IBM i Global

  • 1.  Check User and password

    Posted Tue February 21, 2023 06:05 AM

    Hi, 

    I'd like to make a web application for some internal utilities. Thinking about authentication, I'd like to use the user and password of my IBM i, but I didn't find any API to check a user's password.

    I see this:

    Check Encrypted User Password (QSYCUPWD) API



    but, as I read it, it is only for checking a password from a sign-on display.

    Does anyone have some experience with it?

    Many thanks.


     



    ------------------------------
    Paolo Salvatore
    ------------------------------


  • 2.  RE: Check User and password

    Posted Wed February 22, 2023 05:06 AM

    Hi Paolo,

    I think what you need to use are profile handles. You use QSYGETPH to "get" one; this does your user profile / password validation. Once you've finished you use QSYRLSPH to "release" the profile handle. 

    IBM provides a simple sample here: https://www.ibm.com/docs/en/i/7.5?topic=programs-example-using-profile-handles

    Hope this helps.

    Regards,

    Keith



    ------------------------------
    Keith Pryke
    ------------------------------
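
The get/release sequence described in the reply above, as an added ILE CL example (not code from the thread or from IBM's linked sample). The program name CHKPWD, its parameter layout and the 'INVALID' return value are assumptions made for this example; QSYGETPH also accepts special values such as *NOPWD in the password parameter, so input that starts with '*' is rejected before the call.

```cl
/* CHKPWD (hypothetical name): validate a user profile and password.     */
/* &MSGID comes back blank when the pair is valid, otherwise it holds    */
/* the message ID from QSYGETPH, or 'INVALID' (this example's own value).*/
PGM        PARM(&USER &PWD &PWDLEN &MSGID)
  DCL      VAR(&USER)   TYPE(*CHAR) LEN(10)   /* profile, blank padded  */
  DCL      VAR(&PWD)    TYPE(*CHAR) LEN(128)  /* password as entered    */
  DCL      VAR(&PWDLEN) TYPE(*INT)  LEN(4)    /* bytes of &PWD in use   */
  DCL      VAR(&MSGID)  TYPE(*CHAR) LEN(7)    /* out: blank = valid     */
  DCL      VAR(&CCSID)  TYPE(*INT)  LEN(4) VALUE(0) /* 0: job's CCSID   */
  DCL      VAR(&HANDLE) TYPE(*CHAR) LEN(12)   /* profile handle         */
  /* Standard API error code structure, mapped over &ERR */
  DCL      VAR(&ERR)    TYPE(*CHAR) LEN(16)
  DCL      VAR(&BYTPRV) TYPE(*INT)  STG(*DEFINED) LEN(4) DEFVAR(&ERR 1)
  DCL      VAR(&BYTAVL) TYPE(*INT)  STG(*DEFINED) LEN(4) DEFVAR(&ERR 5)
  DCL      VAR(&ERRID)  TYPE(*CHAR) STG(*DEFINED) LEN(7) DEFVAR(&ERR 9)

  CHGVAR   VAR(&MSGID)  VALUE(' ')
  CHGVAR   VAR(&BYTPRV) VALUE(16)  /* errors come back in &ERR, not as  */
  CHGVAR   VAR(&BYTAVL) VALUE(0)   /* escape messages                   */

  /* Never let web input reach the API as a special value (*NOPWD...)   */
  IF       COND(%SST(&PWD 1 1) *EQ '*') +
             THEN(CHGVAR VAR(&MSGID) VALUE('INVALID'))
  ELSE     CMD(DO)
    /* "Get" a handle: this is the user profile / password validation   */
    CALL   PGM(QSYGETPH) PARM(&USER &PWD &HANDLE &ERR &PWDLEN &CCSID)
    IF     COND(&BYTAVL *GT 0) THEN(CHGVAR VAR(&MSGID) VALUE(&ERRID))
    /* Only the check was wanted, so "release" the handle right away    */
    ELSE   CMD(CALL PGM(QSYRLSPH) PARM(&HANDLE &ERR))
  ENDDO

  /* &PWD is passed by reference: this also blanks the caller's copy    */
  CHGVAR   VAR(&PWD) VALUE(' ')
ENDPGM
```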



  • 3.  RE: Check User and password

    Posted Wed February 22, 2023 07:31 AM

    Hi Keith, I'll try it, many thanks.



    ------------------------------
    Paolo Salvatore
    ------------------------------



  • 4.  RE: Check User and password

    Posted Wed February 22, 2023 04:16 PM

    The "normal" way of doing this for web applications is either to use Apache's ability to validate via the normal User Id/PW or alternatively to use a validation list, which handles cases where you don't want/need web users to have a conventional User Id.

    Far easier to let Apache handle it than mess with the APIs unless you have a specific need.

    The Easy400.net web site has a bunch of documentation on all of this including utilities for validation list management.



    ------------------------------
    Jon Paris
    ------------------------------



  • 5.  RE: Check User and password

    Posted Thu February 23, 2023 09:42 AM

    Hello Paolo,

    I think what you are looking for is fairly easy to set up with the Apache webserver that comes with your IBM i by default. My understanding is that when you want to do authentication using local user profiles/passwords for a web application served by the Apache webserver on IBM i, then that is referred to as "Basic authentication".  You should simply go to the HTTP Admin GUI ( http://server_name:2001/HTTPAdmin ) and under Manage / HTTP Servers / Server: your HTTP server / Edit Configuration file insert something like this for the directory you would like to protect with Basic Authentication: 

    <Location /www/your_HTTP_server_path>   
      AuthName "Your web application" 
      AuthType Basic        
      PasswdFile %%SYSTEM%% 
      ProfileToken on       
      UserID %%CLIENT%%     
      Require valid-user    
    </Location>             

    Alternatively, you can get the same lines added to your HTTP server config file using other GUI portlets on the HTTPAdmin page, but I have not checked where that is exactly. You may want to check the documentation details on the AuthType and PasswdFile directives on the IBM Documentation page to find out more.

    Surely, if you want to do the authentication at the Web Application Server level for some reason, that would require a different setup. But as long as you have a standard Apache Webserver in front of your Web Application Server, then the above described configuration should work, I believe. 

    Hope this helps.



    ------------------------------
    Laszlo Angyal
    ------------------------------