Deny website access to specific user?
Last Post 14 Jan 2013 11:11 AM by DAVID LINDEMUTH. 9 Replies.
DAVID LINDEMUTH (New Member, 5 posts)
08 Jan 2013 08:10 AM

Is there a way to deny website access to a specific AS/400 user?

I am running an Apache HTTP server and using the AS/400 user ids and passwords for authentication.  I have one user id that should only ever be used to log-in to the green screen, but not the website.  Is there a way either in the http server or in the configuration of this user to prevent it from authenticating in the http server?

David Lindemuth

Chris Hird (Veteran Member, 2276 posts)
08 Jan 2013 01:13 PM
Maybe use a group profile and only allow access for members of the group? Unfortunately, as the user is granted access to the IBM i, the method of entry is more difficult to control. If this was a PHP application I would look specifically for the user and deny access. As this is a standard Apache Server, perhaps the use of a .htaccess file would suffice?

Chris...

Chris Hird Shield Advanced Solutions Ltd Home of JQG4i, HA4i and DR4i. http://www.shieldadvanced.com
Gary Kaplan (New Member, 26 posts)
08 Jan 2013 02:13 PM
How about using a validation list instead of user profiles to allow access?
DAVID LINDEMUTH (New Member, 5 posts)
08 Jan 2013 03:25 PM

A validation list would require me to set up a user id and password for everyone I want to access the website (over 500 users), and it's another thing to have to manage.  Seems extreme for the task of excluding one user profile.

The group profile is an idea.  Once again I'm creating a file with 500+ valid user ids less the one I want to exclude, but my users don't have another password to lose.  I could write a program to create the file and re-create it as users are added/removed.

Ringer (Veteran Member, 1759 posts)
09 Jan 2013 07:33 AM
This might be a crazy idea, but you might be able to write a QPWDVLDPGM (SYSVAL password validation program) program and examine that job and its call stack. If it is called in the context of the web and is that user ID, reject it. Perhaps the job name is ZENDSVR or the job user is QTMHHTTP. Something about that job will indicate web, not green screen.

Chris Ringer
DAVID LINDEMUTH (New Member, 5 posts)
09 Jan 2013 03:20 PM

A QPWDVLDPGM is for adding additional restrictions to the creation of a new password.  But that does get me thinking about exit points. 

Follow up:

"Exit points do not exist for every possible way of access to data on your system. For example, the IBM HTTP Server (powered by Apache) does not have any exit points."  IBM System i Security Guide for IBM i5/OS Version 5 Release 4 (IBM Redbook)

Henrik Rutzou (Advanced Member, 598 posts)
10 Jan 2013 06:51 AM

David,


here is some code that validates against OS profiles ...

d IBMiUsr         s             10a       
d IBMiPwd         s             10a       
d IBMiHdl         s             12a       
d IBMiErr         s          32766a       
d IBMiLng         s             10i 0     
d IBMiCCSid       s             10i 0

d getProfile      pr                  extPgm('QSYGETPH')         
d  userID                       10a   const                      
d  password                     10a   const                      
d  handle                       12a                              
d  errorCode                 32766a   options(*varsize: *nopass) 
d  passLength                   10i 0 options(*nopass)           
d  passCCSid                    10i 0 options(*nopass)


IBMiUsr = userId;                                              
IBMiPwd = passWord;                                            
IBMiLng = %len(%trim(IBMiPwd));                                
IBMiCCSid = curOsCCSid;                                        
getProfile(IBMiUsr:IBMiPwd:IBMiHdl:IBMiErr:IBMiLng:IBMiCCSid); 
if IBMiHdl = *loval;                                           
  errorCode = '1004';                                          
  errorText = error1004 + %subst(IBMiErr:9:7);                 
  return pExtErrorHdl();                                       
endif;

Ringer (Veteran Member, 1759 posts)
10 Jan 2013 07:13 AM
What does your httpd.conf look like? Does it force the HTTP 401 authentication challenge pop-up window, with something like this?

<Directory /QSYS.LIB/CGILIB.LIB>
    Order Allow,Deny
    Allow From all
    SetEnv QIBM_CGI_LIBRARY_LIST "CGILIB;DATALIB;PGMLIB;UTILLIB"
    Require valid-user
    PasswdFile %%SYSTEM%%
    AuthType Basic
    AuthName "Development AS/400-iSeries-System i5: Sign-On"
    UserID %%CLIENT%%
</Directory>

Perhaps you could grant that user *EXCLUDE authority to one of those libraries. I believe Apache would respond with the 403 Forbidden status. And on the green screen, you could write an initial program that adopts authority so the user could still use that library.

Chris Ringer
DAVID LINDEMUTH (New Member, 5 posts)
14 Jan 2013 09:46 AM

Thanks for the idea.

I have several directories that are being used for this site, but I'm only setting the library environment in those that actually use CGI.  I will experiment to see what happens if I add a library for which my excluded user doesn't have authority to the CGI and non-CGI directories.

Followup:  I created a library named WEBEXCLUDE and changed the object authority on that library to *EXCLUDE for my user.  I then added the directive  SetEnv QIBM_CGI_LIBRARY_LIST "WEBEXCLUDE" to each directory entry in the configuration file.  After a stop and restart, the result was no different.  Apparently the authority on the library only comes into play if an attempt is made to access an object in that library.

I went back and changed the user's authority to the library where my CGI programs are stored, and then I DID see a 401 Authorization Required message when I tried to access any CGI generated page.


DAVID LINDEMUTH (New Member, 5 posts)
14 Jan 2013 11:11 AM
I believe I've reached a solution on my issue:

I changed the IFS library authority to 'Exclude' for my specific user on the top level folder for my website documents and the folder that contains the html for my CGI programs.
As soon as the restricted user signs in, they receive a 401 Authorization Required message.

Thanks for all the suggestions.
David L.
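The directory block Ringer quoted and the authority-based exclusion David settled on, combined into one httpd.conf fragment as an added example; this is not configuration from the thread or from IBM. Assumed names: a document root of /www/mysite/htdocs, a CGI library CGILIB, and an excluded profile EXCLUSR (all hypothetical). It also assumes the IBM HTTP Server for i loads mod_rewrite, and that releases built on Apache 2.4 (IBM i 7.2 and later) expose mod_authz_core, which is what the `<IfModule>` test keys on; on the 2.2-based server of the 2013 thread the 2.4 branch is skipped.

```apache
# Added example, not from the thread. Assumed: document root /www/mysite/htdocs,
# CGI library CGILIB, excluded profile EXCLUSR, mod_rewrite available.
#
# 1) The thread's outcome: keep authentication against system profiles and
#    revoke the profile's authority to the IFS document root, so the server
#    cannot serve it once it has switched to that profile (UserID %%CLIENT%%).
#    Run once from a 5250 session (CL, shown as a comment), then verify:
#
#      CHGAUT OBJ('/www/mysite/htdocs') USER(EXCLUSR) DTAAUT(*EXCLUDE)
#             OBJAUT(*NONE) SUBTREE(*ALL)
#      DSPAUT OBJ('/www/mysite/htdocs')
#
#    As David observed, the request then fails with 401, not 403.
#
# 2) A configuration-only exclusion, which does not depend on object
#    authority and can be reviewed in the config file alone.

<Directory /www/mysite/htdocs>
    AuthType Basic
    AuthName "Development AS/400-iSeries-System i5: Sign-On"
    PasswdFile %%SYSTEM%%
    UserID %%CLIENT%%

    # Apache 2.4 branch (mod_authz_core exists only in 2.4): every
    # authenticated profile except EXCLUSR is accepted.
    <IfModule mod_authz_core.c>
        <RequireAll>
            Require valid-user
            Require not user EXCLUSR
        </RequireAll>
    </IfModule>

    # Apache 2.2 branch (the server in the thread): there is no "Require not",
    # so authenticate everyone and refuse the one profile with mod_rewrite.
    # In directory context mod_rewrite runs after the auth phase, so
    # REMOTE_USER is set. Profile names are case-insensitive, hence [NC].
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Allow From all
        Require valid-user
        RewriteEngine On
        RewriteCond %{REMOTE_USER} ^EXCLUSR$ [NC]
        RewriteRule .* - [F]
    </IfModule>
</Directory>

# The CGI library gets the same treatment; a separate block is needed because
# the CGI library-list environment is set per directory.
<Directory /QSYS.LIB/CGILIB.LIB>
    SetEnv QIBM_CGI_LIBRARY_LIST "CGILIB;DATALIB;PGMLIB;UTILLIB"
    AuthType Basic
    AuthName "Development AS/400-iSeries-System i5: Sign-On"
    PasswdFile %%SYSTEM%%
    UserID %%CLIENT%%
    <IfModule mod_authz_core.c>
        <RequireAll>
            Require valid-user
            Require not user EXCLUSR
        </RequireAll>
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Allow From all
        Require valid-user
        RewriteEngine On
        RewriteCond %{REMOTE_USER} ^EXCLUSR$ [NC]
        RewriteRule .* - [F]
    </IfModule>
</Directory>
```

One difference worth knowing when choosing between the two: with the config-only branches the password is still verified against the profile before the request is refused (the client sees 403 after a successful sign-on), whereas with the *EXCLUDE authority approach the thread reports a 401. Either way the same profile remains usable on the green screen, which was the requirement.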