*web-eid-authtoken-validation-java* is a Java library for issuing challenge nonces and validating Web eID authentication tokens during secure authentication with electronic ID (eID) smart cards in web applications.
@@ -48,7 +48,7 @@ Implement the session-backed challenge nonce store as follows:
import org.springframework.beans.factory.ObjectFactory;
import eu.webeid.security.challenge.ChallengeNonce;
import eu.webeid.security.challenge.ChallengeNonceStore;
-import javax.servlet.http.HttpSession;
+import jakarta.servlet.http.HttpSession;
public class SessionBackedChallengeNonceStore implements ChallengeNonceStore {
@@ -79,7 +79,7 @@ public class SessionBackedChallengeNonceStore implements ChallengeNonceStore {
## 3. Configure the challenge nonce generator
-The validation library needs to generate authentication challenge nonces and store them for later validation in the challenge nonce store. Overview of challenge nonce usage is provided in the [Web eID system architecture document](https://github.com/web-eid/web-eid-system-architecture-doc#authentication-1). The challenge nonce generator will be used in the REST endpoint that issues challenges; it is thread-safe and should be scoped as a singleton.
+The validation library needs to generate authentication challenge nonces and store them for later validation in the challenge nonce store. Overview of challenge nonce usage is provided in the [Web eID system architecture document](https://github.com/web-eid/web-eid-system-architecture-doc#authentication-1). The challenge nonce generator will be used in the filter that issues challenges; it is thread-safe and should be scoped as a singleton.
Configure the challenge nonce generator as follows:
@@ -99,7 +99,7 @@ import eu.webeid.security.challenge.ChallengeNonceStore;
## 4. Add trusted certificate authority certificates
-You must explicitly specify which **intermediate** certificate authorities (CAs) are trusted to issue the eID authentication and OCSP responder certificates. CA certificates can be loaded from either the truststore file, resources or any stream source. We use the [`CertificateLoader`](https://github.com/web-eid/web-eid-authtoken-validation-java/blob/main/src/main/java/eu/webeid/security/certificate/CertificateLoader.java) helper class to load CA certificates from resources here, but consider using [the truststore file](./blob/example/main/src/main/java/eu/webeid/example/config/ValidationConfiguration.java#L104-L123) instead.
+You must explicitly specify which **intermediate** certificate authorities (CAs) are trusted to issue the eID authentication and OCSP responder certificates. CA certificates can be loaded from either the truststore file, resources or any stream source. We use the [`CertificateLoader`](src/main/java/eu/webeid/security/certificate/CertificateLoader.java) helper class to load CA certificates from resources here, but consider loading the truststore file (see [loadTrustedCACertificatesFromTrustStore](example/src/main/java/eu/webeid/example/config/ValidationConfiguration.java#L104-L123)) instead.
First, copy the trusted certificates, for example `ESTEID2018.cer`, to `resources/cacerts/`, then load the certificates as follows:
@@ -134,36 +134,86 @@ import eu.webeid.security.validator.AuthTokenValidatorBuilder;
...
```
-## 6. Add a REST endpoint for issuing challenge nonces
+## 6. Add a filter for issuing challenge nonces
-A REST endpoint that issues challenge nonces is required for authentication. The endpoint must support `GET` requests.
+Request Filters that issue challenge nonces for regular Web eID and Web eID for Mobile authentication flows are required for authentication.
+The filters must support POST requests.
-In the following example, we are using the [Spring RESTful Web Services framework](https://spring.io/guides/gs/rest-service/) to implement the endpoint, see also the full implementation [here](example/blob/main/src/main/java/eu/webeid/example/web/rest/ChallengeController.java).
+The `WebEidChallengeNonceFilter` handles `/auth/challenge` requests and issues a new nonce for regular Web eID authentication flow.
+See the full implementation [here](example/src/main/java/eu/webeid/example/security/WebEidChallengeNonceFilter.java).
```java
-import org.springframework.web.bind.annotation.GetMapping;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RestController;
-import eu.webeid.security.challenge.ChallengeNonceGenerator;
-...
+public final class WebEidChallengeNonceFilter extends OncePerRequestFilter {
+ private static final ObjectWriter OBJECT_WRITER = new ObjectMapper().writer();
+ private final RequestMatcher requestMatcher;
+ private final ChallengeNonceGenerator nonceGenerator;
+
+ public WebEidChallengeNonceFilter(String path, ChallengeNonceGenerator nonceGenerator) {
+ this.requestMatcher = PathPatternRequestMatcher.withDefaults().matcher(HttpMethod.POST, path);
+ this.nonceGenerator = nonceGenerator;
+ }
+
+ @Override
+ protected void doFilterInternal(
+ @NonNull HttpServletRequest request,
+ @NonNull HttpServletResponse response,
+ @NonNull FilterChain chain
+ ) throws ServletException, IOException {
+ if (!requestMatcher.matches(request)) {
+ chain.doFilter(request, response);
+ return;
+ }
+
+ var dto = new ChallengeDTO(nonceGenerator.generateAndStoreNonce().getBase64EncodedNonce());
+
+ response.setContentType(MediaType.APPLICATION_JSON_VALUE);
+ OBJECT_WRITER.writeValue(response.getWriter(), dto);
+ }
-@RestController
-@RequestMapping("auth")
-public class ChallengeController {
+ public record ChallengeDTO(String nonce) {}
+}
+```
- @Autowired // for brevity, prefer constructor dependency injection
- private ChallengeNonceGenerator nonceGenerator;
+The `WebEidMobileAuthInitFilter` handles `/auth/mobile/init` requests for authentication flows using **Web eID token format v1.1**. It generates a challenge nonce and returns a deep link URI that embeds both the challenge nonce and the authentication endpoint required for initiating the v1.1 flow.
+See the full implementation [here](example/src/main/java/eu/webeid/example/security/WebEidMobileAuthInitFilter.java).
- @GetMapping("challenge")
- public ChallengeDTO challenge() {
- // a simple DTO with a single 'nonce' field
- final ChallengeDTO challenge = new ChallengeDTO();
- challenge.setNonce(nonceGenerator.generateAndStoreNonce().getBase64EncodedNonce());
- return challenge;
+```java
+@Override
+protected void doFilterInternal(@NonNull HttpServletRequest request,
+ @NonNull HttpServletResponse response,
+ @NonNull FilterChain chain) throws IOException, ServletException {
+ if (!requestMatcher.matches(request)) {
+ chain.doFilter(request, response);
+ return;
}
+
+ var challenge = nonceGenerator.generateAndStoreNonce();
+
+ String loginUri = ServletUriComponentsBuilder.fromCurrentContextPath()
+ .path(mobileLoginPath).build().toUriString();
+
+ String payloadJson = OBJECT_WRITER.writeValueAsString(
+ new AuthPayload(challenge.getBase64EncodedNonce(), loginUri,
+ webEidMobileProperties.requestSigningCert() ? Boolean.TRUE : null)
+ );
+ String encoded = Base64.getEncoder().encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
+ String authUri = getAuthUri(encoded);
+
+ response.setContentType(MediaType.APPLICATION_JSON_VALUE);
+ OBJECT_WRITER.writeValue(response.getWriter(), new AuthUri(authUri));
}
```
+Both filters are registered in the Spring Security filter chain in ApplicationConfiguration.
+See the full implementation [here](example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java):
+```java
+http
+ .addFilterBefore(new WebEidMobileAuthInitFilter("/auth/mobile/init", "/auth/mobile/login", challengeNonceGenerator, webEidMobileProperties),
+ UsernamePasswordAuthenticationFilter.class)
+ .addFilterBefore(new WebEidChallengeNonceFilter("/auth/challenge", challengeNonceGenerator),
+ UsernamePasswordAuthenticationFilter.class)
+```
+
Also, see general guidelines for implementing secure authentication services [here](https://github.com/SK-EID/smart-id-documentation/wiki/Secure-Implementation-Guide).
## 7. Implement authentication
@@ -172,17 +222,20 @@ Authentication consists of calling the `validate()` method of the authentication
When using [Spring Security](https://spring.io/guides/topicals/spring-security-architecture) with standard cookie-based authentication,
-- implement a custom authentication provider that uses the authentication token validator for authentication as shown [here](example/blob/main/src/main/java/eu/webeid/example/security/AuthTokenDTOAuthenticationProvider.java),
-- implement an AJAX authentication processing filter that extracts the authentication token and passes it to the authentication manager as shown [here](example/blob/main/src/main/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilter.java),
-- configure the authentication provider and authentication processing filter in the application configuration as shown [here](example/blob/main/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java).
+- implement a custom authentication provider that uses the authentication token validator for authentication as shown [here](example/src/main/java/eu/webeid/example/security/WebEidAuthenticationProvider.java),
+- implement an AJAX authentication processing filter that extracts the authentication token and passes it to the authentication manager as shown [here](example/src/main/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilter.java),
+- configure the authentication provider and authentication processing filter in the application configuration as shown [here](example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java).
-The gist of the validation is [in the `authenticate()` method](example/blob/main/src/main/java/eu/webeid/example/security/AuthTokenDTOAuthenticationProvider.java#L74-L76) of the authentication provider:
+The gist of the validation is [in the `authenticate()` method](example/src/main/java/eu/webeid/example/security/WebEidAuthenticationProvider.java#L74-L76) of the authentication provider:
```java
try {
- String nonce = challengeNonceStore.getAndRemove().getBase64EncodedNonce();
- X509Certificate userCertificate = tokenValidator.validate(authToken, nonce);
- return WebEidAuthentication.fromCertificate(userCertificate, authorities);
+ final String nonce = challengeNonceStore.getAndRemove().getBase64EncodedNonce();
+ final X509Certificate userCertificate = tokenValidator.validate(authToken, nonce);
+ final var signingCertificate = requireSigningCert && !CollectionUtils.isEmpty(authToken.getUnverifiedSigningCertificates())
+ ? authToken.getUnverifiedSigningCertificates().getFirst() // NOTE: Handling multiple signing certificates is out of scope of this example.
+ : null;
+ return WebEidAuthentication.fromCertificate(userCertificate, signingCertificate, authorities);
} catch (AuthTokenException e) {
...
```
@@ -202,10 +255,11 @@ try {
- [Basic usage](#basic-usage-1)
- [Extended configuration](#extended-configuration-1)
- [Differences between version 1 and version 2](#differences-between-version-1-and-version-2)
+- [Authentication token format versions](#authentication-token-format-versions)
# Introduction
-The Web eID authentication token validation library for Java contains the implementation of the Web eID authentication token validation process in its entirety to ensure that the authentication token sent by the Web eID browser extension contains valid, consistent data that has not been modified by a third party. It also implements secure challenge nonce generation as required by the Web eID authentication protocol. It is easy to configure and integrate into your authentication service.
+The Web eID authentication token validation library for Java contains the implementation of the Web eID authentication token validation process in its entirety to ensure that the authentication token sent by the Web eID browser extension or mobile application contains valid, consistent data that has not been modified by a third party. It also implements secure challenge nonce generation as required by the Web eID authentication protocol. It is easy to configure and integrate into your authentication service.
The authentication protocol, authentication token format, validation requirements and challenge nonce usage is described in more detail in the [Web eID system architecture document](https://github.com/web-eid/web-eid-system-architecture-doc#authentication-1).
@@ -216,7 +270,7 @@ In the following,
- **origin** is defined as the website origin, the URL serving the web application,
- **challenge nonce** (or challenge) is defined as a cryptographic nonce, a large random number that can be used only once, with at least 256 bits of entropy.
-The Web eID authentication token is a JSON data structure that looks like the following example:
+The Web eID authentication token (format **`web-eid:1.0`**) is a JSON data structure that looks like the following example:
```json
{
@@ -248,6 +302,55 @@ It contains the following fields:
The value that is signed by the user’s authentication private key and included in the `signature` field is `hash(origin)+hash(challenge)`. The hash function is used before concatenation to ensure field separation as the hash of a value is guaranteed to have a fixed length. Otherwise the origin `example.com` with challenge nonce `.eu1234` and another origin `example.com.eu` with challenge nonce `1234` would result in the same value after concatenation. The hash function `hash` is the same hash function that is used in the signature algorithm, for example SHA256 in case of RS256.
+The Web eID authentication token (format **`web-eid:1.1`**) is a JSON data structure that looks like the following example:
+
+```json
+{
+ "unverifiedCertificate": "MIIFozCCA4ugAwIBAgIQHFpdK-zCQsFW4...",
+ "algorithm": "RS256",
+ "signature": "HBjNXIaUskXbfhzYQHvwjKDUWfNu4yxXZha...",
+ "unverifiedSigningCertificates": [
+ {
+ "certificate": "MIIFikACB3ugAwASAgIHHFrtdZ-zeQsas1...",
+ "supportedSignatureAlgorithms": [
+ {
+ "cryptoAlgorithm": "ECC",
+ "hashFunction": "SHA-384",
+ "paddingScheme": "NONE"
+ }
+ ]
+ }
+ ],
+ "format": "web-eid:1.1",
+ "appVersion": "https://web-eid.eu/web-eid-app/releases/v2.0.0"
+}
+```
+It contains the following fields:
+
+- `unverifiedSigningCertificates`: an array of objects containing signing certificate information.
+
+Each object inside `unverifiedSigningCertificates` contains:
+
+- `certificate`: base64-encoded DER-encoded signing certificate,
+
+- `supportedSignatureAlgorithms`: list of supported algorithms in the following format:
+
+ - `cryptoAlgorithm`: the cryptographic algorithm used for the key,
+
+ - `hashFunction`: the hashing algorithm used,
+
+ - `paddingScheme`: the padding scheme used (if applicable).
+
+
+Allowed values are:
+
+ cryptoAlgorithm: "ECC", "RSA"
+
+ hashFunction:
+ "SHA-224", "SHA-256", "SHA-384", "SHA-512",
+ "SHA3-224", "SHA3-256", "SHA3-384", "SHA3-512"
+
+ paddingScheme: "NONE", "PKCS1.5", "PSS"
# Authentication token validation
@@ -255,8 +358,13 @@ The authentication token validation process consists of two stages:
- First, **user certificate validation**: the validator parses the token and extracts the user certificate from the *unverifiedCertificate* field. Then it checks the certificate expiration, purpose and policies. Next it checks that the certificate is signed by a trusted CA and checks the certificate status with OCSP.
- Second, **token signature validation**: the validator validates that the token signature was created using the provided user certificate by reconstructing the signed data `hash(origin)+hash(challenge)` and using the public key from the certificate to verify the signature in the `signature` field. If the signature verification succeeds, then the origin and challenge nonce have been implicitly and correctly verified without the need to implement any additional security checks.
+- Additional validation for **Web eID authentication tokens (format v1.1)**: the token must contain the `unverifiedSigningCertificates` field with at least one signing certificate entry. Each entry's `supportedSignatureAlgorithms` are validated against the set of allowed cryptographic algorithms, hash functions, and padding schemes. For each signing certificate, the following checks are performed:
+ - The subject must match the subject of the authentication certificate, ensuring both certificates belong to the same user.
+ - The issuing authority must match that of the authentication certificate, verified via the Authority Key Identifier (AKI) extension.
+ - The certificate must not be expired.
+ - The certificate must contain the non-repudiation key usage bit required for digital signatures.
-The website back end must lookup the challenge nonce from its local store using an identifier specific to the browser session, to guarantee that the authentication token was received from the same browser to which the corresponding challenge nonce was issued. The website back end must guarantee that the challenge nonce lifetime is limited and that its expiration is checked, and that it can be used only once by removing it from the store during validation.
+The website back end must look up the challenge nonce from its local store using an identifier specific to the browser session, to guarantee that the authentication token was received from the same browser to which the corresponding challenge nonce was issued. The website back end must guarantee that the challenge nonce lifetime is limited and that its expiration is checked, and that it can be used only once by removing it from the store during validation.
## Basic usage
@@ -342,7 +450,7 @@ The authentication protocol requires support for generating challenge nonces, la
The `-Djava.security.egd=file:/dev/./urandom` command line argument is added to `pom.xml` to avoid the risk of having the code execution blocked unexpectedly during random generation. Without this, the JVM uses `/dev/random`, which can block, to seed the `SecureRandom` class.
-The authentication protocol requires a REST endpoint that issues challenge nonces as described in section *[6. Add a REST endpoint for issuing challenge nonces](#6-add-a-rest-endpoint-for-issuing-challenge-nonces)*.
+The authentication protocol requires a filter that issues challenge nonces as described in section *[6. Add a filter for issuing challenge nonces](#6-add-a-filter-for-issuing-challenge-nonces)*.
Nonce usage is described in more detail in the [Web eID system architecture document](https://github.com/web-eid/web-eid-system-architecture-doc#authentication-1).
@@ -362,18 +470,18 @@ The `generateAndStoreNonce()` method both generates the nonce and saves it in th
## Extended configuration
-The following additional configuration options are available in `NonceGeneratorBuilder`:
+The following additional configuration options are available in `ChallengeNonceGeneratorBuilder`:
- `withNonceTtl(Duration duration)` – overrides the default challenge nonce time-to-live duration. When the time-to-live passes, the nonce is considered to be expired. Default challenge nonce time-to-live is 5 minutes.
- `withSecureRandom(SecureRandom)` - allows to specify a custom `SecureRandom` instance.
Extended configuration example:
```java
-NonceGenerator generator = new NonceGeneratorBuilder()
- .withChallengeNonceStore(store)
- .withNonceTtl(Duration.ofMinutes(5))
- .withSecureRandom(customSecureRandom)
- .build();
+ChallengeNonceGenerator generator = new ChallengeNonceGeneratorBuilder()
+ .withChallengeNonceStore(store)
+ .withNonceTtl(Duration.ofMinutes(5))
+ .withSecureRandom(customSecureRandom)
+ .build();
```
# Differences between version 1 and version 2
@@ -381,3 +489,16 @@ NonceGenerator generator = new NonceGeneratorBuilder()
In version 1, the generated challenge nonces were stored in a JSR107 compatible cache. The goal of using a cache was to support stateful and stateless authentication with a universal API that uses the same underlying mechanism. However, in case the website had a CSRF vulnerability, this made the solution vulnerable to [forged login attacks](https://en.wikipedia.org/wiki/Cross-site_request_forgery#Forging_login_requests) (the attacker could trick the victim to submit the authentication token with the attacker's challenge nonce to the website using a CSRF attack, so that the victim was authenticated to the website as the attacker). To mitigate this attack, in version 2 the requirement is that the library adopter must guarantee that the authentication token is received from the same browser to which the corresponding challenge nonce was issued. The recommended solution is to use a session-backed challenge nonce store, as in the code examples above. The library no longer uses the JSR107 cache API and provides a `ChallengeNonceStore` interface instead.
In the internal implementation, the Web eID authentication token format changed in version 2. In version 1, the authentication token was in the OpenID X509 ID Token (JWT) format in order to be compatible with the standard OpenID Connect ID Token specification. During independent security review it was pointed out that any similarities of the Web eID authentication token to the JWT format are actually undesirable, as they would imply that the claims presented in the Web eID authentication token can be trusted and processed, while in fact they must be ignored, as they can be manipulated at the client side. The presence of the claims in the authentication token introduces a risk of vulnerabilities in case the authentication implementer decides to rely on any of them for making security critical decisions or decides to apply the same standard validation workflow that is applied to standard JWTs. Since there does not exist a standardized format for an authentication proof that corresponds to the requirements of the Web eID authentication protocol, a special purpose JSON-based format for the Web eID authentication token was adopted in version 2. The format is described in detail in the section *[Authentication token format](#authentication-token-format)*, and the full analysis of the format change is available in [this article](https://web-eid.github.io/web-eid-system-architecture-doc/web-eid-auth-token-v2-format-spec.pdf).
+
+# Authentication Token Format Versions
+
+The Web eID authentication protocol defines two token formats currently supported by this library:
+
+- **Format v1.0** – Used in desktop Web eID authentication flows with traditional smart card readers.
+
+- **Format v1.1** – An extended authentication token format that allows signing certificate information to be included in the authentication response.
+ - `unverifiedSigningCertificates` – an array of signing certificate entries. Each entry contains:
+ - `certificate` – a base64-encoded DER-encoded signing certificate;
+ - `supportedSignatureAlgorithms` – a list of supported signature algorithms associated with that certificate;
+
+Both token formats follow the same validation principles, differing only in the structure of embedded certificates and the additional verification steps required for v1.1.
diff --git a/example/README.md b/example/README.md
index f0e66519..ebf58d68 100644
--- a/example/README.md
+++ b/example/README.md
@@ -1,6 +1,6 @@
# Web eID Spring Boot example
-
+
This project is an example Spring Boot web application that shows how to implement strong authentication
and digital signing with electronic ID smart cards using Web eID.
@@ -51,7 +51,7 @@ You can specify the profile as a command-line argument to the Maven wrapper comm
### 5. Run the application
-Spring Boot web applications can be run from the command-line. You need to have the Java Development Kit 17 installed for building the application package and running the application.
+Spring Boot web applications can be run from the command-line. You need to have the Java Development Kit 21 installed for building the application package and running the application.
Build and run the application with the following command in a terminal window:
@@ -82,6 +82,7 @@ When the application has started, open the _ngrok_ HTTPS URL in your preferred w
- [Using DigiDoc4j in production mode with the `prod` profile](#using-digidoc4j-in-production-mode-with-the-prod-profile)
+ [Stateful and stateless authentication](#stateful-and-stateless-authentication)
+ [Assuring that the signing and authentication certificate subjects match](#assuring-that-the-signing-and-authentication-certificate-subjects-match)
+ + [Requesting the signing certificate in a separate step](#requesting-the-signing-certificate-in-a-separate-step)
* [HTTPS support](#https-support)
+ [How to verify that HTTPS is configured properly](#how-to-verify-that-https-is-configured-properly)
* [Deployment](#deployment)
@@ -100,7 +101,8 @@ This repository contains the code of a minimal Spring Boot web application that
- Spring Security,
- the Web eID authentication token validation library [_web-eid-authtoken-validation-java_](https://github.com/web-eid/web-eid-authtoken-validation-java),
- the Web eID JavaScript library [_web-eid.js_](https://github.com/web-eid/web-eid.js),
-- the digital signing library [_DigiDoc4j_](https://github.com/open-eid/digidoc4j).
+- the digital signing library [_DigiDoc4j_](https://github.com/open-eid/digidoc4j),
+- the Android application [_MOPP-Android_](https://github.com/open-eid/MOPP-Android/).
The project uses Maven for managing the dependencies and building the application. Maven project configuration file `pom.xml` is in the root of the project.
@@ -113,11 +115,15 @@ The source code folder `src` contains the application source code and resources
The `src/main/java/eu/webeid/example` directory contains the Spring Boot application Java class and the following subdirectories:
- `config`: Spring and HTTP security configuration, Web eID authentication token validation library configuration, trusted CA certificates loading etc,
-- `security`: Web eID authentication token validation library integration with Spring Security via an `AuthenticationProvider` and `AuthenticationProcessingFilter`,
-- `service`: Web eID signing service implementation that uses DigiDoc4j, and DigiDoc4j runtime configuration,
-- `web`: Spring Web MVC controller for the welcome page and Spring Web REST controllers that provide endpoints
- - for getting the challenge nonce used by the authentication token validation library,
- - for digital signing.
+- `security`: Web eID authentication token validation library integration with Spring Security
+ - `AuthenticationProvider` and `AuthenticationProcessingFilter` for handling Web eID authentication tokens,
+ - `WebEidChallengeNonceFilter` for issuing the challenge nonce required by the authentication flow,
+ - `WebEidMobileAuthInitFilter` for issuing the challenge nonce and generating the deep link with the authentication request, used to initiate the mobile authentication flow,
+ - `WebEidAjaxLoginProcessingFilter` and `WebEidLoginPageGeneratingFilter` for handling login requests.
+- `service`: Web eID signing service implementation that uses DigiDoc4j, and DigiDoc4j runtime configuration.
+ - `SigningService`: prepares ASiC-E containers and finalizes signatures.
+ - `MobileSigningService`: orchestrates the mobile signing flow (builds mobile signing requests/responses) and supports requesting the signing certificate in a separate step when enabled by configuration.
+- `web`: Spring Web MVC controller for the welcome page and Spring Web REST controller that provides a digital signing endpoint.
The `src/resources` directory contains the resources used by the application:
@@ -134,7 +140,7 @@ The `src/tests` directory contains the application test suite. The most importan
As described in section [_4. Choose either the `dev` or `prod` profile_](#4-choose-either-the-dev-or-prod-profile) above, the application has two different configuration profiles: `dev` profile for running the application in development mode and `prod` profile for production mode. The `dev` profile is activated by default.
-The profile-specific configuration files `src/main/resources/application-{dev,prod}.yaml` contain the `web-eid-auth-token.validation.use-digidoc4j-prod-configuration` setting that configures DigiDoc4j either in test or production mode, and a setting for configuring the origin URL as described in section [_2. Configure the origin URL_](#2-configure-the-origin-url) above. Additionally, the `web-eid-auth-token.validation.truststore-password` setting specifies the truststore password used in the `prod` profile.
+The profile-specific configuration files `src/main/resources/application-{dev,prod}.yaml` contain the `web-eid-auth-token.validation.use-digidoc4j-prod-configuration` setting that configures DigiDoc4j either in test or production mode, and a setting for configuring the origin URL as described in section [_2. Configure the origin URL_](#2-configure-the-origin-url) above. Additionally, the `web-eid-auth-token.validation.truststore-password` setting specifies the truststore password used in the `prod` profile. The `web-eid-mobile` section configures the mobile authentication flow, including the `base-request-uri` for deep link generation and the `request-signing-cert` flag that controls whether the signing certificate is requested during authentication.
The main configuration file `src/main/resources/application.yaml` is shared by all profiles and contains logging configuration and settings that make the session cookie secure behind a reverse proxy as described in section [_HTTPS support_](#https-support) below.
@@ -144,7 +150,7 @@ Spring Security has CSRF protection enabled by default. Web eID requires CSRF pr
### Integration with Web eID components
-Detailed overview of Java code changes required for integrating Web eID authentication token validation is available in the [_web-eid-authtoken-validation-java_ library README](https://github.com/web-eid/web-eid-authtoken-validation-java/blob/main/README.md). There are instructions for configuring the nonce generator, trusted certificate authority certificates, authentication token validator, Spring Security authentication integration and REST endpoints. The corresponding Java code is in the `src/main/java/eu/webeid/example/{config,security,web/rest}` directories.
+Detailed overview of Java code changes required for integrating Web eID authentication token validation is available in the [_web-eid-authtoken-validation-java_ library README](https://github.com/web-eid/web-eid-authtoken-validation-java/blob/main/README.md). There are instructions for configuring the nonce generator, trusted certificate authority certificates, authentication token validator, Spring Security authentication integration and security filters. The corresponding Java code is in the `src/main/java/eu/webeid/example/{config,security,web/rest}` directories.
A similar overview of JavaScript and HTML code changes required for authentication and digital signing with Web eID is available in the [web-eid.js library README](https://github.com/web-eid/web-eid.js/blob/main/README.md). The corresponding JavaScript and HTML code is in the `src/resources/{static,templates}` directories.
@@ -174,6 +180,16 @@ A common alternative to stateful authentication is stateless authentication with
It is usually required to verify that the signing certificate subject matches the authentication certificate subject by assuring that both ID codes match. This check is implemented at the beginning of the `SigningService.prepareContainer()` method.
+### Requesting the signing certificate in a separate step
+
+In some deployments, the signing certificate is not reused from the authentication flow. Instead, it is retrieved directly from the user’s ID-card during the signing process itself.
+
+This approach is useful when the signing process is performed without a prior authentication step. For example, in a mobile flow, the user may start signing directly without authenticating beforehand. In such cases, the signing certificate must be requested separately from the user’s ID-card before the signature can be created.
+
+When this mode is enabled in the configuration, the backend issues a separate request for the signing certificate using the `MobileSigningService`. The service communicates with the client to obtain the certificate before the signing container is prepared, ensuring that the correct certificate chain is available for the signature.
+
+This behavior is controlled by the `request-signing-cert` flag in the `application.yaml` configuration files (`application-dev.yaml`, `application-prod.yaml`). When the flag is set to **false**, the application explicitly requests the signing certificate during the signing process, demonstrating the separate signing certificate retrieval flow. When set to **true**, the signing uses the signing certificate that was already obtained during authentication, and no additional request is made.
+
## HTTPS support
There are two ways of adding HTTPS support to a Spring Boot application:
@@ -216,9 +232,9 @@ Tomcat web server automatically if it detects the presence of the
server.tomcat.protocol-header=x-forwarded-proto
These settings are already enabled in the main configuration file `application.yaml`. See chapter
-[9.3.12](https://docs.spring.io/spring-boot/docs/2.2.5.RELEASE/reference/htmlsingle/#howto-use-behind-a-proxy-server)
+[Running Behind a Front-end Proxy Server](https://docs.spring.io/spring-boot/3.5/how-to/webserver.html#howto.webserver.use-behind-a-proxy-server)
and
-[9.14.3](https://docs.spring.io/spring-boot/docs/2.2.5.RELEASE/reference/htmlsingle/#howto-enable-https)
+[Enable HTTPS When Running Behind a Proxy Server](https://docs.spring.io/spring-boot/3.5/how-to/security.html#howto.security.enable-https)
in the official documentation for further details.
### How to verify that HTTPS is configured properly
@@ -229,7 +245,7 @@ Strict Transport Security (HSTS) header and the `JSESSIONID` session cookie has
## Deployment
-A Docker Compose configuration file `docker-compose.yml` is available in the root of the project for packaging the application in a Docker image so that it can be deployed with a container enginge.
+A Docker Compose configuration file `docker-compose.yml` is available in the root of the project for packaging the application in a Docker image so that it can be deployed with a container engine.
Build the Docker image with [Jib](https://github.com/GoogleContainerTools/jib) as follows:
diff --git a/example/pom.xml b/example/pom.xml
index a6bbebb6..831e8c3f 100644
--- a/example/pom.xml
+++ b/example/pom.xml
@@ -10,17 +10,17 @@
',title:"",trigger:"hover focus"},fs={allowList:"object",animation:"boolean",boundary:"(string|element)",container:"(string|element|boolean)",customClass:"(string|function)",delay:"(number|object)",fallbackPlacements:"array",html:"boolean",offset:"(array|string|function)",placement:"(string|function)",popperConfig:"(null|object|function)",sanitize:"boolean",sanitizeFn:"(null|function)",selector:"(string|boolean)",template:"string",title:"(string|element|function)",trigger:"string"};class ps extends B{constructor(t,e){if(void 0===Ai)throw new TypeError("Bootstrap's tooltips require Popper (https://popper.js.org/docs/v2/)");super(t,e),this._isEnabled=!0,this._timeout=0,this._isHovered=null,this._activeTrigger={},this._popper=null,this._templateFactory=null,this._newContent=null,this.tip=null,this._setListeners(),this._config.selector||this._fixTitle()}static get Default(){return us}static get DefaultType(){return fs}static get NAME(){return"tooltip"}enable(){this._isEnabled=!0}disable(){this._isEnabled=!1}toggleEnabled(){this._isEnabled=!this._isEnabled}toggle(){this._isEnabled&&(this._isShown()?this._leave():this._enter())}dispose(){clearTimeout(this._timeout),P.off(this._element.closest(rs),as,this._hideModalHandler),this._element.getAttribute("data-bs-original-title")&&this._element.setAttribute("title",this._element.getAttribute("data-bs-original-title")),this._disposePopper(),super.dispose()}show(){if("none"===this._element.style.display)throw new Error("Please use show on visible elements");if(!this._isWithContent()||!this._isEnabled)return;const t=P.trigger(this._element,this.constructor.eventName("show")),e=(h(this._element)||this._element.ownerDocument.documentElement).contains(this._element);if(t.defaultPrevented||!e)return;this._disposePopper();const i=this._getTipElement();this._element.setAttribute("aria-describedby",i.getAttribute("id"));const{container:n}=this._config;if(this._element.ownerDocument.documentElement.contains(this.tip)||(n.append(i),P.trigger(this._element,this.constructor.eventName("inserted"))),this._popper=this._createPopper(i),i.classList.add(ss),"ontouchstart"in document.documentElement)for(const t of[].concat(...document.body.children))P.on(t,"mouseover",d);this._queueCallback(()=>{P.trigger(this._element,this.constructor.eventName("shown")),!1===this._isHovered&&this._leave(),this._isHovered=!1},this.tip,this._isAnimated())}hide(){if(this._isShown()&&!P.trigger(this._element,this.constructor.eventName("hide")).defaultPrevented){if(this._getTipElement().classList.remove(ss),"ontouchstart"in document.documentElement)for(const t of[].concat(...document.body.children))P.off(t,"mouseover",d);this._activeTrigger[hs]=!1,this._activeTrigger[cs]=!1,this._activeTrigger[ls]=!1,this._isHovered=null,this._queueCallback(()=>{this._isWithActiveTrigger()||(this._isHovered||this._disposePopper(),this._element.removeAttribute("aria-describedby"),P.trigger(this._element,this.constructor.eventName("hidden")))},this.tip,this._isAnimated())}}update(){this._popper&&this._popper.update()}_isWithContent(){return Boolean(this._getTitle())}_getTipElement(){return this.tip||(this.tip=this._createTipElement(this._newContent||this._getContentForTemplate())),this.tip}_createTipElement(t){const e=this._getTemplateFactory(t).toHtml();if(!e)return null;e.classList.remove(ns,ss),e.classList.add(`bs-${this.constructor.NAME}-auto`);const i=(t=>{do{t+=Math.floor(1e6*Math.random())}while(document.getElementById(t));return t})(this.constructor.NAME).toString();return e.setAttribute("id",i),this._isAnimated()&&e.classList.add(ns),e}setContent(t){this._newContent=t,this._isShown()&&(this._disposePopper(),this.show())}_getTemplateFactory(t){return this._templateFactory?this._templateFactory.changeContent(t):this._templateFactory=new es({...this._config,content:t,extraClass:this._resolvePossibleFunction(this._config.customClass)}),this._templateFactory}_getContentForTemplate(){return{[os]:this._getTitle()}}_getTitle(){return this._resolvePossibleFunction(this._config.title)||this._element.getAttribute("data-bs-original-title")}_initializeOnDelegatedTarget(t){return this.constructor.getOrCreateInstance(t.delegateTarget,this._getDelegateConfig())}_isAnimated(){return this._config.animation||this.tip&&this.tip.classList.contains(ns)}_isShown(){return this.tip&&this.tip.classList.contains(ss)}_createPopper(t){const e=_(this._config.placement,[this,t,this._element]),i=ds[e.toUpperCase()];return wi(this._element,t,this._getPopperConfig(i))}_getOffset(){const{offset:t}=this._config;return"string"==typeof t?t.split(",").map(t=>Number.parseInt(t,10)):"function"==typeof t?e=>t(e,this._element):t}_resolvePossibleFunction(t){return _(t,[this._element,this._element])}_getPopperConfig(t){const e={placement:t,modifiers:[{name:"flip",options:{fallbackPlacements:this._config.fallbackPlacements}},{name:"offset",options:{offset:this._getOffset()}},{name:"preventOverflow",options:{boundary:this._config.boundary}},{name:"arrow",options:{element:`.${this.constructor.NAME}-arrow`}},{name:"preSetPlacement",enabled:!0,phase:"beforeMain",fn:t=>{this._getTipElement().setAttribute("data-popper-placement",t.state.placement)}}]};return{...e,..._(this._config.popperConfig,[void 0,e])}}_setListeners(){const t=this._config.trigger.split(" ");for(const e of t)if("click"===e)P.on(this._element,this.constructor.eventName("click"),this._config.selector,t=>{const e=this._initializeOnDelegatedTarget(t);e._activeTrigger[hs]=!(e._isShown()&&e._activeTrigger[hs]),e.toggle()});else if("manual"!==e){const t=e===ls?this.constructor.eventName("mouseenter"):this.constructor.eventName("focusin"),i=e===ls?this.constructor.eventName("mouseleave"):this.constructor.eventName("focusout");P.on(this._element,t,this._config.selector,t=>{const e=this._initializeOnDelegatedTarget(t);e._activeTrigger["focusin"===t.type?cs:ls]=!0,e._enter()}),P.on(this._element,i,this._config.selector,t=>{const e=this._initializeOnDelegatedTarget(t);e._activeTrigger["focusout"===t.type?cs:ls]=e._element.contains(t.relatedTarget),e._leave()})}this._hideModalHandler=()=>{this._element&&this.hide()},P.on(this._element.closest(rs),as,this._hideModalHandler)}_fixTitle(){const t=this._element.getAttribute("title");t&&(this._element.getAttribute("aria-label")||this._element.textContent.trim()||this._element.setAttribute("aria-label",t),this._element.setAttribute("data-bs-original-title",t),this._element.removeAttribute("title"))}_enter(){this._isShown()||this._isHovered?this._isHovered=!0:(this._isHovered=!0,this._setTimeout(()=>{this._isHovered&&this.show()},this._config.delay.show))}_leave(){this._isWithActiveTrigger()||(this._isHovered=!1,this._setTimeout(()=>{this._isHovered||this.hide()},this._config.delay.hide))}_setTimeout(t,e){clearTimeout(this._timeout),this._timeout=setTimeout(t,e)}_isWithActiveTrigger(){return Object.values(this._activeTrigger).includes(!0)}_getConfig(t){const e=H.getDataAttributes(this._element);for(const t of Object.keys(e))is.has(t)&&delete e[t];return t={...e,..."object"==typeof t&&t?t:{}},t=this._mergeConfigObj(t),t=this._configAfterMerge(t),this._typeCheckConfig(t),t}_configAfterMerge(t){return t.container=!1===t.container?document.body:a(t.container),"number"==typeof t.delay&&(t.delay={show:t.delay,hide:t.delay}),"number"==typeof t.title&&(t.title=t.title.toString()),"number"==typeof t.content&&(t.content=t.content.toString()),t}_getDelegateConfig(){const t={};for(const[e,i]of Object.entries(this._config))this.constructor.Default[e]!==i&&(t[e]=i);return t.selector=!1,t.trigger="manual",t}_disposePopper(){this._popper&&(this._popper.destroy(),this._popper=null),this.tip&&(this.tip.remove(),this.tip=null)}static jQueryInterface(t){return this.each(function(){const e=ps.getOrCreateInstance(this,t);if("string"==typeof t){if(void 0===e[t])throw new TypeError(`No method named "${t}"`);e[t]()}})}}g(ps);const ms=".popover-header",gs=".popover-body",_s={...ps.Default,content:"",offset:[0,8],placement:"right",template:'
',trigger:"click"},bs={...ps.DefaultType,content:"(null|string|element|function)"};class vs extends ps{static get Default(){return _s}static get DefaultType(){return bs}static get NAME(){return"popover"}_isWithContent(){return this._getTitle()||this._getContent()}_getContentForTemplate(){return{[ms]:this._getTitle(),[gs]:this._getContent()}}_getContent(){return this._resolvePossibleFunction(this._config.content)}static jQueryInterface(t){return this.each(function(){const e=vs.getOrCreateInstance(this,t);if("string"==typeof t){if(void 0===e[t])throw new TypeError(`No method named "${t}"`);e[t]()}})}}g(vs);const ys=".bs.scrollspy",ws=`activate${ys}`,As=`click${ys}`,Es=`load${ys}.data-api`,Ts="active",Cs="[href]",Os=".nav-link",xs=`${Os}, .nav-item > ${Os}, .list-group-item`,ks={offset:null,rootMargin:"0px 0px -25%",smoothScroll:!1,target:null,threshold:[.1,.5,1]},Ls={offset:"(number|null)",rootMargin:"string",smoothScroll:"boolean",target:"element",threshold:"array"};class Ss extends B{constructor(t,e){super(t,e),this._targetLinks=new Map,this._observableSections=new Map,this._rootElement="visible"===getComputedStyle(this._element).overflowY?null:this._element,this._activeTarget=null,this._observer=null,this._previousScrollData={visibleEntryTop:0,parentScrollTop:0},this.refresh()}static get Default(){return ks}static get DefaultType(){return Ls}static get NAME(){return"scrollspy"}refresh(){this._initializeTargetsAndObservables(),this._maybeEnableSmoothScroll(),this._observer?this._observer.disconnect():this._observer=this._getNewObserver();for(const t of this._observableSections.values())this._observer.observe(t)}dispose(){this._observer.disconnect(),super.dispose()}_configAfterMerge(t){return t.target=a(t.target)||document.body,t.rootMargin=t.offset?`${t.offset}px 0px -30%`:t.rootMargin,"string"==typeof t.threshold&&(t.threshold=t.threshold.split(",").map(t=>Number.parseFloat(t))),t}_maybeEnableSmoothScroll(){this._config.smoothScroll&&(P.off(this._config.target,As),P.on(this._config.target,As,Cs,t=>{const e=this._observableSections.get(t.target.hash);if(e){t.preventDefault();const i=this._rootElement||window,n=e.offsetTop-this._element.offsetTop;if(i.scrollTo)return void i.scrollTo({top:n,behavior:"smooth"});i.scrollTop=n}}))}_getNewObserver(){const t={root:this._rootElement,threshold:this._config.threshold,rootMargin:this._config.rootMargin};return new IntersectionObserver(t=>this._observerCallback(t),t)}_observerCallback(t){const e=t=>this._targetLinks.get(`#${t.target.id}`),i=t=>{this._previousScrollData.visibleEntryTop=t.target.offsetTop,this._process(e(t))},n=(this._rootElement||document.documentElement).scrollTop,s=n>=this._previousScrollData.parentScrollTop;this._previousScrollData.parentScrollTop=n;for(const o of t){if(!o.isIntersecting){this._activeTarget=null,this._clearActiveClass(e(o));continue}const t=o.target.offsetTop>=this._previousScrollData.visibleEntryTop;if(s&&t){if(i(o),!n)return}else s||t||i(o)}}_initializeTargetsAndObservables(){this._targetLinks=new Map,this._observableSections=new Map;const t=R.find(Cs,this._config.target);for(const e of t){if(!e.hash||c(e))continue;const t=R.findOne(decodeURI(e.hash),this._element);l(t)&&(this._targetLinks.set(decodeURI(e.hash),e),this._observableSections.set(e.hash,t))}}_process(t){this._activeTarget!==t&&(this._clearActiveClass(this._config.target),this._activeTarget=t,t.classList.add(Ts),this._activateParents(t),P.trigger(this._element,ws,{relatedTarget:t}))}_activateParents(t){if(t.classList.contains("dropdown-item"))R.findOne(".dropdown-toggle",t.closest(".dropdown")).classList.add(Ts);else for(const e of R.parents(t,".nav, .list-group"))for(const t of R.prev(e,xs))t.classList.add(Ts)}_clearActiveClass(t){t.classList.remove(Ts);const e=R.find(`${Cs}.${Ts}`,t);for(const t of e)t.classList.remove(Ts)}static jQueryInterface(t){return this.each(function(){const e=Ss.getOrCreateInstance(this,t);if("string"==typeof t){if(void 0===e[t]||t.startsWith("_")||"constructor"===t)throw new TypeError(`No method named "${t}"`);e[t]()}})}}P.on(window,Es,()=>{for(const t of R.find('[data-bs-spy="scroll"]'))Ss.getOrCreateInstance(t)}),g(Ss);const Ds=".bs.tab",$s=`hide${Ds}`,Is=`hidden${Ds}`,Ns=`show${Ds}`,Ps=`shown${Ds}`,js=`click${Ds}`,Ms=`keydown${Ds}`,Fs=`load${Ds}`,Hs="ArrowLeft",Ws="ArrowRight",Bs="ArrowUp",zs="ArrowDown",Rs="Home",qs="End",Vs="active",Ks="fade",Qs="show",Xs=".dropdown-toggle",Ys=`:not(${Xs})`,Us='[data-bs-toggle="tab"], [data-bs-toggle="pill"], [data-bs-toggle="list"]',Gs=`.nav-link${Ys}, .list-group-item${Ys}, [role="tab"]${Ys}, ${Us}`,Js=`.${Vs}[data-bs-toggle="tab"], .${Vs}[data-bs-toggle="pill"], .${Vs}[data-bs-toggle="list"]`;class Zs extends B{constructor(t){super(t),this._parent=this._element.closest('.list-group, .nav, [role="tablist"]'),this._parent&&(this._setInitialAttributes(this._parent,this._getChildren()),P.on(this._element,Ms,t=>this._keydown(t)))}static get NAME(){return"tab"}show(){const t=this._element;if(this._elemIsActive(t))return;const e=this._getActiveElem(),i=e?P.trigger(e,$s,{relatedTarget:t}):null;P.trigger(t,Ns,{relatedTarget:e}).defaultPrevented||i&&i.defaultPrevented||(this._deactivate(e,t),this._activate(t,e))}_activate(t,e){t&&(t.classList.add(Vs),this._activate(R.getElementFromSelector(t)),this._queueCallback(()=>{"tab"===t.getAttribute("role")?(t.removeAttribute("tabindex"),t.setAttribute("aria-selected",!0),this._toggleDropDown(t,!0),P.trigger(t,Ps,{relatedTarget:e})):t.classList.add(Qs)},t,t.classList.contains(Ks)))}_deactivate(t,e){t&&(t.classList.remove(Vs),t.blur(),this._deactivate(R.getElementFromSelector(t)),this._queueCallback(()=>{"tab"===t.getAttribute("role")?(t.setAttribute("aria-selected",!1),t.setAttribute("tabindex","-1"),this._toggleDropDown(t,!1),P.trigger(t,Is,{relatedTarget:e})):t.classList.remove(Qs)},t,t.classList.contains(Ks)))}_keydown(t){if(![Hs,Ws,Bs,zs,Rs,qs].includes(t.key))return;t.stopPropagation(),t.preventDefault();const e=this._getChildren().filter(t=>!c(t));let i;if([Rs,qs].includes(t.key))i=e[t.key===Rs?0:e.length-1];else{const n=[Ws,zs].includes(t.key);i=v(e,t.target,n,!0)}i&&(i.focus({preventScroll:!0}),Zs.getOrCreateInstance(i).show())}_getChildren(){return R.find(Gs,this._parent)}_getActiveElem(){return this._getChildren().find(t=>this._elemIsActive(t))||null}_setInitialAttributes(t,e){this._setAttributeIfNotExists(t,"role","tablist");for(const t of e)this._setInitialAttributesOnChild(t)}_setInitialAttributesOnChild(t){t=this._getInnerElement(t);const e=this._elemIsActive(t),i=this._getOuterElement(t);t.setAttribute("aria-selected",e),i!==t&&this._setAttributeIfNotExists(i,"role","presentation"),e||t.setAttribute("tabindex","-1"),this._setAttributeIfNotExists(t,"role","tab"),this._setInitialAttributesOnTargetPanel(t)}_setInitialAttributesOnTargetPanel(t){const e=R.getElementFromSelector(t);e&&(this._setAttributeIfNotExists(e,"role","tabpanel"),t.id&&this._setAttributeIfNotExists(e,"aria-labelledby",`${t.id}`))}_toggleDropDown(t,e){const i=this._getOuterElement(t);if(!i.classList.contains("dropdown"))return;const n=(t,n)=>{const s=R.findOne(t,i);s&&s.classList.toggle(n,e)};n(Xs,Vs),n(".dropdown-menu",Qs),i.setAttribute("aria-expanded",e)}_setAttributeIfNotExists(t,e,i){t.hasAttribute(e)||t.setAttribute(e,i)}_elemIsActive(t){return t.classList.contains(Vs)}_getInnerElement(t){return t.matches(Gs)?t:R.findOne(Gs,t)}_getOuterElement(t){return t.closest(".nav-item, .list-group-item")||t}static jQueryInterface(t){return this.each(function(){const e=Zs.getOrCreateInstance(this);if("string"==typeof t){if(void 0===e[t]||t.startsWith("_")||"constructor"===t)throw new TypeError(`No method named "${t}"`);e[t]()}})}}P.on(document,js,Us,function(t){["A","AREA"].includes(this.tagName)&&t.preventDefault(),c(this)||Zs.getOrCreateInstance(this).show()}),P.on(window,Fs,()=>{for(const t of R.find(Js))Zs.getOrCreateInstance(t)}),g(Zs);const to=".bs.toast",eo=`mouseover${to}`,io=`mouseout${to}`,no=`focusin${to}`,so=`focusout${to}`,oo=`hide${to}`,ro=`hidden${to}`,ao=`show${to}`,lo=`shown${to}`,co="hide",ho="show",uo="showing",fo={animation:"boolean",autohide:"boolean",delay:"number"},po={animation:!0,autohide:!0,delay:5e3};class mo extends B{constructor(t,e){super(t,e),this._timeout=null,this._hasMouseInteraction=!1,this._hasKeyboardInteraction=!1,this._setListeners()}static get Default(){return po}static get DefaultType(){return fo}static get NAME(){return"toast"}show(){P.trigger(this._element,ao).defaultPrevented||(this._clearTimeout(),this._config.animation&&this._element.classList.add("fade"),this._element.classList.remove(co),u(this._element),this._element.classList.add(ho,uo),this._queueCallback(()=>{this._element.classList.remove(uo),P.trigger(this._element,lo),this._maybeScheduleHide()},this._element,this._config.animation))}hide(){this.isShown()&&(P.trigger(this._element,oo).defaultPrevented||(this._element.classList.add(uo),this._queueCallback(()=>{this._element.classList.add(co),this._element.classList.remove(uo,ho),P.trigger(this._element,ro)},this._element,this._config.animation)))}dispose(){this._clearTimeout(),this.isShown()&&this._element.classList.remove(ho),super.dispose()}isShown(){return this._element.classList.contains(ho)}_maybeScheduleHide(){this._config.autohide&&(this._hasMouseInteraction||this._hasKeyboardInteraction||(this._timeout=setTimeout(()=>{this.hide()},this._config.delay)))}_onInteraction(t,e){switch(t.type){case"mouseover":case"mouseout":this._hasMouseInteraction=e;break;case"focusin":case"focusout":this._hasKeyboardInteraction=e}if(e)return void this._clearTimeout();const i=t.relatedTarget;this._element===i||this._element.contains(i)||this._maybeScheduleHide()}_setListeners(){P.on(this._element,eo,t=>this._onInteraction(t,!0)),P.on(this._element,io,t=>this._onInteraction(t,!1)),P.on(this._element,no,t=>this._onInteraction(t,!0)),P.on(this._element,so,t=>this._onInteraction(t,!1))}_clearTimeout(){clearTimeout(this._timeout),this._timeout=null}static jQueryInterface(t){return this.each(function(){const e=mo.getOrCreateInstance(this,t);if("string"==typeof t){if(void 0===e[t])throw new TypeError(`No method named "${t}"`);e[t](this)}})}}return q(mo),g(mo),{Alert:X,Button:U,Carousel:St,Collapse:qt,Dropdown:Qi,Modal:Ln,Offcanvas:Qn,Popover:vs,ScrollSpy:Ss,Tab:Zs,Toast:mo,Tooltip:ps}});
+//# sourceMappingURL=bootstrap.bundle.min.js.map
diff --git a/example/src/main/resources/static/js/errors.js b/example/src/main/resources/static/js/errors.js
index 7f42d5ff..80414751 100644
--- a/example/src/main/resources/static/js/errors.js
+++ b/example/src/main/resources/static/js/errors.js
@@ -32,10 +32,9 @@ export function hideErrorMessage() {
alertUi.alert.style.display = "none";
}
-export function showErrorMessage(error) {
- const message = "Authentication failed";
+export function showErrorMessage(error, message = "Authentication failed") {
const details =
- `[Code]\n${error.code}` +
+ `[Code]\n${error.code ?? "UNKNOWN_ERROR"}` +
`\n\n[Message]\n${error.message}` +
(error.response ? `\n\n[response]\n${JSON.stringify(error.response, null, " ")}` : "");
@@ -56,4 +55,4 @@ export async function checkHttpError(response) {
error.code = response.status;
throw error;
}
-}
\ No newline at end of file
+}
diff --git a/example/src/main/java/eu/webeid/example/service/dto/ChallengeDTO.java b/example/src/main/resources/static/js/payload.js
similarity index 68%
rename from example/src/main/java/eu/webeid/example/service/dto/ChallengeDTO.java
rename to example/src/main/resources/static/js/payload.js
index 4a6b9c93..4035e6c2 100644
--- a/example/src/main/java/eu/webeid/example/service/dto/ChallengeDTO.java
+++ b/example/src/main/resources/static/js/payload.js
@@ -20,16 +20,26 @@
* SOFTWARE.
*/
-package eu.webeid.example.service.dto;
+export function parsePayload(context) {
+ const fragment = window.location.hash.slice(1);
-public class ChallengeDTO {
- private String nonce;
+ if (!fragment) {
+ throw new Error(`Missing ${context} response payload`);
+ }
- public String getNonce() {
- return nonce;
+ let payload;
+ try {
+ payload = JSON.parse(atob(fragment));
+ } catch (e) {
+ console.error(e);
+ throw new Error(`Failed to parse the ${context} response`);
}
- public void setNonce(String nonce) {
- this.nonce = nonce;
+ if (payload.error) {
+ const error = new Error(payload.message ?? `${context} failed`);
+ error.code = payload.code;
+ throw error;
}
+
+ return payload;
}
diff --git a/example/src/main/resources/templates/index.html b/example/src/main/resources/templates/index.html
index 8e1e760b..5ded6033 100644
--- a/example/src/main/resources/templates/index.html
+++ b/example/src/main/resources/templates/index.html
@@ -1,309 +1,626 @@
-
+
-
-
-
-
-
-
-
-
- Completing signing…
+
+
+
+
+
+ Signing you in…
+
+
+
+
+ Welcome!
-
-
+
+
-
-
-
-
-
-
-Web eID: electronic ID smart cards on the Web
-- The Web eID project enables usage of European Union electronic identity (eID) smart cards for - secure authentication and digital signing of documents on the web using public-key cryptography. -
-- Estonian, Finnish, Latvian, Lithuanian, Belgian and Croatian eID cards are supported in the first phase, - but only Estonian eID card support is currently enabled in the test application below. -
-- Please get in touch by email at help@ria.ee in case you need support with adding Web eID to your project - or want to add support for a new eID card to Web eID. -
- --
Table of contents
--
-
- Usage -
- Documentation -
- For developers -
-
Usage
-The recommended way of installing Web eID is by installing - the latest Open-EID ID-software package. - In case you do not need or want to install the Open-EID package, install the latest Web eID packages in - Firefox, Chrome, Edge or Safari according to the following instructions: -
--
-
-
- Download and run the Web eID native app and browser extension installer:
-
-
-
- on Ubuntu Linux, for Firefox and Chrome, download and execute the
-install-web-eid.sh- script from the console with
-wget -O - https:///scripts/install-web-eid.sh - | bash
- Note: as of the 2.5 version, Web eID supports Firefox installed via Snap. -
- - on macOS 13 or later, for Firefox and Chrome from - here, - -
- on macOS 13 or later, for Safari, install the extension from - App Store, - -
- on Windows 10, Windows 11, Windows Server 2019, Windows Server 2022, Windows Server - 2025 for Firefox, Chrome and Edge from - here. - -
- - on Ubuntu Linux, for Firefox and Chrome, download and execute the
- - The installer will install the browser extension for all supported browsers automatically. - The extension must be manually enabled from either the extension installation pop-up that appears in - the browser or from the browser extensions management page and may need browser restart under - certain circumstances. - -
Testing:
--
-
- - Attach a smart card reader to the computer and insert the eID card into the reader. - -
- Click Authenticate below. -
- -
- -The privacy policy of the test service is available here. -
- --
Uninstallation
-The uninstaller will remove the browser extension from all supported browsers automatically.
- -Ubuntu Linux
-Uninstall the Web eID software either using the Ubuntu Software Center or from the console with
- sudo apt purge web-eid
macOS
-To uninstall the Web eID software, do the following:
--
-
- download the Web eID native app and browser extension installer as instructed above, -
- open the downloaded file, -
- open Terminal, -
- drag and drop
uninstall.shfrom the downloaded file to the Terminal window,
- - press Enter and Y, -
- enter your password. -
Windows
-Uninstall the Web eID software using Add or remove programs.
- -Debugging and logs
--
-
- - To debug the extension, open the extension page and select - Inspect to open browser developer tools in extension mode. You can examine extension - logs in the Console tab, put breakpoints in extension code in the Debugger tab - and inspect extension network communication in the Network tab. - -
-
- To enable logging in the extension companion native app,
-
-
-
- in Linux, run the following command in the console:
-echo 'logging=true' > ~/.config/RIA/web-eid.conf-
- - in macOS, run the following command in the console:
-defaults write \
-"$HOME/Library/Containers/eu.web-eid.web-eid/Data/Library/Preferences/eu.web-eid.web-eid.plist" - \
-logging true
-defaults write - "$HOME/Library/Containers/eu.web-eid.web-eid-safari/Data/Library/Preferences/eu.web-eid.web-eid-safari.plist" - \
-logging true
-
- - in Windows, add the following registry key:
-[HKEY_CURRENT_USER\SOFTWARE\RIA\web-eid]
-"logging"="true"-
-
- - in Linux, run the following command in the console:
-
- The native app logs are stored in
+
+
+
+
+
+
+
Web eID: electronic ID smart cards on the Web + + + + + + + + + + +++ +++++Web eID: electronic ID smart cards on the Web
++ The Web eID project enables usage of European Union electronic identity (eID) smart cards for + secure authentication and digital signing of documents on the web using public-key cryptography. +
++ Estonian, Finnish, Latvian, Lithuanian, Belgian and Croatian eID cards are supported in the + first phase, but only Estonian eID card support is currently enabled in the test application + below. +
++ Please get in touch by email at help@ria.ee in case you need support with adding Web eID to your + project or want to add support for a new eID card to Web eID. +
++ The privacy policy of the test service is available + here. +
+ +
+Web eID plugin status
++ ⏳ + Web eID plugin installed +++ ⏳ + Accessed with a mobile device ++ +
+Table of contents
-
-
~/.local/share/RIA/web-eid/web-eid.login Linux
- ~/Library/Containers/eu.web-eid.web-eid/Data/Library/Application\ - Support/RIA/web-eid/web-eid.login macOS -
- ~/Library/Containers/eu.web-eid.web-eid-safari/Data/Library/Application\ - Support/RIA/web-eid-safari/web-eid-safari.logof Safari in macOS --
-
C:/Users/<USER>/AppData/Local/RIA/web-eid/web-eid.login Windows. + Usage with Web eID plugin +
-
- - You can verify if debugging works by executing the native application
- - -web-eidmanually, - there will be an informative message in the logs. -
-Documentation
-- Technical overview of the solution is available in the project - system architecture document. - Overview of authentication token validation implementation in the back end is available in the - web-eid-authtoken-validation-java Java library - README. -
-- Security analysis of the solution is available - in this - document. -
-
-For developers
-- Currently the Web eID back-end libraries are available for Java, .NET and PHP web applications. -
-- To implement authentication and digital signing with Web eID in a Java, .NET or PHP web application, - you need to -
-
-
- use the web-eid.js JavaScript library in the front end of the web application - according to the instructions - here, - -
- for authentication
-
-
-
- in Java use the web-eid-authtoken-validation-java library in - the back end of the web application according to the instructions - here, - -
- in .NET/C# use the web-eid-authtoken-validation-dotnet library according to the - instructions - here - -
- in PHP use the web-eid-authtoken-validation-php library according to the - instructions - here +
-
+ Usage without Web eID plugin
+
-
+
- Documentation +
- - for digital signing
-
-
-
- in Java use the digidoc4j library in the back end of the web
- application according to the instructions
- here,
+
+
+Usage with Web eID plugin
++ The recommended way of installing Web eID is by installing + the latest Open-EID ID-software package. In case you do not need or want to install the Open-EID package, install the latest Web eID + packages in Firefox, Chrome, Edge or Safari according to the following instructions: +
+-
+
-
+ Download and run the Web eID native app and browser extension installer:
+
-
+
-
+ on Ubuntu Linux, for Firefox and Chrome, download and execute the
+install-web-eid.sh+ script from the console with
+wget -O - https:///scripts/install-web-eid.sh | + bash
+ Note: as of the 2.5 version, Web eID supports Firefox installed via Snap. +
+ - + on macOS 13 or later, for Firefox and Chrome from + here, + +
- + on macOS 13 or later, for Safari, install the extension from + App Store, + +
- + on Windows 10, Windows 11, Windows Server 2019, Windows Server 2022, Windows + Server 2025 for Firefox, Chrome and Edge from + here. + +
- -
+ on Ubuntu Linux, for Firefox and Chrome, download and execute the
- in .NET/C# use the libdigidocpp library in the back end of the web - application according to the instructions - here. +
- + The installer will install the browser extension for all supported browsers automatically. + The extension must be manually enabled from either the extension installation pop-up that + appears in the browser or from the browser extensions management page and may need browser + restart under certain circumstances. -
-
+ Download and run the Web eID native app and browser extension installer:
+
- - in Java use the digidoc4j library in the back end of the web
- application according to the instructions
- here,
+
+
- The full source code of an example Spring Boot web application that uses Web eID for authentication - and digital signing is available - here. - The .NET/C# version of the example is available - here. - The PHP version of the example is available - here. -
+ +Testing:
+-
+
- Attach a smart card reader to the computer and insert the eID card into the reader. +
- Click Authenticate below. +
+ +
+ +
+++ ++++ + +
++++++ The uninstaller will remove the browser extension from all supported browsers + automatically. +
+ +Ubuntu Linux
++ Uninstall the Web eID software either using the Ubuntu Software Center or from + the console with
+ +
+sudo apt purge web-eid+macOS
+To uninstall the Web eID software, do the following:
+-
+
- + download the Web eID native app and browser extension installer as + instructed above, + +
- open the downloaded file, +
- open Terminal, +
-
+ drag and drop
uninstall.shfrom the downloaded file to the + Terminal window, +
+ - press Enter and Y, +
- enter your password. +
Windows
+Uninstall the Web eID software using Add or remove programs.
++++ + +
+++++-
+
- + To debug the extension, open the extension page and select + Inspect to open browser developer tools in extension mode. You can + examine extension logs in the Console tab, put breakpoints in + extension code in the Debugger tab and inspect extension network + communication in the Network tab. + +
-
+ To enable logging in the extension companion native app,
+
-
+
-
+ in Linux, run the following command in the console:
+echo 'logging=true' > ~/.config/RIA/web-eid.conf+
+ -
+ in macOS, run the following command in the console:
+defaults write \
+"$HOME/Library/Containers/eu.web-eid.web-eid/Data/Library/Preferences/eu.web-eid.web-eid.plist" + \
+logging true
+defaults write + "$HOME/Library/Containers/eu.web-eid.web-eid-safari/Data/Library/Preferences/eu.web-eid.web-eid-safari.plist" + \
+logging true
+
+ -
+ in Windows, add the following registry key:
+[HKEY_CURRENT_USER\SOFTWARE\RIA\web-eid]
+"logging"="true"+
+
+ -
+ in Linux, run the following command in the console:
-
+ The native app logs are stored in
+
-
+
~/.local/share/RIA/web-eid/web-eid.login Linux
+ -
+
~/Library/Containers/eu.web-eid.web-eid/Data/Library/Application\ + Support/RIA/web-eid/web-eid.log+ in macOS +
+ -
+
~/Library/Containers/eu.web-eid.web-eid-safari/Data/Library/Application\ + Support/RIA/web-eid-safari/web-eid-safari.log+ of Safari in macOS +
+ -
+
C:/Users/<USER>/AppData/Local/RIA/web-eid/web-eid.log+ in Windows. +
+
+ -
+ You can verify if debugging works by executing the native application
+
web-eid+ manually, there will be an informative message in the logs. +
+
+++ +
++++++ Technical overview of the solution is available in the project + system architecture document. Overview of authentication token validation implementation in the back end is + available in the web-eid-authtoken-validation-java Java library + README. +
++ Security analysis of the solution is available + in this document. +
++++ +
++++++ Currently the Web eID back-end libraries are available for Java, .NET and PHP + web applications. +
++ To implement authentication and digital signing with Web eID in a Java, .NET or + PHP web application, you need to +
+-
+
- + use the web-eid.js JavaScript library in the front end of the web + application according to the instructions + here, + +
-
+ for authentication
+
-
+
- + in Java use the web-eid-authtoken-validation-java library in + the back end of the web application according to the instructions + here, + +
- + in .NET/C# use the + web-eid-authtoken-validation-dotnet library according to the + instructions + here + +
- + in PHP use the web-eid-authtoken-validation-php library + according to the instructions + here + +
+ - + for digital signing + + +
+ The full source code of an example Spring Boot web application that uses Web eID + for authentication and digital signing is available + here. The .NET/C# version of the example is available + here. The + PHP version of the example is available + here. +
+++
+Usage without Web eID plugin
++ The Web eID solution can also be used without installing the Web eID native app and browser + extension. This includes devices like mobile phones, tablets, and some Chromebooks, where the + Web eID plugin cannot currently be installed. +
++ +
+ +
++++++ +
++++++ Technical overview of the solution is available in the project + system architecture document. Overview of authentication token validation implementation in the back end is + available in the web-eid-authtoken-validation-java Java library + README. +
++-
- 
-
+
+
+
-
+ //# sourceURL=index.js
+
+
diff --git a/example/src/main/resources/templates/webeid-callback.html b/example/src/main/resources/templates/webeid-callback.html
new file mode 100644
index 00000000..5c6d509e
--- /dev/null
+++ b/example/src/main/resources/templates/webeid-callback.html
@@ -0,0 +1,92 @@
+
+
+
+
+
+
+
+
+
-
+
+
+
+
+
+
+
+
+
+
diff --git a/example/src/main/resources/templates/webeid-login.html b/example/src/main/resources/templates/webeid-login.html
new file mode 100644
index 00000000..a8c1b9d8
--- /dev/null
+++ b/example/src/main/resources/templates/webeid-login.html
@@ -0,0 +1,60 @@
+
+
+
+
+
+ Completing signing…
+ +
+
+
+
+
+
+
+
+
+
diff --git a/example/src/main/resources/templates/welcome-with-file-upload-support.html b/example/src/main/resources/templates/welcome-with-file-upload-support.html
index f13ab589..e88725da 100644
--- a/example/src/main/resources/templates/welcome-with-file-upload-support.html
+++ b/example/src/main/resources/templates/welcome-with-file-upload-support.html
@@ -1,36 +1,36 @@
-
+
Signing you in…
+ +
-
-
-
+
+
-
+ +
+Sign a document
- - + +