Access to sensitive web applications is generally implemented through some login procedure.
A login procedure requires user identification through
- a user name and
- a user password
An easy and inexpensive way to provide such a login procedure is to rely on the protection provided by the HTTP server.
Through some Apache directives one may require that some or all static or dynamic pages of a web application can be accessed
only after logging in to the HTTP server.
Validation of the login data can be implemented through system user profiles or a validation list
(See Appendix C).
User profiles, while convenient for intranet applications accessed by a few people, are not appropriate when the number of users grows to dozens or hundreds of people:
- user profiles are rather expensive in terms of system resources
- there should be a different user profile for each different user (so that a CGI may establish who is who)
- user profiles are doors to the whole system, which one may not want to open to too many people, for obvious security management implications
Validation lists are rather more recent objects (introduced in V4R2), especially designed to support internet users.
They look like small files, containing some data (username, password, comment) for each internet user.
Actually they are not files; they are more like user spaces. There are no system commands or utilities to browse or print them, or to change their contents.
The only access is through system APIs, which means that you must be a proficient iSeries programmer to create utilities to manage them.
The only IBM software able to maintain validation lists is the HTTP wizard, that is, the *ADMIN HTTP server instance that you may start on port 2001.
Library LOGINOUT provides a utility to maintain validation lists. This utility is discussed in "Defining users".
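The two validation choices described above (system user profiles versus a validation list) map onto a few HTTP server directives. The following configuration fragment is an added example, not part of the original page or of the LOGINOUT library; it uses the `PasswdFile` and `UserID` directives as documented for the IBM HTTP Server (powered by Apache) on iSeries, while the directory paths `/www/myapp/htdocs/...`, the realm names and the validation list `MYLIB/WEBUSERS` are assumed placeholders.

```apache
# Added example (not from the original page): two protected directories in an
# IBM HTTP Server (powered by Apache) instance on iSeries.
# Paths, realm names and the validation list MYLIB/WEBUSERS are placeholders.

# Option 1: validate the browser's user name and password against
# system user profiles. With UserID %%CLIENT%% a CGI in this directory runs
# under the authenticated profile, so it can tell who is who, but every web
# user then needs a real profile on the machine.
<Directory /www/myapp/htdocs/admin>
    AuthType Basic
    AuthName "Administration"
    PasswdFile %%SYSTEM%%
    UserID %%CLIENT%%
    Require valid-user
</Directory>

# Option 2: validate against a validation list (*VLDL object) instead.
# Web users exist only in the list, and the CGI runs under the server's
# default profile (QTMHHTP1 is the usual one); the CGI still learns the
# validated name through the REMOTE_USER environment variable.
<Directory /www/myapp/htdocs/app>
    AuthType Basic
    AuthName "Application"
    PasswdFile MYLIB/WEBUSERS
    UserID QTMHHTP1
    Require valid-user
</Directory>

# Note for both options: Basic authentication sends the name and password
# (base64-encoded, not encrypted) on every request, and the browser keeps
# resending them until it is closed; the server keeps no session to revoke.
# Serve these directories over HTTPS, and see the next page for the logout
# problem this creates.
```

With either option, `Require valid-user` accepts any name the chosen store can validate; `Require user NAME` restricts a directory to specific names when that is needed.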
The only problem, when using this type of protection based on user profiles or validation lists, may be with the logout procedure.
As a matter of fact, in this case there is no logout procedure. Once your access to a protected application has been validated, this validation is granted
for all the sessions of your browser. The only way to get rid of it (logout) is to close all the sessions of that browser.
This may raise a security issue. You are urgently called by your manager, no time to close all browser sessions, no immediate logout button, and ...
your PC is left unattended while still able to access one of the most sensitive company applications.
Some application designers therefore require a different approach to application protection. They require a logout button that cuts off any further
possibility of accessing a protected application without logging in again.
Read about this approach on the next page.