The purpose of this document is to describe how to use the OpenSign applets. The document contains all information that you will need to use an OpenSign applet on a website.
Please note that this document is work-in-progress, and therefore not yet complete.
Sometimes, you can learn much from just an example. We would therefore like to turn your attention on the demonstration setupthat we have implemented. All html pages and source code used in the demonstration setup is included in the OpenSign source distribution. The files in the following directories of the source distribution provide a good starting point for learning how the demonstration example works.
opensign-<version>/src/org/openoces/opensign/demo/servlets/
opensign-<version>/data/demo/html/
The rest of this guide is divided into three logically separate parts. The first part describes how the OpenSign applets being executed on a client communicates with the server, that is, it describes the flow of information to and from the applets in general terms. The next part deals with all the gory details of how to pass information to the applets and how the applets pass information back to the server. This part describes three different modes in which the OpenSign applets can operate. The last part of the guide contains two reference sections listing all parameters that can be passed to the applets and describing the structure of the xml document returned by the applets respectively.
It is crucial to understand how information flows between the server and the OpenSign applets. The OpenSign applets can operate in two different modes, commonly referred to as
When operating in 2-step mode the second and last step is initiated when the user either signs or refuses to sign the text. In this step the signed document or an indication of that the user refused to sign the text is transferred to the server and the server responds with a new html page based on the information being passed.
When operating in 3-step mode the second step is also initiated when the user either signs or refuses to sign the text. If the user refuses to sign the text, he is simply redirected to an URL that was passed to the applet in the first step. If however, the user signs the text, the signed text is posted to another configurable URL commonly referred to as the verification URL.
The third and last step is started immediately after the signed text has been posted to the verification URL. In this step the user is simply redirected to one of two different URLs. Both URLs are configurable and have been defined in step 1. The URLs are commonly referred to as the verified-ok URL and verified-error URL. Which of the two is chosen depends on whether the result returned by the post to the verification URL was positive or negative.
Make sure that you noticed the crucial difference between the two modes. In 2-step mode the signed document and the redirection of the user happened at the same time. The user was redirected to an URL that also received the signed document if it existed. This is different from the 3-step mode, where the signed document is sent to the server in the 2nd step and control then is returned to the applet. Then afterwards, in the 3rd step, the user is redirected to an URL, but this URL is not being passed the signed document.
The 2-step mode is the original mode that has been supported from the beginning, whereas the 3-step mode was introduced in the v1.1.x series. The 3-step mode is supported by more browsers than the 2-step mode, as it does not depend on the live-connect technology being supported by the browser executing the applet. Because of this, it is generally recommended that you use 3-step mode.
In this mode, the implementation is naturally divided into 3 individual components. The first component launches the applet by generating a html document that launches the OpenSign applet. The second component is the serverside component that receives the signed document after it has been properly signed. The third component is the webpage to which the user is directed when the applet is exited. A description of how each of these components is implemented is described in the following subsections.
The html page containing the applet is typically generated dynamically, eg. using a servlet. Using a static html document has obvious disadvantages that in most cases makes it unfit for use.
A minimal html page launching the logon applet is listed here.
<html> <body> <applet name="openoces_opensign_applet" code="org.openoces.opensign.client.applet.Logon" width="500" height="200" codebase="/demo" archive="/demo/applet/OpenSign.jar"> <param name="locale" value="en,US"> <param name="cabbase" value="/demo/applet/OpenSign.cab"> <param name="opensign.doappletrequest" value="true"> <param name="opensign.verifieruri" value="/demo/servlet/Verifier?id=42"> <param name="opensign.canceluri" value="/demo/servlet/Display?result=cancel"> <param name="opensign.erroruri" value="/demo/servlet/Display?result=error"> <param name="opensign.alerturi" value="/demo/servlet/Display?result=alert"> <param name="opensign.verifiedokuri" value="/demo/servlet/Display?result=ok&id=42"> <param name="opensign.verifiederroruri" value="/demo/servlet/Display?result=error"> </applet> </body> </html>
The code attribute of the applet tag shown is for the OpenSign logon applet. Change this to org.openoces.opensign.client.applet.Sign to launch the sign applet instead. The codebase attribute must contain a path to a directory where the Microsoft cryptoapi wrapper library is located. The applet will try to download the library from this location if it has not been downloaded previously or the existing library is corrupt. The param tag with name attribute opensign.doappletrequest indicates that the applet must operate in 3-step mode.
The param tags with name attributes with suffix uri must all contain relative urls. The opensign.verifieruri is the url to which the signed xml document is being passed in the 2nd step. The opensign.verifiedokuri and opensign.verifiederroruri are the urls to which the user is redirected in the 3rd step in case of succesful and errorous completion of the 2nd step, respectively. The opensign.canceluri, opensign.erroruri and opensign.alerturi are used to redirect the user to in case of user initiated cancellation of signing process and occurences of fatal errors.
For a complete description of all possible parameters please consult the applet parameters reference. Especially note that the Sign applet takes an additional parameter containing the text that is to be signed. The text must be base64 encoded. The following is an example of the use of that parameter with the base64 encoded text "foobar".
<param name="signtext" value="Zm9vYmFy">
This concludes the description of a minimal 1st step. The result is that the user can now launch the applet. Note that if cookies are being used, you need to manually pass all the cookies to the applet. A detailed description of how to accomplish this is described in this section.
As explained above, in the 2nd step the signed xml document is being passed to a server component for validation. A sample servlet receiving and verifying the xml document is listed here. It is a stripped down version of the demonstration servlet included in the source distribution.
package org.openoces.opensign.demo.servlets;
import org.openoces.opensign.utils.Base64;
import org.openoces.opensign.demo.utils.XML;
import org.w3c.dom.Document;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.ServletException;
import java.io.IOException;
import java.io.File;
import java.io.FileWriter;
public class Verifier extends HttpServlet {
public void doPost(HttpServletRequest request,
HttpServletResponse response)
throws IOException, ServletException {
try {
String xmldoc, xmldoc_b64;
xmldoc_b64 = request.getParameter("message");
xmldoc = new String(Base64.decode(xmldoc_b64.getBytes("UTF-8")), "UTF-8");
Document doc = XML.getDocument(xmldoc);
if (XML.verifySignature(doc)) {
// make the fact that the signature has been verified persistent
} else {
// we were unable to verify the signature
throw new Exception();
}
} catch (Exception e) {
throw new ServletException();
}
}
}
This section is work-in-progress.
To be written.
The html page containing the applet is typically generated dynamically, eg. using a servlet. Using a static html document has obvious disadvantages that in most cases makes it unfit for use.
A minimal html page launching the sign applet is listed here.
<html>
<head>
<title></title>
</head>
<body bgcolor="white">
<applet name="signing_applet"
code="org.openoces.opensign.client.applet.Sign"
width="600"
height="400"
codebase="/archive/opensign/opensign-1.2.2-bin"
archive="/archive/opensign/opensign-1.2.2-bin/OpenSign.jar"
mayscript>
<param name="locale" value="en,US">
<param name="cabbase"
value="/archive/opensign/opensign-1.2.2-bin/OpenSign.cab">
<param name="signtext" value="INSERT TEXT TO BE SIGNED HERE">
</applet>
<form name="signedForm" method="post" action="INSERT URL HERE">
<input type="hidden" name="signature">
<input type="hidden" name="result">
</form>
<script language="JavaScript">
function onSignOK(signature) {
document.signedForm.signature.value=signature;
document.signedForm.result.value='ok';
document.signedForm.submit();
}
function onSignCancel() {
document.signedForm.result.value='cancel';
document.signedForm.submit();
}
function onSignError(msg) {
document.signedForm.result.value=msg;
document.signedForm.submit();
}
</script>
</body>
</html>
This section is work-in-progress.
To be written.
To be written.
This section describes all parameters that can be passed to the applets
| Name | Value type | Default value | Description |
|---|---|---|---|
| cabbase | An url | n/a | Contains an url to the proprietary Microsoft cabinet version of the OpenSign applet. This parameter should only be used if support for the Microsoft native java virtual machine is required. This parameter is not specific to OpenSign. |
| locale | {"en,US","da,DK","ca,ES"} | "da,DK" | Sets the locale of the applet. |
| opensign.alerturi | An url | n/a | Configures the url to which the user is directed if an unexpected situation occurs while executing the applet. This parameter is only relevant when the applet operates in 3-step mode. |
| opensign.canceluri | An url | n/a | Configures the url to which the user is directed if the user refuses to sign the document by cancelling the applet. This parameter is only relevant when the applet operates in 3-step mode. |
| opensign.doappletrequest | {"true","false"} | "false" | Configures the applet to use either the 2-step mode or the 3-step mode. If the parameter is set to true, the 3-step mode is used. |
| opensign.doappletrequestonmac | {"true","false"} | "false" | Configures the applet to use either the 2-step or the 3-step mode on MacOS X. If the parameter is set to true, the 3-step mode is used when the applet is run on the MacOS X platform. |
| opensign.verifiederroruri | An url | n/a | Configures the url to which the user is directed upon unsuccesful completion of step 2. This parameter is only relevant when the applet operates in 3-step mode. |
| opensign.verifiedokuri | An url | n/a | Configures the url to which the user is directed upon succesful completion of step 2. This parameter is only relevant when the applet operates in 3-step mode. |
| opensign.verifieruri | An url | n/a | Configures the url to which the signed document is posted using the http protocol. This parameter is only relevant when the applet operates in 3-step mode. |
This section is currently work-in-progress.
This section describes the xmldsig document returned by the OpenSign applets.
To be written.
We would like the following individuals for their contributions to this documentation: