NFC-66 Readme update

.github/workflows/coverity-analysis.yml

@@ -20,14 +20,14 @@ jobs:
       - uses: actions/setup-java@v4
         with:
           distribution: zulu
-          java-version: 11
+          java-version: 21
 
       - name: Cache Maven packages
         uses: actions/cache@v4
         with:
           path: ~/.m2
-          key: ${{ runner.os }}-m2-v8-${{ hashFiles('**/pom.xml') }}
-          restore-keys: ${{ runner.os }}-m2-v8
+          key: ${{ runner.os }}-m2-v21-${{ hashFiles('**/pom.xml') }}
+          restore-keys: ${{ runner.os }}-m2-v21
 
       - name: Download Coverity Build Tool
         run: |

.github/workflows/maven-build-example.yml

@@ -20,14 +20,14 @@ jobs:
       - uses: actions/setup-java@v4
         with:
           distribution: zulu
-          java-version: 17
+          java-version: 21
 
       - name: Cache Maven packages
         uses: actions/cache@v4
         with:
           path: ~/.m2
-          key: ${{ runner.os }}-m2-v17-${{ secrets.CACHE_VERSION }}-${{ hashFiles('**/pom.xml') }}
-          restore-keys: ${{ runner.os }}-m2-v17-${{ secrets.CACHE_VERSION }}
+          key: ${{ runner.os }}-m2-v21-${{ secrets.CACHE_VERSION }}-${{ hashFiles('**/pom.xml') }}
+          restore-keys: ${{ runner.os }}-m2-v21-${{ secrets.CACHE_VERSION }}
 
       - name: Install library
         run: mvn -B -ntp install

.github/workflows/maven-build.yml

@@ -20,14 +20,14 @@ jobs:
       - uses: actions/setup-java@v4
         with:
           distribution: zulu
-          java-version: 11
+          java-version: 21
 
       - name: Cache Maven packages
         uses: actions/cache@v4
         with:
           path: ~/.m2
-          key: ${{ runner.os }}-m2-v8-${{ hashFiles('**/pom.xml') }}
-          restore-keys: ${{ runner.os }}-m2-v8
+          key: ${{ runner.os }}-m2-v21-${{ hashFiles('**/pom.xml') }}
+          restore-keys: ${{ runner.os }}-m2-v21
 
       - name: Build
         run: mvn --batch-mode compile

.github/workflows/maven-deploy.yml

@@ -14,14 +14,14 @@ jobs:
       - uses: actions/setup-java@v4
         with:
           distribution: zulu
-          java-version: 11
+          java-version: 21
 
       - name: Cache Maven packages
         uses: actions/cache@v4
         with:
           path: ~/.m2
-          key: ${{ runner.os }}-m2-v8-${{ hashFiles('**/pom.xml') }}
-          restore-keys: ${{ runner.os }}-m2-v8
+          key: ${{ runner.os }}-m2-v21-${{ hashFiles('**/pom.xml') }}
+          restore-keys: ${{ runner.os }}-m2-v21
 
       - name: Deploy to GitLab Package Repository # GitHub Packages
         env:

.github/workflows/sonarcloud-analysis.yml

@@ -20,11 +20,11 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
-      - name: Set up JDK 17
+      - name: Set up JDK 21
         uses: actions/setup-java@v4
         with:
           distribution: zulu
-          java-version: 17
+          java-version: 21
       - name: Cache SonarCloud packages
         uses: actions/cache@v4
         with:
@@ -35,8 +35,8 @@ jobs:
         uses: actions/cache@v4
         with:
           path: ~/.m2
-          key: ${{ runner.os }}-m2-v11-${{ hashFiles('**/pom.xml') }}
-          restore-keys: ${{ runner.os }}-m2-v17
+          key: ${{ runner.os }}-m2-v21-${{ hashFiles('**/pom.xml') }}
+          restore-keys: ${{ runner.os }}-m2-v21
       - name: Build and analyze
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any

example/README.md

@@ -1,6 +1,6 @@
 # Web eID Spring Boot example
 
-![European Regional Development Fund](https://github.com/open-eid/DigiDoc4-Client/blob/master/client/images/EL_Regionaalarengu_Fond.png)
+<img src="src/main/resources/static/img/eu-fund-flags.jpg" width="300" alt="European Regional Development Fund">
 
 This project is an example Spring Boot web application that shows how to implement strong authentication
 and digital signing with electronic ID smart cards using Web eID.
@@ -51,7 +51,7 @@ You can specify the profile as a command-line argument to the Maven wrapper comm
 
 ### 5. Run the application
 
-Spring Boot web applications can be run from the command-line. You need to have the Java Development Kit 17 installed for building the application package and running the application.
+Spring Boot web applications can be run from the command-line. You need to have the Java Development Kit 21 installed for building the application package and running the application.
 
 Build and run the application with the following command in a terminal window:
 
@@ -82,6 +82,7 @@ When the application has started, open the _ngrok_ HTTPS URL in your preferred w
     - [Using DigiDoc4j in production mode with the `prod` profile](#using-digidoc4j-in-production-mode-with-the-prod-profile)
   + [Stateful and stateless authentication](#stateful-and-stateless-authentication)
   + [Assuring that the signing and authentication certificate subjects match](#assuring-that-the-signing-and-authentication-certificate-subjects-match)
+  + [Requesting the signing certificate in a separate step](#requesting-the-signing-certificate-in-a-separate-step)
 * [HTTPS support](#https-support)
   + [How to verify that HTTPS is configured properly](#how-to-verify-that-https-is-configured-properly)
 * [Deployment](#deployment)
@@ -100,7 +101,8 @@ This repository contains the code of a minimal Spring Boot web application that
 -   Spring Security,
 -   the Web eID authentication token validation library [_web-eid-authtoken-validation-java_](https://github.com/web-eid/web-eid-authtoken-validation-java),
 -   the Web eID JavaScript library [_web-eid.js_](https://github.com/web-eid/web-eid.js),
--   the digital signing library [_DigiDoc4j_](https://github.com/open-eid/digidoc4j).
+-   the digital signing library [_DigiDoc4j_](https://github.com/open-eid/digidoc4j),
+-   the Android application [_MOPP-Android_](https://github.com/open-eid/MOPP-Android/).
 
 The project uses Maven for managing the dependencies and building the application. Maven project configuration file `pom.xml` is in the root of the project.
 
@@ -113,11 +115,15 @@ The source code folder `src` contains the application source code and resources
 The `src/main/java/eu/webeid/example` directory contains the Spring Boot application Java class and the following subdirectories:
 
 -   `config`: Spring and HTTP security configuration, Web eID authentication token validation library configuration, trusted CA certificates loading etc,
--   `security`: Web eID authentication token validation library integration with Spring Security via an `AuthenticationProvider` and `AuthenticationProcessingFilter`,
--   `service`: Web eID signing service implementation that uses DigiDoc4j, and DigiDoc4j runtime configuration,
--   `web`: Spring Web MVC controller for the welcome page and Spring Web REST controllers that provide endpoints
-    -   for getting the challenge nonce used by the authentication token validation library,
-    -   for digital signing.
+-   `security`: Web eID authentication token validation library integration with Spring Security
+    -   `AuthenticationProvider` and `AuthenticationProcessingFilter` for handling Web eID authentication tokens,
+    -   `WebEidChallengeNonceFilter` for issuing the challenge nonce required by the authentication flow,
+    -   `WebEidMobileAuthInitFilter` for issuing the challenge nonce and generating the deep link with the authentication request, used to initiate the mobile authentication flow,
+    -   `WebEidAjaxLoginProcessingFilter` and `WebEidLoginPageGeneratingFilter` for handling login requests.
+-   `service`: Web eID signing service implementation that uses DigiDoc4j, and DigiDoc4j runtime configuration.
+    -   `SigningService`: prepares ASiC-E containers and finalizes signatures.
+    -   `MobileSigningService`: orchestrates the mobile signing flow (builds mobile signing requests/responses) and supports requesting the signing certificate in a separate step when enabled by configuration.
+-   `web`: Spring Web MVC controller for the welcome page and Spring Web REST controller that provides a digital signing endpoint.
 
 The `src/resources` directory contains the resources used by the application:
 
@@ -134,7 +140,7 @@ The `src/tests` directory contains the application test suite. The most importan
 
 As described in section [_4. Choose either the `dev` or `prod` profile_](#4-choose-either-the-dev-or-prod-profile) above, the application has two different configuration profiles: `dev` profile for running the application in development mode and `prod` profile for production mode. The `dev` profile is activated by default.
 
-The profile-specific configuration files `src/main/resources/application-{dev,prod}.yaml` contain the `web-eid-auth-token.validation.use-digidoc4j-prod-configuration` setting that configures DigiDoc4j either in test or production mode, and a setting for configuring the origin URL as described in section [_2. Configure the origin URL_](#2-configure-the-origin-url) above. Additionally, the `web-eid-auth-token.validation.truststore-password` setting specifies the truststore password used in the `prod` profile.
+The profile-specific configuration files `src/main/resources/application-{dev,prod}.yaml` contain the `web-eid-auth-token.validation.use-digidoc4j-prod-configuration` setting that configures DigiDoc4j either in test or production mode, and a setting for configuring the origin URL as described in section [_2. Configure the origin URL_](#2-configure-the-origin-url) above. Additionally, the `web-eid-auth-token.validation.truststore-password` setting specifies the truststore password used in the `prod` profile. The `web-eid-mobile` section configures the mobile authentication flow, including the `base-request-uri` for deep link generation and the `request-signing-cert` flag that controls whether the signing certificate is requested during authentication.
 
 The main configuration file `src/main/resources/application.yaml` is shared by all profiles and contains logging configuration and settings that make the session cookie secure behind a reverse proxy as described in section [_HTTPS support_](#https-support) below.
 
@@ -144,7 +150,7 @@ Spring Security has CSRF protection enabled by default. Web eID requires CSRF pr
 
 ### Integration with Web eID components
 
-Detailed overview of Java code changes required for integrating Web eID authentication token validation is available in the [_web-eid-authtoken-validation-java_ library README](https://github.com/web-eid/web-eid-authtoken-validation-java/blob/main/README.md). There are instructions for configuring the nonce generator, trusted certificate authority certificates, authentication token validator, Spring Security authentication integration and REST endpoints. The corresponding Java code is in the `src/main/java/eu/webeid/example/{config,security,web/rest}` directories.
+Detailed overview of Java code changes required for integrating Web eID authentication token validation is available in the [_web-eid-authtoken-validation-java_ library README](https://github.com/web-eid/web-eid-authtoken-validation-java/blob/main/README.md). There are instructions for configuring the nonce generator, trusted certificate authority certificates, authentication token validator, Spring Security authentication integration and security filters. The corresponding Java code is in the `src/main/java/eu/webeid/example/{config,security,web/rest}` directories.
 
 A similar overview of JavaScript and HTML code changes required for authentication and digital signing with Web eID is available in the [web-eid.js library README](https://github.com/web-eid/web-eid.js/blob/main/README.md). The corresponding JavaScript and HTML code is in the `src/resources/{static,templates}` directories.
 
@@ -174,6 +180,16 @@ A common alternative to stateful authentication is stateless authentication with
 
 It is usually required to verify that the signing certificate subject matches the authentication certificate subject by assuring that both ID codes match. This check is implemented at the beginning of the `SigningService.prepareContainer()` method.
 
+### Requesting the signing certificate in a separate step
+
+In some deployments, the signing certificate is not reused from the authentication flow. Instead, it is retrieved directly from the user’s ID-card during the signing process itself.
+
+This approach is useful when the signing process is performed without a prior authentication step. For example, in a mobile flow, the user may start signing directly without authenticating beforehand. In such cases, the signing certificate must be requested separately from the user’s ID-card before the signature can be created.
+
+When this mode is enabled in the configuration, the backend issues a separate request for the signing certificate using the `MobileSigningService`. The service communicates with the client to obtain the certificate before the signing container is prepared, ensuring that the correct certificate chain is available for the signature.
+
+This behavior is controlled by the `request-signing-cert` flag in the `application.yaml` configuration files (`application-dev.yaml`, `application-prod.yaml`). When the flag is set to **false**, the application explicitly requests the signing certificate during the signing process, demonstrating the separate signing certificate retrieval flow. When set to **true**, the signing uses the signing certificate that was already obtained during authentication, and no additional request is made.
+
 ## HTTPS support
 
 There are two ways of adding HTTPS support to a Spring Boot application:
@@ -216,9 +232,9 @@ Tomcat web server automatically if it detects the presence of the
     server.tomcat.protocol-header=x-forwarded-proto
 
 These settings are already enabled in the main configuration file `application.yaml`. See chapter
-[9.3.12](https://docs.spring.io/spring-boot/docs/2.2.5.RELEASE/reference/htmlsingle/#howto-use-behind-a-proxy-server)
+[Running Behind a Front-end Proxy Server](https://docs.spring.io/spring-boot/3.5/how-to/webserver.html#howto.webserver.use-behind-a-proxy-server)
 and
-[9.14.3](https://docs.spring.io/spring-boot/docs/2.2.5.RELEASE/reference/htmlsingle/#howto-enable-https)
+[Enable HTTPS When Running Behind a Proxy Server](https://docs.spring.io/spring-boot/3.5/how-to/security.html#howto.security.enable-https)
 in the official documentation for further details.
 
 ### How to verify that HTTPS is configured properly
@@ -229,7 +245,7 @@ Strict Transport Security (HSTS) header and the `JSESSIONID` session cookie has
 
 ## Deployment
 
-A Docker Compose configuration file `docker-compose.yml` is available in the root of the project for packaging the application in a Docker image so that it can be deployed with a container enginge.
+A Docker Compose configuration file `docker-compose.yml` is available in the root of the project for packaging the application in a Docker image so that it can be deployed with a container engine.
 
 Build the Docker image with [Jib](https://github.com/GoogleContainerTools/jib) as follows:
 

example/pom.xml

@@ -10,17 +10,17 @@
 	</parent>
 	<groupId>eu.webeid.example</groupId>
 	<artifactId>web-eid-springboot-example</artifactId>
-	<version>3.2.1-SNAPSHOT</version>
+	<version>4.0.0-SNAPSHOT</version>
 	<name>web-eid-springboot-example</name>
 	<description>Example Spring Boot application that demonstrates how to use Web eID for authentication and digital
 		signing
 	</description>
 
 	<properties>
-		<java.version>17</java.version>
+		<java.version>21</java.version>
 		<maven-surefire-plugin.version>3.5.3</maven-surefire-plugin.version>
-		<webeid.version>3.2.1-SNAPSHOT</webeid.version>
-		<digidoc4j.version>6.1.0</digidoc4j.version>
+		<webeid.version>4.0.0-SNAPSHOT</webeid.version>
+		<digidoc4j.version>6.0.1</digidoc4j.version>
 		<jmockit.version>1.44</jmockit.version> <!-- Keep version 1.44, otherwise mocking will fail. -->
 		<jib.version>3.5.1</jib.version>
 	</properties>
@@ -38,6 +38,10 @@
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-thymeleaf</artifactId>
 		</dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-validation</artifactId>
+        </dependency>
 
 		<dependency>
 			<groupId>org.digidoc4j</groupId>