Paul,

What's the best way to manage the user id / password that Java uses to connect to the iSeries (AS400, i5)? JAAS?

I believe the WDSC Web Service Wizard will use ProgramCallDocument with PCML to call the RPG program. Doesn't that make the whole web service a bit fragile? If a user learns that user id, can't they disable the whole web service by disabling that profile (typing invalid passwords on a green screen sign on)? Do you then make the user id 10 "hard to guess" characters? Security through obscurity? Or can you specify *current *current if the Java class and the RPG program are on the same LPAR?

What happens if someone changes the user password? Does that break the web service? Where in the EAR or WAR do I fix that? Is the password encrypted in a config file?

I'm serious... I personally haven't read a good article that discusses the connection user id / password management. Here's your chance!

Regards, Chris
Web Services for the Traditional RPG Programmer, Part I
** This thread discusses the Content article: Web Services for the Traditional RPG Programmer, Part I **
Hi Chris,

Advance apologies if this long overdue reply meanders a bit - I'm recovering from a not too pleasant transatlantic crossing :-(

I'm afraid I am no expert on security or the best way of implementing it (especially when it needs to be embedded in code) but I am not sure it is that much of an issue for web services (very, very much open to correction here).

When you are connecting to web services you are not connecting directly to the System i (iSeries) but to an HTTP server. Since access to web services is through an HTTP server, "normal" web security applies. For me, this means that I would not be using i5/OS user profiles as my log on - more likely using a validation list. I don't really want anyone logging on to my system over the internet - whether that be through HTTP or telnet. If I am concerned about "sniffing" etc. I would use SSL.

Web services are a form of application to application programming, therefore the user id/password is provided to an application developer - not a user. Most of the web services I have seen simply have the user-id and password as part of the XML sent in the request (e.g. UPS).