1

I have a web PHP web application that has a link to a java web application. The php application has a login page, and a link to the the java application, but not every user has permission to access the java web application. What I was trying to do is send user credentials from the php application to the java application, and then the java application checks the credentials and if correct logs in the user. I was thinking of using http headers to do this.

So my question is what is how to send user credentials from a PHP application to a java application?

If it helps I am using a Java web framework called Vaadin.

Improve this question
2
  • What's this "link" between the two applications? Commented Sep 19, 2013 at 19:32
  • I am not sure. I created the java application, and someone wants to add a link in their php application that directs to my application. My application is running on a tomcat server, so I believe that the link will have the url to my application. Commented Sep 19, 2013 at 19:39

2 Answers 2

Reset to default
3

Do a normal POST request from the PHP application to the java application. This can be done as simply as having a normal HTML form in the PHP application, set the form's method to "POST" and action to the java application's URL. If you want to catch HTTP parameters in a Vaadin application, you can do it by using request handlers (https://vaadin.com/book/vaadin7/-/page/advanced.requesthandler.html).

Then a few words of advice or something to at least consider. If your login page is in the PHP application and your "admin" application is the Vaadin application, then I discourage you from doing the credential checking in the Vaadin application. This is because when you enter the Vaadin application, a new application instance is created. This means that your UI will be initialized and whatever else you do in the UI's init method. What you probably want to do, is to hinder the user from entering the Vaadin application unless she is logged in - which means that you need to do the credential checking somewhere else - for example, have a separate servlet whose only responsibility is to log in the user. If login is granted, then give access to the Vaadin application, if access is denied, forward the user to the PHP login screen. The next question is, how do you hinder the user from accessing the Vaadin application until she is logged in? Typically, this is done using servlet filters.

I highly encourage you to use a 3rd party framework for doing the authentication and authorization. Take a look at http://shiro.apache.org/, it's easy to install and seems to work nicely together with Vaadin. All you need to do is to configure it and implement a login screen, the framework will take care of the rest.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

2

If I understood your question, you want to be able to provide an "auto-login-link" to some specific users that are logged in to the PHP application. This link should automatically login the user to the java application, right?

Without knowing any details about this case, like are both apps running on the same domain or do they use the same database (same user credentials in both apps), etc., I would propose the following solution:

Create an action (link) on the java application, which receives the necessary parameters (as GET) needed for creating the session (probably userId is sufficient), timestamp and a signature of all parameters. For example:

http://javaapp.example.com/autologin?userId=123&timeStamp=123456789&sign=hj23kh4j234jk324h

Where the signature is calculated with some strong encryption algorithm. Then you verify that the signature is correct at the receiving end (java app). If it is correct, you create the session. Signature calculation could be something like:

$signature = sha1($userId . $timeStamp . 'some salt' . $sharedSecretBetweenBothApps);

With the timeStamp you are able to check that an old link is not used. For example not allow older than 15 min old links and store used links in the java app to make sure they are never re-used. You do not have to keep history of links older than the expiration time.

Another idea, as discussed in the comments, is creating an API on the java side, which is able to provide a one-time link.

The sha1 algorithm is probably not strong enough, but shows the idea and is simple to implement.

Does this answer your question?

Improve this answer

2 Comments

This approach has a security vulnerability, the signature used is almost equivalent in sending the password in the URL - anyone who obtains the token at any point, can log in with it at any other point of time. You are also sending the token as a GET parameter, which means that it gets logged in the browser history and in server logs. Anyone having access to those could log in with your credentials. Using login tokens is ok, but they need to be secure - meaning, you cannot use one toke more than once. This can be achieved by using some one time passwords shared between the applications.
Right, in practice you probably would have a timestamp in the URL and included in the signature. Or even better would be to build an API on the java app that can create these one-time login links. API would of course be used from the server side only. One-time links would also expire after some time if they are not used.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.