If your organisation uses LDAP (Active Directory) you could also validate users against that, then they can use their normal network login to access your application and don't require an IBM i user id.
The way we have tackled this problem is by using authority tokens, and it works something like this. When a user logs on, the server validates the user id and password against the LDAP server and, if the credentials are correct, a token is created which consists of the user id, role information, expiry time, some random data and a unique key to a row created for the login; this is all then encrypted, converted to base-64 and passed back to the client. On every request the token is sent back (we send it in the HTTP request header) and we set the SQL CLIENT USER_ID register with the token when a database connection is made. As we only ever call stored procedures and no other kind of SQL statement, the stored procedure decrypts the token to find out the user id and role, which is then used to check access rights to the SP itself and the data, as well as being used in the audit columns when data is changed. The stored procedures all use *OWNER authority and the generic user profile used to make the database connection has no data rights; the QZDASOINIT jobs all run under this generic profile.
This forms part of an open-source JavaEE/Tomcat framework that I have developed which exposes stored procedures as a web service. You can see the RPG code that does LDAP checking and token creation here if you're interested:
https://bitbucket.org/fathert/webspi-ibmi/src/master/WSPAUTSRV/
https://bitbucket.org/fathert/webspi-ibmi/src/master/
Tim.
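The token scheme Tim describes (user id, role, expiry, random data and a login-row key, encrypted and base-64 encoded on login, decrypted and checked on every call) can be shown in a few dozen lines. The Go program below is an added illustration written for this page; it is not code from Tim's framework, whose RPG implementation is at the links above. It assumes AES-GCM as the cipher so that tampering is detected by the authentication tag, a 32-byte server-side key, and the JSON field names and the `LoginKey`/`Random` field names are the author's own choices, not the framework's. `ParseToken` plays the role of the stored procedure reading the CLIENT USER_ID register: a token that fails decryption or has passed its expiry yields no user id or role at all.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// AuthToken carries the fields the message above lists for the token:
// user id, role, expiry, random data and the unique key of the login row.
type AuthToken struct {
	UserID   string `json:"uid"`
	Role     string `json:"role"`
	Expires  int64  `json:"exp"` // Unix seconds after which the token is refused
	LoginKey string `json:"key"` // key of the per-login row (assumed field name)
	Random   []byte `json:"rnd"` // random filler so equal logins never yield equal tokens
}

var (
	ErrExpired = errors.New("token expired")
	ErrInvalid = errors.New("token invalid")
)

// newAEAD builds an AES-GCM cipher from a 16-, 24- or 32-byte server key.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// IssueToken encrypts and authenticates the token with AES-GCM and returns
// it as base64 text suitable for an HTTP header value.
func IssueToken(key []byte, t AuthToken) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	if t.Random == nil {
		t.Random = make([]byte, 16)
		if _, err := rand.Read(t.Random); err != nil {
			return "", err
		}
	}
	plain, err := json.Marshal(t)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// Ciphertext layout: nonce || AES-GCM(plaintext) || tag.
	sealed := aead.Seal(nonce, nonce, plain, nil)
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// ParseToken is the server-side counterpart (what the stored procedure does
// with the CLIENT USER_ID register value): it decodes, decrypts, checks the
// GCM tag and the expiry, and only then hands back user id and role.
func ParseToken(key []byte, encoded string, now time.Time) (AuthToken, error) {
	var t AuthToken
	aead, err := newAEAD(key)
	if err != nil {
		return t, err
	}
	sealed, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil || len(sealed) < aead.NonceSize() {
		return t, ErrInvalid
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	plain, err := aead.Open(nil, nonce, ct, nil)
	if err != nil {
		return t, ErrInvalid // wrong key or tampered token
	}
	if err := json.Unmarshal(plain, &t); err != nil {
		return t, ErrInvalid
	}
	if !now.Before(time.Unix(t.Expires, 0)) {
		return t, ErrExpired
	}
	return t, nil
}

func main() {
	key := make([]byte, 32) // constructed demo key; a real key lives in protected storage
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	tok, err := IssueToken(key, AuthToken{UserID: "jsmith", Role: "clerk",
		Expires: time.Now().Add(30 * time.Minute).Unix(), LoginKey: "login-0001"})
	if err != nil {
		panic(err)
	}
	fmt.Println("token:", tok)
	got, err := ParseToken(key, tok, time.Now())
	fmt.Printf("user=%s role=%s err=%v\n", got.UserID, got.Role, err)
}
```

Because the same key both issues and verifies tokens, it must never leave the server; the client only ever holds opaque ciphertext. The login-row key is what lets the server revoke a session early by deleting that row, independent of the expiry carried in the token.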
________________________________
From: WEB400 <web400-bounces@xxxxxxxxxxxx> on behalf of Steve Richter <stephenrichter@xxxxxxxxx>
Sent: 21 August 2018 17:53
To: Web Enabling the AS400 / iSeries
Subject: [WEB400] web app security - user profile or validation list?
Not sure how users should log in to a PHP web page and access the IBM i
database. Are there good solutions?
Initially I was using basic authentication. The browser would prompt for
user name and password. The PHP code would then store the user name and
pass in $_SERVER variables. PHP_AUTH_USER and PHP_AUTH_PW.
This worked. But the process is a bit confusing. But more so, what to do
when adding a web user who does not have an IBM i user profile?
So I changed to using validation lists. Which are easier to work with in a
SPA type web page. And the login prompt is a bootstrap modal that looks
better.
The problem with validation lists is how to run code on the server under the
IBM i user profile of the web user? I know about the QSYGETPH and QWTSETP
APIs which allow a job to change its user profile. But you need the
password of the user to do this. Where to securely store the password? Or
give QTMHHTTP authority to switch to a user profile without the password,
which means any code running in PHP can switch to another user profile?
Is there guidance from IBM on how to limit access to tables and programs to
specific user profiles when running PHP web code?
--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing list
To post a message email: WEB400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit:
https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at
https://archive.midrange.com/web400.