I am developing a web application written in Java (JSF 1.2) and I need to implement new functionality which opens another 3rd-party web application (in another domain) in a new browser window.
I need to log in to this 3rd-party web application using a form POST request.
The user in my application should only see a button which should log him in to this 3rd-party web application.
The problem is that the user in my web application must not know the credentials with which he is logged in to this 3rd-party system.
This is my first dummy solution to this problem:
I added some JavaScript and a button:
```html
<script type='text/javascript'>
    // Builds a hidden login form in a new window and submits it to the 3rd-party site.
    function login(username, password) {
        var action = "https://some.portal.at.other.domain/login.jsp";
        var data = "";
        data = data + "<form name='loginform' action='" + action + "' method='post'>";
        data = data + " <input id='username' name='username' type='hidden' value='" + username + "' />";
        data = data + " <input id='password' name='password' type='hidden' value='" + password + "' />";
        data = data + "</form>";
        // "<sc" + "ript>" keeps the inner script tag from closing the outer one.
        data = data + "<sc" + "ript type='text/javascript'>";
        data = data + " document.loginform.submit();";
        data = data + "</sc" + "ript>";
        var newWindow = window.open("", "_blank");
        newWindow.document.write(data);
        newWindow.document.close();
    }
</script>
...
<a4j:commandButton id="Login"
                   value="Login"
                   onclick="login('#{user.login}', '#{user.password}')"/>
```
This works like a charm, but … when I view the HTML source in a browser, I can see:
```html
<input id="form:Login" name="form:Login" onclick="login('john', 'secret')" value="Login" type="button" />
```
because JSF evaluates #{user.login} and #{user.password} when the page is rendered, so the security is broken 🙂
My question is:
Is it possible to secure this functionality in any way?
I know that if someone has tools like FireBug or WireShark, then he can easily see this POST request if he wants, so I feel that this cannot be secured in general.
I want to secure this in a way that would require more effort to break than simply viewing the page source.
I think that I should do something like:
Execute on onclick some AJAX request which would return this JavaScript generated on the server side and then evaluate this JavaScript, but I don't know exactly how to do this.
So guys, please send me some advice.
Thanks
The only way to secure this type of process is to perform it on the server-side. That is: if the login is happening on the client-side, you must assume that the client has full access to all credentials which are used in the login.
The standard way to handle this type of situation, where a client-side request is required, but a secret login must happen first, is to have the login happen on the server-side, behind the user’s back, and return a token which the client can use to authorise a specific request which they are definitely allowed to make.