Sun ONE Application Server 7 Developer's Guide to Web Applications
Using CGI
Common Gateway Interface (CGI) programs run on the server and generate a response to return to the requesting client. CGI programs can be written in various languages, including C, C++, and Perl, or as shell scripts. CGI programs are invoked through URL invocation.
A myriad of information about writing CGI programs is available. A good starting point is "The Common Gateway Interface" at:
http://hoohoo.ncsa.uiuc.edu/cgi/overview.html
Sun ONE Application Server complies with the version 1.1 CGI specification.
Since the server starts up a process each time the CGI script or program runs, this is an expensive method of programming the server.
For security, CGI scripts depend on the server's security configuration. For more information, see "Security for SHTML and CGI" and the Sun ONE Application Server Administrator's Guide to Security.
This module includes the following topics:
- CGI and J2EE Web Applications
- Enabling CGI
- Creating Custom Execution Environments for CGI Programs (UNIX only)
- Adding CGI Programs to the Server
- Setting the Priority of a CGI Program
- Windows CGI Programs
- Shell CGI Programs for Windows
- The Query Handler
- Perl CGI Programs
- Global CGI Settings
- CGI Variables
CGI and J2EE Web Applications
In Sun ONE Application Server, CGI programs cannot interoperate with J2EE web applications. Specifically:
- Do not place CGI programs within web application context roots.
- Do not include the output of CGI programs in servlets or JSPs.
- Do not forward requests to CGI programs from servlets or JSPs.
- You cannot apply J2EE security-constraint and filter-mapping features to CGI programs.
Enabling CGI
Sun ONE Application Server provides these ways to identify CGI programs:
- Specifying CGI Directories. The server treats all files in CGI directories as CGI programs.
- Specifying CGI File Extensions. The server treats all files with the specified extensions as CGI programs.
Specifying CGI Directories
To specify directories that contain CGI programs (and only CGI programs):
- Create the CGI directory on your computer. This directory doesn't have to be a subdirectory of your document root directory. This is why you must specify a URL prefix in Step 7.
- Open the HTTP Server component under your server instance in the Administration interface.
- Go to the Virtual Servers page.
- Click on the name of the virtual server for which you are specifying a CGI directory.
- Click on the CGI tab.
- Click on the CGI Directory option.
- In the URL Prefix field, type the URL prefix to use for this directory. That is, the text you type appears as the directory for the CGI programs in URLs.
For example, if you type cgi-bin as the URL prefix, then all URLs to these CGI programs have the following structure:
- In the CGI Directory text field, type the location of the directory as an absolute path.
- Click on the OK button.
- Go to the server instance page and select the Apply Changes button.
The server treats all files in these directories as CGI programs.
To remove an existing CGI directory, click that directory's Remove button in the CGI Directory page. To change the URL prefix or CGI directory of an existing directory, click that directory's Edit button.
Copy your CGI programs into the directories you've specified. Remember that any files in those directories are processed as CGI files, so don't put HTML files in your CGI directory.
For each CGI directory, the file obj.conf contains a NameTrans directive that associates the name cgi with each request for a resource in that directory. These directives are automatically added to obj.conf when you specify CGI directories in the Administration interface, or you can manually add them to obj.conf if desired.
For example, the following instruction interprets all requests for resources in http://server-name/cgi-local as requests to invoke CGI programs in the directory C:/SunServer/docs/mycgi.
NameTrans fn="pfx2dir" from="/cgi-local" dir="C:/SunServer/docs/mycgi" name="cgi"
The obj.conf file must contain the following named object:
<Object name="cgi">
ObjectType fn="force-type" type="magnus-internal/cgi"
Service fn="send-cgi"
</Object>
Do not remove this object from obj.conf. If you do, the server will never recognize CGI directories, regardless of whether you specify them in the Administration interface or manually add more NameTrans directives to obj.conf.
Specifying CGI File Extensions
To instruct the server to treat all files with certain extensions as CGI programs, regardless of which directory they reside in:
- Open the HTTP Server component under your server instance in the Administration interface.
- Go to the Virtual Servers page.
- Click on the name of the virtual server for which you are specifying CGI file types.
- Click on the CGI tab.
- Click on the CGI File Type option.
- From the Editing picker, choose the resource you want this change to apply to.
- Click the Yes radio button under Activate CGI as a File Type.
- Click on the OK button.
- Go to the server instance page and select the Apply Changes button.
The default CGI extensions are .cgi, .bat and .exe.
To change which extensions indicate CGI programs, modify the following line in mime.types to specify the desired extensions. Be sure to restart the server after editing mime.types.
type=magnus-internal/cgi exts=cgi,exe,bat
When the server is enabled to treat all files with an appropriate extension as CGI programs, the obj.conf file contains the following Service directive:
Service fn="send-cgi" type="magnus-internal/cgi"
Creating Custom Execution Environments for CGI Programs (UNIX only)
Before you can create a custom execution environment, you must install the suid Cgistub and run it as root:
- Log in as the superuser.
su
- Create the private directory for Cgistub:
cd instance_dir
mkdir private
- Copy Cgistub to the private directory:
cd private
cp install_dir/lib/Cgistub .
- Set the owner of private to the server user:
chown username .
- Set the permissions on private:
chmod 500 .
- Set the owner of Cgistub to root:
chown root Cgistub
- Set the permissions on Cgistub:
chmod 4711 Cgistub
- You can give each reference to the send-cgi function in obj.conf a user parameter. For example:
Service fn="send-cgi" user="username"
You can use variable substitution. For example, in server.xml, give a virtual-server element the following property subelement:
<property name="user" value="username"/>
This lets you write the send-cgi function line in obj.conf as follows:
Service fn="send-cgi" user="$user"
For more information about send-cgi and obj.conf, see the Sun ONE Application Server Developer's Guide to NSAPI. For more information about server.xml, see the Sun ONE Application Server Administrator's Configuration File Reference.
- Restart the server so these changes take effect.
Note: It may not be possible to install the suid Cgistub program on an NFS mount. If you wish to use an suid Cgistub, you must install your server instance to a local file system.
Cgistub enforces the following security restrictions:
- The user the CGI program executes as must have a uid of 100 or greater. This prevents anyone from using Cgistub to obtain root access.
- The CGI program must be owned by the user it is executed as and must not be writable by anyone other than its owner. This makes it difficult for anyone to covertly inject and then remotely execute programs.
- Cgistub creates its UNIX listen socket with 0700 permissions.
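The install steps and the restrictions above can be checked mechanically. The following is an added example, not code from the guide or from Sun: it verifies the modes set during the Cgistub install (500 on private, 4711 and root ownership on Cgistub) and applies the uid, ownership and write-permission rules to every file in a CGI directory. All function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Sun's code): audit helpers for the Cgistub install
# steps and the Cgistub restrictions. All function names are hypothetical.

# Print "<10-char permission string> <owner uid>" for a path.
perm_and_owner() {
    ls -lnd "$1" 2>/dev/null | awk '{ print substr($1, 1, 10), $3 }'
}

# Install steps: private is mode 500, Cgistub is mode 4711 and owned by root.
# $1 = perms of private, $2 = perms of Cgistub, $3 = owner uid of Cgistub.
install_verdict() {
    [ "$1" = "dr-x------" ] || { echo "private-mode"; return 1; }
    [ "$2" = "-rws--x--x" ] || { echo "cgistub-mode"; return 1; }
    [ "$3" = "0" ] || { echo "cgistub-owner"; return 1; }
    echo "ok"
}

# $1 = path to instance_dir/private
check_cgistub_install() {
    d=$(perm_and_owner "$1")
    s=$(perm_and_owner "$1/Cgistub")
    install_verdict "${d% *}" "${s% *}" "${s#* }"
}

# The documented restrictions as a pure check.
# $1 = uid the CGI program executes as, $2 = uid that owns the file,
# $3 = ls-style permission string. Prints a verdict; returns 0 only on "ok".
cgistub_policy() {
    exec_uid=$1 owner_uid=$2 perms=$3
    if [ "$exec_uid" -lt 100 ]; then
        echo "uid-below-100"; return 1
    fi
    if [ "$owner_uid" != "$exec_uid" ]; then
        echo "owner-mismatch"; return 1
    fi
    case $perms in
        # 6th character is the group write bit, 9th is the other write bit
        ?????w*|????????w*) echo "writable-by-non-owner"; return 1 ;;
    esac
    echo "ok"
}

# Audit every regular file in a CGI directory.
# $1 = CGI directory, $2 = numeric uid the programs execute as.
# Prints "<verdict> <path>" per file; returns 1 if any file fails.
audit_cgi_dir() {
    dir=$1 run_uid=$2 rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        set -- $(perm_and_owner "$f")      # $1 = perms, $2 = owner uid
        verdict=$(cgistub_policy "$run_uid" "$2" "$1") || rc=1
        echo "$verdict $f"
    done
    return $rc
}

# Usage (paths and user name are placeholders):
#   check_cgistub_install /path/to/instance_dir/private
#   audit_cgi_dir /path/to/vs_dir/cgi-bin "$(id -u username)"
```

Run the directory audit after every deployment of new CGI programs, since a single group-writable or wrongly owned file is enough for Cgistub to refuse it.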
After you have installed Cgistub, you can create custom execution environments in the following ways:
- Specifying a Unique CGI Directory and UNIX User and Group for a Virtual Server
- Specifying a Chroot Directory for a Virtual Server
Specifying a Unique CGI Directory and UNIX User and Group for a Virtual Server
To prevent a virtual server's CGI programs from interfering with other users, these programs should be stored in a unique directory and execute with the permissions of a unique UNIX user and group.
First, create the UNIX user and group. The exact steps required to create a user and group vary by operating system. For help, consult your operating system's documentation.
Next, follow these steps to create a cgi-bin directory for the virtual server:
- Log in as the superuser.
su
- Change to the virtual server directory.
cd vs_dir
- Create the cgi-bin directory.
mkdir cgi-bin
chown user:group cgi-bin
chmod 755 cgi-bin
You can set the virtual server's CGI directory, user, and group in one of these ways:
- Use the dir, user, and group parameters of the send-cgi function in the obj.conf file. For more information, see the Sun ONE Application Server Developer's Guide to NSAPI.
- Enter this information using the Administration interface:
Open the HTTP Server component under your server instance.
Go to the Virtual Servers page.
Click on the name of the virtual server for which you are specifying CGI directories.
Type values in the Directory, User, and Group fields.
Go to the server instance page and select the Apply Changes button.
For more information, see the Sun ONE Application Server Administrator's Guide.
Specifying a Chroot Directory for a Virtual Server
To further improve security, these CGI scripts should be prevented from accessing data above and outside of the virtual server directory.
First, set up the chroot environment. The exact steps required to set up the chroot environment vary by operating system. For help, consult your operating system's documentation. The man pages for ftpd and chroot are often a good place to start.
These are the steps required for Solaris versions 2.6 through 8:
- Log in as the superuser.
su
- Change to the chroot directory. This is typically the vs_dir directory mentioned in the previous section.
cd chroot
- Create tmp in the chroot directory:
mkdir tmp
chmod 1777 tmp
- Create dev in the chroot directory:
mkdir dev
chmod 755 dev
- List /dev/tcp, and note the major and minor numbers of the resulting output. In this example, the major number is 11 and the minor number is 42:
ls -lL /dev/tcp
crw-rw-rw- 1 root sys 11, 42 Apr 9 1998 /dev/tcp
- Create the tcp device using the major and minor numbers:
mknod dev/tcp c 11 42
chmod 666 dev/tcp
- Repeat steps 5 and 6 for each of the following devices (each device will have a different major and minor combination):
/dev/udp
/dev/ip
/dev/kmem
/dev/kstat
/dev/ksyms
/dev/mem
/dev/null
/dev/stderr
/dev/stdin
/dev/stdout
/dev/ticotsord
/dev/zero
- Set permissions on the devices in dev in the chroot directory:
chmod 666 dev/*
- Create and populate lib and usr/lib in the chroot directory:
mkdir usr
mkdir usr/lib
ln -s /usr/lib
ln /usr/lib/* usr/lib
You can ignore the messages this command generates.
If the /usr/lib directory is on a different file system, replace the last command with the following:
cp -rf /usr/lib/* usr/lib
- Create and populate bin and usr/bin in the chroot directory:
mkdir usr/bin
ln -s /usr/bin
ln /usr/bin/* usr/bin
You can ignore the messages this command generates.
If the /usr/bin directory is on a different file system, replace the last command with the following:
cp -rf /usr/bin/* usr/bin
- Create and populate etc in the chroot directory:
mkdir etc
ln /etc/passwd /etc/group /etc/netconfig etc
- Test the chroot environment:
chroot chroot bin/ls -l
The output should look something like this:
total 14
lrwxrwxrwx 1 root other 8 Jan 13 03:32 bin -> /usr/bin
drwxr-xr-x 2 user group 512 Jan 13 03:42 cgi-bin
drwxr-xr-x 2 root other 512 Jan 13 03:28 dev
drwxr-xr-x 2 user group 512 Jan 13 03:26 docs
drwxr-xr-x 2 root other 512 Jan 13 03:33 etc
lrwxrwxrwx 1 root other 8 Jan 13 03:30 lib -> /usr/lib
drwxr-xr-x 4 root other 512 Jan 13 03:32 usr
You can set the virtual server's chroot directory in one of these ways:
- Use the chroot parameter of the send-cgi function in the obj.conf file. For more information, see the Sun ONE Application Server Developer's Guide to NSAPI.
- Enter this information using the Administration interface:
Open the HTTP Server component under your server instance.
Go to the Virtual Servers page.
Click on the name of the virtual server for which you are specifying CGI directories.
Type a value in the Chroot field.
Go to the server instance page and select the Apply Changes button.
For more information, see the Sun ONE Application Server Administrator's Guide.
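The device-node steps of the Solaris procedure above, as an added dry-run helper that is not part of the original guide: it reads `ls -lL` output and prints the matching mknod command for each device, with the source device's own permission string beside it for comparison with the chmod 666 the steps apply. The names chroot_dev_plan, plan_from_host and CHROOT_DEVICES are hypothetical.

```shell
#!/bin/sh
# Added example (not from the guide): dry-run generator for the mknod steps.
# Nothing is created; the output is a list of commands to review.

# Devices the procedure copies into the chroot (list taken from the page).
CHROOT_DEVICES="tcp udp ip kmem kstat ksyms mem null stderr stdin stdout ticotsord zero"

# Read `ls -lL` lines on stdin. For every device node print
#   mknod dev/<name> <c|b> <major> <minor> # source mode <perms>
# Lines that are not device nodes are reported and make the function return 1.
chroot_dev_plan() {
    awk '
    {
        line = $0
        sub(/,/, " ")               # "11, 42" and "11,42" both split cleanly
        type = substr($1, 1, 1)
        n = split($NF, parts, "/")  # last field is the path; keep the basename
        name = parts[n]
        if ((type != "c" && type != "b") ||
            $5 !~ /^[0-9]+$/ || $6 !~ /^[0-9]+$/) {
            printf "# skipped (not a device node): %s\n", line
            bad = 1
            next
        }
        printf "mknod dev/%s %s %d %d # source mode %s\n",
               name, type, $5, $6, substr($1, 1, 10)
    }
    END { exit bad + 0 }'
}

# Live use on the host: list the page's devices and feed them to the planner.
plan_from_host() {
    for d in $CHROOT_DEVICES; do
        ls -lL "/dev/$d" 2>/dev/null
    done | chroot_dev_plan
}
```

Run plan_from_host as the superuser from the chroot directory, review the output, and only then execute the printed commands.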
Adding CGI Programs to the Server
To add CGI programs to the Sun ONE Application Server, simply do one of the following:
- Drop the program file in a CGI directory (if there are any).
- Give it a file name that the server recognizes as a CGI program and put it in any directory at or below the document root (if CGI file type recognition has been activated).
For UNIX, make sure the program file has execute permissions set.
Setting the Priority of a CGI Program
To set the priority of a CGI program:
- Open the HTTP Server component under your server instance in the Administration interface.
- Go to the Virtual Servers page.
- Click on the name of the virtual server for which you are specifying CGI directories.
- Click on the General tab.
- Type a value in the Nice field. This increment determines the CGI program's priority relative to the server. Typically, the server is run with a nice value of 0 and the nice increment would be between 0 (the CGI program runs at the same priority as the server) and 19 (the CGI program runs at a much lower priority than the server). While it is possible to increase the priority of the CGI program above that of the server by specifying a nice increment of -1, this is not recommended.
- Click on the Save button.
- Go to the server instance page and select the Apply Changes button.
For more information, see the Sun ONE Application Server Administrator's Guide.
Windows CGI Programs
This section discusses how to install Windows CGI Programs. The following topics are included in this section:
- Overview of Windows CGI Programs
- Specifying a Windows CGI Directory
- Specifying Windows CGI as a File Type
Overview of Windows CGI Programs
Windows CGI programs are handled much as other CGI programs. You specify a directory that contains only Windows CGI programs, or you specify that all Windows CGI programs have the same file extension, or both.
Although Windows CGI programs behave like regular CGI programs, your server processes the actual programs slightly differently. Therefore, you need to specify different directories for Windows CGI programs. If you enable the Windows CGI file type, it uses the file extension .wcg.
Sun ONE Application Servers support the Windows CGI 1.3a informal specification, with the following differences:
- The following keywords have been added to the [CGI] section to support security methods:
HTTPS: its value is on or off, depending on whether the transaction is conducted through SSL.
HTTPS Keysize: when HTTPS is on, this value reports the number of bits in the session key used for encryption.
HTTPS Secret Keysize: when HTTPS is on, this value reports the number of bits used to generate the server's private key.
- The keyword Document Root in the [CGI] section might not refer to the expected document root because the server does not have a single document root. The directory returned in this variable is the root directory for the Windows CGI program.
- The keyword Server Admin in the [CGI] section is not supported.
- The keyword Authentication Realm in the [CGI] section is not supported.
- Forms sent with multi-part/form-data encoding are not supported.
Specifying a Windows CGI Directory
To specify directories that contain WinCGI programs (and only WinCGI programs):
- Create the Windows CGI directory on your computer. This directory doesn't have to be a subdirectory of your document root directory. This is why you must specify a URL prefix in Step 7.
- Open the HTTP Server component under your server instance in the Administration interface.
- Go to the Virtual Servers page.
- Click on the name of the virtual server for which you are specifying Windows CGI directories.
- Click on the CGI tab.
- Click on the WinCGI Directory option.
- In the URL Prefix field, type the URL prefix to use for this directory. That is, the text you type appears as the directory for the CGI programs in URLs.
For example, if you type cgi-bin as the URL prefix, then all URLs to these CGI programs have the following structure:
- In the WINCGI Directory text field, type the location of the directory as an absolute path.
- To enable script tracing, select the Yes radio button.
- Click on the OK button.
- Go to the server instance page and select the Apply Changes button.
To remove an existing Windows CGI directory, click that directory's Remove button in the WINCGI Directory page. To change the URL prefix or Windows CGI directory of an existing directory, click that directory's Edit button.
Copy your Windows CGI programs into the directories you've specified. Remember that any file in those directories is processed as a Windows CGI file.
Specifying Windows CGI as a File Type
To specify a file extension for Windows CGI files, perform the following steps:
- Open the HTTP Server component under your server instance in the Administration interface.
- Go to the Virtual Servers page.
- Click on the name of the virtual server for which you are specifying a Windows CGI file type.
- Note the name of the MIME Types File for the virtual server.
- Go to the MIME Type Files page.
- Click on the name that matches the name you noted in Step 4.
- Click on the MIME File... button.
- Add a new MIME type with the following settings:
Content-Type: magnus-internal/wincgi
File Suffix: Enter the file suffixes that you want the server to associate with Windows CGI. If you activated CGI, WinCGI, and shell CGI file types, you must specify a different suffix for each type of CGI. For example, you can't use the suffix .exe for both a CGI program and a shell CGI program. If you need to, you can edit the other MIME type fields on the page so that the suffixes are unique.
- Click on the New Type button.
- Go to the server instance page and select the Apply Changes button.
Shell CGI Programs for Windows
This section discusses how to install Shell CGI Programs for Windows. The following topics are included in this section:
- Overview of Shell CGI Programs for Windows
- Specifying a Shell CGI Directory (Windows)
- Specifying Shell CGI as a File Type (Windows)
Overview of Shell CGI Programs for Windows
Shell CGI is a server configuration that lets you run CGI applications using the file associations set in Windows.
For example, if the server gets a request for a shell CGI file called hello.pl, the server uses the Windows file associations to run the file using the program associated with the .pl extension. If the .pl extension is associated with the program C:\bin\perl.exe, the server attempts to execute the hello.pl file as follows:
c:\bin\perl.exe hello.pl
The easiest way to configure shell CGI is to create a directory in your server's document root that contains only shell CGI files. However, you can also configure the server to associate specific file extensions with shell CGI by editing MIME types from the Sun ONE Application Server.
Note: For information on setting Windows file extensions, see your Windows documentation.
Specifying a Shell CGI Directory (Windows)
To specify directories that contain shell CGI programs (and only shell CGI programs):
- Create the shell CGI directory on your computer. This directory doesn't have to be a subdirectory of your document root directory. This is why you must specify a URL prefix in Step 7.
- Open the HTTP Server component under your server instance in the Administration interface.
- Go to the Virtual Servers page.
- Click on the name of the virtual server for which you are specifying shell CGI directories.
- Click on the CGI tab.
- Click on the Shell CGI Directory option.
- In the URL Prefix field, type the URL prefix to use for this directory. That is, the text you type appears as the directory for the CGI programs in URLs.
For example, if you type cgi-bin as the URL prefix, then all URLs to these CGI programs have the following structure:
- In the Shell CGI Directory text field, type the location of the directory as an absolute path.
- Click on the OK button.
- Go to the server instance page and select the Apply Changes button.
- Make sure that any files in the shell CGI directory also have file associations set in Windows. The server returns an error if it attempts to run a file that has no file-extension association.
To remove an existing shell CGI directory, click that directory's Remove button in the Shell CGI Directory page. To change the URL prefix or shell CGI directory of an existing directory, click that directory's Edit button.
Copy your shell CGI programs into the directories you've specified. Remember that any file in those directories is processed as a shell CGI file.
Specifying Shell CGI as a File Type (Windows)
You can use the Sun ONE Application Server's mime.types file to associate a file extension with the shell CGI feature. This is different from creating an association in Windows.
To associate a file extension with the shell CGI feature in the server, for example, you can create an association for files with the .pl extension. When the server gets a request for a file with that extension, the server knows to treat the file as a shell CGI file by calling the executable associated in Windows with that file extension.
To associate a file extension as a shell CGI file, perform the following steps:
- Open the HTTP Server component under your server instance in the Administration interface.
- Go to the Virtual Servers page.
- Click on the name of the virtual server for which you are specifying a Windows CGI file type.
- Note the name of the MIME Types File for the virtual server.
- Go to the MIME Type Files page.
- Click on the name that matches the name you noted in Step 4.
- Click on the MIME File... button.
- Add a new MIME type with the following settings:
Content-Type: magnus-internal/shellcgi
File Suffix: Enter the file suffixes that you want the server to associate with Windows CGI. If you activated CGI, WinCGI, and shell CGI file types, you must specify a different suffix for each type of CGI. For example, you can't use the suffix .exe for both a CGI program and a shell CGI program. If you need to, you can edit the other MIME type fields on the page so that the suffixes are unique.
- Click on the New Type button.
- Go to the server instance page and select the Apply Changes button.
The Query Handler
You can specify a default query handler CGI program. A query handler processes text sent to it via the ISINDEX tag in an HTML file.
ISINDEX is similar to a form text field in that it creates a text field in the HTML page that can accept typed input. Unlike the information in a form text field, however, the information in the ISINDEX box is immediately submitted when the user presses Return. When you specify your default query handler, you tell your server to which program to direct the input. For an in-depth discussion of the ISINDEX tag, see an HTML reference manual.
To set a query handler, perform the following steps:
- Open the HTTP Server component under your server instance in the Administration interface.
- Go to the Virtual Servers page.
- Click on the name of the virtual server for which you are specifying a query handler.
- Click on the CGI tab.
- Click on the Query Handler option.
- Use the Editing Picker to select the resource you want to set with a default query handler.
If you choose a directory, the query handler you specify runs only when the server receives a URL for that directory or any file in that directory.
- In the Default Query Handler field, enter the full path for the CGI program you want to use as the default for the resource you chose.
- Click on the OK button.
- Go to the server instance page and select the Apply Changes button.
Perl CGI Programs
You cannot run CGIs using Perl 5.6.x with the -w flag. Instead, include the following code in the file:
use warnings;
Global CGI Settings
To change global CGI settings:
- Open the HTTP Server component under your server instance in the Administration interface.
- Go to the HTTP Server page.
- Click on the Advanced tab.
- Click on the CGI option.
- You can change the following settings:
MinCGIStubs - Sets the number of CGIStub processes that are started by default. This value must be lower than MaxCGIStubs. The default is 2.
CGIExpirationTimeout - Specifies the maximum time in seconds that CGI processes are allowed to run before being killed. The default is 0, which means processes are allowed to run indefinitely.
CGIStubIdleTimeout - Kills any CGIStub processes that have been idle for this number of seconds. The default is 30.
MaxCGIStubs - Sets the maximum number of CGIStub processes the server can execute concurrently. The default is 10.
- Click on the OK button.
- Go to the server instance page and select the Apply Changes button.
For more information about these global CGI settings, see the description of the init.conf file in the Sun ONE Application Server Administrator's Configuration File Reference.
CGI Variables
In addition to the standard CGI variables, you can use the Sun ONE Application Server CGI variables in CGI programs to access information about the client certificate if the server is running in secure mode. The CLIENT_CERT and REVOCATION variables are available only when client certificate based authentication is enabled.
The following table lists the Sun ONE Application Server CGI variables. The left column lists the variables, and the right column lists descriptions of those variables.