Forms-Based Authentication for the IBM HTTPD Server for z/OS

We implemented forms-based authentication on our IBM HTTPD Server for z/OS via a GWAPI/REXX exit routine. Source code for the exit can be found here.

We needed to customize the login process for our web-based applications. The built-in Basic Authentication function lacks a couple of critical pieces:

  1. It is not encrypted. Basic Authentication Base64-encodes the userid and password, but Base64 is a reversible encoding, not encryption, so unless the connection itself is encrypted the credentials travel in the clear.
  2. It does not allow for additional credentials. The browser sends a single userid/password pair, so there is no place for a second factor such as a token code.

We're an academic institution, so our network tends to be open to just about anybody, and our users need to reach our systems from all over the world. It is important that our login information is encrypted. This exit forces SSL encryption: protected pages are served only as "https://..." URLs, and a plain http request gets a page pointing at the https version instead.

We also need to use two-factor authentication tokens such as RSA's SecurID or PassGo's DigiPass. With this exit we can customize the login form to collect whatever credentials we need.

Our shop has PassGo's NC-Pass product to support the security tokens.

This program runs as a pre-exit because a pre-exit is called for every request, whereas an authentication or authorization exit is only called when the corresponding directives are present in your web server configuration.

This is currently a work-in-progress. The interface is evolving. On our to-do list:

In order to activate this code, add the following to the configuration file for the IBM HTTPD Server:

# Protection setup: userids and passwords are validated against SAF (RACF);
# "Mask All" admits any authenticated SAF user.
Protection ITS_User {
        ServerId        ITS_User
        AuthType        Basic
        PasswdFile      %%SAF%%
        Mask            All
}
# Apply the setup to the URL templates of the protected applications.
Protect /its/docs/*        ITS_User %%CLIENT%%
Protect /MVSDS*            ITS_User %%CLIENT%%
Protect /RACFmaint*        ITS_User %%CLIENT%%

# GWAPI service routines. IMWX00.so is the REXX interface module; the path
# after IMWX00 is the REXX exec it runs.
Service      /MVSDS*             /usr/lpp/internet/bin/mvsds.so:mvsdsGet*
Service      /RACFmaint*         /usr/lpp/internet/bin/IMWX00.so:IMWX00/its/gwapi/RACFmaint.rx

# The forms-based authentication exit itself, called for every request.
PreExit                   /usr/lpp/internet/bin/IMWX00.so:IMWX00/its/gwapi/RACFauthR.rx


Here are some screenshots of the code in action. First, if you connect to our web server without SSL (plain http rather than https), you get a page that looks like this:

Pressing the "Continue" button will take you to the https version of the page:

After you provide your RACF userid and password, if you are required to use a security token to log in, you will be prompted for it:

Just fill in the number currently displayed on your security token ...

... and your login should be complete:

Clicking on the "Continue" button will get you to the first page of the application:
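The login sequence just walked through (refuse plain http, take the RACF userid and password, then prompt for the token code) together with the Basic Authentication weakness noted at the top of the page, as an added Python example. This is not the author's REXX exit and not IBM code: the Request and Response objects, the USERS dictionary standing in for RACF and NC-Pass, the SESSIONS store, the ITSSESSION cookie name, the page names standing in for the HTML shown in the screenshots, and the rule that returning None lets the request through to the Service routine are all assumptions made for the example.

```python
import base64
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed user directory standing in for RACF (the password) and NC-Pass
# (whether a token is required and the code currently shown on it).
USERS = {
    "ITSUSER1": {"password": "Spring24", "token_required": False, "token": None},
    "ITSADMIN": {"password": "Winter24", "token_required": True, "token": "482915"},
}
SESSIONS = {}          # session id -> {"user": str, "token_ok": bool}
COOKIE = "ITSSESSION"  # hypothetical name of the session cookie


@dataclass
class Request:
    scheme: str        # "http" or "https"
    host: str
    path: str
    method: str = "GET"
    form: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    page: str          # name of the page rendered; stands in for the HTML
    set_cookie: str = ""


def decode_basic_auth(header_value: str) -> tuple:
    """Base64 is encoding, not encryption: the userid and password come straight back."""
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    userid, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    return userid, password


def pre_exit(req: Request):
    """Runs on every request; a Response answers it, None lets the server proceed."""
    # 1. Never take credentials over plain http; offer the https URL instead.
    if req.scheme != "https":
        return Response(200, f"continue-to:https://{req.host}{req.path}")

    sess = SESSIONS.get(req.cookies.get(COOKIE, ""))

    # 2. Fully authenticated session: fall through to the Service routine.
    if sess and sess["token_ok"]:
        return None

    # 3. First stage: RACF userid and password posted from the login form.
    if req.method == "POST" and "userid" in req.form:
        userid = req.form["userid"].upper()
        user = USERS.get(userid)
        supplied = req.form.get("password", "").encode()
        # Compare against a dummy for unknown users so timing does not leak userids.
        stored = (user["password"] if user else "no-such-user").encode()
        if user is None or not hmac.compare_digest(supplied, stored):
            return Response(401, "login-form")
        sid = secrets.token_urlsafe(32)
        SESSIONS[sid] = {"user": userid, "token_ok": not user["token_required"]}
        page = "token-prompt" if user["token_required"] else "login-complete"
        return Response(200, page, set_cookie=f"{COOKIE}={sid}; Secure; HttpOnly; Path=/")

    # 4. Second stage: password already checked, now waiting for the token code.
    if sess:
        if req.method == "POST" and "token" in req.form:
            expected = (USERS[sess["user"]]["token"] or "").encode()
            if hmac.compare_digest(req.form["token"].encode(), expected):
                sess["token_ok"] = True
                return Response(200, "login-complete")
        return Response(401, "token-prompt")

    # 5. No session and no credentials: show the login form.
    return Response(401, "login-form")


def walk_through() -> list:
    """Replays the page sequence described above for a user who needs a token."""
    SESSIONS.clear()
    jar, pages = {}, []

    def send(req: Request) -> None:
        req.cookies = dict(jar)
        resp = pre_exit(req)
        if resp and resp.set_cookie:  # the browser keeps the session cookie
            jar[COOKIE] = resp.set_cookie.split(";")[0].split("=", 1)[1]
        pages.append(resp.page if resp else "application")

    host, path = "www.example.edu", "/RACFmaint/"
    send(Request("http", host, path))
    send(Request("https", host, path))
    send(Request("https", host, path, "POST", {"userid": "itsadmin", "password": "Winter24"}))
    send(Request("https", host, path, "POST", {"token": "482915"}))
    send(Request("https", host, path))
    return pages
```

walk_through() returns the five pages in the order of the screenshots: the "continue to https" page, the login form, the token prompt, the login-complete page, and finally the application itself once the session is fully authenticated. Points worth carrying into a real exit: the session cookie is issued only over https and marked Secure and HttpOnly, the password and token comparisons use a constant-time compare, and an unknown userid is compared against a dummy password so the response time does not reveal which userids exist. In production the USERS lookup would be replaced by the actual RACF password check and the NC-Pass token validation.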