ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzahh_5.4.0.1/secauth.htm
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="reference" />
<meta name="DC.Title" content="Authentication services" />
<meta name="abstract" content="" />
<meta name="description" content="" />
<meta name="DC.Relation" scheme="URI" content="security.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="secauth" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Authentication services</title>
</head>
<body id="secauth"><a name="secauth"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Authentication services</h1>
<div><p></p>
<div class="section"><p>The IBM<sup>®</sup> Toolbox for Java™ provides classes that interact with the security services
of i5/OS™.
Specifically, support is provided to authenticate a user identity, sometimes
referred to as a <em>principal</em>, and password against the i5/OS user registry.
A credential representing the authenticated user can then be established.
You can use the credential to alter the identity of the current i5/OS thread
so that it performs work under the authorities and permissions of the authenticated
user. In effect, this swap of identity results in the thread acting as if
a sign-on had been performed by the authenticated user.</p>
<div class="note"><span class="notetitle">Note:</span> The services to
establish and swap credentials are only supported for servers at release
V5R1M0 or greater. </div>
</div>
<div class="section"><h4 class="sectiontitle">Overview of support provided</h4><p>The <a href="as400obj.htm#as400obj">AS400</a> object
provides authentication for a given user profile and password against the
server. You can also retrieve Kerberos tickets and profile tokens that represent
authenticated user profiles and passwords for the system.</p>
<div class="note"><span class="notetitle">Note:</span> Using
Kerberos tickets requires that you install J2SDK, v1.4 and configure the Java General
Security Services (JGSS) Application Programming Interface. For more information
about JGSS, see the <a href="http://java.sun.com/j2se/1.4/docs/guide/security/index.html" target="_blank">J2SDK, v1.4 Security Documentation</a> <img src="www.gif" alt="Link outside information center" />.</div>
<p>To use Kerberos tickets,
set only the system name (and not the password) into the AS400 object. The
user identity is retrieved through the JGSS framework. You can set only one
means of authentication in an AS400 object at a time. Setting the password
clears any Kerberos ticket or profile token.</p>
<p>To use profile tokens,
use the <a href="javadoc/com/ibm/as400/access/AS400.html#GETPROFILETOKEN(INT, INT)"> getProfileToken()</a> methods to retrieve instances of the <a href="javadoc/com/ibm/as400/security/auth/ProfileTokenCredential.html"> ProfileTokenCredential</a> class. Think of profile tokens
as a representation of an authenticated user profile and password for a specific
server. Profile tokens expire based on time, up to one hour, but can be refreshed
in certain cases to provide an extended life span.</p>
<div class="note"><span class="notetitle">Note:</span> If you use the
ProfileTokenCredential class, make sure to review the information at the bottom
of this page that discusses the methods for setting tokens.</div>
<p>The following
example creates a system object and uses that object to generate a profile
token. The example then uses the profile token to create another system object,
and uses the second system object to connect to the command service:</p>
<pre>// Authenticate with a user ID and password, then ask the server for a profile token
AS400 system = new AS400("mySystemName", "MYUSERID", "MYPASSWORD");
ProfileTokenCredential myPT = system.getProfileToken();
// The token alone, without the password, authenticates the second system object
AS400 system2 = new AS400("mySystemName", myPT);
system2.connectService(AS400.COMMAND);</pre>
</div>
<div class="section"><h4 class="sectiontitle">Setting thread identities</h4><p>You can establish a credential
on either a remote or local context. Once created, you can serialize or distribute
the credential as required by the calling application. When passed to a running
process on the associated server, a credential can be used to modify or <em>swap</em> the i5/OS thread
identity and perform work on behalf of the previously authenticated user.</p>
<p>A
practical application of this support might be a two-tier application,
with authentication of a user profile and password being performed by a graphical
user interface on the first tier (that is, a PC) and work being performed for
that user on the second tier (the server). By using ProfileTokenCredential objects,
the application can avoid passing user IDs and passwords directly over the
network. The profile token can then be distributed to the program on the second
tier, which can perform the <em>swap()</em> and operate under the i5/OS authorities
and permissions assigned to the user.</p>
<div class="note"><span class="notetitle">Note:</span> While inherently more secure
than passing a user profile and password due to limited life span, profile
tokens should still be considered sensitive information by the application
and handled accordingly. Since the token represents an authenticated user
and password, it could potentially be exploited by a hostile application to
perform work on behalf of that user. It is ultimately the responsibility of
the application to ensure that credentials are accessed in a secure manner.</div>
</div>
<div class="section"><h4 class="sectiontitle">Methods for setting tokens in ProfileTokenCredential</h4><p>The
methods for setting tokens in the ProfileTokenCredential class require that you
distinguish between two ways of specifying the password:</p>
<ul><li>As a special value, such as *NOPWD or *NOPWDCHK, by using a defined special
value integer</li>
<li>As the password for the user profile by using a String that represents
the password</li>
</ul>
<div class="note"><span class="notetitle">Note:</span> In V5R3, IBM Toolbox for Java deprecates the setToken methods that
do not require you to distinguish how to specify the password.</div>
<p>Additionally,
the setToken methods allow remote users to specify password special values
and allow longer user profile passwords of up to 128 characters.</p>
<p>To
specify a password special value integer, such as *NOPWD or *NOPWDCHK, use
one of the following methods:</p>
<ul><li>setToken(AS400Principal principal, int passwordSpecialValue)</li>
<li>setToken(String name, int passwordSpecialValue)</li>
</ul>
<p>The ProfileTokenCredential class includes the following static constants
for password special value integers:</p>
<ul><li>ProfileTokenCredential.PW_NOPWD: indicates *NOPWD</li>
<li>ProfileTokenCredential.PW_NOPWDCHK: indicates *NOPWDCHK</li>
</ul>
<p>To specify a user profile password as a String, use one of the following
methods:</p>
<ul><li>setTokenExtended(AS400Principal principal, String password)</li>
<li>setTokenExtended(String name, String password)</li>
</ul>
<p>The setTokenExtended methods do not allow you to pass password special
value strings as the password parameter. For example, these methods do not
allow a password string of *NOPWD.</p>
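<p>As an added example (not code from this Information Center topic or from the Toolbox itself), the following class puts the two-tier flow described under Setting thread identities together with the setter distinction above: tier 1 routes *NOPWD and *NOPWDCHK through setToken(String, int) and a real password through setTokenExtended, then hands over only the token bytes; tier 2, running on the server, rebuilds the credential and swaps the thread identity. The class and method names, the 60-second single-use token, and the use of the default AS400() constructor for the local system are assumptions made for the example.</p>

```java
import java.beans.PropertyVetoException;
import com.ibm.as400.access.AS400;
import com.ibm.as400.access.AS400SecurityException;
import com.ibm.as400.security.auth.AS400Credential;
import com.ibm.as400.security.auth.ProfileTokenCredential;

// Hypothetical class for the example; not part of the Toolbox.
public class TwoTierProfileToken {

    // Tier 1 (the PC): authenticate once and return the token bytes so that the
    // password itself never has to cross the network to tier 2.
    // The special values *NOPWD / *NOPWDCHK must go through setToken(String, int);
    // setTokenExtended rejects them when given as password strings.
    static byte[] issueToken(AS400 system, String user, String password)
            throws AS400SecurityException, PropertyVetoException {
        ProfileTokenCredential pt = new ProfileTokenCredential();
        pt.setSystem(system);
        pt.setTokenType(ProfileTokenCredential.TYPE_SINGLE_USE); // valid for one swap only
        pt.setTimeoutInterval(60);                               // seconds; tokens expire after at most one hour
        if ("*NOPWD".equals(password)) {
            pt.setToken(user, ProfileTokenCredential.PW_NOPWD);
        } else if ("*NOPWDCHK".equals(password)) {
            pt.setToken(user, ProfileTokenCredential.PW_NOPWDCHK);
        } else {
            pt.setTokenExtended(user, password);                 // real password, up to 128 characters
        }
        return pt.getToken();
    }

    // Tier 2 (a process on the i5/OS server): rebuild the credential from the
    // received bytes, swap the thread identity, do the work, and swap back.
    // The type and timeout must match the values used when the token was issued.
    static void runAsTokenOwner(byte[] token, Runnable work) throws Exception {
        AS400 local = new AS400();   // assumption: default constructor = the local system's current job
        ProfileTokenCredential pt = new ProfileTokenCredential(
                local, token, ProfileTokenCredential.TYPE_SINGLE_USE, 60);
        AS400Credential original = pt.swap(true); // returns a credential for the original identity
        try {
            work.run();              // runs under the authenticated user's authorities
        } finally {
            original.swap();         // always restore the server job's own identity
            original.destroy();
            pt.destroy();            // discard the token explicitly; it is sensitive even after use
        }
    }
}
```

Because the token is single-use and expires after 60 seconds, a captured copy is worth far less to an attacker than the password it replaces, which is the point of the note above about handling tokens as sensitive data.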
<p>For more information, see the following
Javadoc reference information:</p>
<blockquote><a href="javadoc/com/ibm/as400/security/auth/ProfileTokenCredential.html"> ProfileTokenCredential</a></blockquote>
</div>
<div class="section"><h4 class="sectiontitle">Example</h4><p>Refer to this <a href="sectknex.htm#sectknex">code</a> for
an example of how to use a profile token credential to swap the i5/OS thread
identity and perform work on behalf of a specific user.</p>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="security.htm" title="">Security classes</a></div>
</div>
</div>
</body>
</html>