We use Jetty Maven Plugin for local development to speed up the compile/run cycle. Our typical application is started using the “mvn jetty:run” command and starts in 5-10 seconds. Recently we upgraded to Maven3 and Jetty 9 and all of a sudden Jetty restart times increased by about 30-40 seconds. Here is what we saw in the console:

2015-04-12 19:52:09.185:INFO:oejs.Server:main: jetty-9.2.7.v20150116
2015-04-12 19:52:34.072:INFO:/rcra-handler:main: No Spring WebApplicationInitializer types detected on classpath
2015-04-12 19:52:34.173:INFO:/rcra-handler:main: Initializing Spring root WebApplicationContext

So there is a 25-second delay while the application is scanned for WebApplicationInitializer. I quickly figured out that I needed to filter some jars, but it was not entirely clear how to configure the jetty plugin correctly. So here is what I came up with:

1. Create a jetty-context.xml file and place it under your WEB-INF directory. This tells Jetty to scan only the Spring and Spring Security jars and the classes directory.

<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">
<Configure class="org.eclipse.jetty.webapp.WebAppContext">
    <Call name="setAttribute">
        <Arg>org.eclipse.jetty.server.webapp.WebInfIncludeJarPattern</Arg>
        <Arg>.*/spring-security[^/]*\.jar$|.*/spring-web[^/]*\.jar$|.*/classes/.*</Arg>
    </Call>
</Configure>

2. Configure Maven Jetty Plugin to load the context file.

<plugin>
  <groupId>org.eclipse.jetty</groupId>
  <artifactId>jetty-maven-plugin</artifactId>
  <version>9.2.7.v20150116</version>
  <configuration>
    <webApp>
       <contextPath>/rcra-handler</contextPath>
    </webApp>
    <contextXml>${basedir}/src/main/webapp/WEB-INF/jetty-context.xml</contextXml>
    <useTestScope>true</useTestScope>
  </configuration>
</plugin>
 

Security

As part of the Esignee project, I have done quite a bit of research on how to improve the security of electronic signatures. We are already using the W3C XML Signature specification to add integrity and signer identity information whenever a document is signed. We also perform rigorous auditing of all user activities while he accesses the document, including collecting the originating IP address and access times. However, we saw some room for improvement on the user authentication front; in other words, we wanted to add an additional safeguard to make sure that the signer is who he says he is. Typically, an electronic document is sent for signature via a link in an email. A recipient then follows a link that shows the document without any authentication. This presents a few problems:

  • Email is not secure and the message can be intercepted (this is referred to as the “man in the middle attack”)
  • Recipient may not be the intended recipient of the email. Let’s say a realtor typed in an incorrect email and sent an offer to someone else by mistake.
  • Someone else might have access to recipient’s email and they could sign the document without permission of the recipient.

So after learning about Two Factor Authentication (TFA), we decided to take the following approach. First, we wanted to make this feature optional; we figure that the sender knows best whether this document and its signatures need additional security. Second, we wanted this process to be as simple as possible for the recipient. We also wanted this process to be inexpensive; we did not want our users to incur additional costs. So, how did we do it?

  • We added a checkbox to our “Send document” dialog asking if the sender wants to secure the transaction with a Text message PIN.
  • If the sender checks the box, he is required to provide the recipient’s mobile phone number.
  • Once the sender clicks send, we generate a random 4-digit PIN and send an SMS message to the recipient in addition to the notification email.
  • The recipient receives the email with a link and clicks on the link as before; however, for secured documents he is asked to enter the PIN that was sent to his mobile phone.

In the approach described above, the user’s ability to access the email is the first factor (aka “something he knows” – his email credentials) and the fact that he has to have his mobile phone is the second factor (“something he has”). This solution meets our goals: it is optional for the sender, it is easy for the recipient as he does not need anything but his mobile phone, and it costs us only 1 cent per message. We used the Twilio API to implement our outbound SMS messaging. We loved their API: it is very easy to use – great service.
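A 4-digit PIN has only 10,000 possible values, so the check on the recipient's side has to bound guessing. The sketch below is an added example, not Esignee's code: the class name `SmsPinChallenge`, the five-attempt limit and the 15-minute lifetime are all assumptions chosen for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Locale;

// Hypothetical helper (not Esignee code): one instance per secured document.
public class SmsPinChallenge {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int MAX_ATTEMPTS = 5;                  // assumed policy
    private static final Duration TTL = Duration.ofMinutes(15); // assumed policy

    private final byte[] pin;
    private final Instant expiresAt;
    private int failures = 0;

    public SmsPinChallenge(Instant now) {
        // nextInt(10_000) is uniform over 0..9999; %04d keeps leading zeros.
        String digits = String.format(Locale.ROOT, "%04d", RNG.nextInt(10_000));
        this.pin = digits.getBytes(StandardCharsets.US_ASCII);
        this.expiresAt = now.plus(TTL);
    }

    /** Text to hand to the SMS gateway; it should never be written to logs. */
    public String pinForSms() {
        return new String(pin, StandardCharsets.US_ASCII);
    }

    public synchronized boolean verify(String candidate, Instant now) {
        if (failures >= MAX_ATTEMPTS || now.isAfter(expiresAt)) {
            return false; // locked or expired: the sender has to issue a new PIN
        }
        // MessageDigest.isEqual compares in constant time.
        boolean ok = candidate != null
                && MessageDigest.isEqual(pin, candidate.getBytes(StandardCharsets.US_ASCII));
        if (!ok) failures++;
        return ok;
    }

    public static void main(String[] args) {
        Instant now = Instant.now();
        SmsPinChallenge locked = new SmsPinChallenge(now);
        String wrong = locked.pinForSms().equals("0000") ? "0001" : "0000";
        for (int i = 0; i < MAX_ATTEMPTS; i++) locked.verify(wrong, now);
        System.out.println("right PIN after lockout: " + locked.verify(locked.pinForSms(), now));
        SmsPinChallenge fresh = new SmsPinChallenge(now);
        Instant late = now.plus(TTL).plusSeconds(1);
        System.out.println("right PIN after expiry:  " + fresh.verify(fresh.pinForSms(), late));
        System.out.println("right PIN in time:       " + fresh.verify(fresh.pinForSms(), now));
    }
}
```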

 

Over the weekend we deployed the Esignee 2.0 site. It contains quite a few new features that you may want to check out. If you already had an Esignee account, it was upgraded to the latest version automatically.

  • Streamlined documents – you will be able to upload a document, sign it and send it for signature. You will no longer need to decide between Self-Sign and Send transactions.
  • Multi-party signatures – you can send the same document to multiple parties for signature.
  • Field roles – by assigning a role (e.g. buyer or seller) to a field you can specify who can access it. This is especially useful for multi-party signatures.
  • Document reminders – you will be able to send document reminders with a personal message.
  • Send as PDF – send a PDF-copy of the document right from the document detail page.
  • Delete documents – we are finally getting around to adding a delete feature.
  • User management – Premium and Enterprise accounts will now have a user management console. You will be able to add and manage additional users under your Esignee account.
  • Video tour – we have created a short video of how to use the new Esignee features.

We are also introducing new types of Plans:

  • Free – with this plan you can send up to 5 documents per month.
  • Personal ($10 per month) – send up to 40 documents per month and we will store your signed documents for up to 2 years. We will also provide an enhanced level of support.
  • Premium ($99 per month) – send an unlimited number of documents, create up to 10 users and 3 year document retention period.
  • Enterprise ($199 per month) – send an unlimited number of documents and create up to 25 users. This plan also includes API access and Service Level Agreement (SLA).

Check out our Plans and Pricing page for additional details.

 

Java is just full of surprises (and that is not a good thing). The last thing a developer wants is to be surprised by a language, especially if the behavior is different across platforms.  I was trying to run a piece of code on my Mac today, and noticed a problem with UTF-8 characters.  The same piece of code works perfectly on our Test servers running Ubuntu and Sun’s JVM.

So after a little bit of poking around I narrowed it down to a problem with FileWriter. It turns out that when you instantiate a FileWriter object, it defaults to your platform default character encoding and not UTF-8. I had something like this:

import java.io.File;
import java.io.FileWriter;

FileWriter writer = new FileWriter(new File("your-output-file-name.pdf"));

//UTF-8 characters appear as question marks on OSX

So, instead of using FileWriter, one needs to use its parent class – OutputStreamWriter:

import java.io.File;
import java.io.FileOutputStream;
import java.io.OutputStreamWriter;

FileOutputStream fileStream = new FileOutputStream(new File("your-output-file-name.pdf"));
OutputStreamWriter writer = new OutputStreamWriter(fileStream, "UTF-8");

//now UTF-8 characters are appearing properly in the output
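The question marks come from the encoder silently substituting characters it cannot map. The following added example (not from the original post; the class name `WriterEncodingDemo` and the sample string are constructed) writes the same text through an OutputStreamWriter bound to three charsets, first with silent replacement and then with a strict encoder that reports the loss instead of hiding it.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStreamWriter;
import java.io.Writer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.Charset;
import java.nio.charset.CharsetEncoder;
import java.nio.charset.CodingErrorAction;
import java.nio.charset.StandardCharsets;

public class WriterEncodingDemo {
    // Encode text the way a Writer bound to the given charset would write it.
    // strict=false substitutes unmappable characters; strict=true throws.
    static byte[] encode(String text, Charset cs, boolean strict) throws IOException {
        CodingErrorAction action = strict ? CodingErrorAction.REPORT : CodingErrorAction.REPLACE;
        CharsetEncoder encoder = cs.newEncoder()
                .onMalformedInput(action)
                .onUnmappableCharacter(action);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try (Writer w = new OutputStreamWriter(out, encoder)) {
            w.write(text);
        }
        return out.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a Cyrillic word followed by an accented Latin letter.
        String text = "\u041f\u043e\u0434\u043f\u0438\u0441\u044c \u00e9";
        System.out.println("platform default charset: " + Charset.defaultCharset());
        Charset[] charsets = {
            StandardCharsets.US_ASCII, StandardCharsets.ISO_8859_1, StandardCharsets.UTF_8
        };
        for (Charset cs : charsets) {
            byte[] bytes = encode(text, cs, false);
            String readBack = new String(bytes, cs);
            System.out.printf("%-11s read back as \"%s\", lossless=%b%n",
                    cs, readBack, readBack.equals(text));
            try {
                encode(text, cs, true);
                System.out.printf("%-11s strict encoder: accepted%n", cs);
            } catch (CharacterCodingException e) {
                System.out.printf("%-11s strict encoder: rejected (%s)%n", cs, e);
            }
        }
    }
}
```

Since Java 11, FileWriter also has constructors that take a Charset, so `new FileWriter(file, StandardCharsets.UTF_8)` is an alternative to wrapping a FileOutputStream.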
 


For the last month or so, we have been working on bringing electronic signature services to Russia. Earlier this year, Russia passed a new electronic signature law that allows individuals and businesses to sign documents online. The Russian electronic signature law is somewhat complex, as it allows for various signature approaches.

We analyzed the law and implemented a few changes to our Esignee platform in order to meet the requirements of the Russian law.

Our Beta users for Podpisat have provided us with some good feedback, and we are working on incorporating these recommendations. Our plan is to go live in the next month or two.

You can head over to Beta site, sign up and let me know what you think.


I finally got around to setting up a new site. It may not look very attractive yet, however it is all sorts of awesome underneath. It is hosted on an Amazon Web Services (AWS) EC2 micro-instance running Ubuntu. It is insanely inexpensive to run your own instance now, so why not?
