How would it supplement OS security? If your server program is running as a named user, that will be the user the OS uses for authorization regardless of the end-user (unless it does user swapping like CGI).
-----Original Message-----
From: Nathan Andelin [mailto:nandelin@xxxxxxxxx]
Sent: Friday, December 23, 2016 12:51 PM
To: Web Enabling the IBM i (AS/400 and iSeries) <web400@xxxxxxxxxxxx>
Subject: Re: [WEB400] In-house authentication & authorization
So your app/framework stands in for the OS for authentication/authorization?
I view the app/framework as a supplement to OS authentication/authorization - not a replacement. I hope that makes sense. Green-screen applications often supplement with rules which are outside the scope of IBM i object authorities (i.e. which users can run a menu item, User A may see employee SSN - not User B).
The first problem being another set of credentials for every user.
Web App/frameworks often include a variety of options for authenticating users:
1. Against a database of users.
2. Against IBM i user profiles and authentication rules (including disabled profiles, expired passwords, etc.).
3. Against LDAP directories.
4. Against OAuth realms.
My company provides multi-tenant hosting for K-12 schools and school districts. My user profile is authenticated against my IBM i user profile.
However, we don't set up IBM i user profiles for students and parents (for example), because they have no need for services such as ACS, telnet, ssh, ftp, etc. They're only using browser user interfaces. We set up a user profile for them in an IBM i table, and authenticate against that.