Secure authentication between different systems [closed]

0

My scenario is as follows: a system in PHP authenticates the user and should then call my application (Java), informing it which user this is. My application does not authenticate this user; it only receives an identifier and loads the information the user needs. The question is: how to communicate securely between the systems? Today I have a Servlet in Java that receives an HTTP POST call informing the user id, however anyone who intercepts this request can authenticate.

asked by anonymous 30.12.2015 / 22:30

2 answers

0

I know two ways to do this:

  • using SSL in communication (more secure)
  • implementing security measures yourself (in case you do not know how to implement SSL and want to save time)

Implementing security measures yourself

You can create a token, which is any string built following some logic; both applications must know this logic to encrypt and decrypt it. After doing this, apply md5 to it so that it becomes a random string. This string will be your token, which PHP should send to Java, which in turn will decrypt it to see if the user has been successfully authenticated, so it becomes more difficult to intercept.

However, if someone intercepts this communication, they will need to find out what logic is used in order to circumvent it with new requests.

    
30.12.2015 / 23:02
0

Remote Access

If the source and destination servers are in different networks and the access from one to the other is remote, via the internet, it is most advisable to use authentication via certificate.

On the server, the certificate must be mapped to a special user who has the access that the remote system needs.

In this way, the connection is encrypted and the communication secure. In addition, you ensure that only the remote server holding that certificate will have access.

Internal network

If both systems coexist within an internal Intranet network, you can use rules in your company's proxy or firewall to filter the allowed accesses.

An example would be to allow access to the URL of this service only from the server where the PHP system is located.

Considerations

In both cases, I mentioned techniques that delegate authentication and data privacy to recognized and common security solutions.

Avoid reinventing the wheel (which usually does not work right), for example by creating your own encryption mechanism.

    
31.12.2015 / 03:51
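As an added illustration of the token idea from the first answer, done with a standard keyed MAC instead of a home-made scheme as the second answer advises: the issuer signs the user id together with an issue time and a one-time nonce under HMAC-SHA256, so a captured request cannot be recomputed for another user without the shared secret, and cannot be replayed once its nonce has been seen or its time window has passed. This is example code, not code from either answer or from the asker's systems; it assumes a secret shared out-of-band between the PHP issuer and the Java servlet (the constant below is a constructed placeholder) and servers whose clocks agree to within a few seconds. Python is used so the logic can be run here; the Java side would perform the same verification with javax.crypto.Mac.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed placeholder: in practice a random secret shared out-of-band by the
# PHP issuer and the Java verifier, never embedded in anything a browser can see.
SHARED_SECRET = b"example-shared-secret-replace-me"
TOKEN_TTL_SECONDS = 60   # how long a token stays valid after it is issued
CLOCK_SKEW_SECONDS = 5   # tolerated difference between the two servers' clocks


def issue_token(user_id, secret=SHARED_SECRET, now=None, nonce=None):
    """Issuer side (the PHP system): HMAC-SHA256 over user id, issue time and nonce."""
    payload = {
        "uid": user_id,
        "iat": int(time.time() if now is None else now),
        "nonce": nonce or secrets.token_hex(16),
    }
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode().hex()
    sig = hmac.new(secret, body.encode("ascii"), hashlib.sha256).hexdigest()
    return body + "." + sig


def verify_token(token, seen_nonces, secret=SHARED_SECRET, now=None,
                 ttl=TOKEN_TTL_SECONDS):
    """Verifier side (the Java servlet): return the user id, or None to reject."""
    body, sep, sig = token.partition(".")
    if not sep:
        return None
    expected = hmac.new(secret, body.encode("ascii"), hashlib.sha256).hexdigest()
    # Constant-time comparison: a plain == would leak the signature byte by byte.
    if not hmac.compare_digest(expected, sig):
        return None
    try:
        payload = json.loads(bytes.fromhex(body))
    except ValueError:
        return None
    current = time.time() if now is None else now
    iat = payload.get("iat")
    # A captured token is useless after ttl seconds; a future iat is refused too.
    if not isinstance(iat, int) or not (current - ttl <= iat <= current + CLOCK_SKEW_SECONDS):
        return None
    nonce = payload.get("nonce")
    # The same token presented twice inside ttl is a replay, not a new login.
    if not isinstance(nonce, str) or nonce in seen_nonces:
        return None
    seen_nonces.add(nonce)
    return payload.get("uid")
```

The verifier's `seen_nonces` store only needs to retain nonces for `ttl` seconds, since anything older is already rejected by the time check.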