...

Note that the JWS Compact and JWS JSON client and server output filters, as well as the JWE Compact ones, make a best effort to keep streaming while they sign or encrypt the payload. The JWE JSON client/server output filter and the JWS Compact client/server input filters will be enhanced in due time to support streaming too. Most of the CXF JOSE system tests enable the streaming-capable filters to stream by default; however, this can be disabled.

JWS and JWE JSON input filters are expected to process JSON containers whose properties may be set in a random order, hence by default they will not stream the data in.

...

No Format
Address: https://localhost:9001/jwsjwkhmac/bookstore/books
Http-Method: POST
Content-Type: application/jose
Payload: 
eyJhbGciOiJIUzI1NiIsImN0eSI6Impzb24ifQ.
eyJCb29rIjp7ImlkIjoxMjMsIm5hbWUiOiJib29rIn19.
hg1T41ESuX6JvRR--huTA3HnbrsdIZSwkxQdyWj9j6c

May 24, 2016 10:53:32 AM org.apache.cxf.rs.security.jose.common.JoseUtils traceHeaders
INFO: JWS Headers: 
{"alg":"HS256",
 "cty":"json"}

 

You can see 3 JWS parts (put on separate lines for better readability) separated by dots. The 1st part is the Base64Url-encoded protected headers, the next one is the Base64Url-encoded Book JSON payload, and the last one is the signature. Note that the protected headers can be traced by enabling the "jose.debug" contextual property.

The following client code can be used to set the client JOSE interceptors:

Code Block
Client JWS SetUp (Java)
    @Test
    public void testJwsJwkBookHMac() throws Exception {
        String address = "https://localhost:" + PORT + "/jwsjwkhmac";
        BookStore bs = createJwsBookStore(address);
        Book book = bs.echoBook(new Book("book", 123L));
        assertEquals("book", book.getName());
        assertEquals(123L, book.getId());
    }
    private BookStore createJwsBookStore(String address) throws Exception {
        JAXRSClientFactoryBean bean = new JAXRSClientFactoryBean();
        bean.setServiceClass(BookStore.class);
        bean.setAddress(address);
        List<Object> providers = new LinkedList<Object>();
        // JWS Compact Out
        JwsWriterInterceptor jwsWriter = new JwsWriterInterceptor();
        // enable streaming
        jwsWriter.setUseJwsOutputStream(true);
        providers.add(jwsWriter);
        // JWS Compact In
        providers.add(new JwsClientResponseFilter());
        // Book to/from JSON
        providers.add(new JacksonJsonProvider());
        bean.setProviders(providers);
        // point to the JWS security properties
        bean.getProperties(true).put("rs.security.signature.properties",
            "org/apache/cxf/systest/jaxrs/security/secret.jwk.properties");
        // enable the tracing of JWS headers
        bean.getProperties(true).put("jose.debug", true);

        return bean.create(BookStore.class);
    }

The above code creates a client proxy, but a WebClient can be created instead with bean.createWebClient().

 

JwsJsonWriterInterceptor creates JWS JSON sequences on the client or server out directions. 

JwsJsonClientResponseFilter and JwsJsonContainerRequestFilter process the incoming client or server Compact JWS sequences.

Here is an example of a JSON Book representation being signed and converted into JWS JSON and POSTed to the target service:

No Format
Http-Method: POST
Content-Type: application/jose+json
Payload: 
{
  "payload" : "eyJCb29rIjp7ImlkIjoxMjMsIm5hbWUiOiJib29rIn19",
  "signatures":
   [
     {
       "protected" : "eyJhbGciOiJIUzI1NiIsImN0eSI6Impzb24ifQ",
       "signature" : "hg1T41ESuX6JvRR--huTA3HnbrsdIZSwkxQdyWj9j6c"
     }
   ]
}

Note the Base64Url encoded payload goes first, followed by the 'signatures' array, with each element containing the protected headers and the actual signature specific to a given signature key.

Enabling the clear JWS payload option will produce:

No Format
{
 "payload" : "{"Book":{"id":123,"name":"book"}}",  
 "signatures": 
   [
      {
       "protected" : "eyJhbGciOiJIUzI1NiIsImN0eSI6Impzb24iLCJiNjQiOmZhbHNlLCJjcml0IjpbImI2NCJdfQ",
       "signature" : "AwHX5IVrGLXQicma-aaRAyLuHQcKc65fE3ucl_LonO8"
      }
   ]
}
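
The two JWS JSON forms above differ in what is actually signed: with the default encoding the HMAC covers the Base64Url-encoded payload, while with "b64": false (RFC 7797) it covers the raw payload bytes, and "b64" must be listed in "crit". The following Python sketch is an added example, not CXF code; the key is a constructed sample (the key behind the page's signatures is not shown), and the function names are hypothetical.

```python
import base64, hashlib, hmac, json

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def signing_input(protected_b64: str, payload: bytes) -> bytes:
    """JWS signing input; honours the RFC 7797 "b64" header."""
    headers = json.loads(b64u_decode(protected_b64))
    if headers.get("b64", True):
        body = b64u(payload).encode("ascii")
    else:
        # An unencoded payload is only valid if "b64" is marked critical.
        if "b64" not in headers.get("crit", []):
            raise ValueError('"b64": false requires "crit": ["b64"]')
        body = payload
    return protected_b64.encode("ascii") + b"." + body

def sign_hs256(key: bytes, headers: dict, payload: bytes) -> dict:
    """Return a JWS JSON object carrying a single HS256 signature."""
    protected = b64u(json.dumps(headers, separators=(",", ":")).encode())
    mac = hmac.new(key, signing_input(protected, payload), hashlib.sha256).digest()
    clear = not headers.get("b64", True)
    return {"payload": payload.decode() if clear else b64u(payload),
            "signatures": [{"protected": protected, "signature": b64u(mac)}]}

def verify_hs256(key: bytes, jws: dict) -> bool:
    sig = jws["signatures"][0]
    headers = json.loads(b64u_decode(sig["protected"]))
    if headers.get("alg") != "HS256":  # verifier pins the algorithm it expects
        return False
    clear = not headers.get("b64", True)
    payload = jws["payload"].encode() if clear else b64u_decode(jws["payload"])
    expected = hmac.new(key, signing_input(sig["protected"], payload), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64u_decode(sig["signature"]))

def to_compact(jws: dict) -> str:
    """Flatten a single-signature JWS JSON object into JWS Compact."""
    sig = jws["signatures"][0]
    return ".".join([sig["protected"], jws["payload"], sig["signature"]])

KEY = b"constructed-demo-key-not-from-the-page"   # constructed sample key
BOOK = b'{"Book":{"id":123,"name":"book"}}'       # payload shown on the page
encoded = sign_hs256(KEY, {"alg": "HS256", "cty": "json"}, BOOK)
unencoded = sign_hs256(KEY, {"alg": "HS256", "cty": "json", "b64": False, "crit": ["b64"]}, BOOK)
```

The "protected" and "payload" values it produces match the ones shown on this page; only the signatures differ, because the key is a different one.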

 

JWE

JweWriterInterceptor creates Compact JWE sequences on the client or server out directions. For example, if you have the client code posting a Book or the server code returning a Book, with this Book representation expected to be encrypted, then add JweWriterInterceptor and set the encryption properties on the JAX-RS client or server.

...