Communication between JAVA reporting software and main PHP software

Viewed 87 times

3

I thought a lot about whether or not to open this question (it may be out of scope, too broad, or opinion-based), but since I have many doubts about using a correct structure that meets my need, I decided to open it.

Let’s go to my need.

Reporting system:

We have reporting software (Java); it does not have an API for rendering the report in PHP.
All customers will have access to it (each client will be differentiated by a single key).
We need to access these reports through a URL passing parameters, which could cause trouble through attempts to access improper information...

Security:

When the user logs into the PHP system, he will get a unique key that would be stored in a MEMORY table, and on leaving, that key would be eliminated.

Every time he accesses a report, this key would be passed for validation on the other system before opening the report. After all, the user would not like to log in again when entering this system... and we also passed the single key to each customer.

So far we have three parameters:
exemplo.com/relatorios?relatorio=teste&cliente=teste&chave_acesso=teste

The main issue:

  1. Wouldn't there be a better way to implement security between these two pieces of software without using URL parameters?
  2. If the URL were used, when it comes to storing the key in a MEMORY table, what would be its advantages/disadvantages?
  • I strongly recommend this lib: https://github.com/geekcom/phpjasper

1 answer

4


Yes, there are better ways; after all, anyone could see the parameter in the URL in the browser or in a login log and know the "secret" of that user, which ends up working as a password.

One simple but not yet 100% secure way is to generate a new random key per report, because even if someone can see that report by copying the URL, the security breach will be much smaller than allowing access to all reports.

Another alternative would be for the Java system to expose a web service to the PHP system. Then the user would request the report from the PHP system, which would invoke the corresponding web service and return the report to the user.

There are two basic ways to pass on the content of the report:

  1. Instruct the Java system to store the report on disk, then read it from PHP and send the byte stream back to the user as the response. This is relatively simple because PHP implements a ready-made function: fpassthru.
  2. The Java webservice directly returns the byte stream and PHP just passes it on to the user.

The main advantage of this approach is that the second system is transparent to the user, who will not be aware of its existence; therefore it does not need to be open to external access and would be one node less to worry about on the security side. In short: less exposure.

Disadvantages include a little more work to implement and a bigger load on the PHP system, as it will need to call the web service, retrieve the response and pass it on to the user. If the server is already overloaded, this may not be an option.

  • 1

    Thank you very much, this opened up my range of possibilities, in addition to presenting options that I had not thought of before. I’ll look into it and see if I can implement the solution here.
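
The proxy alternative described in the answer above, as an added example that is not part of the original question or answer: the PHP system authenticates the user from its own session, takes the client from that session rather than from the URL, calls the Java service on an internal address and relays the bytes with fpassthru. The service URL, the X-Service-Key header, the REPORT_SERVICE_KEY environment variable, the client_id session key and the report list are assumptions; opening a URL with fopen requires allow_url_fopen.

```php
<?php
// Added example: report proxy endpoint in the PHP system. All names are hypothetical.

// Assumption: the Java report service listens only on an internal address.
const REPORT_SERVICE = 'http://127.0.0.1:8080/render';
// Assumption: the reports a logged-in user may request, by public name.
const ALLOWED_REPORTS = ['teste', 'vendas'];

session_start();

// 1. The PHP session is the only user credential; no access key travels in the URL.
if (empty($_SESSION['client_id'])) {
    http_response_code(401);
    exit('Not logged in');
}

// 2. Only the report name comes from the request, checked against an allowlist.
$report = $_GET['relatorio'] ?? '';
if (!is_string($report) || !in_array($report, ALLOWED_REPORTS, true)) {
    http_response_code(404);
    exit('Unknown report');
}

// 3. The client is taken from the session, never from a request parameter,
//    so a user cannot reach another client's data by editing the URL.
$query = http_build_query([
    'relatorio' => $report,
    'cliente'   => $_SESSION['client_id'],
]);

// 4. Server-to-server call; the shared secret goes in a header, not in the URL.
$context = stream_context_create(['http' => [
    'header'  => 'X-Service-Key: ' . getenv('REPORT_SERVICE_KEY'),
    'timeout' => 30,
]]);
$stream = @fopen(REPORT_SERVICE . '?' . $query, 'rb', false, $context);
if ($stream === false) { // connection failure or HTTP error status from the service
    http_response_code(502);
    exit('Report service unavailable');
}

// 5. Relay the byte stream to the browser without buffering it in memory.
session_write_close();
header('Content-Type: application/pdf'); // assumption: reports are rendered as PDF
header('Content-Disposition: inline; filename="' . $report . '.pdf"');
header('X-Content-Type-Options: nosniff');
fpassthru($stream);
fclose($stream);
```

With this layout the browser only ever requests something like relatorios.php?relatorio=teste, and the Java service can reject any request that does not arrive from the PHP host with the service key.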
