Question

I have two web applications, app-A and app-B (both will be hosted on different servers). Now, for a particular event in app-A, I need to call a URL on app-B so that app-B can do some processing. Inside app-A, I am using login/logout for authorizing users, so at app-A everything is secure.

But if the URL is exposed to someone, they can play with my app-B. So how can I validate in app-B that the request is coming from an authorized user of app-A?

I am using Java (Spring MVC). Thanks in advance for your time.

UPDATE:

  • app-A and app-B will both be hosted and exposed to the public.
  • app-A and app-B have different sets of users (tables) in the database and different login mechanisms.
  • The scenario is: in app-A the admin logs in and does some activity. This fires a call to an unprotected URL of app-B. The question is: how do I make sure in app-B that the call is coming from the admin of app-A only, not from any outside users?

No correct solution

OTHER TIPS

You need a single sign-on server; CAS is a good one.

You have to create a link that includes the specific request, some custom text (for example: session id) and a digital signature of this text, signed with a private key that is shared by both of your applications. app-B can validate the signature, and if it passes, then fire the request.

[edit]: You have to remember that the token being passed has to have a limited lifetime; otherwise, if someone catches the link, he will be able to use it later. So you can add the date and time of token creation to your 'custom text' (mentioned above) and have app-B not fire requests that were created more than 5 min ago.
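The signed, time-limited token described in the answer above, written out as an added Java example (it is not code from the question or the answer). Because the answer's key is shared by both applications, the example uses an HMAC (HmacSHA256 from the JDK's `javax.crypto`) rather than an asymmetric signature; the validation logic is the same. The payload string, the placeholder secret, the 5-minute window and the 60-second skew allowance are assumptions made for the example; in a real deployment the secret is loaded from configuration on both servers.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;

// Token format: payload|issuedAtMillis|signature, where signature = HMAC(payload|issuedAtMillis).
// app-A calls issue(); app-B calls verify() before doing any processing.
public class SignedRequestToken {
    private static final String ALG = "HmacSHA256";
    private static final long MAX_AGE_MILLIS = 5 * 60 * 1000L;   // the answer's 5-minute window (assumed)
    private static final long CLOCK_SKEW_MILLIS = 60 * 1000L;    // tolerance for clock drift between servers (assumed)

    private final byte[] secret;

    public SignedRequestToken(byte[] secret) {
        this.secret = secret.clone();
    }

    // app-A side: bind the "custom text" (e.g. admin session id plus the requested action)
    // to the creation time and sign both together.
    public String issue(String payload, long nowMillis) {
        String body = payload + "|" + nowMillis;
        return body + "|" + sign(body);
    }

    // app-B side: returns the payload if the token is authentic and fresh, null otherwise.
    public String verify(String token, long nowMillis) {
        int sigSep = token.lastIndexOf('|');
        if (sigSep < 0) return null;
        String body = token.substring(0, sigSep);
        byte[] provided = token.substring(sigSep + 1).getBytes(StandardCharsets.US_ASCII);
        byte[] expected = sign(body).getBytes(StandardCharsets.US_ASCII);
        // Constant-time comparison so response timing does not leak the expected signature.
        if (!MessageDigest.isEqual(expected, provided)) return null;

        int tsSep = body.lastIndexOf('|');
        if (tsSep < 0) return null;
        long issuedAt;
        try {
            issuedAt = Long.parseLong(body.substring(tsSep + 1));
        } catch (NumberFormatException e) {
            return null;
        }
        // Reject tokens older than the window, and tokens dated further in the future than skew allows.
        if (nowMillis - issuedAt > MAX_AGE_MILLIS) return null;
        if (issuedAt - nowMillis > CLOCK_SKEW_MILLIS) return null;
        return body.substring(0, tsSep);
    }

    private String sign(String data) {
        try {
            Mac mac = Mac.getInstance(ALG);
            mac.init(new SecretKeySpec(secret, ALG));
            byte[] tag = mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("HMAC unavailable", e);
        }
    }

    public static void main(String[] args) {
        // Placeholder secret, constructed for the example; both apps must hold the same bytes.
        byte[] secret = "CHANGE-ME-shared-secret".getBytes(StandardCharsets.UTF_8);
        SignedRequestToken appA = new SignedRequestToken(secret);
        SignedRequestToken appB = new SignedRequestToken(secret);

        long now = System.currentTimeMillis();
        String token = appA.issue("admin-session-42:reindex", now);

        System.out.println("fresh token   -> " + appB.verify(token, now + 1_000));               // payload
        System.out.println("6 min later   -> " + appB.verify(token, now + 6 * 60 * 1_000));      // null (expired)
        System.out.println("altered body  -> " + appB.verify(token.replace("reindex", "purge"), now)); // null (bad MAC)
        System.out.println("garbage       -> " + appB.verify("not-a-token", now));               // null
    }
}
```

The timestamp is inside the signed body, so an attacker who captures a link cannot extend its lifetime by editing the time. A captured link can still be replayed within the 5-minute window; if the triggered action is not idempotent, app-B should additionally record seen tokens (or a nonce in the payload) for the length of the window and reject duplicates. Send the token over HTTPS so it is not captured in transit in the first place.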

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow