
Integrating Digital Signatures into J2EE Web App

 
Chris Nappin
Ranch Hand
Posts: 36
I have a requirement to add digital signature functionality to a J2EE web application. Our customers would like to press a "sign" button on a web page, be prompted to connect their hardware security token (e.g. USB device or smart card), and have the signatures stored inside our system for later verification (e.g. in court).

The main issue I can see is that when using hardware-based tokens the private key can never leave the device, so the device itself does the signing, whereas our J2EE Web Application has all the code on the app server tier, and the data is located on the database (and in our architecture cannot be exported to client PCs for security reasons).

Does anyone know of any solutions to this kind of requirement? Any vendor toolkits that allow this? From what I've read from researching this subject, the pieces are all there, but most web-based security solutions only implement application login authentication of one sort or another.
 
Ulf Dittmer
Rancher
Posts: 42966
Does the certificate have to be read off the device every time? I'm asking because web browsers know how to deal with certificates, and if the certificate was imported to the browser, it would be sent to the server automatically, where it could be processed further.

Any interaction of a web page with a hardware device would have to happen through some kind of native code, e.g. ActiveX. Maybe the manufacturer has something like that available.
 
Chris Nappin
Ranch Hand
Posts: 36
Yes, the private key has to be read every time for two reasons:

1. The electronic signature proves that a particular officer must have been present at the time.

2. The private key must never leave the hardware token.
 
Hung Tang
Ranch Hand
Posts: 148
What is your requirement?

You want your web app to create and store signature?

Unless the hardware itself has built-in software to create the signature and submit it, it's going to be a difficult task. Like Ulf said, maybe there's a native API from the manufacturer that may allow you to access such services.
[ April 03, 2007: Message edited by: Hung Tang ]
 
Amol Chavan
Greenhorn
Posts: 28
Hi Chris Nappin,
I also want to implement the same functionality. Are you through with this?
Can you guide me in this case?

Thanks in advance.
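
The two constraints stated earlier in the thread (the record stays on the server tier, the private key stays on the token) can both hold if only a digest crosses to the client. The following is an added example, not code from any poster or vendor toolkit: the class and method names are hypothetical, the record is constructed, and a software EC key pair stands in for the hardware token, which in practice would be reached through the manufacturer's native interface.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;

public class DetachedSigningDemo {
    // Server tier: hash the record held in the database. Only this digest leaves the server.
    static byte[] serverDigest(byte[] record) throws GeneralSecurityException {
        return MessageDigest.getInstance("SHA-256").digest(record);
    }

    // Client side (assumption: software stand-in for the token). It receives the
    // 32-byte digest, never the record, and the private key never leaves this method.
    static byte[] tokenSign(PrivateKey tokenKey, byte[] digest) throws GeneralSecurityException {
        Signature signer = Signature.getInstance("NONEwithECDSA"); // signs the digest as given
        signer.initSign(tokenKey);
        signer.update(digest);
        return signer.sign();
    }

    // Server tier: re-hash the stored record and check the returned signature
    // against the signer's public key. A malformed signature counts as invalid.
    static boolean serverVerify(PublicKey signerKey, byte[] record, byte[] signature)
            throws GeneralSecurityException {
        Signature verifier = Signature.getInstance("SHA256withECDSA");
        verifier.initVerify(signerKey);
        verifier.update(record);
        try {
            return verifier.verify(signature);
        } catch (SignatureException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256); // P-256 key pair standing in for the token's key
        KeyPair token = kpg.generateKeyPair();

        // Constructed sample record; a real one would be read from the database.
        byte[] record = "record-id=constructed-001;text=sample statement"
                .getBytes(StandardCharsets.UTF_8);
        byte[] signature = tokenSign(token.getPrivate(), serverDigest(record));
        System.out.println("stored record verifies:   "
                + serverVerify(token.getPublic(), record, signature));

        byte[] altered = "record-id=constructed-001;text=altered statement"
                .getBytes(StandardCharsets.UTF_8);
        System.out.println("altered record verifies:  "
                + serverVerify(token.getPublic(), altered, signature));
    }
}
```

The server stores the signature next to the record and the signer's certificate; because the token signs whatever digest it is handed, the signer is trusting the server to have hashed the record that was displayed.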
 