ibmi-brunch-learn

Using APIs to authenticate user from external (Web based) software


  • Using APIs to authenticate user from external (Web based) software

    I'm not entirely sure this is the right Forum for this topic. I've found various examples, and know where to look on IBM.com to find information about APIs, so I can get to the basics.

    We have a situation where we have a web-based program. Our warehouse users want to use it to perform inventory transactions on the iSeries. Our inventory transactions have to be carefully regulated because they are considered financial data. My local guru has suggested a method to do this. I'm just now investigating, but wonder if anyone has any suggestions or examples of something similar.
    1. Software will prompt the user for their AS/400 userid and password.
    2. Set up an API in the iSeries application for the Software to call with a read-only ID. (This will be hard-coded in the connection string.)
       1. Software will pass the userid and password as parameters to a stored procedure.
       2. The ID here is a "generic" ID that is used by the external software. It already exists and has read-only access to our files.
    3. The API will call a program that has *OWNER authority to authenticate the userid and password (QSYGETPH).
       1. This is needed because you must have *USE to a profile to authenticate to it.
       2. If it fails, return failure with a message.
       3. If it passes, continue.
    4. If validated, then check the iSeries application user group for the profile passed in PARM to see if they can do inventory transactions.
       1. If not: failed.
       2. If yes: continue.
    5. Use (QWTSETP) to switch the connection to run under the AS/400 ID provided by the Software. I'm assuming he means switch to the actual user's ID.
    6. Perform the inventory transaction. (I've got this part handled.)
    7. Use (QSYRLSPH) to release the ID.
    8. Return processing status to the Software.

    Does this sound workable? Does anyone have any ideas to make this better or safer? The entire prospect makes me a little nervous.

    Thank you!
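    The profile-handle sequence from steps 3, 5 and 7 above, as an added ILE RPG example (not code from this thread). It assumes the program adopts owner authority as the poster describes, that the stored procedure called over ODBC passes it the userid and password, and that INVPOST is a hypothetical transaction program; the point it makes is that the handle for the job's own profile is taken before the swap, and the swap-back and releases run on every path, including when the transaction itself fails.

```rpgle
**free
ctl-opt dftactgrp(*no) actgrp(*new) main(runAsUser);
// API error-code structure; bytesProv > 0 makes each API return msgId rather than send an escape
dcl-ds apiErr_t qualified template;
  bytesProv int(10) inz(%size(apiErr_t)); bytesAvail int(10) inz(0);
  msgId char(7); reserved char(1); msgData char(256);
end-ds;
dcl-pr QSYGETPH extpgm;   // Get Profile Handle: validates the password and issues a handle
  user char(10) const; password char(512) const; handle char(12); err likeds(apiErr_t);
  pwLen int(10) const options(*nopass); pwCcsid int(10) const options(*nopass);
end-pr;
dcl-pr QWTSETP extpgm; handle char(12) const; err likeds(apiErr_t); end-pr;   // Set Profile
dcl-pr QSYRLSPH extpgm; handle char(12) const; err likeds(apiErr_t); end-pr;  // Release handle
dcl-pr postInventory extpgm('INVPOST'); end-pr;  // hypothetical inventory transaction program
dcl-proc runAsUser;
  dcl-pi *n;
    user     char(10) const;
    password varchar(512) const;
    status   char(7);             // blank = success, otherwise a message id
  end-pi;
  dcl-s myHandle char(12); dcl-s userHandle char(12);
  dcl-ds err likeds(apiErr_t) inz(*likeds);
  status = *blanks;
  // Handle for the job's own profile, taken *before* swapping so we can get back to it
  QSYGETPH('*CURRENT' : '*NOPWD' : myHandle : err);
  if err.bytesAvail > 0;
    status = err.msgId;
    return;
  endif;
  // Step 3: authenticate the web user; a wrong password or disabled profile is reported as a message id (e.g. CPF22E2, CPF22E3)
  QSYGETPH(user : password : userHandle : err : %len(password) : 0);
  if err.bytesAvail > 0;
    status = err.msgId;
    QSYRLSPH(myHandle : err);
    return;
  endif;
  QWTSETP(userHandle : err);      // Step 5: the job now runs as the web user
  if err.bytesAvail > 0;
    status = err.msgId;
  else;
    monitor;
      postInventory();            // Step 6: transaction under that user's own authority
    on-error;
      status = 'INVFAIL';         // constructed status: the transaction itself failed
    endmon;
  endif;
  QWTSETP(myHandle : err);        // always swap back, even after a failure
  QSYRLSPH(userHandle : err);     // Step 7: release both handles
  QSYRLSPH(myHandle : err);
end-proc;
```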

  • #2
    It sounds like a reinvention of the wheel. What is wrong with just configuring Apache to use User Id/PW validation? Or if they don't all already use individual user Ids then use Authorization lists.

    There is some good basic free web security stuff on www.easy400.net including programs to manage authorization lists.



    • #3
      OK, well, I don't think I explained myself quite right. This third-party software is connecting to the iSeries using an ODBC connection. I'm not familiar with Apache. From the little I've read, I don't believe we use it right now.

      I've actually managed to get everything I needed to work with one exception: our files are secured by groups and I haven't quite figured out, once I have the user's group, how to check the authority on the inventory master file to see if they have either *ALL or *CHANGE access.

      I found QSYLUSRA ...but it looks like that it is for specific users only, not groups.

      Believe me, if I can find an example of something more straightforward, I will use it!

      Thank you for your response. I appreciate your time a lot!
