I am wondering the java card with jsp. let me assume the clinet has java card read/write machine connected, when the client want to log in some sensitive page and get the maxium security, the JSP file can access the java card data and check them.
I think this solution has some securiy, because it has to have a physical card and machine. Based on this, we add more security to it if the card can combine with a traditional log-in form.
But jsp can access java card. It seem like "NO". because the JSP is located in web server in server side. it doesn't know the client side. I check the web, java card can have its own APPLET, so we can use applet to access it. This is just my thinking. Please correct me.
By the way, I found javaranch doesn't have a forum to discuss the hardware with java. for example, java card, java comm, TINI, how a java application to access / control a sensor if we have the sensor driver installed, how to remotely control a web camera? I hope future here have a specific forum just for java-hardware.
Joined: Sep 10, 2002
You can check for the card, sort of. If you are using a security card with the machine, then you can use an https connection that is set for requiring both client and server security certificates. For the Apache web server, you set the client auth setting to required. This will make sure the user has a certificate.
If you have a card reader, you will install the certificate into the browser. When you go to a site with https, if the server requires a certificate, the browser will ask you which one to send. You choose the one from the card.
In your servlet, you examine the request for the X509 certificate array. This will hold the security certificate the user sent from the browser. You can then examine the different attributes to decide if you want to let them in or not.
If you do a search you will come across another way of doing it with applets. IBM did something with banks and a java applet and the article gives some info on it.