Académique Documents
Professionnel Documents
Culture Documents
JSR-229
Content
Content ................................................................................................................................ 5 Preface................................................................................................................................. 7 Revision History ................................................................................................................. 7 Who Should Use This Specification ................................................................................... 9 How This Specification Is Organized ................................................................................. 9 Related Literature.............................................................................................................. 10 1 Introduction and Background................................................................................... 11 1.1 Introduction........................................................................................................ 11 1.2 Expert Group...................................................................................................... 11 1.3 Document Conventions...................................................................................... 12 2 Scope and Requirements .......................................................................................... 13 2.1 Scope.................................................................................................................. 13 2.2 Requirements ..................................................................................................... 13 2.3 MIDP vs IMP..................................................................................................... 14 3 Architecture.............................................................................................................. 15 3.1 Overview............................................................................................................ 15 3.2 General Architecture.......................................................................................... 15 3.3 Functional Overview.......................................................................................... 15 3.4 Actors and Roles................................................................................................ 16 3.5 Application Responsibilities .............................................................................. 18 3.6 Payment Module Responsibilities...................................................................... 18 3.7 Payment Adapter Responsibilities ..................................................................... 20 4 Package javax.microedition.payment....................................................................... 22 4.1 Overview............................................................................................................ 22 4.2 Design ................................................................................................................ 23 4.3 Interface TransactionListener ............................................................................ 23 4.4 Interface TransactionRecord.............................................................................. 24 4.5 Class TransactionModule................................................................................... 27 4.6 Class TransactionModuleException .................................................................. 32 4.7 Class TransactionListenerException.................................................................. 33 4.8 Class TransactionFeatureException................................................................... 34 4.9 Class TransactionPayloadException.................................................................. 34 4.10 Code Sample ...................................................................................................... 36 5 System Functions ..................................................................................................... 38 5.1 Overview............................................................................................................ 38 5.2 System Properties .............................................................................................. 38 6 Provisioning ............................................................................................................. 39 6.1 Overview............................................................................................................ 39 6.2 JAD Resource .................................................................................................... 39 6.3 JAR-Manifest Resource..................................................................................... 42 6.4 Update................................................................................................................ 47 6.5 Examples............................................................................................................ 49 7 Security..................................................................................................................... 51 7.1 Requirements ..................................................................................................... 51 7.2 Applications ....................................................................................................... 51 7.3 Provisioning Data .............................................................................................. 52 7.4 Storage ............................................................................................................... 52 7.5 Payment Module ................................................................................................ 53 7.6 Non-GUI Platforms............................................................................................ 53 7.7 Summary............................................................................................................ 54 8 Adapters ................................................................................................................... 55 8.1 Overview............................................................................................................ 55 8.2 Registered Adapters Namespaces ...................................................................... 55
Preface
This document, Payment API Specification (JSR-229), specifies the optional application programming interface to enable payment for JavaTM 2 Platform, Micro Edition (J2METM).
Revision History
Date 01-Apr-2004 07-Apr-2004 16-Apr-2004 Version 0.1.0 0.2.0 0.3.0 Description Initial Draft - Renamed commit() into process() - Updated a few exception inconsistencies - Add support for localization in the Manifest - Changed notify() name and signature - Moved constants to TransactionRecord - Improved definition of SUCCESSFUL field - Added support for updating/upgrading the Manifest - Added support for updating <InstrumentName> blocks - Made price information optional in the Manifest - Added support for Pay-*-Cache in the Manifest - Cleaned up throw definition for trivial exceptions - New chapter 9 Actors Responsibilities - Added support for debug options in JAD - New chapter 7 Security - Changed signature for missed transactions handling - Duplicated Pay-Max-Payload-Size in JAR & JAD - Redefined SMS format and APPID definition - TransactionModule is not more to be a singleton - Updated JAD/JAR sample - Updated Java code sample - Added Pay-Debug-DemoMode options - Corrected sample code - de-static-fied methods in TransactionModule class - Changed definitions of pay-max-payload-size - Few definition consistency corrections - Added new methods to TransactionRecords - Few consistency and typo corrections - Changed 3-letters to 2-letters language codes (ISO639) - Added Pay-Language Property field in the Manifest - Precise relationships between Pay-Debug options - Integration of the Security aspects (draft) - Dummy mandatory test adapter - Changed TransactionRecord signature - Added Factory in TransactionModule - Removed CDC from the target platform list - Combined SMSN and SMSC adapters - Removed Dummy adapter (TCK issue!) Early Draft - Removed getFeatureProperty() method - Removed getFeatureIDs() method - Removed chapter 5 Property Field Name - Changed Definition of Pay-Feature
23-Apr-2004
0.4.0
02-Aug-2004
0.8.3
03-Aug-2004 14-Sep-2004
0.8.5 0.8.6
22-Sept-2004
0.8.7
27-Sept-2004 15-Nov-2004
0.8.8 0.8.9
14-Jan-2005
0.9.0
02-Feb-2005
0.9.1
16-Jan-2006
1.1.0
Related Literature
The JavaTM Language Specification by James Gosling, Bill Joy, and Guy L. Steele. AddisonWesley, 1996, ISBN 0-201-63451-1 The JavaTM Virtual Machine Specification (Java Series), Second Edition by Tim Lindholm and Frank Yellin. Addison-Wesley, 1999, ISBN 0-201-43294-3 Connected, Limited Device configuration (JSR-30), Sun Microsystems, Inc. J2ME Platform Specification (JSR-68), Sun Microsystems, Inc. Mobile Information Device Profile 2.0 (JSR-118), Sun Microsystems, Inc. Information Module Profile- Next Generation (JSR-228), Siemens AG and Nokia.
10
The Payment API specification defines an optional package1 for the Java 2 Platform, Micro Edition (J2ME). The specification has been produced in response to Java Specification Request 229 (JSR-229), and specifies the architecture and associated APIs that enables an open, thirdparty, application development environment for payment transactions.
1.2
Expert Group
This specification was produced by the Payment API Expert Group (PAPI-EG). The following companies and representants, listed in alphabetical order, are members of the PAPI-EG: Aplix Corporation: Esmertec AG: Gemplus Corporation: In-Fusio SA: Iopsis Software Inc.: Matsushita Electric Industrial Co, Ltd: Nokia Corporation: BenQ Mobile GmbH & Co OHG: Siemens AG: Sun Microsystems, Inc.: Symbian Ltd: T-Mobile International AG & Co. KG: Michael Leone Claus Rasmussen Remy Cricco Thomas Landspurg Ash Parikh Kyoko Ohshima, Kristian Woodsend Vikas Chawla, Jaakko Halme, Jari Otranen Jean-Yves Bitterlich2 Michael Becker, Jochen Sauter Lei Liu, John Pampuch Jonathan Allin Robin Jewsbury
As well as the following individuals: Andrew Beacock, Roderick Farrugia, Damon Hart-Davis, Pavel Lahoda
1 2
The definition and usage of a J2ME optional package is defined in JSR-68, J2ME Platform Specification Specification leader
11
1.3
Document Conventions
1.3.1 Definitions
This document uses http://www.ietf.org/) Term MUST MUST NOT SHOULD definitions based upon those specified in RFC-2119 (See
Definition The associated definition is an absolute requirement of this specification. The definition is an absolute prohibition of this specification. Indicates a recommended practice. There may exist valid reasons in particular circumstances to ignore this recommendation, but the full implications must be understood and carefully weighed before choosing a different course. Indicates a non-recommended practice. There may exist valid reasons in particular circumstances when the particular behavior is acceptable or even useful, but the full implications should be understood and the case carefully weighed before implementing any behavior described with this label. Indicates that an item is truly optional.
SHOULD NOT
MAY
Description Used in all Java code including keywords, data types, constants, method names, variables, class names, and interface names. Used for emphasis and to signify the first use of a term.
12
Scope
A generic, optional API to initiate payment transactions in a secured manner to transparently expedite the chargeable service requests, which are originated from J2ME applications, with external operator charging service delivery, payment service protocols, pricing management and implementation logic The syntax for the description of the associated payment provisioning data, enabling API implementers to support different payment adapters
Both will allow 3rd-party developers to build applications with control of features and services that are chargeable. The JSR API includes methods for: Requesting a payment transaction Requesting feature and service price management Payment service availability
The definition of provisioning data ensures that service providers and payment service providers can select a suitable set of payment adapters provisioned for applications on application deployment time. The following types of payment adapters are primarily addressed: Operator charging 3rd-party payment service providers
This JSR enables application developers to initiate mobile payment transactions from MIDP applications. It is an optional package for the J2ME CLDC configuration and targeted at MIDP and IMP devices. The scope of this JSR is to provide a generic payment initiation mechanism that hides the actual payment architecture and complexity from the developers. This JSR does not define and imply any concrete payment implementation and mechanism, but is generic enough to support different implementations. It is up to the implementing party to realize the API based on one or more technical solutions enabling the application-initiated payment. The JSR also does not define any user behavior or user interface, but leaves them open to be defined by the actual implementation of the API.
2.2
Requirements
The requirements listed in this chapter are additional requirements beyond those found in Connected, Limited Device Configuration (JSR-30) and in either Mobile Information Device Profile 2.0 (JSR-118) or Information Module Profile- Next Generation (JSR-228). The Payment API is an optional package that runs on the CLDC configuration and either the MIDP profile (JSR-118) or the IMP profile (JSR-228). As such, the API specified in this document defines no requirements for the software (besides those relating to the availability of the configuration and the profiles themselves). However, the implementation of the payment module or of a particular payment adapter may have additional requirements if implemented in Java. A Java-based implementation of the Premium-Priced SMS(PPSMS)-based payment adapter may
13
2.3
MIDP vs IMP
This specification requires MIDP or IMP. Both profiles are very similar and differ mainly in that MIDP supports a graphical user interface subsystem whereas IMP does not. The consequence is that IMP cannot directly interact with the end user as MIDP could. Because of the similarity of both profiles, the following specification has been written for MIDP and refers to MIDlets, although the reader may indistinctly also apply it to IMP and IMlets, making the corresponding changes where appropriate. However, the specification also integrates notes where differences apply. The reader may also refer to chapter 7.5 and Appendix A for further information.
14
3 Architecture
3.1 Overview
This chapter addresses issues that both implementers and developers will encounter when implementing and developing the Payment API and payment adapters. While not comprehensive, this chapter does reflect the most important issues agreed on by the PAPI-EG.
3.2
General Architecture
As stated before, the goal of the PAPI-EG is to create an open, third-party application development environment for payment-enabled Java applications. It will not define or imply any concrete implementation for the core payment module or any of the payment adapters. The following picture illustrates the relative position of the components on the terminal side in a payment transaction. Although it does not imply any concrete implementation, it suggests a flexible architecture. An implementer can also choose to integrate only one particular payment adapter or even only one instance of that particular adapter and combine the Payment API, the payment module and the corresponding payment adapter into one software component. However, the specification always refers to the following figure.
Java application
Payment API
MIDP /IMP
3.3
Functional Overview
The overview of the decomposition into subsystems and functionalities is shown in the following figure. The purpose of the decomposition is to define a minimal set of functionalities and roles associated with different terminal and server components and actors needed to deploy JSR-229 services.
15
End user
Application developer
Interacts with
Implements
Application Provisions application Requests payment Pay API Payment module Pay. adapter Terminal
Provides Manufacturer
Provides
3.4
A description of the actors, as shown in the previous diagram, is given below. However, practice will show that some roles may be combined as, for instance, the role of the price manager can be combined with either the payment service provider or the application provider.
Description
Application: Java applications contain business logic for chargeable features. Those features are charged using the API methods provided by this JSR. They are also responsible for persisting their internal state: e.g., after a payment has been made successfully for a certain feature, it is desirable to have that feature still enabled after the application restarts. Java applications must contain provisioning data as part of the JAR-Manifest file that is injected by the merchant at application deployment time. Payment module (or transaction module): Implements functionality needed to manage one or more payment adapters and one or more instances of each adapter. It contains provisioning data interpreters and dispatches the provisioning information among the registered payment adapters. It will also interact with the end user (if any) when needed and dispatch function calls and parameters to the Payment API to the corresponding payment adapter implementation. Payment adapters (or payment methods): Implement terminal-side logic needed to process a payment based on the applications request, the users choice and the provisioning information. It contains provisioning data interpreters and communication protocol implementations. It also supports forwarding a (limited) payload along with the payment transaction to the application
16
Trust Relationships
The end users trust the payment module of their terminal device that the implementation and thereby any application will never make any payment transaction without the users acknowledgment. They trust the payment module and the underlying payment adapters that any private or critical information (credit card numbers, PIN, etc.) will never be made public nor transferred to any network servers if not part of the standardized or proprietary payment protocol. Application developers trust the application providers that their application will not be altered and will be available for download. They also trust them for correct settlement. They trust the manufacturer for correct and safe (as defined by this application) implementation. The application provider trusts the price manager for correct settlement. The payment service providers trust the manufacturers that their terminals are safe and are fully compliant with this specification. They trust the price manager that the provisioning information (in particular prices and URLs) is forwarded to the application provider without tampering. The manufacturer trusts the (implementer of the) payment adapter that it correctly implements the payment protocol it has been designed for and does not include any malicious functionality.
17
3.5
Application Responsibilities
Status/History
Applications are responsible for managing their internal state regarding purchased features. The application must store state information for persistent storage to allow the end user to continue using a purchased feature when the application is started next time. Such application-specific state information might be, for example, the last game level for which a payment request has been issued. Only the application itself can take care of it because the representation/meaning of a feature is part of the applications logic. Security issues related to storing the applications internal state are discussed in chapter 7.
3.6
Responsibilities refer here to functionalities that are provided by the payment module component but are not directly accessible by Java applications. These functions, such as price update, can be offered to the end user directly by the payment module by providing an appropriate user interface.
Provisioning Mapping
Java applications are provided including provisioning data for the different payment adapters. It is the payment modules task to load the payment provisioning data from the JAR-Manifest Resource file, find possible syntax errors (and, if so, signal them to the end user) and map them to the appropriate payment adapter. Moreover, provisioning data is linked to a particular application or the suite it may belong to, and cannot be (re)used for another application. It is up to the implementation to decide when to map: it might be parsed at download/installation time by the AMS3 (a.k.a. JAM4) or at application startup by the AMS or even during the applications runtime at TransactionModule construction time. In case there is nothing to map (i.e. provisioning information provided along with the application does not match any of the locally installed payment adapters (if any)), the user will have no means by which he will be able to submit a payment request using that application. The user must be informed and be offered to choose to continue with this application or not. This confirmation dialog must be shown at TransactionModule construction time (refer to section A.3).
Method Selection
The Payment API is payment adapter agnostic. Therefore, if several payment adapters are installed, it is the responsibility of the payment module to offer the user (if any) a selection dialog or system to choose the optimal payment method under the current circumstances. It is also the responsibility of the payment module to inform and manage accordingly in case no payment adapter is present.
3 4
Application Management Software as defined by J2ME Java Application Management as introduced by MIDP1.0
18
Pricing Updates
Price updates for some features must be performed by the payment module implementation. Initial price information is delivered with an application and updates must override these values. It is up to the implementation, in combination with the user, how often or when price updates should be conducted. In case of MIDP, it is required for the payment module implementation to show a graphical user interface element to request a price update. Such an item can be, for example, a menu item shown by the payment module. In case of IMP, this can be controlled via the security policy instead. Moreover, the date of the latest price (and thereby provisioning) update must be logged as described in the next section. Hiding the update and persistency mechanisms from the application has the advantage that information is handled consistently and in one place.
Application processed() Payment API Payment module process() <FeatureTitle> <This feature is decribed here in more detail>. Are you sure you want to buy this feature for EUR 0.50 using Premium Priced SMS? Last update date: <date> Last update stamp: <stamp> Yes No Other method Update
The figure above depicts a typical user interface workflow. The application initiates a payment request to the payment module by calling the process() method. It then interacts with the user by showing a dialog and asks the end user for payment confirmation. The user can choose first to update all prices or change the payment method before confirming or denying the payment request. After processing the payment requests (e.g. with the help of the correct payment adapter), the payment module then asynchronously delivers back to the application the state of the payment request using the processed() listener interface .
19
3.7
Conducting Payment
A payment adapter is responsible for conducting payment transactions. Therefore, the implementation of such a payment adapter will focus on at least one particular payment method. All payment methods MUST involve an interaction between this adapter and servers in the network. Although some payment methods would not need to interact with a server (i.e. are smartcard based, like GeldKarte, Moneo, etc.), the payload, as defined by this Payment API, still has to be propagated through the network. As part of the payment transaction, the payment adapter is also responsible for forwarding a payload (if any is defined by the application), limited to 132 bytes5, to the application provider through the payment service provider.
Payment Authentication
Particular payment adapters involve non-repudiation mechanisms and may also need to interact with the user to authenticate the user to the payment system. The architecture designed in this specification clearly leaves this task to the implementation of the payment adapter. A credit-cardbased adapter may ask the user for the card number and expiration date every time it is used. It may also need an X.509 certificate or access to a smartcard to authenticate itself to the credit card operator in the network. All these are considerations that are specific to the adapter (plugin) and therefore are outside the scope of this document.
5
20
21
4 Package javax.microedition.payment
4.1 Overview
Summary Interfaces TransactionListener TransactionRecord Class TransactionModule Exceptions TransactionModuleException TransactionListenerException TransactionFeatureException TransactionPayloadException
This application programming interface has been designed to allow for an asynchronous handling of payment transactions. This is achieved by an emit/notify mechanism, respectively represented by the TransactionModule class and TransactionListener interface. It is also part of the design that no basic TransactionException class has been specified. This prevents an application developer from using a general catch(TransactionException) to (not) handle all payment-related exceptions. It is also part of the design that the developer must set a listener for transaction notifications. If this is omitted, a TransactionListenerException is thrown where appropriate.
22
4.2
Design
The following UML diagram details the previously defined classes and interfaces and also shows the interaction between those classes:
4.3
Interface TransactionListener
4.3.1 Summary
Declaration public interface TransactionListener Description A listener type for receiving notifications of transaction records that have been generated by the payment module once a transaction has been processed. When the payment module (together with the corresponding payment adapter) has been able to process a payment transaction, the application is notified by having the command processed() method called on the TransactionListener that had been set using the setListener() method of the TransactionModule class.
23
4.3.2 Details
processed
public void processed(TransactionRecord record) Description: Called by the payment module (as interfaced by the TransactionModule) to indicate that a transaction-related event has occurred. The parameter record holds (by its getState() method) one of the values defined in the TransactionRecord interface: TransactionRecord.TRANSACTION_SUCCESSFUL, TransactionRecord.TRANSACTION_FAILED, TransactionRecord.TRANSACTION_REJECTED. The record is identifiable through the transaction ID that has been returned by the process() method call. Refer to chapter 4.4 for more information about the meaning of the TransactionRecord.TRANSACTION_* fields. Parameters: record - the original TransactionRecord containing the feature ID, the final state (TransactionRecord.TRANSACTION_* value) and timestamp. This record is created by the payment module.
4.4
Interface TransactionRecord
4.4.1 Summary
Declaration public interface TransactionRecord Description The payment module manages a list of past transactions for each application. Each of these transactions is atomically represented by an object implementing the TransactionRecord interface. Summary Fields static int TRANSACTION_SUCCESSFUL static int TRANSACTION_FAILED static int TRANSACTION_REJECTED Methods int getFeatureID() int getTransactionID() int getState() long getFinishedTimestamp() boolean wasMissed()
24
4.4.2 Details
Field TRANSACTION_SUCCESSFUL
public static final int TRANSACTION_SUCCESSFUL = 0 Description: This value indicates that the payment module has been able to process the payment successfully. The application is thereby assured that the payment transaction of a given feature will be booked. The meaning of successfully processed is payment method dependent: most payment adapters will be able to guarantee a 100% reliable payment transaction (every actor gets the predicted part of a given transaction). Others, like Premium Priced SMS-based payment, will not be able to achieve this level of reliability due to the inherent limitations imposed by the design of the SMS infrastructure. However, the meaning of TRANSACTION_SUCCESSFUL is that the application MUST consider the payment as being done and should offer the paid feature to the user.
Field TRANSACTION_FAILED
public static final int TRANSACTION_FAILED = 1 Description: This value indicates that the payment module has not been able to finish the payment due to some error or problem. The application is thereby aware that the payment could not be fulfilled. This value also includes the case where the payment module could not find any payment adapter corresponding to the users selection to process this transaction. This case only covers technical errors which made the processing impossible but it does not cover rejection of a transaction request by the user: the latter is covered by the following field TRANSACTION_REJECTED.
Field TRANSACTION_REJECTED
public static final int TRANSACTION_REJECTED = 2 Description: This value indicates that the payment module has not been allowed by the user to process the payment transaction. The user has chosen the No option when asked by the payment module to confirm agreement to pay for a given feature. In the case of IMP, the payment module was preconfigured to deny transactions.
getFeatureID
int getFeatureID() Description: This method returns the feature ID of this particular transaction record.
25
getTransactionID
int getTransactionID() Description: This method returns the transaction ID of this particular transaction record. It is the same identifier as returned before when the process() method was called. Returns: An integer value representing the unique identifier of this particular payment transaction. The identifier is platform-unique.
getState
int getState() Description: This method returns the final state of this particular transaction as managed by the payment module. The final state value is one of the following: TransactionRecord.TRANSACTION_SUCCESSFUL, TransactionRecord.TRANSACTION_FAILED, TransactionRecord.TRANSACTION_REJECTED. Returns: The final state of the transaction as one of the constants defined in this class.
getFinishedTimestamp
long getFinishedTimestamp() Description: This method returns the timestamp by which the transaction has been acknowledged by the payment module. It is usually the time when the final state (successful, failed or rejected) is set, i.e. shortly before the payment module will call the processed() method of the transaction listener. Returns: A value representing the number of milliseconds since January 1, 1970, 00:00:00 GMT at which time the transaction was acknowledged.
wasMissed 26
4.5
Class TransactionModule
4.5.1 Summary
Declaration public class TransactionModule Description The TransactionModule class represents the communication interface between the application and the payment module. It has been designed to support asynchronous payment handling. Each call of process() has to return immediately. To convey the result of a payment transaction, an event is generated subsequently and the corresponding record is passed through the processed() method of the TransactionListeners interface to the registered listener. Summary Constructor TransactionModule(Object object) Methods void setListener(TransactionListener listener) int process(int featureID, String featureTitle, String featureDescription) int process(int featureID, String featureTitle, String featureDescription, byte[] payload) TransactionRecord[] getPastTransactions(int max) void deliverMissedTransactions()
4.5.2 Details
Constructor TransactionModule
public TransactionModule(Object object) throws TransactionModuleException
27
Description: Constructs a TransactionModule object and verifies that the provisioning information for the payment module and that for the payment adapters (that are present on the device) have been provided correctly. Should there be found anything missing or incorrect, a TransactionModuleException is thrown. This also covers the case where multiple payment adapters are present and the provisioning information for one or more payment adapters cannot be verified. Please refer to section A.3 for complementary information. A java.lang.NullPointerException is thrown if the argument passed as Object is null. Parameter: object - Object referring to the application itself (MIDlet, IMlet, etc.). Throws: TransactionModuleException - The payment module thereby signals that it refused a connection from the TransactionModule class. Reasons may be, for instance, that the provisioning data is corrupt or incomplete, that there are too many applications linked to that payment module or that the user chooses not to continue because there are no matching provisioning information for any locally installed adapters (if any). The payment module should interact with the user to show the reason.
setListener
public void setListener(TransactionListener listener) Description: Set the listener for asynchronous events. The transaction event listener is removed if listener is set to null. Parameter: listener - if not null, this method sets the listener to which asynchronous payment events will be sent. If set to null, the current listener is removed.
process
public int process(int featureID, String featureTitle, String featureDescription) throws TransactionModuleException TransactionFeatureException TransactionListenerException Description:
28
29
process
public int process(int featureID, String featureTitle, String featureDescription, byte[] payload) throws TransactionModuleException TransactionFeatureException TransactionListenerException TransactionPayloadException Description: This method is similar to the previously defined method process(int featureID, String featureTitle, String featureDescription) but allows passing a payload to the payment module. This payload is forwarded to the payment adapter that will process the payment. The payment adapter MUST then forward that payload to the payment service provider. The payload can be used by the application developer to send application-specific information: a game developer might use it to send high scores or statistics, another application might use it to send a service activation code. There are no constraints on the format. The size is limited only by the size supported by payment adapters (e.g. SMS-based payments have a very limited payload size. See chapter 8). In any case, the process() method will throw a TransactionPayloadException exception if the payload is not accepted by the payment adapter for any reason (payload too large, payload format not accepted). Please refer to the description of the process(int featureID, featureTitle, String featureDescription) method. Parameters: featureID - the ID of a given feature, as provided in the provisioning data. featureTitle - a very short description of the feature itself. It SHOULD only be a few words clearly defining the feature (example can be Level 1, Next Level, 3 Balls, etc). The text SHOULD be written in the language currently used by the platform, as described in the system property microedition.locale. If this parameter is not set (null or empty), a TransactionModuleException is thrown. featureDescription - a longer description of the feature. It SHOULD be considered that the text is meant to be shown/used on a device with few capabilities. As for featureTitle, the text SHOULD be written in the language currently used by the platform. If this parameter is not set (null or empty), a TransactionModuleException is thrown. payload - a byte array containing data that has to be sent along with the transaction to the payment service provider. If this parameter is set to null, this method will behave exactly like process(int featureID, String featureTitle, String featureDescription). The size of the payload is limited to 132 bytes. The developer should be aware that some Unicode characters are 16-bit and are therefore stretching the original string (i.e. the length of the payload may increase). Returns: String
30
getPastTransactions
public TransactionRecord[] getPastTransactions(int max) Description: This method returns an array of TransactionRecord objects representing the list of transactions that have been processed and about which the application has been notified. This implies that, as soon as the payment module has successfully returned from a processed method call, the corresponding transaction is considered as being past. The number is limited by the parameter max. The list is ordered from the latest acknowledged transaction (array[0]) to the oldest one (array[length-1]). The list will contain only transactions that have been generated/requested by the current application. Parameter: max - specifies that the latest max number of transactions will be returned. If max is equal to Integer.MAX_VALUE then all transactions that have been stored by the transaction module will be returned. If max is equal to 0, then null is returned. Returns: An array of TransactionRecord or null if max is set to 0 or if no transactions have been initiated.
deliverMissedTransactions
public void deliverMissedTransactions() throws TransactionListenerException Description: This method requests the payment module to again generate all missed transactions on the processed() listener interface. Consequently, this method can only be called once the listener
31
4.6
Class TransactionModuleException
4.6.1 Summary
Declaration public class TransactionModuleException extends Exception Description TransactionModuleException is an exception thrown whenever an error related to the payment module occurred. This might be due to problems with the initialization or some other internal error of the payment module. Summary Constructors TransactionModuleException() TransactionModuleException(String message)
4.6.2 Details
Constructors TransactionModuleException
public TransactionModuleException() Description: Constructs a new exception with no details message. public TransactionModuleException(String message) Description:
32
4.7
Class TransactionListenerException
4.7.1 Summary
Declaration public class TransactionListenerException extends Exception Description TransactionListenerException is an exception thrown whenever the application tries to process a transaction but the payment module has not detected any listener (i.e. no listener has been set before using the setListener() method) Summary Methods TransactionListenerException() TransactionListenerException(String message)
4.7.2 Details
Constructors TransactionListenerException
public TransactionListenerException() Description: Constructs a new exception with no detail message. public TransactionListenerException(String message) Description: Constructs a new exception with the specified detail message. Parameters: message Message details
33
4.8
Class TransactionFeatureException
4.8.1 Summary
Declaration public class TransactionFeatureException extends Exception Description TransactionFeatureException is an exception thrown whenever the application tries to process a transaction for a particular feature or to retrieve information about a given feature but the payment module was unable to locate the given feature ID from the resource file. Summary Methods TransactionFeatureException() TransactionFeatureException(String message)
4.8.2 Details
Constructors TransactionFeatureException
public TransactionFeatureException() Description: Constructs a new exception with no detail message. public TransactionFeatureException(String message) Description: Constructs a new exception with the specified detail message. Parameters: message Message details
4.9
Class TransactionPayloadException
4.9.1 Summary
Declaration public class TransactionPayloadException extends Exception Description
34
4.9.2 Details
Constructors TransactionPayloadException
public TransactionPayloadException() Description: Constructs a new exception with no detail message. public TransactionPayloadException(String message) Description: Constructs a new exception with the specified detail message. Parameters: message Message details
35
/** * Test MIDlet taken from spec sample. */ public class MyGame extends MIDlet implements TransactionListener, CommandListener { private private private private TransactionModule txModule; int alevel = 0; int nblevel = 0; int MAX_LEVEL = 3;
private Display display; private Command exit; public MyGame() { // Welcome to MyGame display = Display.getDisplay(this); Form formMain = new Form("MyGame"); exit = new Command("Exit", Command.EXIT, 1); formMain.addCommand(exit); formMain.setCommandListener(this); display.setCurrent(formMain); txModule = new TransactionModule(this); } catch(TransactionModuleException e) { /* The payment module thereby signalsthat it refused a * connection from the TransactionModule class. Reasons * may be, for instance, that the provisioning data is * corrupt or incomplete or that there are too many * applications linked to that payment module. The * payment module should interact with the user to show * the reason. */ // print error message: e.toString(); } catch(Exception e) { // print error message: e.toString(); } try { txModule.setListener(this); } catch(Exception e) { // print error message: e.toString(); } } public void startApp() { while (nblevel <= MAX_LEVEL) { // Payment required for level level try {
36
This code is provided here as an example of the usage of the Payment API, as defined by this specification. Sample JAD and JAR-Manifest files that match this code sample can be found in chapter 6.5.1.
37
5 System Functions
5.1 Overview
5.2
System Properties
The PAPI defines the following additional property values that MUST be made available to the application using java.lang.System.getProperty: System Property microedition.payment.version Description The version of the Payment API implemented in the device. The version MUST match the version major and minor of the specification that was used to implement it. If the implementation matches this specification, then this system property MUST return 1.1. The format is <major>.<minor> and follows the same rules defined for Pay-Version (refer page 39 and page 42).
38
6 Provisioning
6.1 Overview
Provisioning data is delivered as part of a JAR-Manifest resource file. However, some paymentrelated information shall be delivered as part of the JAD resource file and allows a user to have some basic information before downloading a given application. This minimum information includes that the given application is payment-enabled, and lists which payment adapters are expected so it can run. At least one of them should be supported by the platform: a particular implementation might allow the downloading of missing payment adapters after the application has been installed or started. However, the user should be aware that the usage of this particular application is dependent on the availability of those payment adapters. With respect to the MIDP specification, the provisioning data provided in the JAD and the JARManifest (i.e. the features included) is global to the entire MIDlet-suite. Modification of the MIDlet-suite implies redefinition of the features and therefore of the behavior of a given MIDlet. As stated in chapter 7, this specification has been defined to take advantage of security features and control mechanisms as provided by MIDP2.0. In order to protect the provisioning information, the MIDlet (and thereby the JAR-Manifest) MUST be protected through the signature of the JAR application by an authority recognized by the platform certificate authority. However, in order to facilitate the development of applications, a debug mode has been defined in which the signature and certification are not required. This debug mode is taken into consideration only on development platforms such as the Java Wireless Toolkit, emulators, simulators and similar.
6.2
JAD Resource
? M* Attribute description The version number of the JAR-Manifest fields used to configure the payment module. The format is <major>.<minor>. Current version is 1.1 and defines the JAD and JAR-Manifest payment-specific field format, interdependencies and behavior of the payment module. The list of registered payment adapters (<RegAdapter>) supported by the application provider. The list is commaseparated and MUST contain only registered adapters (see adapter namespace in chapter 8.2). At least one of these adapters should be supported by the payment module. There MUST NOT be duplicates of adapters for this property.
Pay-Adapters
M*
Pay-Debug-DemoMode
A boolean attribute allowing the developer to fake the behavior of a payment module
39
40
41
6.3
JAR-Manifest Resource
? M Attribute description The version number of the JAR-Manifest fields used to configure the payment module. The format is major.minor. Current version is 1.1. See description of the same field in the JAD file. If the version is not supported by the implemented payment module, then all payment-relevant fields MUST be discarded.
Pay-Update-Stamp
This field MUST contain the past on which the current information was generated. defines the date at which information starts to be valid.
This one-line field contains a date and timeof-day and optionally the timezone field. The format MUST follow the primary
42
This (and always at least the latest) stamp, along with the date and time of the latest update, MUST be stored by the payment module. On MIDP, both dates (stamp and date of latest update) MUST be shown to the user with other payment transaction information such as featureDescription, featureTitle and price of the feature, when displaying payment requests. It should be clear to the user that the prices shown are subject to changes and that the price shown has been validated and made public on the date given by this field. Pay-Update-URL M A URL pointing to the latest version of the provisioning information. Only Pay-* and signature fields of the retrieved provisioning data are taken into consideration. Other fields MUST be ignored. The format of the content MUST be compliant with this JARManifest description and allows the payment module to update payment-related information. Such retrieved information will be parsed by the payment module and, if verified to be compliant, will replace the previous information stored. If the download did not succeed or the retrieved provisioning is not compliant (see also chapter 6.4), an error message MUST be presented to the user, all of the retrieved provisioning information MUST be ignored and the payment module MUST use the previous provisioning. In any case, the user MUST confirm the information shown (old or new) before the payment is processed by the selected adapter. Format is <application-providerurl>. It includes the leading scheme according to RFC 2396. The scheme MUST be supported by the underlying platform. The AMS MUST verify that it supports the specified scheme before launching the application. More information about updates can be found in chapter A.4. The returned MIME-type MUST be: text/vnd.sun.pay.provision. If it is not, the
6
43
If the value is no, then the payment module MUST initiate an update of the provisioning data, at the latest before payment is conducted, the first time the corresponding payment adapter is used (i.e. only after the process method is called). The provisioning update MUST contain all price information needed and may still contain this field set to no. In this case, all Pay-<ProviderTitle>-Tag-<m> are only valid for the current runtime session of that application and MUST be discarded as soon as the application is stopped. If the value is yes, then the payment module uses the value specified in this description file (if any) or retrieves them once and leaves it up to the end user to update the payment information in the future. If the value is <Expiration-Date>, the payment module MUST compare the current date with the <ExpirationDate>. If the expiration date is in the past, the payment module MUST behave as if Pay-Cache was set to no, otherwise MUST behave as if Pay-Cache was set to yes. The format of <ExpirationDate> is the same as for Pay-UpdateStamp. This field is optional and the default value is yes. Pay-Providers M A list of names identifying payment providers supported by the application provider, as defined within the Pay<ProviderTitle>-* fields. Each name corresponds to an instance of a particular adapter. These titles SHOULD be meaningful names as these are the names to be presented to the end user at adapter instance selection time. They also have to be short enough as they will be shown on small
44
45
46
6.4
Update
Provisioning information can be fully updated. Please refer to chapter A.4 for more information about update policies. The provisioning information that is loaded from the URL specified in the Pay-Update-URL field defined in the JAR-Manifest MUST respect the following: If downloaded and if MIME-types and extensions are relevant in the download protocol, the MIME-type MUST be text/vnd.sun.pay.provision and the file extension SHOULD be .jpp. It contains all fields marked as mandatory in the JAR-Manifest file (as defined in chapter 6.3). All fields defined as optional in the JAR-Manifest (as defined in chapter 6.3) are also optional. It is correctly signed (i.e. have Pay-Signature-RSA-SHA1) as defined below. It contains all of the following mandatory fields:
? M
Attribute description Base64 encoding of a certificate without line breaks <n>: a number equal to 1 for first certification path in the descriptor or 1 greater than the previous number for additional certification paths. This defines the sequence in which the certificates are tested to see if the corresponding root certificate is on the device. <m>: a number equal to 1 for the signers certificate in a certification path or 1 greater than the previous number for any subsequent intermediate certificates.
Pay-Signature-RSA-SHA1
Base64 encoding without line breaks of the signature of this provisioning: i.e. of all other fields provided in this provisioning. The order in which all other properties are processed is the same as the order in which those lines appear in the provisioning information stream. In this process, empty lines, Pay-Certificate-<n>-<m> and Pay-Certificate-* and PaySignature-* are ignored.
47
48
6.5
Examples
JAR-Manifest:
[] Pay-Version: 1.1 Pay-Update-Stamp: 2004-11-15 02:00+01:00 Pay-Update-URL: http://<update-site>/thisgame.manifest.jpp Pay-Providers: Test Pay-Feature-0: 0 Pay-Test-Info: PPSMS, EUR, 001, 01 Pay-Test-Tag-0: 2.40, 4321, 0x123456789abcdef0, 1
JAR-Manifest:
[] Pay-Version: 1.1 Pay-Update-Stamp: 2004-11-15 02:00+01:00 Pay-Providers: SMS1, Test1Card, Test2Card Pay-Update-URL: http://<update-site>/thisgame.manifest.jpp Pay-Cache: no
49
Here, X-TEST represents a fictitious payment adapter that has not been specified and is used only for the purpose of the examples.
50
7 Security
Security in the context of mobile payment as defined in this JSR is about securing the provisioning information, the application and its state against modification (except, of course, by developers and providers themselves). It is also about guaranteeing that the terminal owner acknowledges all payment transactions and not about hiding any content. The JSR-229 has been defined and designed to take advantage of security features and control mechanisms as provided by MIDP2.0.
7.1
[REQ-1] [REQ-2] [REQ-3] [REQ-4] [REQ-5] [REQ-6]
Requirements
Tamper resistance of payment-enabled provisioning information Protecting the terminal owner against over-payment Tamper resistance of payment-enabled state information Tamper resistance of payment-enabled application code Protecting the payment service provider against fraudulent access Protecting the application provider against fraudulent access
7.2
Applications
The following permission is defined for the JSR-229 payment functionality: Permission name: javax.microedition.payment.process
To request a payment transaction, a MIDlet (or IMlet) requires this permission to access the implementation of TransactionModule.process(). If the permission is not granted, then this method MUST throw a SecurityException. Otherwise, the implementation must display the payment method selection and transaction confirmation dialog. The following policies for the different domains are to be applied on the different platforms: On GUI-enabled platforms (eg. MIDP): o o o o Untrusted: Trusted 3rd party: Manufacturer: Operator: Disabled Allowed Allowed Allowed
51
On non-GUI platforms (eg. IMP): o o o o Untrusted: Trusted 3rd party: Manufacturer: Operator: Disabled Allowed Allowed Allowed
This permission is used to protect the implementation from untrusted applications. It cannot be overruled by any means, in particular not by the user.
7.3
Provisioning Data
The provisioning information is provided through the following channels, all of which need to be secured as they contain sensitive data for the payment module: the JAD file, the JAR-Manifest file included in the applications JAR file, through the update mechanism of the entire JAR-Manifest file.
All cases are addressed by content signing mechanisms. For the last case, the content may be retrieved by any means and the payment module will use the signature verification mechanism to verify the integrity of the downloaded update. The MIDlet must therefore be protected through the signature of the JAR application by an authority recognized by the platform certificate authority. The signature and certificates MUST be present in the application descriptor (JAD) as attributes, as defined by the MIDP2.0 and IMP2.0 security frameworks. MIDP2.0 and IMP2.0 define rules on how to handle properties that are in both JAD and JARManifest: if the MIDlet suite is not trusted the value from the descriptor file will override the value from the manifest file. If the MIDlet suite is trusted then the values in the application descriptor MUST be identical to the corresponding attribute values in the JAR-Manifest. However, payment-related fields defined in chapter 6.3 MUST be read from the JAR-Manifest and MUST NOT be overloaded by those from JAD in case values are different. This ensures that provisioning data is protected against any external modifications, as tampering with paymentrelated properties will be detected by trusted applications and have no effect on untrusted applications that are not allowed to use payment functionalities.
7.4
Storage
There is an issue that arises particularly in the context of applications using this payment JSR. Such applications need to store their state internally, including the payment history for paid features (e.g. how many balls remain to play before asking again for a payment?). Such state information could be stored using the RMS API. However, experience shows that many manufacturers are fully compliant with the RMS specification but leave the records on a file in the file system (FAT or alike). These record files are then accessible by anyone using a native file browser and might be manipulated or copied onto another device. This makes it possible to misuse the payment functionality. Although it is already part of the MIDP (respectively IMP) specification that RMS records are bounded to the MIDlet-suite (respectively IMlet-suite) that generated those records and thereby cannot be accessed by any other MIDlet-suite (respectively IMlet-suite), the original specification leaves it open to the implementer what happens to those records on the native platform (if any).
52
7.5
Payment Module
Continue Confirmation Dialog In case where there is no matching between provisioning information and locally installed payment adapters, the payment module must display a warning-dialog for the user to confirm whether to continue or not. User Dialog In order to prevent applications from generating payments undetected, the payment module must display a payment method selection and transaction confirmation dialog. Authentication Another question that arises is user authentication to the payment module. However, this issue is left to the implementer of the payment module. Some platforms, such as mobile phones, are already designed to be used as personalized devices and would not need any additional user authentication. Other platforms may have to introduce an intermediate step where the user authenticates to the payment module before being able to use any payment adapters.
7.6
Non-GUI Platforms
Throughout this specification, it is a requirement for a terminal owner to acknowledge all payment transactions. However, the platform may not necessarily have a GUI system through which an end user (if there is one) could possibly interact and thereby acknowledge a given transaction. This is the case for platforms supporting IMP (Information Module Profile). In order to use the process() method of the TransactionModule class, the application MUST be granted a permission to perform the requested transactions. This mechanism is based on a policy mechanism enforced in the platform implementation.
53
7.7
Summary
Here follows a summary of the coverage of the security mechanisms mapped onto the requirements listed at the beginning of this chapter.
Tamper resistance of pament-enabled provisioning information [REQ-1]: Only signed applications are allowed to use JSR-229. Modification of the provisioning information which is located in JAR/Manifest would modify the JAD-signature and hence be detected by the payment module. The application is then not allowed to run. Protecting the terminal owner against over-payment [REQ-2]: a. Only signed applications are allowed to use the JSR-229 API: Provisioning (in particular prices and update links) have been verified and are therefore under control of the payment module, On GUI-enabled devices, it is controlled by having the end user confirm every payment transaction through a user dialog. If the platform does not possess a GUI, please refer to chapter 7.6, Authentication of the end user is left to the implementer, neverthess platform targeted by JSR-229 are already designed to be used as personalized devices.
b.
c.
Tamper resistance of Payment-enabled state information [REQ-3]: Different applications may have different requirements for storing their current state. Therefore, it is the application developers responsibility to choose a storage facilities corresponding to his needs: JSR-75, JSR-177 or the RMS-API may be used for this purposes. Tamper resistance of Payment-enabled application code [REQ-4]: It is outside the scope of this specification and is a general Java MIDP issue. Protecting the Payment Service Provider against fraudulent access [REQ-5]: This specification does not specify any particular payment mechanism. This requirement is an integral part of the specification of every single payment method, which specifies payment adapters and payment service servers. Protecting the Application Provider against fraudulent access [REQ-6]: In the role of a service provider (network-side application logic), application providers are being notified about a successful payment transaction in order to give access to a given content or service. This requirement is out of scope of this specification and is part of the application logic and must be specified between the different actors: payment service provider, application provider and possibly the application developer.
54
8 Adapters
8.1 Overview
This chapter defines general rules about payment adapters including adapter naming rules that must be followed by any new adapters.
8.2
PPSMS
Registered names MUST NOT begin with X- (capital X) as they are reserved for experimental adapters.
8.3
Proposal for new payment adapters may be submitted to the maintenance lead during the maintenance phase. These submissions will be reviewed and finalized together with the PAPI-EG, the submitting part and any other concerned parties. The new adapter will then be integrated into this specification. After the maintenance phase is closed, new payment adapters may only be integrated in this specification as part of a new JSR Proposal defining thereby a new release of this specification.
8.4
All adapters not explicitly defined or registered in this specification are considered to be experimental. The namespace for experimental adapters MUST be preceded by X- (capital X). As soon as such an adapter is officially registered, both namespaces (with and without the leading X-) are reserved.
55
Please refer also to the documentation provided together with the delivered TCK.
56
10
MCC
Glossary
Mobile Country Code: every mobile (GSM) operator is given a unique identifier pair (MCC, MNC). The MCC is a 3-digit code identifying the country in which this mobile (GSM) operator is registered. Mobile Network Code: every mobile (GSM) operator is given a unique identifier pair (MCC, MNC). The MNC is a 2 or 3-digit code identifying the network of a given country in which this mobile (GSM) operator is registered. Mobile Originated message. An SMS or MMS message that was originated on a mobile phone. Mobile Terminated. An SMS or MMS message that was terminated (sent to) a mobile phone. The message may have originated from another mobile phone or from a server, PC or other fixed device. Record Management Store, as defined for J2ME application to store and retrieve application-specific data. Short Message Service. Defined by the GSM standard; allows end users to exchange short messages. SMS are also used to push and send system information such as WAP provisioning or, in this context, payment transactions.
MNC
RMS SMS
57
58
This confirmation-dialog can be bypassed by the Pay-Debug-AutoRequestMode property. As defined in section 6.2, the dialog is skipped and the TransactionModule (constructor) should behave according to the value of the property as if the user did accept of reject the confirmation.
The current specification offers to update the complete JAR-Manifest provisioning. This is specified in chapter 6.4. In order to retrieve a complete, up-to-date JAR-Manifest, the implementation must download the content from the link specified in the Pay-Update-URL field. If it should happen that Pay-<ProviderTitle>-Tag-* tags are missing, an update is initialized to retrieve such provisioning information. If the update process fails (e.g. due to connection problems) or if the retrieved update does not provide the required information, i.e. the update still does not contain all required Pay-<ProviderTitle>-Tag-*, a TransactionModule-Exception MUST be thrown either in the constructor of the TransactionModule class or latest when its process() method is called. The update mechanism allows the following policies to be implemented: User Initiated Update: The user basically always has the right to initiate an update, including in any of the following cases. Always Update: Implemented by setting Pay-Cache:no in the JAR-Manifest and Pay-Cache:no in every provisioning update.
59
60
61
62
The list of all MCC and MNC codes can be found in the ITU-T Rec. E212 (11/98) or at the following location: http://www.itu.int/ITU-T/inr/forms/files/mnc-1203.pdf
63
C.1.4 Limitations
Due to the specified format, the following limitations arise: Attribute Format Restriction Adapter Reliability Limitation 8-bit SMS. Payload is also to be 8-bit encoded. Due to the specifics of payment via SMS and the SMS infrastructure, it is not possible to include an acknowledgement for a payment. Therefore the PPSMS payment adapter implementation MUST return to the payment module immediately after having been able to send that SMS to a given Premium Priced SMS
64
65
- last page -
66