Communication between JAVA reporting software and main software in PHP

3

I thought a lot about whether to open this question or not (it may be out of scope, too broad or opinion-based), but as I have many questions regarding the use of a correct structure that meets my need, I decided to open it.

Let's get to my need.

Reporting system:

We have reporting software (JAVA); it does not have an API to render the report in PHP. All clients will have access to it (each customer will be differentiated by a unique key).
We need to access these reports by passing parameters, which could lead to inconvenience due to attempts to access undue information ...

Security:

When the user logs in to the system in PHP he will get a unique key that would be stored in a URL table, and when that key is deleted, that key would be deleted.

Every time he accesses a report this key would be passed for validation on the other system before opening the report. After all, the user would not like to log in again when entering this system ... and the unique key would also be passed for each client.

That is, until now we have three parameters:

    exemplo.com/relatorios?relatorio=teste&cliente=teste&chave_acesso=teste

The main issue:

  • Wouldn't there be a better way to implement security between these two pieces of software without having to pass parameters in the URL?
  • If the URL is used, regarding storing the key in a table, what would be its advantages / disadvantages?
  • asked by anonymous 19.03.2015 / 18:31

    1 answer

    4

    Yes, there are better ways, after all anyone could see the parameter in the URL in the browser or in a log of accesses and would know the "secret" of that user, which ends up functioning as a password.

    A simple but still not 100% secure way is to generate a new random key per report, because even if someone can see that report by copying the URL, the security breach will be much smaller than allowing access to all reports.

    Another alternative would be for the Java system to expose a web service to the system in PHP. Then the user would request the report for the system in PHP, which would invoke the corresponding web service and return the report to the user.

    There are two basic ways to review report content:

  • Instruct the Java system to store the report to disk, then you read it from PHP and send the stream of bytes as the return to the user. This is relatively simple because PHP implements a ready-made function: fpassthru.
  • The Java web service directly returns the stream of bytes and PHP only passes it on to the user.

    The main advantage of this approach is that the second system is transparent to the user, who will not be aware of its existence, so it does not have to be open to external access and would be one less knot to worry about in the security issue. In short: less exposure.

    The disadvantages include a bit more work to implement and a greater burden on the system in PHP, as it will need to call the web service, retrieve the feedback, and pass it on to the user. If the server is already overloaded this may not be an option.

    19.03.2015 / 19:38
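The two ideas in the answer above (a random, per-report key instead of a long-lived per-client secret in the URL, and PHP acting as a proxy in front of the Java web service so the user never sees the Java system) combined into one PHP front end. This is an added example, not code from the question or the answer: the backend address REPORT_BACKEND, the bearer token BACKEND_TOKEN, the report whitelist and the session key `cliente` are all assumptions, and the Java side is assumed to accept `relatorio` and `cliente` as query parameters and return a PDF.

```php
<?php
// Added example (not from the original question or answer). A PHP page that
// issues one-time tickets for reports and proxies the report bytes from the
// Java service, so the user's URL never carries the client secret and the
// Java system does not need to be reachable from outside.
declare(strict_types=1);

// Hypothetical internal address of the Java reporting service and the
// server-to-server secret PHP presents to it (keep it in config, never in a URL).
const REPORT_BACKEND = 'http://reports.internal:8080/render';
const BACKEND_TOKEN  = 'REPLACE_WITH_SERVER_SECRET';

// Only report names the PHP side is willing to request (assumed names).
const ALLOWED_REPORTS = ['vendas', 'estoque'];

/**
 * Issue a random, single-use, short-lived ticket for ONE report, bound to the
 * client recorded in the session. The ticket is the only thing that appears in
 * the link; it grants nothing for other reports or other clients.
 */
function issueReportTicket(string $relatorio): string
{
    if (!in_array($relatorio, ALLOWED_REPORTS, true)) {
        throw new InvalidArgumentException('unknown report');
    }
    $ticket = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG
    $_SESSION['report_tickets'][$ticket] = [
        'relatorio' => $relatorio,
        'cliente'   => $_SESSION['cliente'],       // taken from the login, not from the user
        'expires'   => time() + 120,               // two minutes is enough to click the link
    ];
    return $ticket;
}

/**
 * Validate and consume a ticket. It is removed on first use whether or not it
 * was valid, so a copied URL cannot be replayed. Returns the stored entry or null.
 */
function consumeReportTicket(string $ticket): ?array
{
    $entry = $_SESSION['report_tickets'][$ticket] ?? null;
    unset($_SESSION['report_tickets'][$ticket]);
    if ($entry === null || $entry['expires'] < time()) {
        return null;
    }
    return $entry;
}

/**
 * Fetch the report from the Java backend and pass the bytes on to the browser.
 * The client id comes from the consumed ticket (hence from the session), so no
 * user-controlled parameter decides whose data is rendered.
 */
function streamReport(string $ticket): void
{
    $entry = consumeReportTicket($ticket);
    if ($entry === null) {
        http_response_code(403);
        exit('invalid or expired report ticket');
    }

    $url = REPORT_BACKEND . '?' . http_build_query([
        'relatorio' => $entry['relatorio'],
        'cliente'   => $entry['cliente'],
    ]);
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => ['Authorization: Bearer ' . BACKEND_TOKEN],
        CURLOPT_TIMEOUT        => 30,
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);

    if ($body === false || $status !== 200) {
        http_response_code(502);                   // backend error is not shown in detail
        exit('report service unavailable');
    }
    header('Content-Type: application/pdf');
    header('Content-Disposition: inline; filename="' . $entry['relatorio'] . '.pdf"');
    header('Cache-Control: no-store');             // do not let proxies or the browser keep it
    echo $body;
}

// Entry point: relatorios.php (renders a link) or relatorios.php?ticket=<hex>
session_start();
if (!isset($_SESSION['cliente'])) {
    http_response_code(401);
    exit('login required');
}
if (isset($_GET['ticket'])) {
    streamReport((string) $_GET['ticket']);
} else {
    $t = issueReportTicket('vendas');
    echo '<a href="relatorios.php?ticket=' . htmlspecialchars($t, ENT_QUOTES) . '">Vendas</a>';
}
```

The ticket replaces the `chave_acesso` parameter from the question: it is random, tied to one report and one client, expires in two minutes and is deleted on first use, so a URL that leaks through browser history or an access log is worthless shortly afterwards. The Java service only ever sees the server secret in a header from the PHP host, which is the "less exposure" the answer describes. If the Java system writes the report to disk instead of answering over HTTP, the curl call would be replaced by opening that file and calling fpassthru on it, with the rest of the ticket logic unchanged.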