I'd agree with what's already been said: I don't think the right approach is to try to change the user of the job, but to use a single database connection profile. If you want non-IBM i users to be able to use the system, you will in any case have to have a shared user id that these people use, won't you?

having the stored procedure check that the validation list user has
authority to a table also seems problematic in terms of making sure
malicious code is not calling the SP.

It's not problematic if you pass the token to the stored procedure and then have the stored procedure validate it because only a previously authenticated user would have a valid token. Of course, passing the user id and having the stored procedure trust it blindly would be a bad idea!

For example, all our stored procedures have this line of code at the start:

set currentUser = WAA_UDF_CheckAuth(SYSIBM.ROUTINE_SCHEMA,
                                    SYSIBM.ROUTINE_SPECIFIC_NAME,
                                    CURRENT CLIENT_USERID);


The CURRENT CLIENT_USERID register is set during the database connect to the token, not the user id. With the JDBC driver it's done like this, but it's a long time since I fiddled with PHP so I can't remember how you'd do the same thing.

con.setClientInfo("ClientUser", authToken);

The function above decrypts the token, ensures it's valid and not expired then checks the real user's authority to the stored procedure itself (by checking our authority set-up) and returns the user id, which we can use in our audit columns and to filter the data according to the user's data rights. If the token is not valid then an exception is thrown and ultimately a 403 is sent back to the client.





________________________________
From: WEB400 <web400-bounces@xxxxxxxxxxxx> on behalf of Steve Richter <stephenrichter@xxxxxxxxx>
Sent: 21 August 2018 19:59
To: Web Enabling the IBM i (AS/400 and iSeries)
Subject: Re: [WEB400] web app security - user profile or validation list?

On Tue, Aug 21, 2018 at 1:28 PM, Justin Taylor <JUSTIN@xxxxxxxxxxxxx> wrote:

I think the general MO is to have web apps run as a fixed user.


Thank you. Good to know.

The fixed user does seem like a problem. Journaling does not show a
meaningful user name. And, since the PHP code has to have authority to
database tables, you have to grant authority to the tables to the fixed
user (or go the SP-only route).

having the stored procedure check that the validation list user has
authority to a table also seems problematic in terms of making sure
malicious code is not calling the SP.
--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing list
To post a message email: WEB400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/web400.
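The token-in-CLIENT_USERID scheme described in the reply above, worked through as an added example (this is not the poster's WAA_UDF_CheckAuth or any code from the thread). It models the stored-procedure side in Python rather than SQL PL so the checks can be run stand-alone: a login step issues a token carrying the real user id and an expiry, the web tier would place that token in the client user register instead of a user id, and a check_auth function validates it before returning the user id for audit columns and row filtering. The poster's function decrypts its token; this example uses an HMAC-authenticated token instead, which gives the same forgery resistance without confidentiality. The secret, the authority table and the routine names are constructed for the example, and the 403 mapping stands in for "an exception is thrown and ultimately a 403 is sent back".

```python
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Constructed secret for the example. In production this lives in a key
# store on the database side, never in application source.
SERVER_SECRET = b"example-only-secret-do-not-reuse"

# Constructed authority table: which authenticated users may call which
# stored procedure. Stands in for the post's "authority set-up".
ROUTINE_AUTHORITY = {
    ("WAA", "GET_ORDERS"): {"ALICE", "BOB"},
    ("WAA", "POST_PAYROLL"): {"BOB"},
}


class AuthError(Exception):
    """Token missing, malformed, forged, expired, or user not authorized."""


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Value the web tier sets as the client user after a successful login.

    payload = "<user>|<expiry epoch>", tag = HMAC-SHA256(secret, payload).
    """
    if now is None:
        now = int(time.time())
    payload = f"{user_id}|{now + ttl_seconds}".encode("ascii")
    tag = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return f"{_b64e(payload)}.{_b64e(tag)}"


def check_auth(routine_schema: str, routine_name: str, client_userid: str,
               now: Optional[int] = None) -> str:
    """Validate the token found in CLIENT_USERID and return the real user id.

    A bare user id such as "ALICE" has no tag and is rejected, which is the
    point of passing a token rather than trusting a caller-supplied name.
    """
    if now is None:
        now = int(time.time())
    try:
        payload_b64, tag_b64 = client_userid.split(".", 1)
        payload = _b64d(payload_b64)
        tag = _b64d(tag_b64)
    except ValueError:  # no ".", bad base64 (binascii.Error is a ValueError)
        raise AuthError("malformed token")

    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise AuthError("invalid token signature")

    try:
        user_id, expiry_text = payload.decode("ascii").split("|", 1)
        expiry = int(expiry_text)
    except ValueError:
        raise AuthError("malformed token payload")
    if now >= expiry:
        raise AuthError("token expired")

    # Authority check against the routine itself, not just the tables it touches.
    if user_id not in ROUTINE_AUTHORITY.get((routine_schema, routine_name), set()):
        raise AuthError(f"{user_id} not authorized to {routine_schema}.{routine_name}")
    return user_id


def call_procedure(routine_schema: str, routine_name: str, client_userid: str,
                   now: Optional[int] = None) -> Tuple[int, str]:
    """Simulate the SP prologue: any AuthError becomes an HTTP 403."""
    try:
        current_user = check_auth(routine_schema, routine_name, client_userid, now)
    except AuthError as err:
        return 403, f"Forbidden: {err}"
    return 200, f"running {routine_schema}.{routine_name} as {current_user}"


if __name__ == "__main__":
    token = issue_token("ALICE", ttl_seconds=3600)
    print(call_procedure("WAA", "GET_ORDERS", token))
    print(call_procedure("WAA", "POST_PAYROLL", token))
    print(call_procedure("WAA", "GET_ORDERS", "ALICE"))  # bare user id, rejected
```

The two properties worth checking are that a caller who knows a valid user name but holds no token gets a 403, and that a token for one routine does not grant another. With the JT400 driver the token would be supplied through setClientInfo("ClientUser", token) as in the reply, and the UDF would perform the equivalent of check_auth inside Db2.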

