Authentication Services
Classes are provided by the AS/400 Toolbox for Java that interact with the security services provided by OS/400. Specifically, support is provided to authenticate a user identity, sometimes referred to as a principal, and password against the native OS/400 user registry. A credential representing the authenticated user can then be established. You can use the credential to alter the identity of the current OS/400 thread to perform work under the authorities and permissions of the authenticated user. In effect, this swap of identity results in the thread acting as if a signon was performed by the authenticated user.
Note: The services to establish and swap credentials are only supported for AS/400 systems at release V4R5M0 or greater.
Overview of support provided
The AS400 object now provides authentication for a given user profile and password against the AS/400 system. You can also retrieve credentials representing authenticated user profiles and passwords for the system. To do this, you use the getProfileToken() methods to retrieve instances of the ProfileTokenCredential class. Think of profile tokens as a representation of an authenticated user profile and password for a specific AS/400 system. Profile tokens expire based on time, up to one hour, but can be refreshed in certain cases to provide an extended life span.
Setting thread identities
You can establish a credential on either a remote or local context. Once created, you can serialize or distribute the credential as required by the calling application. When passed to a running process on the associated AS/400, a credential can be used to modify or swap the OS/400 thread identity and perform work on behalf of the previously authenticated user.
A practical application of this support might be a two-tier application, with authentication of a user profile and password being performed by a graphical user interface on the first tier (i.e. a PC) and work being performed for that user on the second tier (the AS/400). By using ProfileTokenCredentials, the application can avoid directly passing user IDs and passwords over the network. The profile token can instead be distributed to the program on the second tier, which can perform the swap() and operate under the OS/400 authorities and permissions assigned to the user.
Note: While inherently more secure than passing a user profile and password due to their limited life span, profile tokens should still be considered sensitive information by the application and handled accordingly. Since the token represents an authenticated user and password, it could potentially be exploited by a hostile application to perform work on behalf of that user. It is ultimately the responsibility of the application to ensure that credentials are accessed in a secure manner.
Example
Refer to this code for an example of how to use a profile token credential to swap the OS/400 thread identity and perform work on behalf of a specific user.
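The two-tier flow described above, written out as an added example (it is not the code the page links to, nor IBM's own sample). The host name, user ID, password and timeout are placeholders, the class and method names `ProfileTokenTwoTier`, `tierOneObtainToken` and `tierTwoRunAsUser` are hypothetical, and the tier-two half must run on the AS/400 itself at V4R5M0 or later, since swap() changes the local OS/400 thread identity.

```java
import java.io.*;
import com.ibm.as400.access.AS400;
import com.ibm.as400.security.auth.AS400Credential;
import com.ibm.as400.security.auth.ProfileTokenCredential;

public class ProfileTokenTwoTier {

    // Tier one (the PC): authenticate the end user once and turn the result
    // into a serialized profile token, so the user ID and password never have
    // to be forwarded to the program on the AS/400.
    static byte[] tierOneObtainToken(String host, String userId, String password)
            throws Exception {
        AS400 system = new AS400(host, userId, password); // placeholder values
        // Single-use token with a ten-minute timeout (the maximum is one hour):
        // it is consumed by one swap and cannot be replayed afterwards.
        ProfileTokenCredential token = system.getProfileToken(userId, password,
                ProfileTokenCredential.TYPE_SINGLE_USE, 600);
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(token); // treat these bytes as sensitive as a password
        }
        system.disconnectAllServices();
        return bytes.toByteArray();
    }

    // Tier two (a process on the AS/400): rebuild the credential, swap the
    // current OS/400 thread to the user it represents, do the work, then
    // restore the original identity and destroy the token.
    static void tierTwoRunAsUser(byte[] serializedToken, Runnable work) throws Exception {
        ProfileTokenCredential token;
        try (ObjectInputStream in = new ObjectInputStream(
                new ByteArrayInputStream(serializedToken))) {
            token = (ProfileTokenCredential) in.readObject();
        }
        // Bind the token to the local system; *CURRENT reuses the identity
        // of the job that is already running this code.
        token.setSystem(new AS400("localhost", "*CURRENT", "*CURRENT"));

        // swap(true) hands back a credential for the thread's original
        // identity so the swap can be undone once the work is finished.
        AS400Credential original = token.swap(true);
        try {
            work.run(); // runs under the authorities of the authenticated user
        } finally {
            original.swap(); // always restore the job's own identity
            token.destroy(); // invalidate the token as soon as it is no longer needed
        }
    }
}
```

The finally block is the important part: if the work throws, the thread would otherwise keep running as the swapped-in user, and a token that is not destroyed stays usable until it times out.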