I'm working on a Spring (IoC/MVC/Security)/JTOpen project backed by DB2 on IBM System i (AS/400). For reasons I won't be able to discuss here, every user of the application was given an account on the IBM i (i5/OS) operating system so that his transactions get logged against his identity in the Journal (DB2 log files). In order to achieve that, we have been establishing a connection once someone logs into the system using his credentials, and accordingly getting his transactions against his name in the Journal.

Problem: Recently, we have been investigating getting a connection pool in place instead of the status quo of a connection per session. If the pool establishes these connections once the application starts, using a generic i5/OS account, say: SystemAccount, and then a user logs in and requests one of these connections, is there any way to execute transactions under the identity of the user although the connection was established using the generic system account?


Solution

The com.ibm.as400.security.auth package provides classes that allow user profile swapping using IBM i profile token and credential classes when using the AS400 connection class.

If you are using JDBC you can call the Security-related APIs to adopt profiles on the connection.

  • Get Profile Handle (QSYGETPH) validates a user ID and password, and creates an encrypted abbreviation called a profile handle for that user profile.
  • Set Profile Handle (QWTSETP) switches the job to run under a new profile.
  • Generate Profile Token (QSYGENPT) verifies that the caller has authority to generate a profile token for the requested profile and then generates a profile token.
  • Set To Profile Token (QSYSETPT) validates the profile token and changes the current thread to run under the user and group profiles represented by the profile token.
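
The JDBC route described in the answer above, as an added example that is not part of the original answer: it swaps a pooled connection's server job to the end user, runs the work, and always swaps back before the connection can return to the pool. It assumes an administrator has declared stored-procedure wrappers over the APIs; the names `MYLIB.GETPH`, `MYLIB.SETP` and `MYLIB.RLSPH` are hypothetical, and Release Profile Handle (QSYRLSPH) is an IBM i API the answer does not list.

```java
import java.sql.CallableStatement;
import java.sql.Connection;
import java.sql.SQLException;
import java.sql.Types;

public final class ProfileSwap {
    /** Work to run while the connection's server job is swapped to the end user. */
    public interface Work { void run(Connection c) throws SQLException; }

    // Hypothetical wrappers (assumed, not from the answer), handle = CHAR(12) FOR BIT DATA:
    //   MYLIB.GETPH(IN user, IN pwd, OUT handle) -> QSYGETPH
    //   MYLIB.SETP(IN handle) -> QWTSETP,  MYLIB.RLSPH(IN handle) -> QSYRLSPH
    static byte[] getHandle(Connection c, String user, String pwd) throws SQLException {
        try (CallableStatement cs = c.prepareCall("CALL MYLIB.GETPH(?, ?, ?)")) {
            cs.setString(1, user);
            cs.setString(2, pwd);
            cs.registerOutParameter(3, Types.BINARY); // handle is binary, never text
            cs.execute();
            return cs.getBytes(3);
        }
    }

    static void callWithHandle(Connection c, String proc, byte[] handle) throws SQLException {
        try (CallableStatement cs = c.prepareCall("CALL " + proc + "(?)")) {
            cs.setBytes(1, handle);
            cs.execute();
        }
    }

    public static void runAs(Connection pooled, String user, String pwd, Work work)
            throws SQLException {
        // Handle for the profile the pool connected with, so we can swap back.
        byte[] original = getHandle(pooled, "*CURRENT", "*NOPWD");
        byte[] target = null;
        try {
            target = getHandle(pooled, user, pwd);   // validates user ID and password
            callWithHandle(pooled, "MYLIB.SETP", target);
            work.run(pooled);
        } finally {
            // Swap back first. If this throws, the caller must discard the connection
            // rather than return it to the pool still running under the user's profile.
            callWithHandle(pooled, "MYLIB.SETP", original);
            if (target != null) callWithHandle(pooled, "MYLIB.RLSPH", target);
            callWithHandle(pooled, "MYLIB.RLSPH", original);
        }
    }
}
```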

Other tips

Have you verified that the transactions are actually being improperly logged? I wouldn't expect them to be.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow