Reputation: 177
I have an application (client application) hosted on a Tomcat server, and this application has to be integrated as a tab in another application (parent application). User authentication is done in the parent application. In the parent application's HTML we are using an iframe to integrate the client. Everything is working fine except this: if someone knows the URL, they can access the client application. How can we avoid this? We are using Java, Servlet, HTML, and Tomcat as technologies.
Thanks :)
Upvotes: 1
Views: 160
Reputation: 1581
You can also use x-frame-options in your header. I found this article with some quick googling: http://www.jtmelton.com/tag/x-frame-options/
This will prevent your app from loading in frames except for the domains which you allow permission. You might check into browser compatibility; I'm not sure when this was implemented in different browsers.
Also, you can check the 'host' and 'referrer' header fields to check that requests are coming from a domain you trust before sending a response.
OAuth is the standard for authorizing third-party apps. You should check into that as an authentication approach.
None of these will give you a completely secure app. You should consider consulting with a security expert.
Upvotes: 1
Reputation: 1613
From the parent application, add a cookie, and from the child application, get that cookie and validate the user (if both are running on the same domain).
Upvotes: 0
Reputation: 115328
One possible solution is token-based authentication. The parent application should add a special token either as a URL parameter or as an HTTP header. The token should contain authentication information in encrypted form. The "client" application should extract the information and decide whether authentication passed or failed. In order to guarantee that no one can copy this token and then get unauthenticated access to your application, you should make the token one-time or limited in time range.
Upvotes: 1
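A sketch of the one-time, time-limited encrypted token described in the answer above, as an added example that is not code from any of the posts. It assumes the parent and client applications share a 32-byte AES key; the class name `FrameToken`, the `issue`/`verify` methods and the token layout (12-byte IV, then AES-GCM ciphertext of expiry plus user name) are hypothetical choices for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

public class FrameToken {  // hypothetical name, not from the page
    private static final SecureRandom RNG = new SecureRandom();
    // IVs of tokens already redeemed; a real deployment would evict entries after expiry.
    private static final Set<String> USED = ConcurrentHashMap.newKeySet();

    // Parent side: encrypt (expiry timestamp, user name) with AES-GCM under the shared key.
    static String issue(byte[] key, String user, long ttlMillis, long now) throws Exception {
        byte[] iv = new byte[12];
        RNG.nextBytes(iv);  // fresh random IV per token, also used as the one-time id
        byte[] name = user.getBytes(StandardCharsets.UTF_8);
        byte[] plain = ByteBuffer.allocate(8 + name.length).putLong(now + ttlMillis).put(name).array();
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plain);
        byte[] out = ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);  // safe as a URL parameter
    }

    // Client side: returns the user name, or null if the token is forged, expired or already used.
    static String verify(byte[] key, String token, long now) {
        try {
            byte[] raw = Base64.getUrlDecoder().decode(token);
            if (raw.length < 12 + 8 + 16) return null;               // IV + expiry + GCM tag
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, raw, 0, 12));
            ByteBuffer plain = ByteBuffer.wrap(c.doFinal(raw, 12, raw.length - 12)); // throws if tampered
            if (plain.getLong() < now) return null;                  // expired
            String id = Base64.getEncoder().encodeToString(Arrays.copyOf(raw, 12));
            if (!USED.add(id)) return null;                          // replayed
            return StandardCharsets.UTF_8.decode(plain).toString();
        } catch (Exception e) { return null; }                       // bad tag, bad Base64, bad key
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[32]; RNG.nextBytes(key);               // constructed demo key
        long now = System.currentTimeMillis();
        String t = issue(key, "alice", 30_000, now);
        System.out.println(verify(key, t, now));                     // first use: user name
        System.out.println(verify(key, t, now));                     // replay: null
        System.out.println(verify(key, issue(key, "bob", 30_000, now), now + 60_000)); // expired: null
    }
}
```

In a servlet deployment, `verify` would run in a filter in front of the client application, which then sets its own session so the token is needed only on the first iframe request.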