
Can a Java 3.0 Smart Card Servlet interact with a Webserver?

According to this Oracle doc, Java 3.0 Smart Cards can have servlets installed onto them instead of the conventional Java applets. Here is the corresponding Oracle doc.

http://www.oracle.com/technetwork/articles/java/javacard-servlets-136657.html

"Developers no longer need to create individual client applications to access the data and resources on the smart card. The only client interface needed is an ordinary web browser. Smart Card applications are now fully functioning TCP-based servers. These server applications are Java servlets, and they have a full HTTP stack to allow them to process GET requests, POST requests, headers, cookies, sessions, and so on. You can secure the data between the client (the browser) and the server (the smart card) by using the industry-standard SSL (secure sockets layer)."

My situation is that I want to interact with a user's smart card from my website. The conventional method, using Java applets within the HTML on my website, is no longer supported, and Java Web Start is inefficient and not user friendly.

A straightforward example is PIN verification. A 4-digit PIN is stored on the smart card. My website will prompt the user to enter their PIN and insert their smart card into their reader. My website will be able to send the necessary APDU command that has their entered PIN to the card, and will be able to receive the response APDU commands that let the web server know if the PIN was correct or not.

My question is, is it possible to have my website interact with a user's smart card, given the capabilities of a Servlet being executed on the smart card?

If so, can someone please provide me with some simple pseudocode or direction for accomplishing this? I haven't worked with servlets but I can learn.

What you are describing is part of the API called the Java Card Connected edition. Most - if not all - Java Card implementations on the market are Java Card Classic editions. The main technical issue of the connected edition is that it requires smart cards with 24 to 32 KiB of memory. That may not sound like a lot, but on-die SRAM is very expensive. High-end "classic" cards feature about 8 to 12 KiB of RAM.

To have some sort of interaction with the website you need some kind of connection. Somehow you need to convert this HTTP(S) request to packets sent to the card and back. As long as no software is installed to do so, you won't be able to connect the browser to the smart card.


There are of course various solutions out there when it comes to connecting browsers to smart cards: proprietary browser plugins, PKCS#11 modules, applets. You already named Web Start and the dwindling Java (Standard Edition) applets. All have their pros and cons. In most situations Java Card Connected is not directly applicable - unfortunately.
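The PIN check from the question at the APDU level, as an added example that is not part of the original question or answer: it builds an ISO 7816-4 VERIFY command and decodes the card's status word, which is the conversion step the locally installed software has to perform. The ASCII PIN encoding, `P2=0x00`, the `transmit` callable and the `SimulatedCard` class are assumptions made for illustration; a real card's specification defines the encoding and PIN reference.

```python
from __future__ import annotations

SW_OK, SW_BLOCKED = 0x9000, 0x6983

def build_verify_apdu(pin: str, p2: int = 0x00) -> bytes:
    """Case 3 command APDU: CLA=00 INS=20 P1=00 P2=<PIN reference> Lc <PIN>."""
    # Assumption: the card expects the PIN as ASCII digits with P2=0x00.
    # Real cards differ (BCD, 0xFF padding, other reference values).
    if len(pin) != 4 or not (pin.isascii() and pin.isdigit()):
        raise ValueError("PIN must be exactly 4 ASCII digits")
    data = pin.encode("ascii")
    return bytes([0x00, 0x20, 0x00, p2, len(data)]) + data

def parse_verify_response(rapdu: bytes) -> tuple[str, int | None]:
    """Map the trailing status word SW1 SW2 to (outcome, retries_left)."""
    if len(rapdu) < 2:
        raise ValueError("response APDU must end with a 2-byte status word")
    sw = int.from_bytes(rapdu[-2:], "big")
    if sw == SW_OK:
        return "verified", None
    if sw & 0xFFF0 == 0x63C0:   # 63Cx: verification failed, x tries remain
        return "wrong_pin", sw & 0x0F
    if sw == SW_BLOCKED:        # 6983: authentication method blocked
        return "blocked", 0
    return f"error_{sw:04X}", None

def verify_pin(transmit, pin: str) -> tuple[str, int | None]:
    # `transmit` (bytes -> bytes) is hypothetical: it stands for whatever
    # local software relays APDUs to the reader.
    return parse_verify_response(transmit(build_verify_apdu(pin)))

class SimulatedCard:
    """Constructed stand-in for a card: PIN 1234, three tries."""
    def __init__(self, pin: str = "1234", tries: int = 3):
        self.pin, self.max, self.tries = pin.encode("ascii"), tries, tries

    def transmit(self, capdu: bytes) -> bytes:
        if self.tries == 0:
            return bytes.fromhex("6983")
        if capdu[5:5 + capdu[4]] == self.pin:
            self.tries = self.max          # success resets the counter
            return bytes.fromhex("9000")
        self.tries -= 1
        return bytes([0x63, 0xC0 | self.tries])
```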
