JavaRanch » Java Forums » Engineering » Security
Integrating Digital Signatures into J2EE Web App

Chris Nappin
Ranch Hand

Joined: Aug 04, 2005
Posts: 36
I have a requirement to add digital signature functionality to a J2EE web application. Our customers would like to press a "sign" button on a web page, be prompted to connect their hardware security token (e.g. USB device or smart card), and the signatures stored inside our system for later verification (e.g. in court).

The main issue I can see is that when using hardware-based tokens the private key can never leave the device, so the device itself does the signing. Whereas our J2EE Web Application has all the code on the app server tier, and the data is located on the database (and in our architecture cannot be exported to client PCs for security reasons).

Does anyone know of any solutions to this kind of requirement? Any vendor toolkits that allow this? From what I've read from researching this subject the pieces are all there but most web-based security solutions only implement application login authentication of one sort or another.


Technical Architect, SCJP, SCWCD
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41134
Does the certificate have to be read off the device every time? I'm asking because web browsers know how to deal with certificates, and if the certificate was imported to the browser, it would be sent to the server automatically, where it could be processed further.

Any interaction of a web page with a hardware device would have to happen through some kind of native code, e.g. ActiveX. Maybe the manufacturer has something like that available.


Ping & DNS - my free Android networking tools app
Chris Nappin
Ranch Hand

Joined: Aug 04, 2005
Posts: 36
Yes, the private key has to be read every time for two reasons:

1. The electronic signature proves that a particular officer must have been present at the time.

2. The private key must never leave the hardware token.
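The two constraints above (the record stays on the server, the private key stays on the token) are usually met by a hash-then-sign exchange: the server computes the digest of the record it must not export, only that digest goes to the client, the token signs the digest, and the server verifies the returned signature against the full record before storing it together with the signer's certificate. The following is an added example written for this page, not code from any poster or vendor toolkit. It assumes RSA with SHA-256 and PKCS#1 v1.5 padding, and it stands in an in-memory key pair for the token; with a real device the `PrivateKey` would be loaded from a `KeyStore` backed by the SunPKCS11 provider, where the same `Signature` calls run on the device and the key material never leaves it.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;

/**
 * Added example (not from the thread): server hashes a record, the client
 * signs only the digest, the server verifies over the original record.
 */
public class DetachedTokenSignature {

    // ASN.1 DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
    // "NONEwithRSA" applies PKCS#1 v1.5 padding to exactly what it is given,
    // so the signer must supply the DigestInfo wrapper itself.
    private static final byte[] SHA256_DIGEST_INFO_PREFIX = {
        0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, (byte) 0x86, 0x48, 0x01,
        0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20
    };

    /** Server side: the digest is the only thing sent to the browser. */
    static byte[] digestForSigning(byte[] record) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(record);
    }

    /**
     * Client side. With a hardware token, 'tokenKey' comes from a SunPKCS11
     * KeyStore and the signing happens on the device; the in-memory key used
     * in main() below is an assumption for running this stand-alone.
     */
    static byte[] signDigest(PrivateKey tokenKey, byte[] digest) throws Exception {
        byte[] digestInfo = new byte[SHA256_DIGEST_INFO_PREFIX.length + digest.length];
        System.arraycopy(SHA256_DIGEST_INFO_PREFIX, 0, digestInfo, 0,
                SHA256_DIGEST_INFO_PREFIX.length);
        System.arraycopy(digest, 0, digestInfo, SHA256_DIGEST_INFO_PREFIX.length,
                digest.length);
        Signature raw = Signature.getInstance("NONEwithRSA");
        raw.initSign(tokenKey);
        raw.update(digestInfo);
        return raw.sign();
    }

    /**
     * Server side: verify against the full record, never against the digest
     * the client echoed back, so a signature over some other digest or a
     * tampered record is rejected. The public key must come from the signer's
     * certificate after the chain and revocation status have been checked.
     */
    static boolean verifyOverRecord(PublicKey signerKey, byte[] record,
                                    byte[] signature) throws Exception {
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(signerKey);
        sig.update(record);
        return sig.verify(signature);
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for the token's key pair (assumption; see class comment).
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair token = kpg.generateKeyPair();

        // Constructed sample record. Including a server-side timestamp and
        // record id in what is hashed ties the signature to this act of signing.
        byte[] record = "case=4711;officer=jdoe;signedAt=2007-04-03T10:15:00Z;body=..."
                .getBytes(StandardCharsets.UTF_8);

        byte[] digest = digestForSigning(record);              // server -> client
        byte[] signature = signDigest(token.getPrivate(), digest); // client -> server

        System.out.println("valid over record:   "
                + verifyOverRecord(token.getPublic(), record, signature));   // true

        byte[] tampered = record.clone();
        tampered[tampered.length - 1] ^= 0x01;
        System.out.println("valid over tampered: "
                + verifyOverRecord(token.getPublic(), tampered, signature)); // false
    }
}
```

What the server should persist for later verification is the record (or a reference to the exact version hashed), the signature, and the signer's certificate as presented at signing time; verification in court replays `verifyOverRecord` with the public key from that stored certificate, so the certificate's validity at the time of signing is what matters, not at the time of the check.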
Hung Tang
Ranch Hand

Joined: Feb 14, 2002
Posts: 148
What is your requirement?

You want your web app to create and store signature?

Unless the hardware itself has built-in software to create the signature and submit it, it's going to be a difficult task. Like Ulf said, maybe there's a native API from the manufacturer that may allow you to access such services.
[ April 03, 2007: Message edited by: Hung Tang ]
Amol Chavan
Greenhorn

Joined: Sep 04, 2005
Posts: 28
Hi Chris Nappin,
I also want to implement the same functionality. Are you through with this?
Can you guide me in this case?

Thanks in advance.


Thanks and regards,
Amol