Jon, I do not know enough about the apache config file. Don't think I am
totally dense.

Where is the user entered that Apache is talking about? Is that a basic
authentication user name?
https://httpd.apache.org/docs/2.4/howto/public_html.html

I am writing SPA apps, using vue.js, where 95% of the code of the web app
is written in javascript and runs in the browser. Even the user login is a
bootstrap modal that drops down on the web page and prompts for user name
and password. I have had trouble using basic authentication in this type
of setting. So instead I handle the user name and pass prompt the same as
any other prompt. Send the data to the server as an $.ajax request. Only
the URL is a specific PHP file which validates the password against the
validation list and stores the values in $_SESSION variables.

What I want is to route both user profile users and validation list users
thru the same login and authentication process. Users in the office have
an IBM i profile. Sales reps might not. But sales reps are given access to
customer and orders web pages, same as users in the marketing and customer
service depts.

I want work done thru the web by user profile users to show up in database
journals under their user profile name. If they are running spooled
reports from the web that are being *SAVED, I want those spooled files to
be found under their profile. Same with messages sent to message queue.
And of course, authority to database tables controlled by object authority.

As far as validation list being less than a user profile - why? The
password is just as secure. There is attribute info that can be stored
along with the entry id and password in the validation list entry (have
not tested this).
https://www.ibm.com/support/knowledgecenter/en/ssw_i5_54/apis/qsyavle.htm
If that attribute info stores the user profile name, why not set the user
profile password to the same as the validation list entry? Then when I
authenticate against the validation list I can switch to the user profile
name stored as a validation list attribute.

If programmers were writing IBM i apps from scratch today there would be no
green screen login. Minimal batch work. All web apps. Would all that work
be running thru just a handful of user profiles?





On Wed, Aug 22, 2018 at 1:34 PM, Jon Paris <jon.paris@xxxxxxxxxxxxxx> wrote:

It seems as if you are making this WAY more complicated than it need be,
Steve.

We don't (and wouldn't) use a regular user profile in a validation list.
Validation list users do not use the system in the normal sense. It is just
a way of grouping together web users who have no need for a conventional
sign on with all the associated security considerations. For a given group
of web users we assign a specific user profile (identified in the apache
config) to the group. That controls what they can do. Apache takes care of
the switch.

When the user signs in we store the user Id in the session. No need to
store the password - we don't need it. If we need to log any of the actions
as specific to a user we use the stored user Id.

That's it. All security is via the user Id associated with the validation
list group.

What more do you need?


Jon Paris

www.partner400.com
www.SystemiDeveloper.com
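As an added illustration of the "user profile identified in the apache config" Jon describes (an example of mine, not code from the thread or from partner400), this is the shape of the IBM HTTP Server (powered by Apache) directives involved on IBM i; the directory paths, the validation list QUSRSYS/WEBVLDL and the profile WEBSALES are assumed names.

```apache
# Added example, not from the thread. Assumed names: /www/mysite,
# QUSRSYS/WEBVLDL (validation list), WEBSALES (group profile).

# Sales reps: authenticate against a validation list, and every request
# under this directory runs as the one group profile WEBSALES.
<Directory /www/mysite/htdocs/sales>
    AuthType Basic
    AuthName "Sales Web Users"
    # validation list in library/object form, not user profiles
    PasswdFile QUSRSYS/WEBVLDL
    # Apache switches to this profile; it decides what the group can do
    UserID WEBSALES
    Require valid-user
</Directory>

# Office staff: authenticate against IBM i user profiles and run as the
# signed-on profile, so journal entries and spooled files carry that name.
<Directory /www/mysite/htdocs/office>
    AuthType Basic
    AuthName "Office Users"
    # %%SYSTEM%% = check the password against the user profile
    PasswdFile %%SYSTEM%%
    # %%CLIENT%% = run the request as the authenticated profile
    UserID %%CLIENT%%
    Require valid-user
</Directory>
```

WEBSALES should hold only the object authority the sales group actually needs, since every request in that directory runs under it. The second block is the route to per-user journaling that Steve is after, but it means office users authenticate to Apache with their profile password rather than through a custom PHP prompt.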

On Aug 22, 2018, at 11:03 AM, Steve Richter <stephenrichter@xxxxxxxxx>
wrote:

Is it secure to have a user profile name associated with a validation
list entry name, and then have the user enter the same password in the
validation list as they do for their IBM i user profile?

The PHP code of a web site could store the validation list user and
password in $_SESSION variables. Then as part of validating to the
validation list, check if the validation list user name has an IBM i user
profile associated with it.

If it does, call QSYGETPH with that user profile name and the validation
list password. If the password is accepted, call QWTSETP to switch to run
the PHP code as that user profile.

Assuming you are running HTTPS, what are the security problems with doing
this?

thanks,
--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing
list
To post a message email: WEB400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/web400.

