
Java Forum / Security / October 2005


How to do form signing with Certificates?

kusanagihk@gmail.com - 06 Sep 2005 02:34 GMT
To all,

I've come across form signing issues using eCerts in web
applications; so actually how should I implement these things?

Should I use an applet to handle the cert logic (like verification,
authentication, encrypt, decrypt etc) or just include a jsp file
encapsulating the logic???

Also are there tutorials or guides on these topics?? Even on Java Sun,
I can't find much useful information.

Thanks!

From Jason (Kusanagihk)

Tommy Grändefors - 11 Sep 2005 11:10 GMT
Hello,

You cannot use JSP since, as the name implies Java Server Page, all
inline Java code is executed on the server, and you must access your
certificates and private keys on your client. Using an applet will be
fine for you.

A good book about the security subject is:
http://www.oreilly.com/catalog/javasec2/

Another hint is also to look at the Javadoc descriptions for the classes
Signature, KeyStore and Cipher.

Regards,
Tommy Grändefors
www.pheox.com

JavaByExample_at_KickJava_com@yahoo.com - 07 Oct 2005 12:07 GMT
>A good book about the security subject is:
>http://www.oreilly.com/catalog/javasec2/

There are a couple of free Java security online books on

http://kickjava.com/freeBooks.html

Java & Internet Security
Java 2 Network Security
Java Security

David J
--------------------------------------------------------------
http://KickJava.com/news - Daily Java news and articles, updated
continuously from 100+ sources

Ben_ - 11 Sep 2005 13:53 GMT
Hello,

What are you trying to achieve?

You want the user to sign the HTML form he submits with a personal
certificate?

If so, then SSL can do it for you: you can require Client Certificate
authentication, so that all communication is encrypted and guaranteed to
come from the certificate owner and from the certified server. I'm not sure,
however, that all browsers support Client Certificate authentication.

kusanagihk@gmail.com - 12 Sep 2005 02:42 GMT
To Ben and Tommy Grändefors

The actual thing I would like to achieve is that:
1) I've got an HTML form with some sensitive information (such as
address and bank a/c id etc)
2) now I would like the client to use his/her eCert to sign the form
(or the data from the form) and then submit to the server
3) before processing, the server should check if the form (or the data)
are correctly signed (using the client's public key to verify etc)
4) if ok, continue to process, if not return some error code etc

From Tommy's reply, most likely I would need a client side program /
applet to do the signing, so applet may be a good choice. So I will
drill into these topics if possible

Thx for all your replies!

From Jason (Kusanagihk)
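
Steps 2 to 4 of the post above can be expressed with the `Signature` class mentioned earlier in the thread. This is an added example, not code from any poster: the class name, the canonical encoding, the sample field values and the freshly generated key pair (standing in for the eCert) are all assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;

public class FormSigningDemo {
    // Canonical bytes: fields sorted by name, names and values length-prefixed.
    static byte[] canonicalize(Map<String, String> form) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : new TreeMap<String, String>(form).entrySet()) {
            sb.append(e.getKey().length()).append(':').append(e.getKey())
              .append(e.getValue().length()).append(':').append(e.getValue());
        }
        return sb.toString().getBytes(StandardCharsets.UTF_8);
    }

    // Step 2 (client, e.g. inside the applet): sign with the user's private key.
    static String sign(Map<String, String> form, PrivateKey key) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(canonicalize(form));
        return Base64.getEncoder().encodeToString(s.sign());
    }

    // Steps 3-4 (server): rebuild the same bytes, verify with the certificate's public key.
    static boolean verify(Map<String, String> form, String sigB64, PublicKey key)
            throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update(canonicalize(form));
        try {
            return s.verify(Base64.getDecoder().decode(sigB64));
        } catch (IllegalArgumentException | SignatureException e) {
            return false; // malformed Base64 or malformed signature: reject
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed key pair standing in for the eCert (a real client loads it from a KeyStore).
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        Map<String, String> form = new HashMap<String, String>();
        form.put("address", "1 Example Road");   // constructed sample values
        form.put("account", "000-000000-000");
        String sig = sign(form, kp.getPrivate());
        System.out.println("as submitted: " + verify(form, sig, kp.getPublic()));
        form.put("account", "999-999999-999");   // field changed after signing
        System.out.println("modified:     " + verify(form, sig, kp.getPublic()));
    }
}
```

A passing signature check only shows that the holder of that key signed those bytes; the server still has to validate the certificate the public key came from, and include a server-issued nonce or timestamp among the signed fields so a captured submission cannot be replayed.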

Ben_ - 15 Sep 2005 15:34 GMT
OK, it's clearer to me what you want to do.

Strictly speaking, if you want to sign the data (and, say, post a field with
the signature in the request along with the data), then you would need a
client-side program (and an applet can do this).

But I would solve this a bit differently if your requirements permit. By
using an SSL connection and enforcing the use of Client Certificate, there
will be a ServletRequest attribute with the Certificate.

So, there is no need for the user to "sign", because the SSL connection will
require that the user presents a valid Certificate, and your application can
then inspect all the details of the certificate if needed. You'll require
SSL anyway to protect the "sensitive information", so if the browsers you
have to support support SSL authentication themselves you have very little
development.

My 2¢...
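
The request attribute described in the post above is `javax.servlet.request.X509Certificate` in the Servlet API. The following is an added example, not code from the poster: the servlet name is hypothetical, and it assumes the container terminates SSL and is configured to request client certificates (newer containers use the `jakarta.servlet` names instead).

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet name; requires the Servlet API on the classpath.
public class SensitiveFormServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // The container sets this attribute only when the browser presented a
        // certificate during the SSL handshake; element 0 is the user's own certificate.
        Object attr = req.getAttribute("javax.servlet.request.X509Certificate");
        if (!req.isSecure() || !(attr instanceof X509Certificate[])
                || ((X509Certificate[]) attr).length == 0) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Client certificate required");
            return;
        }
        X509Certificate cert = ((X509Certificate[]) attr)[0];
        try {
            cert.checkValidity(); // validity period only; chain trust is the container's job
        } catch (CertificateException e) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Certificate expired or not yet valid");
            return;
        }
        // Identify the user from the certificate, not from a form field.
        String subject = cert.getSubjectX500Principal().getName();
        String issuer = cert.getIssuerX500Principal().getName();
        String serial = cert.getSerialNumber().toString(16);
        log("form submitted by subject=" + subject + " issuer=" + issuer + " serial=" + serial);

        // The form fields are then processed for the account mapped to (issuer, serial).
        resp.setContentType("text/plain");
        resp.getWriter().println("Submission accepted");
    }
}
```

The certificates do not need to be stored in advance for this to work: the server only needs the issuing CA in its trust store, and the application reads the presented certificate from the request on each call.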

kusanagihk@gmail.com - 16 Sep 2005 02:52 GMT
To Ben

Does SSL connection refer to the connection provided by the webserver
(like Netscape or WebLogic etc); or is it also a programmable
connection from Java APIs??

On the point, SSL connection will require that the user presents a
valid Certificate; does it mean that user's certs are requested
automatically? If so, then do I need to store these user certs in a
place or how can I obtain their certs' information??

Thanks

From Jason (Kusanagihk)

> OK, it's clearer to me what you want to do.
>
[quoted text clipped - 14 lines]
>
> My 2¢...

Ben_ - 19 Sep 2005 16:15 GMT
> Does SSL connection refer to the connection provided by the webserver
> (like Netscape or WebLogic etc); or is it also a programmable
> connection from Java APIs??
I was referring to the web server (when you turn on SSL, you then have to
access the application with the https protocol). There are APIs to establish
SSL connections programmatically, but it's not what I was referring to.

> On the point, SSL connection will require that the user presents a
> valid Certificate; does it mean that user's certs are requested
> automatically? If so, then do I need to store these user certs in a
> place or how can I obtain their certs' information??
I don't know for all browsers... With IE, you import your personal
certificate. When you connect to the web site, you're then prompted to
select a certificate from a list.

