Re: ADO.NET provider and iSeries security

Scott,

My original idea was going to be that the .NET provider would 
establish its connection with a "generic" iSeries user and then 
switch to the query user using the handle.

Dangerous. Unless you take great care to disable all the connection
pooling that's on by default (if you even can, never thought to try) you
don't want to connect as one "generic" user and then switch to another
on the back end. There's one connection pool per unique connection
string. Since all your connections would have the same connection string
there'd be one pool. If you ever neglected to swap profiles you'd be
running as the last user id to use that connection. Ensuring security
would be a nightmare. 

Why not just have the app ask the user for their user id and then form
the connection string appropriately? Or are you trying to emulate the
integrated security concept from SQLServer?

Anyway, here is my initial thought: Use a _small_ iSeries web app to do
the authentication. Have it generate a security token (UUID perhaps) and
write that token, along with the authenticated user id into a table on
the iSeries (and perhaps the client IP). Then redirect to your web app
passing the UUID on the connection string. The .NET app then reads the
table on the iSeries and gets the userid for that UUID (and deletes the
row so it can't be reused). The .NET app then knows the user profile it
should adopt. 

Here's the problem with that approach. To swap to a user profile w/out
knowing the password you have to have *Use rights to the target profile.
Are you willing to give the generic login user *Use rights to all the
target profiles? If so, it should work.

-Walden