He said he wants his journal to show the IBMi profile of the actual user, and that profile to be used for authority checking.
Yep, I know, but he also wants non-IBM i users to access the app, so neither will work if the web app user doesn't have an IBM i user profile, in which case they will use a generic profile. This, IMO, makes the whole concept break down because all your non-IBM i users will be journalled under the generic profile.
________________________________
From: WEB400 <web400-bounces@xxxxxxxxxxxx> on behalf of Justin Taylor <JUSTIN@xxxxxxxxxxxxx>
Sent: 22 August 2018 19:14
To: Web Enabling the IBM i (AS/400 and iSeries)
Subject: Re: [WEB400] web app security - user profile or validation list?
He said he wants his journal to show the IBMi profile of the actual user, and that profile to be used for authority checking.
-----Original Message-----
From: Tim Fathers [mailto:X700-IX2J@xxxxxxxxxxx]
Sent: Tuesday, August 21, 2018 2:58 PM
To: Web Enabling the IBM i (AS/400 and iSeries) <web400@xxxxxxxxxxxx>
Subject: Re: [WEB400] web app security - user profile or validation list?
I'd agree with what's already been said, I don't think the right approach is to try to change the user of the job, but to use a single database connection profile. If you want non-IBM i users to be able to use the system you will in any case have to have a shared user id that these people use won't you?
having the stored procedure check that the validation list user has
authority to a table also seems problematic in terms of making sure
malicious code is not calling the SP.
It's not problematic if you pass the token to the stored procedure and then have the stored procedure validate it because only a previously authenticated user would have a valid token. Of course, passing the user id and having the stored procedure trust it blindly would be a bad idea!
For example, all our stored procedures have this line of code at the start:
set currentUser = WAA_UDF_CheckAuth(SYSIBM.ROUTINE_SCHEMA,
SYSIBM.ROUTINE_SPECIFIC_NAME,
CURRENT CLIENT_USERID);
The current CURRENT CLIENT_USERID is set during the database connect to the token not the user id. With the JDBC driver it's done like this, but it's a long time since I fiddle with PHP so Ican't remember how you'd do the same thing.
con.setClientInfo("ClientUser", authToken);
The function above decrypts the token, ensures it's valid and not expired then checks the real user's authority to the stored procedure itself (by checking our authority set-up) and returns the user id, which we can use in our audit columns and to filter the data according to the user's data rights. If the token is not valid then an exception is thrown and ultimately a 403 is sent back to the client.
________________________________
From: WEB400 <web400-bounces@xxxxxxxxxxxx> on behalf of Steve Richter <stephenrichter@xxxxxxxxx>
Sent: 21 August 2018 19:59
To: Web Enabling the IBM i (AS/400 and iSeries)
Subject: Re: [WEB400] web app security - user profile or validation list?
On Tue, Aug 21, 2018 at 1:28 PM, Justin Taylor <JUSTIN@xxxxxxxxxxxxx> wrote:
I think the general MO, is to have web apps run as a fixed user.
thank you. good to know.
The fixed user does seem like a problem. Journaling does not show a meaningful user name. And, since the PHP code has to have authority to database tables you have to grant authority to the tables to the fixed
user. ( or go the SP only route. )
having the stored procedure check that the validation list user has authority to a table also seems problematic in terms of making sure malicious code is not calling the SP.
--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing list To post a message email: WEB400@xxxxxxxxxxxx To subscribe, unsubscribe, or change list options,
visit:
https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.midrange.com%2Fmailman%2Flistinfo%2Fweb400&data=02%7C01%7C%7C3c0bc7e29a6d4cb8fe6208d6078feb62%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636704712036555956&sdata=yBpnVZp3DV8NuNlkuDxhpMB0HBi0CizjnVR9cofkk5Q%3D&reserved=0
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives at
https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Farchive.midrange.com%2Fweb400&data=02%7C01%7C%7C3c0bc7e29a6d4cb8fe6208d6078feb62%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636704712036555956&sdata=ZyAzak4d685oRrIZH%2BTCb4XVdjntPnZGWLAMux4sn80%3D&reserved=0.
--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing list
To post a message email: WEB400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit:
https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.midrange.com%2Fmailman%2Flistinfo%2Fweb400&data=02%7C01%7C%7C86bd47a8ac9b4101e9b308d60852b8b4%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636705548703081137&sdata=hKAi5EqLRsytbMMDtGsLEZQjBD93sh%2FbFUlIxZ6tGv8%3D&reserved=0
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at
https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Farchive.midrange.com%2Fweb400&data=02%7C01%7C%7C86bd47a8ac9b4101e9b308d60852b8b4%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636705548703081137&sdata=CiDgnF%2BkCBxbc59%2FCzn%2Bm4P%2FKa5krKUXqioqWSmyBKg%3D&reserved=0.
midrange.com
