Authentication Services

Classes are provided by the AS/400 Toolbox for Java that interact with the security services provided by OS/400. Specifically, support is provided to authenticate a user identity, sometimes referred to as a principal, and password against the OS/400 user registry. A credential representing the authenticated user can then be established. You can use the credential to alter the identity of the current OS/400 thread to perform work under the authorities and permissions of the authenticated user. In effect, this swap of identity results in the thread acting as if a signon had been performed by the authenticated user.
Note: The services to establish and swap credentials are only supported for AS/400 systems at release V4R5M0 or greater.

Overview of support provided

The AS400 object now provides authentication for a given user profile and password against the AS/400 system. You can also retrieve credentials representing authenticated user profiles and passwords for the system. To do this, you use the getProfileToken() methods to retrieve instances of the ProfileTokenCredential class. Think of profile tokens as a representation of an authenticated user profile and password for a specific AS/400 system. Profile tokens expire based on time, up to one hour, but can be refreshed in certain cases to provide an extended life span.

Setting thread identities

You can establish a credential on either a remote or local context. Once created, you can serialize or distribute the credential as required by the calling application. When passed to a running process on the associated AS/400, a credential can be used to modify or swap the OS/400 thread identity and perform work on behalf of the previously authenticated user.

A practical application of this support might be a two-tier application, with authentication of a user profile and password being performed by a graphical user interface on the first tier (i.e. a PC) and work being performed for that user on the second tier (the AS/400). By using ProfileTokenCredential objects, the application can avoid passing user IDs and passwords directly over the network. The profile token can then be distributed to the program on the second tier, which can perform the swap() and operate under the OS/400 authorities and permissions assigned to the user.

Note: While inherently more secure than passing a user profile and password due to limited life span, profile tokens should still be considered sensitive information by the application and handled accordingly. Since the token represents an authenticated user and password, it could potentially be exploited by a hostile application to perform work on behalf of that user. It is ultimately the responsibility of the application to ensure that credentials are accessed in a secure manner.

Example

Refer to this code for an example of how to use a profile token credential to swap the OS/400 thread identity and perform work on behalf of a specific user.
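The two-tier flow described above, written out as an added example that is not part of the original documentation: tier one authenticates the user and obtains a single-use, short-lived profile token; tier two, running on the AS/400, swaps to that identity, performs its work, and swaps back. The AS400, ProfileTokenCredential and AS400Credential classes and their methods are the Toolbox's public API; the host name, the byte-array transport between tiers, and the reset of the token's system to the local AS/400 after deserialization are assumptions made for this example.

```java
import java.io.*;
import com.ibm.as400.access.AS400;
import com.ibm.as400.security.auth.AS400Credential;
import com.ibm.as400.security.auth.ProfileTokenCredential;

public class ProfileTokenExample {

    // Tier one (the PC): authenticate the user and return a serialized profile
    // token, so the user ID and password never leave this tier.
    static byte[] authenticateOnTierOne(String systemName, String userId, String password)
            throws Exception {
        AS400 system = new AS400(systemName, userId, password);     // placeholder host and user
        ProfileTokenCredential token = new ProfileTokenCredential();
        token.setSystem(system);
        token.setTokenType(ProfileTokenCredential.TYPE_SINGLE_USE); // valid for exactly one swap
        token.setTimeoutInterval(60);                                // expires 60 seconds after creation
        token.setToken(userId, password);                            // authenticates against the user registry
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(token);                                  // the credential is Serializable
        }
        return bytes.toByteArray();   // hand this to tier two over a protected channel (assumed transport)
    }

    // Tier two (on the AS/400): rebuild the token, swap the thread identity,
    // run the work, then always swap back and destroy both credentials.
    static void runOnTierTwo(byte[] serializedToken, Runnable work) throws Exception {
        ProfileTokenCredential token;
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(serializedToken))) {
            token = (ProfileTokenCredential) in.readObject();
        }
        // Assumption: point the token at the local system before swapping.
        token.setSystem(new AS400("localhost", "*CURRENT", "*CURRENT"));
        if (!token.isCurrent()) {
            throw new IllegalStateException("profile token has expired or been destroyed");
        }
        AS400Credential original = token.swap(true); // swap, keeping a credential to swap back
        try {
            work.run();          // executes under the authenticated user's authorities
        } finally {
            original.swap();     // restore the original thread identity
            original.destroy();
            token.destroy();     // the single-use token is consumed, but release it explicitly
        }
    }
}
```

The finally block guarantees the thread identity is restored and the token destroyed even if the work throws, so a failed request cannot leave the thread running as the swapped-in user.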