
NakovDocumentSigner: A System for Digitally Signing Documents in Web Applications

  • January 12, 2004
  • By Svetlin Nakov

The Web Application Deployment Descriptor

The J2EE platform also requires the reference Web application to have a configuration file named web.xml, called the Web application deployment descriptor.

This file maps the *.do URL pattern to the Struts action servlet (org.apache.struts.action.ActionServlet) and sets the application's default (welcome) page to /SignedFileUploadForm.jsp.
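The listing of web.xml did not survive on this page. The following is an added reconstruction, not the article's own file, of a Servlet 2.3 deployment descriptor that does what the paragraph describes. The servlet name "action" and the location /WEB-INF/struts-config.xml are the Struts 1.0 conventions and are assumed here; only the *.do mapping and the welcome page come from the text.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC
  "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">

<!-- Added example (not the article's web.xml). Element order follows the
     Servlet 2.3 DTD: servlet, servlet-mapping, welcome-file-list. -->
<web-app>
  <display-name>DocumentSigningDemoWebApp</display-name>

  <!-- The Struts controller servlet. The servlet name "action" and the
       config path are Struts 1.0 conventions, assumed here. -->
  <servlet>
    <servlet-name>action</servlet-name>
    <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
    <init-param>
      <param-name>config</param-name>
      <param-value>/WEB-INF/struts-config.xml</param-value>
    </init-param>
    <!-- Start the controller at deployment so configuration errors
         show up in the server log, not on the first request -->
    <load-on-startup>1</load-on-startup>
  </servlet>

  <!-- Every request ending in .do is routed through the Struts servlet -->
  <servlet-mapping>
    <servlet-name>action</servlet-name>
    <url-pattern>*.do</url-pattern>
  </servlet-mapping>

  <!-- Default page of the application. The DTD requires a welcome file
       to be given without a leading slash. -->
  <welcome-file-list>
    <welcome-file>SignedFileUploadForm.jsp</welcome-file>
  </welcome-file-list>
</web-app>
```

With this descriptor a request for http://host:8080/DocumentSigningDemoWebApp/ is served by SignedFileUploadForm.jsp, and the form's submission to a *.do URL is dispatched by ActionServlet according to struts-config.xml.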

Struts Framework Configuration File

To use the Struts framework, the configuration file struts-config.xml is also needed.

This file configures the Struts form beans and the Struts actions that the application uses, and it defines the forwards (the pages to which control passes) for each action.
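As an added illustration, not the article's own struts-config.xml, here is a Struts 1.0 configuration with one form bean and one action mapping whose forwards point back at the input page on failure and at a result page on success. The form-bean name, the action path, the two Java class names and the result page are hypothetical; only /SignedFileUploadForm.jsp comes from the text.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE struts-config PUBLIC
  "-//Apache Software Foundation//DTD Struts Configuration 1.0//EN"
  "http://jakarta.apache.org/struts/dtds/struts-config_1_0.dtd">

<!-- Added example (not the article's struts-config.xml). Names marked
     "hypothetical" are illustration only. -->
<struts-config>

  <!-- Form bean that receives the uploaded file and its signature.
       Bean name and ActionForm subclass are hypothetical. -->
  <form-beans>
    <form-bean name="signedFileUploadForm"
               type="demo.SignedFileUploadForm"/>
  </form-beans>

  <!-- Action reached from the form's *.do submission.
       Path and Action subclass are hypothetical. -->
  <action-mappings>
    <action path="/SignedFileUpload"
            type="demo.SignedFileUploadAction"
            name="signedFileUploadForm"
            scope="request"
            validate="true"
            input="/SignedFileUploadForm.jsp">
      <!-- Where the action forwards after a successful signature
           verification; the result page name is hypothetical -->
      <forward name="success" path="/SignedFileUploadSuccess.jsp"/>
      <!-- A rejected upload (bad signature, untrusted certificate)
           returns to the input page so the error can be shown -->
      <forward name="failure" path="/SignedFileUploadForm.jsp"/>
    </action>
  </action-mappings>

</struts-config>
```

The input attribute is the page Struts returns to when validate="true" and the form bean's validate() method reports errors, so the same page serves as both the entry point and the error display.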

The Ant Build Script

All the files described above constitute the reference Web application. The Apache Ant build.xml script compiles it and packages it for deployment.

The result of running this script is the file DocumentSigningDemoWebApp.war, which contains the compiled application in the form required by the J2EE Web application specification.
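The build script itself is not shown on this page. The following is an added example, not the project's own build.xml, of an Ant script that compiles the sources and packages the WAR named in the text. The directory layout (src/, web/, lib/) and the presence of struts.jar and servlet.jar in lib/ are assumptions.

```xml
<?xml version="1.0"?>
<!-- Added example build script (not the article's build.xml).
     Assumed layout: Java sources in src/, web content (JSP pages and
     WEB-INF/web.xml, WEB-INF/struts-config.xml) in web/, third-party
     jars (struts.jar, servlet.jar) in lib/. -->
<project name="DocumentSigningDemoWebApp" default="war" basedir=".">

  <property name="src.dir"     value="src"/>
  <property name="web.dir"     value="web"/>
  <property name="lib.dir"     value="lib"/>
  <property name="build.dir"   value="build"/>
  <property name="classes.dir" value="${build.dir}/classes"/>
  <!-- WAR name as given in the text -->
  <property name="war.file"    value="${build.dir}/DocumentSigningDemoWebApp.war"/>

  <path id="compile.classpath">
    <fileset dir="${lib.dir}" includes="*.jar"/>
  </path>

  <target name="clean">
    <delete dir="${build.dir}"/>
  </target>

  <target name="compile">
    <mkdir dir="${classes.dir}"/>
    <javac srcdir="${src.dir}" destdir="${classes.dir}" debug="on">
      <classpath refid="compile.classpath"/>
    </javac>
  </target>

  <!-- Package WEB-INF/web.xml, the JSP pages, the compiled classes and
       the runtime jars into the WAR -->
  <target name="war" depends="compile">
    <war destfile="${war.file}" webxml="${web.dir}/WEB-INF/web.xml">
      <!-- web.xml is supplied via the webxml attribute, so exclude it
           from the fileset to avoid a duplicate entry -->
      <fileset dir="${web.dir}" excludes="WEB-INF/web.xml"/>
      <classes dir="${classes.dir}"/>
      <!-- The Servlet API is provided by the container; Tomcat 4
           refuses to load javax.servlet classes from WEB-INF/lib -->
      <lib dir="${lib.dir}" excludes="servlet.jar"/>
    </war>
  </target>

</project>
```

Running "ant" in the project directory produces build/DocumentSigningDemoWebApp.war, which can then be deployed as described in the next section.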

Deploying and Running the Reference Web Application

The reference DocumentSigningDemoWebApp.war Web application must be deployed on a J2EE application server or on a standalone Java Web application server (Servlet container).

On Tomcat 4.x the deployment consists of copying DocumentSigningDemoWebApp.war into the "webapps" subdirectory of the Tomcat installation and restarting the server. The restart is needed after the initial deployment and after every redeployment of a changed WAR archive. When redeploying, delete the expanded webapps/DocumentSigningDemoWebApp directory as well, because Tomcat 4.x does not re-expand a WAR over an existing directory of the same name and would otherwise keep serving the old version.

The reference Web application is run by entering its URL in a Web browser. For a standard deployment of DocumentSigningDemoWebApp.war on a Tomcat 4.x server this URL is http://localhost:8080/DocumentSigningDemoWebApp/.

Tests Performed

We tested the framework for compatibility with different operating systems, Web browsers, and Java virtual machines. The tests showed that NakovDocumentSigner is platform-independent and browser-independent: it runs on several operating systems and in several Web browsers, provided the Java Plug-In is installed.

During the testing of the NakovDocumentSigner framework on the server side, the Apache Tomcat 4.0.6 Web application server and Struts framework 1.0 were used.

On the client side, the tests ran successfully in Internet Explorer 5.0 and 6.0, Mozilla 1.2.1 and 1.3 (Windows and Linux), and Netscape 6.1, with Java Plug-In 1.4.1 and 1.4.2 installed, on Windows 98, Windows 2000, Windows XP, and Red Hat Linux 9.0 (with the GNOME 2.0 graphical desktop).

Due to aggressive security restrictions in Opera 7.11 for Windows, our signed applet failed to run with full permissions. Due to some JavaScript incompatibility, the signed applet also does not run in some very old Web browsers (such as Netscape Communicator 4.x and Internet Explorer 3.x and 4.x).

Conclusion

The NakovDocumentSigner framework is a working example of one approach to using digital signatures in Java-based Web applications. It addresses the problems that arise in signing documents on the client machine and verifying them on the server, and it shows how the standard functionality of the Java platform can be used to sign files from a Web page and to verify digital signatures, certificates, and certification chains. The framework is freeware and may be used in its original or modified form for any purpose, including as part of commercial products.

The need for information security in Web applications is constantly rising, and this inevitably drives the development and improvement of the related technologies. It is likely that future versions of the most widespread Web browsers will have built-in features for signing documents and HTML forms with the certificates installed in them, but until such features appear and become standard, NakovDocumentSigner will probably remain one of the few complete freeware solutions of this kind.

The complete source code of the NakovDocumentSigner framework, along with instructions how to compile and use it, is available at its home site: http://www.nakov.com/documents-signing/.

Future Work

Recently, to increase security, some certification authorities have started issuing their customers smart cards instead of PFX keystore files. A smart card is more secure because the private key is generated and used inside the card and cannot be exported or duplicated; an attacker would have to take the physical card, which its owner notices, whereas a PFX file can be copied without the owner's knowledge. Adding support for signing documents on the Web with smart cards to DigitalSignerApplet in some future version of NakovDocumentSigner would be a valuable extension. Although PKCS#11 defines a vendor-neutral interface to cryptographic tokens, J2SE 1.4 ships no provider for it, so a vendor-independent solution is hard to build. We hope that one day smart cards will be well supported by the most popular operating systems and Web browsers and that there will be a standard API for accessing them from standalone and Web applications.

Contributors to the project are always welcome, especially for the smart cards functionality development.


About the Author

Svetlin Nakov is a part-time computer science lecturer at Sofia University, Bulgaria. He has over 5 years of professional software engineering and training experience and currently works as an IT consultant at a leading Bulgarian software company. His areas of expertise include Java and related technologies, the .NET Framework, network security, data structures and algorithms, and programming code quality. More information on his research background, skills, and work experience is available from his home site, www.nakov.com.



Page 5 of 5


