I wonder if somebody has used the electronic (now digital) token generator, like the one the banks use.
I was asked to implement that in order to minimize the ability to impersonate the users in the system, besides the password.
How is it being addressed at this time at different companies?
What we're looking for is to be able to bind the user to the login recorded on the system.
If you create a client-principal object, that'll give you a sealed token you can use for an authorized user.
The CP object also has a SESSION-ID attribute you can then pass to the client, and the client can pass it back in on each API call. The SESSION-ID can then be used to get the CP object, verify that it hasn't expired, and then assert the user's ID for the duration of the call.
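The flow described above (create and seal a client-principal at login, hand the SESSION-ID to the client, look the CP up again on each call, check it is still valid, then assert the user), written out in OpenEdge ABL as an added example; this is not code from the original thread or from Progress. It assumes a domain named "app" registered with a placeholder access code, a server-side temp-table as the session store, a 30-minute login lifetime, and that the password has already been checked before loginUser is called; all of those are example choices, not anything the thread states.

```abl
/* Added example, not from the original thread. Assumptions: domain "app",
   placeholder access code, temp-table session store, 30-minute lifetime. */

DEFINE VARIABLE cAccessCode AS CHARACTER NO-UNDO INITIAL "PLACEHOLDER-ACCESS-CODE".

/* Server-side session store keyed by the CP's SESSION-ID (assumed design). */
DEFINE TEMP-TABLE ttSession NO-UNDO
    FIELD sessionId AS CHARACTER
    FIELD hCP       AS HANDLE
    INDEX ixSession IS PRIMARY UNIQUE sessionId.

/* The domain must be registered (and locked) before SEAL / VALIDATE-SEAL. */
SECURITY-POLICY:REGISTER-DOMAIN("app", cAccessCode, "", "Example domain").
SECURITY-POLICY:LOCK-REGISTRATION().

/* Login: build the CP, seal it, remember it, and return only the SESSION-ID.
   The sealed CP itself never leaves the server. */
FUNCTION loginUser RETURNS CHARACTER (pcUser AS CHARACTER):
    DEFINE VARIABLE hCP AS HANDLE NO-UNDO.

    CREATE CLIENT-PRINCIPAL hCP.
    /* user@domain, a fresh random session id, and the expiry the
       LOGIN-STATE check below keys off. */
    hCP:INITIALIZE(pcUser + "@app",
                   GUID(GENERATE-UUID),
                   ADD-INTERVAL(NOW, 30, "minutes")).
    IF NOT hCP:SEAL(cAccessCode) THEN DO:
        DELETE OBJECT hCP.
        RETURN ?.   /* sealing failed: wrong domain or access code */
    END.

    CREATE ttSession.
    ASSIGN ttSession.sessionId = hCP:SESSION-ID
           ttSession.hCP       = hCP.
    RETURN hCP:SESSION-ID.
END FUNCTION.

/* Per API call: resolve SESSION-ID -> CP, prove the seal is intact, make
   sure the login has not expired or been logged out, then assert the user. */
FUNCTION assertUser RETURNS CHARACTER (pcSessionId AS CHARACTER):
    DEFINE VARIABLE hCP AS HANDLE NO-UNDO.

    FIND ttSession WHERE ttSession.sessionId = pcSessionId NO-ERROR.
    IF NOT AVAILABLE ttSession THEN RETURN ?.   /* unknown session */
    hCP = ttSession.hCP.

    IF NOT VALID-HANDLE(hCP) OR NOT hCP:VALIDATE-SEAL(cAccessCode) THEN
        RETURN ?.                               /* tampered or unsealed */
    IF hCP:LOGIN-STATE <> "LOGIN" OR hCP:LOGIN-EXPIRATION-TIMESTAMP < NOW THEN
        RETURN ?.                               /* EXPIRED / LOGOUT / FAILED */

    /* Bind the session to this user for the rest of the call. */
    SECURITY-POLICY:SET-CLIENT(hCP).
    RETURN hCP:USER-ID.
END FUNCTION.

/* Logout: invalidate the CP so a replayed SESSION-ID is rejected. */
PROCEDURE logoutUser:
    DEFINE INPUT PARAMETER pcSessionId AS CHARACTER NO-UNDO.

    FIND ttSession WHERE ttSession.sessionId = pcSessionId NO-ERROR.
    IF NOT AVAILABLE ttSession THEN RETURN.
    IF VALID-HANDLE(ttSession.hCP) THEN DO:
        ttSession.hCP:LOGOUT().
        DELETE OBJECT ttSession.hCP.
    END.
    DELETE ttSession.
END PROCEDURE.
```

The point of returning only the SESSION-ID to the client is that the client never holds anything it could alter: the user identity, domain and expiry live in the sealed CP on the server, VALIDATE-SEAL catches any modification, and LOGIN-STATE plus the expiration timestamp bound how long a captured SESSION-ID remains useful.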
Thanks for such detailed info... I'll check your deep info.
Did anyone create a native ABL library for this?