Re: web app security - user profile or validation list?

I think the general MO, is to have web apps run as a fixed user.

I know that CGI allows you to run as the logged in user, but that wouldn't work with validation list authentication and I don't know about PHP.

IBM does profile swapping, but I'd be reluctant to put a DIY method into production.




-----Original Message-----
From: Steve Richter [mailto:stephenrichter@xxxxxxxxx]
Sent: Tuesday, August 21, 2018 10:53 AM
To: Web Enabling the AS400 / iSeries <web400@xxxxxxxxxxxx>
Subject: [WEB400] web app security - user profile or validation list?

not sure how users should login to a PHP web page and access the IBM i database. Are there good solutions?

Initially I was using basic authentication. The browser would prompt for user name and password. The PHP code would then store the user name and pass in $_SERVER variables. PHP_AUTH_USER and PHP_AUTH_PW.

This worked. But the process is a bit confusing. But more so, what to do when adding a web user who does not have an IBM i user profile?

So I changed to using validation lists. Which are easier to work with in a SPA type web page. And the login prompt is a bootstrap modal that looks better.

The problem with validation list is how to run code on the server under the IBM i user profile of the web user? I know about the QSYGETPH and QWTSETP APIs which allows a job to change its user profile. But you need the password of the user to do this. Where to securely store the password? Or give QTMHHTTP authority to switch to a user profile without the password.
Which means any code running in PHP can switch to another user profile?

Is there guidance from IBM on how to limit access to tables and programs to specific user profiles when running PHP web code?