Digital Signature Authentication

Version

Application Scenario

When the admin needs to share reports with external users and wants to ensure that the report data is not leaked:

The admin can set a digital signature and a validity period. Through the URL and digital signature, users can view the report within the specified validity period.

Without a digital signature or after the signature expires, the viewing link becomes invalid to ensure security.

Function Description

(1) The access to the template will be allowed only after the legality of the signature information is authenticated through the digital signature. Otherwise, an error will be returned indicating no permission to access the template.

(2) When accessing the Types of Template Preview, you need to add the suffix &fine_digital_signature=value to the URL.

Obtaining the fine_digital_signature Value

Obtain the fine_digital_signature value of the corresponding digital signature key. This section takes the GettingStarted.cpt template as an example.

(1) You need to prepare the Java environment and IDE tool in advance and create a Java file, and import multiple JAR packages from %FR_HOME%\webapps\webroot\WEB-INF\lib into the newly created project, as shown in the following figure.

The JAR packages that need to be imported include: fine-core-11.0.jar, fine-third-11.0.jar, fine-accumulator-11.0.jar, and fine-cbb-11.0.jar.

(2) Copy the code into the newly created file, modify the template that needs digital signature authentication, and customize the digital signature key, as shown in the following figure.

Note:

The value of path is the template path, a relative path, in the form of doc/xx.cpt; the value of key is the digital signature key. These two values will be used in the section "Platform Setting" of this document.

The code is as follows:

import com.fr.cert.token.JwtBuilder;
import com.fr.cert.token.Jwts;
import com.fr.cert.token.SignatureAlgorithm;
import java.util.Date;
public class test {
    public static void main(String[] args) {
        //Validity period for the digital signature (in milliseconds)
        long validTime = 30 * 60 * 1000L;
        //Content of the digital signature, which is the relative path for accessing the resource 
        String path = "GettingStarted.cpt"; //Change this parameter to the path of the template that requires digital signature authentication, which is a relative path, for example, doc/xx.cpt.
        String key = "123456"; //Digital signature key, which can be customized
        //Generate fine_digital_signature
        String fine_digital_signature = createJwt("", "", path, validTime, key);
        //Output fine_digital_signature
        System.out.println(fine_digital_signature);
    }
    private static String createJwt(String issuer, String id, String subject, long validTime, String key) {
        //Used to generate the digital signature, that is, the value of the parameter fine_digital_signature
        SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.HS256;
        Date currentTime = new Date();
        Date expirationTime = new Date(currentTime.getTime() + validTime);
        JwtBuilder builder = Jwts.builder()
                .setIssuer(issuer)
                .setSubject(subject)
                .setIssuedAt(currentTime)
                .setExpiration(expirationTime)
                .setId(id)
                .signWith(signatureAlgorithm, key);
        return builder.compact();
    }
}

(3) Run the test file and obtain the fine_digital_signature value of the digital signature key, as shown in the following figure.

The value of the running result will be used in the section "Effect Display" of this document.

Platform Setting

Log in to the decision-making system as the admin, chooses System Management > Template Authentication, and enters the key value in the Digital Signature Key input box, as shown in the following figure.

Effect Display

Directly access the Types of Template Preview. The example link for this document is: http://localhost:8075/webroot/decision/view/report?viewlet=GettingStarted.cpt. A prompt indicating no permission is displayed, as shown in the following figure.

Add the parameter &fine_digital_signature=value to the end of the URL, where value is the data obtained by running the Java file in the section "Obtaining the fine_digital_signature Value" of this document. Now, the template can be viewed normally, as shown in the following figure.

Digital Signature Authentication Not Required for Previewing Templates in the Remote Design Mode

To facilitate template creation, when the designer remotely connects to a remote server with digital signature authentication enabled, previewing the template does not need digital signature authentication.

(1) In the remote design mode, a user can directly preview the template effect by clicking the preview button on the designer, without the need for digital signature authentication.

(2) After a user exits the remote design mode, the template cannot be directly previewed through the template preview URL anymore. In this case, the digital signature must be authenticated for the user to preview the template.

Hiding the Digital Signature Authentication Function

The super admin wants to enable the template authentication function for the sub-admin, but does not want the sub-admin to use the digital signature authentication function.

In this case, the super admin can hide the function through the fine_conf_entity visualization configuration plugin. The settings take effect after the server is restarted.

Note:

For details about modifying field values in tables of FineDB databases, see FINE_CONF_ENTITY Visualization Configuration.

After the admin changes the value of the configuration item TemplateAuthConfig.digitalAuthAvailable to false, and restarts the server, when the admin chooses System Management > Template Authentication > Permission Configuration, the admin will find that Authenticate Digital Signature is hidden.

Note:

Before hiding Authenticate Digital Signature, do not set Authentication Method to Authenticate Digital Signature. Otherwise, the authentication will still be effective after Authenticate Digital Signature is hidden.

Failure of Viewing the Decision-Making System Homepage

Problem description & cause analysis:

When Template Authentication is enabled:

(1) Template authentication is not required when users view directory templates on the decision-making system.

(2) Template authentication is required when users view homepage templates on the decision-making system.

If template A is mounted on the homepage, a user cannot view the homepage if the user does not have the template authentication permission of template A. A prompt will be displayed: No permission to access this page. To access, please contact the administrator.

Solution:

(1) Directly disable digital signature authentication for the corresponding template in Template Authentication, and then mount the corresponding template through the homepage configuration page.

(2) Use a link on the homepage to mount the template: URL of the template + Parameter & fine_digital_signature=value.

The value is the digital signature generated by the key, not the key itself. For the method to obtain it, see the section "Obtaining the fine_digital_signature Value" of this document.