There is a sample Zowe Spring Boot micro service that can stand alone with no 
external Zowe dependencies which you can use to decouple access 
control/authentication from your application. 

> On 21 Feb 2022, at 9:08 pm, David Crayford <dcrayf...@gmail.com> wrote:
> 
> You can do all of that in C code using the __passwd() and 
> __check_resource_auth_np library functions. You will need to be program 
> controlled which means Python and its runtime will also need to be platform 
> controlled. Most modern services do this using an API like the Zowe 
> authentication API. If you're writing a web application in Flask you should 
> consider using JWTs. If it were me, I would prefer to use a Spring Boot Java 
> application instead of Python. There is a much richer set of SAF APIs and the 
> entire Java JRE is program controlled.
> 
>> On 21/2/22 8:38 pm, Erik Janssen wrote:
>> Hello List,
>> 
>> We are creating some APIs with python flask running on z/OS (some in 
>> combination with z open automation utilities in order to drive existing rexx 
>> / ispf edit macro logic) and that is looking very promising. In order to 
>> properly protect those APIs I am trying to create an authorization API, that 
>> would call a module that can verify a RACF user/password/appl combination so 
>> that it can return a token with which - for some time - you can then call 
>> the actual APIs. I've managed to create an assembler DLL that works with 
>> that principle, calling the necessary RACROUTEs. But, since this module 
>> needs APF authorisation I can only see a way to call the module as a 
>> subprocess through an - apf authorized - c main wrapper program. In this 
>> case it will return the SAF RC and the actual wto message as stdout. But, 
>> specifying a password this way as a cmdline parm means that it would show up 
>> in ps screen in SDSF for example.
>> Loading the assembler DLL in python through CDLL technically works, but 
>> actually will get a S683 abend, since it lost its APF authorisation.
>> My idea was that the module will check if the caller is authorized to 
>> actually check the specified user/password by some custom racf profile, so 
>> that I can prevent it from generally being allowed to check all 
>> user/password combinations.
>> Apart from the obvious risks involved in APF authorized routines, given 
>> this principle that I would like to create a routine that - in a controlled 
>> way - could do password checking for unauthorized callers, what options are 
>> there to do so?
>> As far as I can see, the only option would be to provide some PC routine, 
>> with an unauthorized stub that can call the authorized running PC 'backend', 
>> but I'm not even sure if that would be a proper way to use a PC routine (let 
>> alone whether I would ever manage to - securely - create one).
>> 
>> Kind regards,
>> Erik.
>> 
>> ----------------------------------------------------------------------
>> For IBM-MAIN subscribe / signoff / archive access instructions,
>> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
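Two points from the thread above, the password showing up in ps/SDSF when passed as a command-line parm and the "token valid for some time" the authorization API should hand back, as an added example that is not code from either poster. It assumes an authorized helper program that reads userid/password/appl from stdin and exits with the SAF return code (the real helper, a C wrapper around __passwd() or the assembler DLL, is replaced here by a constructed stand-in); the Flask APIs then verify the token and never see the password.

```python
# Added example: credentials go to the SAF-checking helper over stdin, never argv
# (so they are absent from ps/SDSF), and a short-lived HMAC token is issued instead.
import base64, hmac, hashlib, json, os, subprocess, sys, time

TOKEN_KEY = os.urandom(32)   # per-process signing key (assumption: kept in memory only)
TOKEN_TTL = 600              # seconds a token stays valid

def run_authenticator(cmd, userid, password, appl):
    """Run the authorized helper; credentials go over stdin, never argv.
    Returns the helper's exit status (assumed to mirror the SAF return code)."""
    payload = f"{userid}\n{password}\n{appl}\n".encode()
    proc = subprocess.run(cmd, input=payload, capture_output=True, check=False)
    return proc.returncode

def b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def issue_token(userid, appl, now=None):
    body = {"sub": userid, "appl": appl, "exp": int(now or time.time()) + TOKEN_TTL}
    data = json.dumps(body, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(TOKEN_KEY, data, hashlib.sha256).digest()
    return b64u(data) + "." + b64u(sig)

def verify_token(token, now=None):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        data_b64, sig_b64 = token.split(".")
        pad = lambda s: s + "=" * (-len(s) % 4)
        data = base64.urlsafe_b64decode(pad(data_b64))
        sig = base64.urlsafe_b64decode(pad(sig_b64))
    except ValueError:
        return None
    if not hmac.compare_digest(sig, hmac.new(TOKEN_KEY, data, hashlib.sha256).digest()):
        return None
    claims = json.loads(data)
    if claims.get("exp", 0) <= int(now or time.time()):
        return None
    return claims

def login(userid, password, appl, cmd):
    """Authenticate via the helper; on SAF RC 0 return a token, otherwise None."""
    if run_authenticator(cmd, userid, password, appl) != 0:
        return None
    return issue_token(userid, appl)

# Stand-in helper (constructed for the demo): accepts only one constructed pair.
DEMO_HELPER = [sys.executable, "-c",
    "import sys;u,p,a=sys.stdin.read().split('\\n')[:3];sys.exit(0 if (u,p)==('USER01','s3cret') else 8)"]
```

`login("USER01", "s3cret", "MYAPPL", DEMO_HELPER)` returns a token that `verify_token` accepts until TOKEN_TTL elapses; a wrong password yields None and the credentials never appear in the helper's argument list.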
