
I'm working on a Spring (IoC/MVC/Security)/JTOpen project backed by DB2 on IBM System i (AS/400). For reasons I won't be able to discuss here, every user of the application was given an account on the IBM i (i5/OS) operating system so that his transactions get logged against his identity in the journal (DB2 log files). In order to achieve that, we have been establishing a connection with the user's own credentials once he logs into the system, and accordingly his transactions are recorded against his name in the journal.

Problem: Recently, we have been investigating getting a connection pool in place instead of the status quo of a connection per session. If the pool establishes these connections once the application starts, using a generic i5/OS account, say SystemAccount, and then a user logs in and requests one of these connections, is there any way to execute transactions under the identity of the user although the connection was established using the generic system account?

Eyad

2 Answers

The com.ibm.as400.security.auth package provides classes that allow user profile swapping using IBM i profile token and credential classes when using the AS400 connection class.

If you are using JDBC you can call the Security-related APIs to adopt profiles on the connection.

  • Get Profile Handle (QSYGETPH) validates a user ID and password, and creates an encrypted abbreviation called a profile handle for that user profile.
  • Set Profile Handle (QWTSETP) switches the job to run under a new profile.
  • Generate Profile Token (QSYGENPT) verifies that the caller has authority to generate a profile token for the requested profile and then generates a profile token.
  • Set To Profile Token (QSYSETPT) validates the profile token and changes the current thread to run under the user and group profiles represented by the profile token.
James Allman
  • Tried using `swap()` in the `com.ibm.as400.security.auth.AS400Credential` class, which is supposed to "swap the current thread identity based on this credential". It throws back an exception with the following message: "swap() is supported only when running natively on IBM i". The same message is used as a note in the [JavaDoc of the swap function](http://javadoc.midrange.com/jtopen/index.html?com/ibm/as400/security/auth/AS400Credential.html). Does that mean that the swap command has to come from a program hosted on the AS/400, or that my whole application has to be hosted locally on the AS/400? – Eyad Mar 17 '14 at 04:39
  • @Eyad That may be a limitation of the auth classes. I have used the API methods to adopt profiles over remote connections. – James Allman Mar 17 '14 at 05:36
  • Seems like it. The API methods worked like a charm. So I guess the only option left is to write a program to switch the identity and call it from my application which doesn't really feel right (from a security point of view). – Eyad Mar 17 '14 at 06:54
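A worked version of the JDBC route from James Allman's answer, added here as an example; it is not code from the question, the answer or JTOpen. The point it makes explicit: QSYGETPH/QWTSETP change the profile of the job that executes them, and a JTOpen `ProgramCall` on a separate `AS400` object runs in the remote-command host server job (QZRCSRVS), not in the database server job (QZDASOINIT) behind the JDBC connection. So the APIs have to be called over the pooled `Connection` itself, which this example does through SQL wrapper procedures declared with `PARAMETER STYLE GENERAL`, the same technique as the classic QCMDEXC wrapper. Everything named below that is not in the thread is an assumption: the library `MYLIB` and the wrapper names, the pool profile `SystemAccount`, that the pool profile may take a handle for itself with `*CURRENT`/`*NOPWD`, and passwords made of single-byte characters.

```java
import java.sql.CallableStatement;
import java.sql.Connection;
import java.sql.SQLException;
import java.sql.Statement;
import java.sql.Types;
import com.ibm.as400.access.AS400Text;
/** Added example, not code from the question or the answer: swap the IBM i profile of the
 *  database server job behind a pooled JDBC connection with QSYGETPH / QWTSETP / QSYRLSPH,
 *  called through SQL wrapper procedures so they run in the same job as the user's SQL.
 *  Assumed, not from the page: wrappers in library MYLIB; pool signed on as SystemAccount. */
public final class ProfileSwap implements AutoCloseable {
    private static final String OPTS =
        " LANGUAGE C PARAMETER STYLE GENERAL NOT DETERMINISTIC EXTERNAL NAME ";
    /** One-time setup by an administrator: SQL procedures that pass their arguments by
     *  reference to the system programs, like the classic QCMDEXC wrapper. Handle and
     *  error code are FOR BIT DATA so that no CCSID conversion touches them. */
    public static void createWrappers(Connection c) throws SQLException {
        String[] ddl = {
            // With the optional password length/CCSID: needed for mixed-case or >10-char passwords.
            "CREATE PROCEDURE MYLIB.GETPH6(IN USERID CHAR(10), IN PASSWORD CHAR(128),"
                + " OUT HANDLE CHAR(12) FOR BIT DATA, INOUT ERRCODE CHAR(16) FOR BIT DATA,"
                + " IN PWLEN INTEGER, IN PWCCSID INTEGER)" + OPTS + "'QSYS/QSYGETPH'",
            // Without the optional parameters: used with the *NOPWD special value.
            "CREATE PROCEDURE MYLIB.GETPH4(IN USERID CHAR(10), IN PASSWORD CHAR(10),"
                + " OUT HANDLE CHAR(12) FOR BIT DATA, INOUT ERRCODE CHAR(16) FOR BIT DATA)"
                + OPTS + "'QSYS/QSYGETPH'",
            "CREATE PROCEDURE MYLIB.SETP(IN HANDLE CHAR(12) FOR BIT DATA,"
                + " INOUT ERRCODE CHAR(16) FOR BIT DATA)" + OPTS + "'QSYS/QWTSETP'",
            "CREATE PROCEDURE MYLIB.RLSPH(IN HANDLE CHAR(12) FOR BIT DATA,"
                + " INOUT ERRCODE CHAR(16) FOR BIT DATA)" + OPTS + "'QSYS/QSYRLSPH'" };
        try (Statement s = c.createStatement()) {
            for (String stmt : ddl) s.execute(stmt);
        }
    }
    private final Connection conn;
    private final byte[] poolHandle;   // SystemAccount, to swap back to
    private final byte[] userHandle;   // the application user
    /** Verifies the user's password and switches the connection's server job to that user.
     *  Call immediately after borrowing the connection from the pool. */
    public ProfileSwap(Connection c, String user, String password) throws SQLException {
        conn = c;
        poolHandle = getHandle(c, "*CURRENT", "*NOPWD", false);  // first, so close() can always swap back
        try {
            userHandle = getHandle(c, user, password, true);     // bad password: CPF22E2 plus an invalid sign-on attempt
            call(c, "CALL MYLIB.SETP(?,?)", "QWTSETP", userHandle);
        } catch (SQLException e) {
            call(c, "CALL MYLIB.RLSPH(?,?)", "QSYRLSPH", poolHandle);
            throw e;
        }
    }
    /** Restores SystemAccount before the connection goes back to the pool (otherwise the next
     *  borrower runs as this user) and releases both handles, a finite per-job resource. */
    @Override
    public void close() throws SQLException {
        try {
            call(conn, "CALL MYLIB.SETP(?,?)", "QWTSETP", poolHandle);
        } finally {
            call(conn, "CALL MYLIB.RLSPH(?,?)", "QSYRLSPH", userHandle);
            call(conn, "CALL MYLIB.RLSPH(?,?)", "QSYRLSPH", poolHandle);
        }
    }
    private static byte[] getHandle(Connection c, String user, String pw, boolean withLength) throws SQLException {
        String sql = withLength ? "CALL MYLIB.GETPH6(?,?,?,?,?,?)" : "CALL MYLIB.GETPH4(?,?,?,?)";
        try (CallableStatement cs = c.prepareCall(sql)) {
            cs.setString(1, user.toUpperCase());   // profile names are upper case; the password is left alone
            cs.setString(2, pw);
            cs.registerOutParameter(3, Types.BINARY);
            cs.setBytes(4, newErrorCode());
            cs.registerOutParameter(4, Types.BINARY);
            if (withLength) {
                cs.setInt(5, pw.length());   // single-byte characters assumed
                cs.setInt(6, 0);             // 0 = job CCSID, which is what JDBC converted the string to
            }
            cs.execute();
            check("QSYGETPH", cs.getBytes(4));
            return cs.getBytes(3);
        }
    }
    private static void call(Connection c, String sql, String api, byte[] handle) throws SQLException {
        try (CallableStatement cs = c.prepareCall(sql)) {
            cs.setBytes(1, handle);
            cs.setBytes(2, newErrorCode());
            cs.registerOutParameter(2, Types.BINARY);
            cs.execute();
            check(api, cs.getBytes(2));
        }
    }
    // Error code structure with bytes provided = 16: the API then reports bytes available and
    // the 7-character exception ID at offset 8 instead of escaping and failing the whole CALL.
    private static byte[] newErrorCode() { byte[] err = new byte[16]; err[3] = 16; return err; }
    private static void check(String api, byte[] err) throws SQLException {
        int avail = ((err[0] & 0xff) << 24) | ((err[1] & 0xff) << 16) | ((err[2] & 0xff) << 8) | (err[3] & 0xff);
        if (avail > 0)   // exception ID is EBCDIC text, e.g. CPF22E2 (password not correct)
            throw new SQLException(api + " failed with " + new AS400Text(7, 37).toObject(err, 8));
    }
}
```

Intended use is `try (Connection c = pool.getConnection(); ProfileSwap s = new ProfileSwap(c, user, password)) { ... }`, so that the swap back to SystemAccount runs before the pool reclaims the connection; a connection returned while still swapped hands the previous user's identity to the next borrower, which is the failure mode a pooled design has to guard against. Two further points a reviewer would check: the user's password crosses the wire inside the SQL CALL, so the JDBC URL should use `secure=true` (TLS); and because QSYGETPH performs a real password check, a wrong password counts as an invalid sign-on attempt and can disable the profile under QMAXSIGN. Swapping without the user's password (QSYGETPH or QSYGENPT with `*NOPWD`) would instead require the pool profile to hold `*USE` authority to every user profile it swaps to, a far broader grant.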

Have you verified that the transactions are actually being improperly logged? I wouldn't expect them to be.

user2338816