Re: Prompting for iseries user ID and password on a web application -- JAVA400-L

Hi,

Excuse my Americanism, I don't know if your first name is Lim or
Hock-Chai.

While I don't disagree with Matt's response on downsides, I understand
the reasoning for a single set of credentials, and if it's a user
requirement, there you go.

If your app server versions support JSR-196, there's a project that allows you to use form based and other container managed security with any method(s) of authentication and authorization that you want:

http://code.google.com/p/authenticroast/

I used it in a situation where US employees were validated from Active
Directory, and employees of other subsidiaries used a different method to
validate credentials. Since most containers are set up for a single type of
authentication, it really looked like trouble, but was a user requirement.

AuthenticRoast worked out really well for me. The container notifies
your method, you do whatever to validate and send back the result, and
that's pretty much it. In your case, you can use JTOpen methods to vaildate
AS/400 credentials. You could also simulate what I did by first using your
"normal" method, then trying the AS/400 if the first way fails.

The downside, of course, is that you have to provide the code for actual
authentication. For me, that meant learning code to deal with Active
Directory, which was previously handled by the container; I only had to give
configuration info. Still, I would suggest looking into it, and the
developer respionds to questions (at least for me.)

HTH,

Joe Sam

Joe Sam Shirah - http://www.conceptgo.com
conceptGO - Consulting/Development/Outsourcing
Java Filter Forum: http://www.ibm.com/developerworks/java/
Just the JDBC FAQs: http://www.jguru.com/faq/JDBC
Going International? http://www.jguru.com/faq/I18N
Que Java400? http://www.jguru.com/faq/Java400

----- Original Message ----- From: "Haas, Matt (CL Tech Sv)" <matt.haas@xxxxxxxxxxx>
To: <java400-l@xxxxxxxxxxxx>
Sent: Friday, June 11, 2010 1:16 PM
Subject: RE: Prompting for iseries user ID and password on a web application

The easiest way is to set up your HTTP server to use Basic Authentication
to password protect things. Once that is done, the user name that was
entered will be available in the remote user environment variable.

That said, it's generally not good to use user profiles for web sites
because you open the system up to hacking by providing credentials that
mean something to the base OS.

Also, there isn't a way to change passwords when they expire or reset
profiles when they get disabled from too many invalid login attempts which
will likely result in additional support calls.

Matt

----------------------------------------------------------------------

message: 1
date: Fri, 11 Jun 2010 10:12:00 -0500
from: "Lim Hock-Chai" <Lim.Hock-Chai@xxxxxxxxxxxxxxx>
subject: Prompting for iseries user ID and password on a web
application

There is a new business requirement where I've to make modification to
one of our web-app to now prompt for iseries user ID and password before
allowing user to access the application. Does any know if there is
already a pre-built tool (in jt400?) that can already do that for me or
I've to pretty much create one?

Thanks

--
This is the Java Programming on and around the iSeries / AS400 (JAVA400-L)
mailing list
To post a message email: JAVA400-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/java400-l
or email: JAVA400-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/java400-l.