I like it. Just that I do not have a way to create tokens. Just using
validation list to authenticate users.

You can authenticate the user however you want (LDAP/validation list/IBM user profile), all you do after the authentication step, at its most basic, is put the user id and any other things that might be useful, such as expiry timestamp, into a data-structure (if you're doing it in RPG) and then use the encryption APIs to generate some random padding and to encrypt the token. Finally you need to convert it to base-64, again with another API. You can only pass 255 characters through the CLIENT USER_ID register so your token has to be smaller than that. All the source to do it is in the link I posted before.

You could also look at JSON Web Tokens (https://jwt.io/), I don't use them in our web app because the token part was written on a machine with 7.1 which didn't have any native support for parsing JSON so I felt using a data-structure as above would be more efficient, but at some point I will make an implementation of them. I've done it for MariaDb already and on the IBM i it's even easier I think and could be done with a couple of lines of SQL and a wrapper over this API https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_72/apis/qc3calhm.htm

________________________________
From: WEB400 <web400-bounces@xxxxxxxxxxxx> on behalf of Steve Richter <stephenrichter@xxxxxxxxx>
Sent: 21 August 2018 22:19
To: Web Enabling the IBM i (AS/400 and iSeries)
Subject: Re: [WEB400] web app security - user profile or validation list?

On Tue, Aug 21, 2018 at 3:58 PM, Tim Fathers <X700-IX2J@xxxxxxxxxxx> wrote:

I'd agree with what's already been said, I don't think the right approach
is to try to change the user of the job, but to use a single database
connection profile. If you want non-IBM i users to be able to use the
system you will in any case have to have a shared user id that these people
use won't you?


yes, the non-IBM i users would use a shared profile that had limited
rights. Then, those validation list users who were associated with a user
profile, they would run as their specific user profiles. But not possible,
since a validation list cannot be linked to the QSYGETPH API.



having the stored procedure check that the validation list user has
authority to a table also seems problematic in terms of making sure
malicious code is not calling the SP.

It's not problematic if you pass the token to the stored procedure and
then have the stored procedure validate it because only a previously
authenticated user would have a valid token. Of course, passing the user id
and having the stored procedure trust it blindly would be a bad idea!


I like it. Just that I do not have a way to create tokens. Just using
validation list to authenticate users.



For example, all our stored procedures have this line of code at the start:

set currentUser = WAA_UDF_CheckAuth(SYSIBM.ROUTINE_SCHEMA,
SYSIBM.ROUTINE_SPECIFIC_NAME,
CURRENT CLIENT_USERID);


The CURRENT CLIENT_USERID is set during the database connect to
the token, not the user id. With the JDBC driver it's done like this, but
it's a long time since I fiddled with PHP so I can't remember how you'd do
the same thing.

con.setClientInfo("ClientUser", authToken);


good to know. Will be thinking about doing something similar. Just worry
that I will do something wrong or incomplete, with the result being
security holes in the application.
--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing list
To post a message email: WEB400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/web400.
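An added example (not code from the thread or from Tim's web app) of the two pieces discussed above: minting a token after authentication (user id, expiry timestamp, random padding, base-64, under the 255-character CLIENT USER_ID limit) and the WAA_UDF_CheckAuth-style check a stored procedure would run on CURRENT CLIENT_USERID. It is in Python rather than RPG/SQL, and uses an HMAC tag (the QC3CALHM idea) instead of plain encryption so a tampered token is rejected; SECRET_KEY, mint_token and check_auth are assumed names and the key is a constructed demo value.

```python
import base64, hashlib, hmac, json, os, time
from typing import Optional

# Constructed demo key; on IBM i this would be the secret shared key given to QC3CALHM.
SECRET_KEY = b"demo-key-do-not-use-in-production"
MAX_TOKEN_LEN = 255   # size limit of the CLIENT USER_ID register noted in the thread
TAG_LEN = 32          # HMAC-SHA256 output length in bytes


def mint_token(user_id: str, ttl_seconds: int = 3600,
               now: Optional[float] = None, key: bytes = SECRET_KEY) -> str:
    """After the user has been authenticated (validation list, LDAP, ...),
    pack user id + expiry + random nonce, append an HMAC tag and base64 it."""
    now = time.time() if now is None else now
    payload = {
        "u": user_id,
        "exp": int(now) + ttl_seconds,
        "n": base64.b64encode(os.urandom(8)).decode(),  # random padding so tokens differ
    }
    body = json.dumps(payload, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    token = base64.urlsafe_b64encode(body + tag).decode()
    if len(token) > MAX_TOKEN_LEN:
        raise ValueError("token would not fit in CLIENT USER_ID")
    return token


def check_auth(token: str, now: Optional[float] = None,
               key: bytes = SECRET_KEY) -> Optional[str]:
    """What a WAA_UDF_CheckAuth-style routine would do with CURRENT CLIENT_USERID:
    return the user id only if the tag verifies and the token has not expired."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except (ValueError, UnicodeEncodeError):
        return None
    if len(raw) <= TAG_LEN:
        return None
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time compare, rejects forgeries
        return None
    payload = json.loads(body)                   # body is ours: the tag verified under our key
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None                              # expired (or malformed) token
    return payload.get("u")
```

Passing the token in CLIENT_USERID and letting the procedure call check_auth is what keeps a caller from simply asserting a user id, which is the blind-trust problem Tim warns about.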


This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].