× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. JAVA400-L
  3. February 2005

Storing encrypted passwords on AS400

Brett,

In terms of securing external web users and passwords.

1.  Here is an interesting new feature in V5R3.  I don't think it helps you
as much since changing files is a pain for you given your customer base.  We
share similar constraints.

http://www.eservercomputing.com/iseries/articles/index.asp?id=950

2. Will standard OS400 file and object security help you in this case?
a. For example, could you secure the authentication/password file to only
authorized userid and even further you can create logical files or views
over the physical removing the password fields and then allowing userid the
use of the authentication file without seeing or using the password?  The
net is only authorized people will be able to see your passwords.  Your
connection pools uses an appropriate connection userid.   It is also
possible to "swap user profiles" using an API but I haven't tried this.

3. We also often use the JT400 JDBC against a DB2 file for authentication
for "self service" applications.  It works very well for menu based data
driven authorization to particular operations and as you mentioned, we can't
create user profiles for all web users since they are outside agents or the
public in cases.  It can make your application user aware and allow easy
integration for self service  (i.e.  when an insurance agent signons they
can only see the claims and policies that they are entitled to and NOT other
agent info.

4. We make use of the JT400 connection property  "access=read only; "  ( I
think that is the property) which ensures ONLY read or query activity can be
performed on this connection.

5. This to me is a particularly interesting topic since the majority of web
applications I see on the 400 are for "self service" where the user's don't
and can't have user profiles and therefore most applications require being
aware of the current user to restrict data.




Thanks,  Paul Holm

Business: 760-432-0600   Home: 760-432-6550
PlanetJ - Makers of WOW  (AKA... WebSphere on Steroids)
www.gotwebdata.net




--
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.300 / Virus Database: 265.8.6 - Release Date: 2/7/2005

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.