...
Register both JWS and JWE out filters if the data need to be signed and encrypted (the filters are ordered such that the data are signed first and encrypted next) and JWS and JWE in filters if the signed data need to be decrypted first and then verified.
JWS
JWS Compact
JwsWriterInterceptor creates compact JWS sequences on the client or server out directions. For example, if you have the client code posting a Book or the server code returning a Book, with this Book representation expected to be signed, then add JwsWriterInterceptor and set the signature properties on the JAX-RS client or server.
...
```java
public void testJwsJwkBookHMac() throws Exception {
    String address = "https://localhost:" + PORT + "/jwsjwkhmac";
    BookStore bs = createJwsBookStore(address);
    Book book = bs.echoBook(new Book("book", 123L));
    assertEquals("book", book.getName());
    assertEquals(123L, book.getId());
}

private BookStore createJwsBookStore(String address) throws Exception {
    JAXRSClientFactoryBean bean = new JAXRSClientFactoryBean();
    bean.setServiceClass(BookStore.class);
    bean.setAddress(address);

    List<Object> providers = new LinkedList<Object>();
    // JWS Compact Out
    JwsWriterInterceptor jwsWriter = new JwsWriterInterceptor();
    // enable streaming
    jwsWriter.setUseJwsOutputStream(true);
    // The payload is encoded by default, disable it if required
    // jwsWriter.setEncodePayload(false);
    providers.add(jwsWriter);
    // JWS Compact In
    providers.add(new JwsClientResponseFilter());
    // Book to/from JSON
    providers.add(new JacksonJsonProvider());
    bean.setProviders(providers);

    // point to the JWS security properties
    bean.getProperties(true).put("rs.security.signature.properties",
        "org/apache/cxf/systest/jaxrs/security/secret.jwk.properties");
    // enable the tracing of JWS headers
    bean.getProperties(true).put("jose.debug", true);

    return bean.create(BookStore.class);
}
```
The code above uses a client proxy, but a WebClient can be created instead. The server is configured here. The client can be configured in Spring/Blueprint too.
JWS Compact With Unencoded Payload
Starting from CXF 3.1.7 it is also possible to produce JWS Compact sequences with the unencoded payload (See JWS With Clear Unencoded Payload above for restrictions).
...
Note that the second part, "book", is not Base64Url encoded. Set the 'encodePayload' option on the request or response JWS Compact filter to 'false'.
JWS JSON
JwsJsonWriterInterceptor creates JWS JSON sequences on the client or server out directions.
...
Note the Base64Url encoded payload goes first, followed by the 'signatures' array, with each element containing the protected headers and the actual signature specific to a given signature key.
JWS JSON with Unencoded Payload
Enabling the clear unencoded JWS payload option will produce:
```
{
  "payload" : "book",
  "signatures": [
    {
      "protected" : "eyJhbGciOiJIUzI1NiIsImN0eSI6InRleHQvcGxhaW4iLCJiNjQiOmZhbHNlLCJjcml0IjpbImI2NCJdfQ",
      "signature" : "fM7O2IVO3NsQeTGrFiMeLf_TKTsMSqnqmjnK40PwQ88"
    }
  ]
}
```
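What the unencoded-payload option changes on the wire and what a verifier has to check, as an added example in standard-library Python (it is not CXF code and not from the original page). The key and the function names are assumptions made for the illustration; the header layout follows the `b64`/`crit` protected headers shown on this page.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key-not-from-cxf"  # constructed sample HMAC key

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jws_json(payload: str, key: bytes, encode_payload: bool = True) -> dict:
    # An unencoded payload is announced in the protected header via b64/crit.
    header = {} if encode_payload else {"b64": False, "crit": ["b64"]}
    header["alg"] = "HS256"
    protected = b64url(json.dumps(header, separators=(",", ":")).encode())
    body = b64url(payload.encode()) if encode_payload else payload
    # Signing input is ASCII(protected) + "." + the payload exactly as transmitted.
    mac = hmac.new(key, f"{protected}.{body}".encode(), hashlib.sha256).digest()
    return {"payload": body,
            "signatures": [{"protected": protected, "signature": b64url(mac)}]}

def verify_jws_json(jws: dict, key: bytes) -> str:
    """Return the payload text if a signature verifies, else raise ValueError."""
    for entry in jws["signatures"]:
        header = json.loads(b64url_decode(entry["protected"]))
        crit = header.get("crit", [])
        if header.get("alg") != "HS256":  # pin the algorithm, do not trust the message
            continue
        if set(crit) - {"b64"}:  # unknown critical extension: reject this signature
            continue
        encoded = header.get("b64", True)
        if encoded is not True and (encoded is not False or "b64" not in crit):
            continue  # policy of this example: b64=false must be marked critical
        signing_input = f"{entry['protected']}.{jws['payload']}".encode()
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        try:
            received = b64url_decode(entry["signature"])
        except ValueError:
            continue
        if hmac.compare_digest(expected, received):  # constant-time comparison
            return b64url_decode(jws["payload"]).decode() if encoded else jws["payload"]
    raise ValueError("no valid signature")
```

Because `b64` sits in the protected header, it is covered by the signature: a message cannot be switched between the encoded and unencoded forms without invalidating it.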
...
```
ID: 1
Address: https://localhost:9001/jwsjwkhmacSinglePartJwsJson/bookstore/books
Http-Method: POST
Content-Type: multipart/related; type="application/xml"; boundary="uuid:75b37fab-1745-45b7-93ac-15aa9add9b25"; start="<root.message@cxf.apache.org>"
Headers: {Accept=[multipart/related], Connection=[Keep-Alive]}
Payload: --uuid:75b37fab-1745-45b7-93ac-15aa9add9b25
Content-Type: application/xml
Content-Transfer-Encoding: binary
Content-ID: <root.message@cxf.apache.org>

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><Book><id>123</id><name>book</name></Book>
--uuid:75b37fab-1745-45b7-93ac-15aa9add9b25
Content-Type: application/jose
Content-Transfer-Encoding: binary
Content-ID: <signature>

{"protected":"eyJiNjQiOmZhbHNlLCJjcml0IjpbImI2NCJdLCJhbGciOiJIUzI1NiJ9","signature":"LWMjPoronjdGmJFAAIuCc_qh9sI2i5Jc2onBd-fHdMM"}
--uuid:75b37fab-1745-45b7-93ac-15aa9add9b25--
```
JWE
JWE Compact
JweWriterInterceptor creates Compact JWE sequences on the client or server out directions. For example, if you have the client code posting a Book or the server code returning a Book, with this Book representation expected to be encrypted, then add JweWriterInterceptor and set the encryption properties on the JAX-RS client or server.
...
The code above uses a client proxy, but a WebClient can be created instead. The server is configured here. The client can be configured in Spring/Blueprint too.
JWE JSON
JweJsonWriterInterceptor creates JWE JSON sequences on the client or server out directions.
...