
Introduction

CXF 3.0.x implements JOSE.

Maven Dependencies

<dependency>
  <groupId>org.apache.cxf</groupId>
  <artifactId>cxf-rt-rs-security-jose</artifactId>
  <version>3.1.0</version>
</dependency>

JOSE Overview

JOSE is a set of high-quality specifications that define how data payloads can be signed and/or encrypted, with the cryptographic properties set in JSON-formatted metadata (headers).

Note that not only JSON documents but also documents in arbitrary formats can be secured: text, binary data, even XML.

JOSE is a key piece of advanced OAuth2 applications, but it is also well suited to securing regular HTTP web service communications.

At the moment two signature and encryption output formats are supported: compact and JSON.

The compact format is a concatenation of the Base64URL-encoded JOSE headers (where the cryptographic signature or encryption properties are set), the Base64URL-encoded payload (in its original form if it is signed, otherwise encrypted), and the Base64URL-encoded signature of the payload or, for encryption, some of the encryption process input or output data such as an initialization vector, authentication tag, etc.

The JSON (full) format presents all the information describing a signature or encryption process as a regular, non-compact JSON document, offering a larger but easier-to-understand format.

The signature process also supports a detached body mode, where the body being signed is not included in the actual output; it is assumed that both the consumer and the producer know how to access the original payload in order to validate the signature.
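The compact and detached modes described above, as an added stand-alone example that is not part of CXF or this page; it builds and verifies an HS256 JWS compact serialization with the standard library only, and the key and payload are constructed values.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64URL without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jws_compact_sign(payload: bytes, key: bytes, detached: bool = False) -> str:
    """Produce header.payload.signature; in detached mode the payload part is left empty."""
    header = b64url(json.dumps({"alg": "HS256"}, separators=(",", ":")).encode())
    # The signing input always includes the encoded payload, even when it is detached.
    signing_input = f"{header}.{b64url(payload)}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    middle = "" if detached else b64url(payload)
    return f"{header}.{middle}.{b64url(sig)}"


def jws_compact_verify(token: str, key: bytes, detached_payload: bytes = None) -> bytes:
    """Return the payload if the HMAC verifies, otherwise raise ValueError."""
    header, middle, sig = token.split(".")
    # Pin the expected algorithm instead of trusting whatever the header claims.
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    if detached_payload is not None:
        if middle:
            raise ValueError("detached token must not carry a payload")
        middle = b64url(detached_payload)  # consumer re-attaches the known payload
    signing_input = f"{header}.{middle}".encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):  # constant-time compare
        raise ValueError("bad signature")
    return b64url_decode(middle)


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # constructed value, not a real secret
    print(jws_compact_sign(b"hello", demo_key))
    print(jws_compact_sign(b"hello", demo_key, detached=True))
```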

The following subsections give examples and further details.

JWA Algorithms

All JOSE signature and encryption algorithms are grouped and described in the JSON Web Algorithms (JWA) specification.

The algorithms are split into three categories: signature algorithms (MAC, RSA, Elliptic Curve), algorithms for encrypting the content encryption keys (RSA-OAEP, Key Wrap, etc.), and algorithms for encrypting the actual content (AES GCM, etc.).

All encryption algorithms produce authentication tags, which protect against manipulation of the already encrypted content.

Refer to this specification (with follow-up links to the corresponding RFCs where applicable) for all the information needed about a particular signature or encryption algorithm: its properties, recommended key sizes, and other security considerations related to all or some specific algorithms.

JWK Keys

JSON Web Key (JWK) is a JSON document describing the properties of a cryptographic key. JWKs are very flexible and (in most cases) lightweight, and one can expect JWK to become one of the major mechanisms for representing and storing cryptographic keys. Importantly, one does not have to use a JWK in order to sign or encrypt a document; working directly with Java JCA secret and asymmetric key representations is sufficient. JWK is, however, a first-class citizen in JOSE, and all of the JOSE examples use JWK representations.

JWS Signature

JSON Encryption

JSON Web Tokens

JAX-RS Jose Filters

OAuth2 and Jose

Third-Party Alternatives

Jose4J, etc.
