RE: User Authentication -- WEB400

Beautiful, thank you very much.

I tested and got the SSL and DCM all going yesterday playing around. That 
was when I realized that I could by pass my login authentication. I will 
change my config file and see if that helps.

Thanks

    Dave Reiher
    System Analyst
    Prairie Farms Dairy - Corporate
    Ph: 217.854.2547 ext. 254
    dreiher@xxxxxxxxxxxxxxxx



"Haas, Matt" <Matt.Haas@xxxxxxxxxxx> 
Sent by: web400-bounces@xxxxxxxxxxxx
09/01/2005 09:01 AM
Please respond to
Web Enabling the AS400 / iSeries <web400@xxxxxxxxxxxx>


To
"Web Enabling the AS400 / iSeries" <web400@xxxxxxxxxxxx>
cc

Subject
RE: [WEB400] User Authentication






Dave,

You can edit the configuration file by hand. Assuming you're using the
Apache based server, the configuration file is in /www/your server
instance name/conf and is called httpd.conf. It's based on Apache 2.0 so
any info you find for it pretty much directly applies
(http://httpd.apache.org is a good place to start). You can use the
ENDTCPSVR and STRTCPSVR commands to start and stop the server.
WARNING!!! The defaults to these commands are to start and stop *ALL*
TCP/IP servers so be very careful with them (especially the ENDTCPSVR
command).

My guess to your authentication problem is that it's doing the access
control with a Directory container instead of a Location container.
Using Directory containers for access control doesn't work well for Java
apps and Net.Data. Something along the lines of this should get you
working:

<Location /AppDirectory>
   AuthName "Eat At Joes"
   AuthType Basic
   PasswdFile mylib/myvldl
   UserID %%SERVER%%
   Require valid-user
</Location>

For SSL, you will need to use the DCM (which is part of the admin GUI)
to do the SSL setup. You can access DCM directly by going to
http://yourhostname:2001/QIBM/ICSS/Cert/Admin/qycucm1.ndm/main0. Note
that you'll need to have *SECADM special authority to use this. Also,
IBM has their own SSL implementation so information about OpenSSL
doesn't apply. Once you have the certificate set up, you'll need to add
the following lines to your httpd.conf:

LoadModule ibm_ssl_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVSSL.SRVPGM
SSLEngine On
SSLAppName app_name_from_dcm
SetEnv HTTPS_PORT 443

and add port 443 to your listen directive. You'll also need to go into
your app server and set it up so it listens on port 443 for connections.

Matt

-----Original Message-----
From: web400-bounces@xxxxxxxxxxxx [mailto:web400-bounces@xxxxxxxxxxxx]
On Behalf Of Dave Reiher/prairiefarms
Sent: Thursday, September 01, 2005 9:25 AM
To: Web Enabling the AS400 / iSeries
Subject: Re: [WEB400] User Authentication

Actually what I am trying now is just using web facing. I wrote some RPG

ILE apps that will display the information to my users using sub files
and 
then put a web facing project on top of it. The bonus I see with this is

that every RGP die hard in our shop can do maintenance on the
applications 
or add new ones. This way the only thing that I am exclusively
responsible 
for is the web facing piece of it, this takes a little of the burden off

of me. It seems to work okay for my purposes, and it performs fairly
well 
when I try it from an OLD 98 machine with a dial up connection, this 
surprised me.

Now my issue is security.
If I put a web validation list for the / directory I would have thought 
this would prompt me for a user name when hitting my application. If I
hit 
the index page it does, but if I enter the entire address (i.e. 
server:1000/AppDirectory) I can get right to it with no prompt for user 
and password. Anyone tell me how I should set the security up for my 
application to use a validation list???
I will want to use SSL too, but will tackle that after I get this piece 
working.

Sorry, a bit new to this world. If it were .NET and IIS I could get in 
there and do all this, now I find myself fumbling around.
Is the Web Admin interface the only GUI type admin for this stuff?? I 
don't like it........

Thanks!

    Dave Reiher
    System Analyst
    Prairie Farms Dairy - Corporate
    Ph: 217.854.2547 ext. 254
    dreiher@xxxxxxxxxxxxxxxx



Tom Jedrzejewicz <tomjedrz@xxxxxxxxx> 
Sent by: web400-bounces@xxxxxxxxxxxx
08/31/2005 07:34 PM
Please respond to
Web Enabling the AS400 / iSeries <web400@xxxxxxxxxxxx>


To
Web Enabling the AS400 / iSeries <web400@xxxxxxxxxxxx>
cc

Subject
Re: [WEB400] User Authentication






Recapping and adding thoughts ...

On 8/29/05, Dave Reiher/prairiefarms <DReiher@xxxxxxxxxxxxxxxx> wrote:
> 
> For starters, they currently log in to an old web site using an ID we
> assigned to them and it is their account number. I can't use a number
as 
a
> user profile on the 400, can I?
> If I could do that, then I would just create each one of these as a 
usrprf
> and let that be my validation.


Better (as noted by several folks) to use validation lists. You can 
programmatically update the list from your list of users (or even
directly 

from your customer maintenance program). 

I would really like to do that and place each report in the users
folder,
> but then there are 2000 folders (2000 is a pretty static number),
would
> that be an issue on the IFS??
> They are small reports, most are one page. So I don't believe that
space
> would be a problem and each user would never have more than 4 reports
> which would always be overwritten each night or week or month.


If all of the reports are small, why not generate them on the fly, 
directly 
into HTML, using CGIDEV2 or one of the other CGI gateway simplifiers. 

The user connects to the site, is authenticated (against the validation 
list) and is presented with the "menu" page. When a report is selected,
a 
program generates the "report" in HTML and sends it back to the driver.
It 

is also possible (although I don't know how) to generate a PDF file on
the 

fly.

Then you don't have to worry about managing 2000 folders and 8000
reports.

Not real sure where I want to go from here.......


Ain't technology grand?!