-FOR-BLOCK, LEAVE WAIT-FOR-BLOCK
ON STOP UNDO WAIT-FOR-BLOCK, NEXT WAIT-FOR-BLOCK:
  WAIT-FOR "WEB-NOTIFY":U OF DEFAULT-WINDOW.
END. /* WAIT-FOR-BLOCK: REPEAT... */
Note: The Default web-disp.p and Secure web-disp.p listings do not run as shown, because much of the code has been removed. The purpose of these examples is to show program flow.
Secure web-disp.p shows a simplified, secure web-disp.p. You insert the bold text into the original web-disp.p, replacing the "AppProgram = ..." code. In the listing below, that text is the DEFINE VARIABLE vLocn statement and the lines from the "Remove current extension" comment through the NotValidProgram.r assignment, which are the lines that differ from the default listing.
This code stops PING, DEBUG, and RESET, changes the extension of any requested program to .r (r-code), checks that the r-code file exists, and verifies whether this r-code is valid for this user by looking up a database table called UserPrograms. You must create a table called UserPrograms containing (at least) the two fields used in the lookup, UserID and Program. Also, UserID is a variable that you must instantiate.
You usually use a cookie, hidden fields, or URL parameters to hold the user's ID. This should be encrypted in a suitable manner. See Parameter passing for an example of encrypting this ID.
Secure web-disp.p
/* Set the web-request trigger. */
ON "WEB-NOTIFY":U ANYWHERE DO:
  DEFINE VARIABLE vLocn AS INTEGER NO-UNDO.
  OUTPUT {&WEBSTREAM} TO "WEB":U.
  /* Parse the request/CGI from the web server. */
  RUN init-cgi IN web-utilities-hdl.
  /* Initialize for web-request. */
  RUN init-request IN web-utilities-hdl.
  /* Remove current extension */
  vLocn = R-INDEX (AppProgram, ".").
  IF vLocn > 0 THEN
    AppProgram = SUBSTR (AppProgram, 1, vLocn - 1).
  /* Add a .R */
  AppProgram = AppProgram + ".r".
  /* Can this User run this program OR does it exist? */
  IF NOT CAN-FIND (UserPrograms WHERE UserPrograms.UserID = UserID
                   AND UserPrograms.Program = AppProgram)
    OR SEARCH (AppProgram) = ? THEN
    AppProgram = "NotValidProgram.r".
  RUN run-web-object IN web-utilities-hdl (AppProgram) NO-ERROR.

  /* Run clean up and maintenance code */
  RUN end-request IN web-utilities-hdl NO-ERROR.

  /* Output any pending messages queued up by queue-message() */
  IF available-messages(?) THEN
    output-messages("all", ?, "Messages:").
  OUTPUT {&WEBSTREAM} CLOSE.

END. /* ON "WEB-NOTIFY" */
After creating your new-web-disp.p, you must change the agent parameters to reference it.
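The decision logic of Secure web-disp.p, modelled in Python so it can be exercised against sample requests before you change the agent's startup program. This is an added example, not Progress code: the table rows, the file set and the function names normalize and resolve are constructed for illustration, and string comparison is exact rather than following ABL's comparison rules.

```python
# Added model of the "Secure web-disp.p" decision logic (Python, not ABL).
# USER_PROGRAMS and RCODE_FILES are constructed sample data standing in for
# the UserPrograms table and for the files SEARCH() would be able to find.

FALLBACK = "NotValidProgram.r"

# Constructed rows of UserPrograms: (UserID, Program)
USER_PROGRAMS = {
    ("alice", "orders.r"),
    ("alice", "reports/sales.r"),
    ("bob", "orders.r"),
    ("bob", "archive.r"),          # listed, but the r-code file is missing
}

# Constructed set of r-code files that exist on disk.
RCODE_FILES = {"orders.r", "reports/sales.r", "webutil/ping.r", FALLBACK}


def normalize(app_program: str) -> str:
    """Drop everything from the last '.' and append '.r'.

    Mirrors R-INDEX / SUBSTR followed by AppProgram + ".r".
    """
    dot = app_program.rfind(".")   # -1 when there is no "." (R-INDEX gives 0)
    if dot >= 0:
        app_program = app_program[:dot]
    return app_program + ".r"


def resolve(user_id: str, app_program: str) -> str:
    """Return the r-code name that would be passed to run-web-object."""
    target = normalize(app_program)
    allowed = (user_id, target) in USER_PROGRAMS   # CAN-FIND (UserPrograms ...)
    exists = target in RCODE_FILES                 # SEARCH (AppProgram) <> ?
    # Default deny: both conditions must hold, otherwise run the fallback.
    return target if allowed and exists else FALLBACK


if __name__ == "__main__":
    for user, req in [("alice", "orders.w"), ("alice", "ping"),
                      ("alice", "webutil/ping.p"), ("bob", "archive.p"),
                      ("bob", "reports/sales.r"), ("guest", "orders.r")]:
        print(f"{user:6} {req:18} -> {resolve(user, req)}")
```

PING, DEBUG and RESET stop working because the secure version no longer maps those names to webutil programs, so the normalized names fall through to NotValidProgram.r unless a UserPrograms row grants them.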