AS400 login

[Joerg Hamacher]

Hi,

we have a web page running on IBMi. In a IBMi database we have an user based authority system to control which informations a user may see or not. This database is user by our IBMi applications, too.

Now I want to create a simulation of the IBMi login with username and password as starting point of the web application to verify that only allowed users get access to some informations.
How can I realize such a login function with Web Pages and get the information back from IBMi if the logon is correct or not? Built-in-functions like CONNECT_SERVER are not supported in web programming.

Many thanks in advance,
Joerg

[jyoung]

Hi Joerg,

We do authentication and authorization on the i with VLF-ONE using the user's IBM i credentials.
I "think" you may be able to the same in a normal VL WEB app.

LANSA ships with a UF_3GCHKPW program that handles the authentication (username and password).

We copy it into a different library and then call it from a Server Module. You cannot execute it from the client (Web Page) it must execute on the server.

Here is the ValidatePassword method, it is specific to VLF-ONE, but it may help.

Code: Select all

mthroutine name(ValidatePassword) options(*REDEFINE *RETURNS_MESSAGES) access(*PRIVATE)

* This is going to use shipped program UF_3GCHKPW
define field(#U3GUserProfile) type(*char) length(10)
define field(#U3GPassword) type(*char) length(128)
define field(#U3GReturnCode) type(*char) length(2)
define_com class(#prim_alph) name(#u3GErrorMessage)

#SYS_APPLN.TraceMessageData( "Validating Password - User:&1" #UserProfile )

* Default behaviour: the password conforms to the rules
#ValidationReturnCode := OK

if (*OSAPI = IBMI)

* IBM i servers like uppercase user profiles
#U3GUserProfile := #UserProfile.UpperCase
#U3GPassword := #Password.AsNativeString

#SYS_APPLN.TraceMessageText( "Calling UF_3GCHKPW" )

call pgm(UF_3GCHKPW LANSACFG) parm(#U3GUserProfile #U3GPassword #U3GReturnCode) if_error(*next)

#SYS_APPLN.TraceMessageData( "Returned from UF_3GCHKPW - Return Code:&1" #U3GReturnCode )

case (#U3GReturnCode)
when (= OK)
#u3GErrorMessage := ""
when (= IU)
#u3GErrorMessage := *MTXTUF_OLOGON_002
when (= IP)
#u3GErrorMessage := *MTXTUF_USRPASSW
when (= EX)
#u3GErrorMessage := *MTXTUF_USR_PSW_EXP
when (= UD)
#u3GErrorMessage := *MTXTUF_DIS_USERNAME
otherwise
#u3GErrorMessage := *MTXTUF_OLOGON_003 + *MTXTUF_FAILED
endcase

if (#u3GErrorMessage <> "")
#ValidationReturnCode := ER
message msgtxt(#u3GErrorMessage)

#SYS_APPLN.TraceMessageData( "ValidatePassword error message: &1" #u3GErrorMessage )
endif

endif

* Finished
#SYS_APPLN.TraceMessageData( "ValidatePassword completed - ValidationReturnCode:&1" #ValidationReturnCode )

endroutine

The important bit being this line and LANSACFG is the library where we copied the program into.

Code: Select all

call pgm(UF_3GCHKPW LANSACFG) parm(#U3GUserProfile #U3GPassword #U3GReturnCode) if_error(*next)

That handles Authentication,so regarding Authentication, we have a simple RPG program that we use to get the user's group profile and from there we can map permissions or roles.

Code: Select all

mthroutine name(GetIBMGroupProfile)
define_map for(*INPUT) class(#PRIM_ALPH) name(#userProfile)
define_map for(*RESULT) class(#PRIM_ALPH) name(#groupProfile)

define field(#pgm_user) reffld(#STD_TEXTS)
define field(#pgm_group) reffld(#STD_TEXTS)

#pgm_user := #userProfile

#SYS_APPLN.TraceMessageData( "Calling GETGRPPRF - User:&1" #pgm_user )

call pgm(GETGRPPRF PGMLIB) parm(#pgm_user #pgm_group) exit_used(*NEXT)

#SYS_APPLN.TraceMessageData( "Returned from GETGRPPRF - User:&1 Group:&2" #pgm_user #pgm_group )

#groupProfile := #pgm_group
endroutine

Hope this helps,
Joe

[MarkD]

The UF_3GCHKPW program that is called is a little CL program shipped with VLF.
If you use it it's best to change the name.
Source code is:

Code: Select all

             PGM        PARM(&USRID &PWD &STATUS)

/********************************************************/
/* Check that the passed User Id and Password are valid */
/* Status Codes Returned :                              */
/* OK = USER OK                                         */
/* IU = INVALID USER ID                                 */
/* IP = INVALID PASSWORD                                */
/* EX = PASSWORD EXPIRED                                */
/* UD = USER PROFILE DISABLED                           */
/* ER = UNEXPECTED ERROR                                */
/********************************************************/

/* Received Parms */
             DCL        VAR(&USRID) TYPE(*CHAR) LEN(10)
             DCL        VAR(&PWD) TYPE(*CHAR) LEN(128)

/* Returned Parms */
DCL        VAR(&STATUS) TYPE(*CHAR) LEN(2)

/* Other variables */
DCL        VAR(&PROGRAM) TYPE(*CHAR) LEN(10)
DCL        VAR(&MENU) TYPE(*CHAR) LEN(10)
DCL        VAR(&RTNVAR) TYPE(*CHAR) LEN(8) +
           VALUE(X'0000000000000000')
DCL        VAR(&HANDLE) TYPE(*CHAR) LEN(12)
DCL        VAR(&RELEASE) TYPE(*CHAR) LEN(6)

 /* MESSAGE FORWARDING VARIABLES */
    DCL  &ERRDS      *CHAR    4   VALUE(X'00000000')
    DCL  &MSGKEY     *CHAR    4   VALUE(' ')
    DCL  &MSGTYPECT  *CHAR    4   VALUE(X'00000004')
    DCL        VAR(&MSGTYPE) TYPE(*CHAR) LEN(40) +
    VALUE('*DIAG     *INFO     *ESCAPE   *COMP     ')
    DCL  &STKCT      *CHAR    4   VALUE(X'00000001')
    DCL  &STKSTRPOS  *CHAR   10   VALUE('*')
CHGVAR     VAR(&STATUS) VALUE('OK')

/* The following call to QSYGETPH needs to be coded */
/* differently depending on OS/400 version. Delete the */
/* variation that you do not need. */

CALL PGM(UF_3GGETRL) PARM(&RELEASE)

IF COND(&RELEASE *GE 'V5R3') THEN(DO)
 /* Check User and Password for OS/400 V5R3 onwards */
 /* Modified 30/05/12 - add support for long passwords */
   CALL       PGM(QSYGETPH) PARM(&USRID &PWD &HANDLE &RTNVAR X'00000080' +
                X'00000000')
 /* Invalid User                                             */
 MONMSG     MSGID(CPF2203 CPF2204) EXEC(CHGVAR VAR(&STATUS) +
             VALUE('IU'))

 /* Unable to check this user                               */
 /* MONMSG     MSGID(CPF22E9 CPF2213 CPF2217 CPF4AB8) +     */
 /*           EXEC(CHGVAR VAR(&STATUS) VALUE('UV'))         */


 /* Password is invalid */
 MONMSG     MSGID(CPF22E2) EXEC(CHGVAR +
             VAR(&STATUS) VALUE('IP'))

 /* This profile has no password */
 MONMSG     MSGID(CPF22E5) EXEC(CHGVAR +
             VAR(&STATUS) VALUE('NO'))

 /* Profile is disabled */
 MONMSG     MSGID(CPF22E3) EXEC(CHGVAR VAR(&STATUS) +
             VALUE('UD'))

 /* Password has expired */
 MONMSG     MSGID(CPF22E4) EXEC(CHGVAR VAR(&STATUS) +
             VALUE('EX'))

 /* Unspecified error */
    MONMSG     MSGID(CPF0000) EXEC(DO)
    CHGVAR VAR(&STATUS) VALUE('ER')
    CALL  PGM(QMHMOVPM) PARM(&MSGKEY &MSGTYPE &MSGTYPECT +
                             &STKSTRPOS &STKCT &ERRDS)
    ENDDO
 ENDDO
ELSE       CMD(DO)
 /* Check User and Password for OS/400 prior to V5R3 */
 CALL       PGM(QSYGETPH) PARM(&USRID &PWD &HANDLE)

 /* Invalid User                                             */
 MONMSG     MSGID(CPF2203 CPF2204) EXEC(CHGVAR VAR(&STATUS) +
             VALUE('IU'))

 /* Unable to check this user                               */
 /* MONMSG     MSGID(CPF22E9 CPF2213 CPF2217 CPF4AB8) +     */
 /*           EXEC(CHGVAR VAR(&STATUS) VALUE('UV'))         */


 /* Password is invalid */
 MONMSG     MSGID(CPF22E2) EXEC(CHGVAR +
             VAR(&STATUS) VALUE('IP'))

 /* This profile has no password */
 MONMSG     MSGID(CPF22E5) EXEC(CHGVAR +
             VAR(&STATUS) VALUE('NO'))

 /* Profile is disabled */
 MONMSG     MSGID(CPF22E3) EXEC(CHGVAR VAR(&STATUS) +
             VALUE('UD'))

 /* Password has expired */
 MONMSG     MSGID(CPF22E4) EXEC(CHGVAR VAR(&STATUS) +
             VALUE('EX'))

 /* Unspecified error */
    MONMSG     MSGID(CPF0000) EXEC(DO)
    CHGVAR VAR(&STATUS) VALUE('ER')
    CALL  PGM(QMHMOVPM) PARM(&MSGKEY &MSGTYPE &MSGTYPECT +
                             &STKSTRPOS &STKCT &ERRDS)
    ENDDO
 ENDDO


/* Possible error messages are:  (V5R1 to V5R4)             */

/* IU CPF2203 E User profile &1 not correct.                */
/* IU CPF2204 E User profile &1 not found.                  */
/* UV CPF2213 E Not able to allocate user profile &1.       */
/* UV CPF2217 E Not authorized to user profile &1.          */
/* ER CPF2225 E Not able to allocate internal system object.*/
/* ER CPF22AD E Group profile for user not found.           */
/* IP CPF22E2 E Password not correct for user profile &1.   */
/* UD CPF22E3 E User profile &1 is disabled.                */
/* EX CPF22E4 E Password for user profile &1 has expired.   */
/* NO CPF22E5 E No password associated with user profile &1.*/
/* ER CPF22E6 E Maximum number of profile handles have been generated.*/
/* ER CPF22E7 E Profile handle is not valid.                */
/* UV CPF22E9 E *USE authority to user profile &1 required. */
/* ER CPF24B4 E Severe error while addressing parameter list. */
/* ER CPF3BC7 E CCSID &1 outside of valid range.            */
/* ER CPF3BDE E CCSID &1 not supported by API.              */
/* ER CPF3C1D E Length specified in parameter &1 not valid. */
/* ER CPF3C36 E Number of parameters, &1, entered for this API was not valid.*/
/* ER CPF3C3C E  Value for parameter &1 not valid.          */
/* ER CPF3C90 E LITERAL VALUE CANNOT BE CHANGED.            */
/* ER CPF3CF1 E Error code parameter not valid.             */
/* UV CPF4AB8 E Insufficient authority for user profile &1. */
/* ER CPF9872 E Program or service program &1 in library &2 ended.*/


END:         ENDPGM 

[MarkD]

You can probably chop out the IBM OS being greater than V5R3 check:

Code: Select all

CALL PGM(UF_3GGETRL) PARM(&RELEASE)

IF COND(&RELEASE *GE 'V5R3') THEN(DO) 

[Joerg Hamacher]

Thank you Joe, thank you Mark,

this is a great support!

Best regards, Joerg