Secure authentication between different systems

Viewed 91 times

0

My scenario is the following: a PHP system authenticates the user and should call my application (Java) stating which user this is. My application does not authenticate this user; it only receives an identifier for him and loads the information it needs. The question is: how to communicate between the systems safely? Today I have a Java Servlet that receives an HTTP POST call informing the user id, but anyone who intercepts this request can authenticate.

  • Hello, welcome to [en.so]! I think you need to be more precise in your question. Do these systems stay in the same internal network, or do they live in separate places, with the communication going over the internet?

  • Sorry for the lack of details. The two systems are web applications, run on different networks, and communicate via the internet only.

2 answers

0

I know two ways to do this:

  • using SSL in communication (more secure)
  • implementing security measures yourself (in case you don’t know how to implement SSL and want to save time)

Implementing security measures yourself

You can create a token, which is any string built following some logic; both applications must know this logic to encrypt and decrypt it.
Once that is done, apply md5 to it to turn it into a random-looking string. That string will be your token, which PHP should send to Java, and Java in turn will decrypt it to check whether the user was successfully authenticated, thus making it harder to intercept.

Even so, if you intercept this communication, you’ll need to figure out the logic used to circumvent new requests.

  • 1

    Thanks for the suggestions, I will research more on the subject. From the information I have gathered so far, the best way is to use encryption, for example asymmetric encryption.

  • Exactly, I used md5 to encrypt, but there are other means; it will depend on your preference and situation :)

0

Remote access

If the source and destination servers are on different networks and access between them is remote, via the internet, the most recommended approach is to use authentication via certificate.

On the server, the certificate must be mapped to a special user who has the access that the remote system needs.

Thus, the connection is encrypted and the communication is secure. In addition you ensure that only the remote server with that certificate will have access.

Internal network

If both systems coexist within an internal network, Intranet, you can use rules in the company’s proxy or firewall to filter permissible access.

An example would be to allow access to the URL of that service only from the server where the PHP system is located.

Considerations

In both cases, I mentioned techniques that delegate data authentication and privacy to recognised and common security solutions.

Avoid reinventing the wheel (which usually doesn’t work right), for example by creating your own encryption mechanism.

  • Thanks for the suggestions and sorry for the lack of information. I found @Edson's suggestions on asymmetric encryption interesting. I am researching more on the subject. Thank you.

  • @hebertrfreitas Asymmetric encryption is almost synonymous with using certificates.
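Both answers revolve around how the Java side can tell that a user id really came from the PHP side and is not a replayed capture. The following is an added example (not from either answerer, and not PHP or Java) showing the token idea from the first answer done with a standard primitive, HMAC-SHA256 over `user_id|timestamp|nonce` keyed with a shared secret, plus a freshness window and a replay cache on the receiver. The secret value, the 60-second window and the helper names are assumptions; the token still belongs inside a TLS connection, since the user id travels in the clear and the secret must be provisioned to both sides out of band.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed shared secret: in practice a long random value provisioned out of
# band to both the PHP side and the Java side, never sent over the wire.
SHARED_SECRET = b"example-shared-secret-provisioned-out-of-band"
MAX_SKEW_SECONDS = 60  # assumed freshness window


def issue_token(user_id: str, secret: bytes = SHARED_SECRET,
                now: Optional[float] = None) -> str:
    """Sender side (the PHP system in the question): build user_id|timestamp|nonce
    and append an HMAC-SHA256 over it keyed with the shared secret."""
    ts = str(int(time.time() if now is None else now))
    nonce = os.urandom(16).hex()  # fresh per request, so each token is unique
    payload = f"{user_id}|{ts}|{nonce}"
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


class TokenVerifier:
    """Receiver side (the Java servlet in the question)."""

    def __init__(self, secret: bytes = SHARED_SECRET, max_skew: int = MAX_SKEW_SECONDS):
        self.secret = secret
        self.max_skew = max_skew
        self.seen_nonces = set()  # replay cache; bound or expire it in production

    def verify(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user id if the token is authentic, fresh and unseen, else None."""
        parts = token.split("|")
        if len(parts) != 4:
            return None
        user_id, ts, nonce, mac = parts
        payload = f"{user_id}|{ts}|{nonce}"
        expected = hmac.new(self.secret, payload.encode(), hashlib.sha256).hexdigest()
        # Constant-time comparison: a forger must not learn the MAC byte by byte.
        if not hmac.compare_digest(expected, mac):
            return None
        try:
            age = (time.time() if now is None else now) - int(ts)
        except ValueError:
            return None
        if abs(age) > self.max_skew:
            return None  # stale or far-future timestamp: reject
        if nonce in self.seen_nonces:
            return None  # replay of an intercepted token: reject
        self.seen_nonces.add(nonce)
        return user_id
```

A captured token therefore buys an attacker nothing after it has been used once or after the window expires, and changing the user id in it invalidates the MAC.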
