× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. OPENSOURCE
  3. October 2017

Re: [IBMiOSS] Node in-house auth?

That's sounds like a disaster waiting to happen.

-----Original Message-----
From: Mark Ford [mailto:Mark.Ford@xxxxxxxxxxx]
Sent: Tuesday, October 24, 2017 3:30 AM
To: IBMi Open Source Roundtable <opensource@xxxxxxxxxxxx>
Subject: Re: [IBMiOSS] Node in-house auth?

If the Kerberos routine that performs the authorisation returns you the user name (id@REALM) you can permit or deny actions in your application code via some sort of application authorisation/permissions file.

If you prefer to further authenticate the user has an actual IBM i ID you can use the eimGetTargetFromSource API to lookup the target ID from the source ID and verify it exists and is enabled.

If you actually want to perform the function under the authority of the IBM i user you could potentially perform a profile switch to the user, do the work, then switch back. Or in the case of database operations through the IBM API you might want to make the connection to the database as the user, issue the requests then disconnect. I should imagine there would be overhead with both of these approaches and there may be issues with async type operations and blocking. You wouldn't want the node process to start servicing a request for another user whilst still switched to the previous.

It makes you realise how much Apache is doing for you as it can take care of all of this by itself.

Disclaimer. I'm a sysadmin, not a developer, so these are just my thoughts/suggestions on an approach and these may or may not be practical.

Mark

nd think before you print this email.

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow-Ups:
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.