Authority problem.


kevin.packard
01-14-2010, 04:23 AM
We have an application under development that initially sends around 35 to 40 AJAX requests to retrieve information from the System i.

All the requests work fine for users with *ALLOBJ authority, but for users without *ALLOBJ, most of the HTTP threads fail and/or they receive a message about being disconnected from the HTTP server.

Please can you help.

richard.milone
01-14-2010, 09:21 AM
The user must have object access through the traditional authority mechanisms on i, just like when running through the green screen. When you make an AJAX request, the CGI job is switched on the fly to the user who is logged in for that session and the request is executed under that profile. So you may need to grant authority to those users who need access to the objects in question.

If you're running under VALENCE profile mode you could cross reference all your Valence user names to a single System i profile that does have access, but that's not a great solution in my opinion because from the i's perspective you lose the auditing level of what user is doing what.

If managing this object access is problematic for some reason, you could also explore compiling your Valence programs with USRPRF(*OWNER). This will cause the programs to run under the authority level of the person who compiled them rather than the person calling them. If you do this, be sure you fully understand the security ramifications, and also make sure that any existing object that exists for the program is deleted before you recompile. If you compile with USRPRF(*OWNER) and an object already exists it will not work, although it will look like it has.

kevin.packard
01-15-2010, 08:57 AM
The users that are encountering the problem have all the authority they need on the system i, as access is required to perform their daily job.

We are currently running under the Valence profile mode and have these users linked to a single profile that has *ALLOBJ authority to allow them to perform some testing; ideally we want to change this back to their actual system i profile.

Going down the route of compiling the programs with USRPRF(*OWNER) is something we know about, but are reluctant to consider, and authority to the objects is not the problem.

Something happens to the AJAX calls if you do not have *ALLOBJ authority and we are unable to find out what it is.

richard.milone
01-15-2010, 09:25 AM
Ok, let's dig a little deeper into the problem then. Can you post up the job log where it shows the error details so we can analyze it?

kevin.packard
01-18-2010, 05:44 AM
It does not look like an error occurs for this problem on the system i, but I have attached a joblog for one of the jobs that was used by the web page and ended.

Even more strange is that when I use Firebug to view what's happening to one of the grids causing a problem, if you refresh the grid it works, refresh again it fails with the following:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>500 Internal Server Error</TITLE>
</HEAD><BODY>
<H1>Internal Server Error</H1>
Cannot read script output pipe.
</body></html>

Then you refresh again, it's OK. Refresh again, it fails, again, it's OK and the pattern continues.

Once you start having these problems, others can start losing connection to the HTTP server too.

richard.milone
01-18-2010, 11:00 AM
Ok, I think I know the problem now. In your Apache server instance configuration you have the OVERRIDE_JOB_USER set on, like:

SetEnv OVERRIDE_JOB_USER Y

If you're running at system security level 30 or higher, you will also need to have the RESET_JOB_USER set on, like:

SetEnv RESET_JOB_USER Y

I bet your RESET_JOB_USER is turned off. This causes Valence to change to a certain user profile on the first request but then not have the ability to change to another user at a later point when you're running at system security level 30 or higher.

Let's look at what happens when RESET_JOB_USER is off. Say user JOE makes the first request. Valence switches the CGI job from profile QTMHHTP1 to JOE and the request is handled fine. Then user MIKE makes a request to the same CGI job which is currently running under user JOE and the request fails. This is because user MIKE has no object authority to user JOE to make the profile switch.

Now let's look at what happens when RESET_JOB_USER is on. User JOE makes the first request. Valence switches the CGI job from profile QTMHHTP1 to JOE, handles the request, then because RESET_JOB_USER is on, switches the profile back to QTMHHTP1 when done. Next, user MIKE makes a request to the same CGI job and is able to make the switch from QTMHHTP1 to MIKE and everything works fine.

So, try switching on RESET_JOB_USER in your Apache server instance configuration and let us know if this fixes the problem.
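
[Added example, not part of the original post and not Valence's own code.] A small check for the configuration mismatch described above: it reads an Apache instance configuration and flags OVERRIDE_JOB_USER set on without RESET_JOB_USER at security level 30 or higher. The function names and sample configurations are constructed for illustration; container scoping and Include files are ignored, and only the literal value Y shown in the thread is treated as "on".

```python
import re

# "SetEnv NAME [value]"; Apache directive names are case-insensitive.
# The trailing \s+ keeps SetEnvIf and similar directives from matching.
SETENV = re.compile(r'^\s*SetEnv\s+(\S+)(?:\s+(.*?))?\s*$', re.IGNORECASE)


def effective_setenv(conf_text):
    """Return {name: value} for SetEnv lines; a later line overrides an earlier one.

    Assumption: the whole text is treated as a single scope.
    """
    env = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith('#'):      # commented-out directive
            continue
        m = SETENV.match(line)
        if m:
            env[m.group(1)] = (m.group(2) or '').strip().strip('"\'')
    return env


def audit_job_user_switching(conf_text, security_level):
    """Return findings for the profile-switch mismatch described in the thread."""
    env = effective_setenv(conf_text)
    override_on = env.get('OVERRIDE_JOB_USER') == 'Y'
    reset_on = env.get('RESET_JOB_USER') == 'Y'
    findings = []
    if override_on and not reset_on and security_level >= 30:
        findings.append(
            'OVERRIDE_JOB_USER is Y but RESET_JOB_USER is not Y at security '
            'level %d: a pooled CGI job stays under the first user profile and '
            'later profile switches fail' % security_level)
    return findings


# Constructed sample configurations (not taken from a real server).
BROKEN_CONF = """\
SetEnv OVERRIDE_JOB_USER Y
# SetEnv RESET_JOB_USER Y
"""
FIXED_CONF = """\
SetEnv OVERRIDE_JOB_USER Y
SetEnv RESET_JOB_USER Y
"""

if __name__ == '__main__':
    for name, conf in (('broken', BROKEN_CONF), ('fixed', FIXED_CONF)):
        print(name, audit_job_user_switching(conf, 40) or 'ok')
```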

kevin.packard
01-22-2010, 05:11 AM
That has solved the problem.

Thanks for your help.