JavaRanch » Java Forums » Engineering » Security

Integrating Digital Signatures into J2EE Web App

Chris Nappin
Ranch Hand

Joined: Aug 04, 2005
Posts: 36
I have a requirement to add digital signature functionality to a J2EE web application. Our customers would like to press a "sign" button on a web page, be prompted to connect their hardware security token (e.g. USB device or smart card), and the signatures stored inside our system for later verification (e.g. in court).

The main issue I can see is that when using hardware-based tokens the private key can never leave the device, so the device itself does the signing. Whereas our J2EE Web Application has all the code on the app server tier, and the data is located on the database (and in our architecture cannot be exported to client PCs for security reasons).

Does anyone know of any solutions to this kind of requirement? Any vendor toolkits that allow this? From what I've read from researching this subject the pieces are all there but most web-based security solutions only implement application login authentication of one sort or another.

Technical Architect, SCJP, SCWCD
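The server-side half of what is described above, as an added example that is not from the thread and not the poster's code. It works around the "data cannot leave the server" constraint: only a SHA-256 digest of the record goes to the client, the token signs that digest with plain PKCS#1 v1.5 padding, and the server verifies with SHA256withRSA over the full record it holds (the two encodings are the same, so the server never relies on a client-supplied digest). The in-memory RSA key pair stands in for the officer's token; the record id, record contents and the Evidence class are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.X509EncodedKeySpec;
import java.time.Instant;
import java.util.Arrays;
import java.util.Base64;

/**
 * Server side of the signing flow: the record never leaves the server, its SHA-256 digest goes to the
 * client, the token signs that digest, and the server verifies the result and keeps the evidence.
 */
public class SignatureEvidence {

    // PKCS#1 v1.5 DigestInfo prefix for SHA-256 (RFC 8017, section 9.2 note 1).
    static final byte[] SHA256_DIGEST_INFO = {
        0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, (byte) 0x86, 0x48, 0x01, 0x65, 0x03, 0x04,
        0x02, 0x01, 0x05, 0x00, 0x04, 0x20 };

    /** What to persist so the signature can be re-checked years later (assumed shape). */
    static final class Evidence {
        final String recordId; final byte[] recordSha256; final byte[] signature;
        final byte[] signerPublicKeyDer; final Instant acceptedAt;
        Evidence(String id, byte[] d, byte[] s, byte[] k, Instant t) {
            recordId = id; recordSha256 = d; signature = s; signerPublicKeyDer = k; acceptedAt = t;
        }
    }

    static byte[] sha256(byte[] data) throws GeneralSecurityException {
        return MessageDigest.getInstance("SHA-256").digest(data);
    }

    static boolean verify(byte[] data, byte[] signature, byte[] signerPublicKeyDer) throws GeneralSecurityException {
        PublicKey signer = KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(signerPublicKeyDer));
        // SHA256withRSA over the full record verifies a PKCS#1 v1.5 signature that the token made over
        // DigestInfo(SHA-256(record)); the server recomputes the digest from its own copy of the data.
        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(signer);
        v.update(data);
        return v.verify(signature);
    }

    /** Called when the browser posts the signature back: verify against server-held bytes, then store. */
    static Evidence accept(String recordId, byte[] recordBytes, byte[] signature, byte[] signerPublicKeyDer)
            throws GeneralSecurityException {
        if (!verify(recordBytes, signature, signerPublicKeyDer)) {
            throw new SignatureException("signature does not verify for record " + recordId);
        }
        return new Evidence(recordId, sha256(recordBytes), signature, signerPublicKeyDer, Instant.now());
    }

    /** Later re-verification from stored evidence; fails if the record or the signature changed. */
    static boolean verifyStored(Evidence e, byte[] recordBytesFromDb) throws GeneralSecurityException {
        return MessageDigest.isEqual(sha256(recordBytesFromDb), e.recordSha256)
                && verify(recordBytesFromDb, e.signature, e.signerPublicKeyDer);
    }

    /** Stand-in for the token: signs only the 32-byte digest it was sent, with raw PKCS#1 v1.5 padding. */
    static byte[] tokenSignDigest(PrivateKey privateKeyOnToken, byte[] digest) throws GeneralSecurityException {
        byte[] digestInfo = Arrays.copyOf(SHA256_DIGEST_INFO, SHA256_DIGEST_INFO.length + digest.length);
        System.arraycopy(digest, 0, digestInfo, SHA256_DIGEST_INFO.length, digest.length);
        Signature s = Signature.getInstance("NONEwithRSA"); // pad-and-exponentiate only, no hashing
        s.initSign(privateKeyOnToken);
        s.update(digestInfo);
        return s.sign();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair tokenKeys = kpg.generateKeyPair(); // in-memory stand-in for the key pair on the officer's token

        byte[] record = "case=4711;decision=approved".getBytes(StandardCharsets.UTF_8); // constructed sample record
        byte[] digestSentToClient = sha256(record);                                   // the only thing that leaves the server
        byte[] sig = tokenSignDigest(tokenKeys.getPrivate(), digestSentToClient);

        Evidence ev = accept("4711", record, sig, tokenKeys.getPublic().getEncoded());
        System.out.println("stored signature: " + Base64.getEncoder().encodeToString(ev.signature));
        System.out.println("re-verify unchanged record: " + verifyStored(ev, record));
        byte[] tampered = "case=4711;decision=rejected".getBytes(StandardCharsets.UTF_8);
        System.out.println("re-verify tampered record:  " + verifyStored(ev, tampered));
    }
}
```

In a real deployment the signer's public key would come from the certificate the token holds, stored with the evidence together with the chain and a trusted timestamp, so the verifier can later show which officer's certificate was valid at signing time rather than trusting a bare key.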
Ulf Dittmer

Joined: Mar 22, 2005
Posts: 42965
Does the certificate have to be read off the device every time? I'm asking because web browsers know how to deal with certificates, and if the certificate was imported to the browser, it would be sent to the server automatically, where it could be processed further.

Any interaction of a web page with a hardware device would have to happen through some kind of native code, e.g. ActiveX. Maybe the manufacturer has something like that available.
Chris Nappin
Ranch Hand

Joined: Aug 04, 2005
Posts: 36
Yes, the private key has to be read every time for two reasons:

1. The electronic signature proves that a particular officer must have been present at the time.

2. The private key must never leave the hardware token.
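The token-side piece that satisfies "the private key must never leave the hardware token", added here as an example and not taken from the thread. It uses the JDK's own SunPKCS11 provider to talk to the vendor's PKCS#11 library; the PrivateKey the PKCS#11 KeyStore returns is only a handle, and the RSA private operation runs on the device. The config file path and contents, PIN, key alias and library path are assumptions, and the code needs a real PKCS#11 module and token to run (in a signed applet or Java Web Start client at the time of this thread, or a local helper program today).

```java
import java.io.IOException;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;

/**
 * Client-side signing through the JDK's SunPKCS11 provider. The key never leaves the token: the
 * PrivateKey returned by the PKCS#11 KeyStore is a handle, and the private operation runs inside the
 * device (PKCS#11 mechanism CKM_RSA_PKCS, which Java exposes as "NONEwithRSA").
 */
public class TokenSigner {

    // PKCS#1 v1.5 DigestInfo prefix for SHA-256 (RFC 8017); the token only ever sees a 32-byte digest.
    static final byte[] SHA256_DIGEST_INFO = {
        0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, (byte) 0x86, 0x48, 0x01, 0x65, 0x03, 0x04,
        0x02, 0x01, 0x05, 0x00, 0x04, 0x20 };

    /** Signature plus the signer's certificate; the server needs both to verify and to record who signed. */
    static final class SignedDigest {
        final byte[] signature; final X509Certificate signerCert;
        SignedDigest(byte[] s, X509Certificate c) { signature = s; signerCert = c; }
    }

    /**
     * pkcs11ConfigPath points at a SunPKCS11 config file with assumed content such as:
     *   name = officerToken
     *   library = /usr/lib/opensc-pkcs11.so
     * On Java 8 and earlier the provider is created with new sun.security.pkcs11.SunPKCS11(pkcs11ConfigPath).
     */
    public static SignedDigest signDigestOnToken(String pkcs11ConfigPath, char[] pin, String keyAlias,
                                                 byte[] sha256Digest) throws GeneralSecurityException, IOException {
        if (sha256Digest.length != 32) throw new IllegalArgumentException("expected a SHA-256 digest");

        Provider token = Security.getProvider("SunPKCS11").configure(pkcs11ConfigPath); // Java 9+
        Security.addProvider(token);

        KeyStore ks = KeyStore.getInstance("PKCS11", token);
        ks.load(null, pin);                       // the PIN logs in to the token (C_Login); there is no file to read
        PrivateKey handle = (PrivateKey) ks.getKey(keyAlias, null);
        X509Certificate cert = (X509Certificate) ks.getCertificate(keyAlias);
        if (handle == null || cert == null) {
            throw new KeyStoreException("no key/certificate pair with alias " + keyAlias
                    + " on token; aliases present: " + Collections.list(ks.aliases()));
        }
        // SunPKCS11 hands back an opaque object (getEncoded() == null) for keys marked sensitive or
        // non-extractable. A key that can be exported does not meet the requirement, so refuse it.
        if (handle.getEncoded() != null) {
            throw new KeyStoreException("key " + keyAlias + " is exportable; refusing to sign with it");
        }

        byte[] digestInfo = Arrays.copyOf(SHA256_DIGEST_INFO, SHA256_DIGEST_INFO.length + sha256Digest.length);
        System.arraycopy(sha256Digest, 0, digestInfo, SHA256_DIGEST_INFO.length, sha256Digest.length);

        Signature sig = Signature.getInstance("NONEwithRSA", token); // padding and exponentiation happen on the token
        sig.initSign(handle);
        sig.update(digestInfo);
        return new SignedDigest(sig.sign(), cert);
    }

    public static void main(String[] args) throws Exception {
        // Usage: java TokenSigner /path/to/pkcs11.cfg <pin> <alias> <hex SHA-256 digest received from the server>
        byte[] digest = new byte[32];
        for (int i = 0; i < 32; i++) {
            digest[i] = (byte) Integer.parseInt(args[3].substring(2 * i, 2 * i + 2), 16);
        }
        SignedDigest out = signDigestOnToken(args[0], args[1].toCharArray(), args[2], digest);
        System.out.println("signed by " + out.signerCert.getSubjectX500Principal());
        System.out.println("signature (base64): " + Base64.getEncoder().encodeToString(out.signature));
        // The client then posts out.signature and out.signerCert.getEncoded() back to the web application,
        // which verifies with SHA256withRSA over the full record it holds.
    }
}
```

The server should verify the returned certificate against the CA it trusts for officer tokens before accepting the signature; the PIN prompt at the client is what ties the signature to the officer being present at the time.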
Hung Tang
Ranch Hand

Joined: Feb 14, 2002
Posts: 148
What is your requirement?

You want your web app to create and store signature?

Unless the hardware itself has built-in software to create the signature and submit it, it's going to be a difficult task. Like Ulf said, maybe there's a native API from the manufacturer that may allow you to access such services.
[ April 03, 2007: Message edited by: Hung Tang ]
Amol Chavan

Joined: Sep 04, 2005
Posts: 28
Hi Chris Nappin,
I also want to implement the same functionality. Are you through with this?
Can you guide me in this case?

Thanks in advance.

Thanks n Regards,
Amol