Posted to users@cxf.apache.org by Hermann Angstl <ha...@talend.com> on 2014/09/01 09:52:50 UTC

RE: JWS/JWE

Thanks, Sergey, for your detailed reply. I appreciate it a lot!

cheers,
Hermann

-----Original Message-----
From: Sergey Beryozkin [mailto:sberyozkin@gmail.com] 
Sent: Friday, 29 August 2014 17:29
To: users@cxf.apache.org
Subject: Re: JWS/JWE

Hi Andrei, Hermann

CXF already provides, in snapshots, fairly decent (IMHO) JWS/JWE support, which still needs some clean-up. No JWK is supported yet, but see https://issues.apache.org/jira/browse/CXF-5954; it should be straightforward enough to do.
The use-cases that CXF users will be able to address are as follows:

- Use it as part of OAuth2 applications; many OAuth2-related specs/submissions are now talking about JWT (a JSON token that can be signed/JWS or encrypted/JWE), including OpenID Connect; we have a JIRA for integrating with it too.
- Use it to sign/encrypt regular HTTP payloads; it's going to be used more and more often IMHO going forward, and when WebCrypto gets out, CXF servers would be able to talk to WebCrypto-aware browsers supporting JWS/JWE.

I've no plans to go and analyze precisely what jose4j can do and try to match it precisely in CXF (oauth2-jwt module).

I've always thought that it's healthy enough to have multiple implementations around because it is simpler to optimize/adapt to other CXF modules (e.g., we can have JAX-RS JWS/JWE filters) and arguably it is simpler to manage generally speaking, and maybe it is also about ensuring I'll have something to do in 3 years' time for example :-).
RestEasy started its own JWS/JWE effort even earlier AFAIK.

For example, many people use Apache Oltu. Some of them may be using it with CXF. That said, IMHO it's good CXF ships its OAuth2 implementation, it's lower-level and is a bit closer to CXF, some users may like it more, some users may prefer a higher-level Oltu level, same way it would be for jose4j vs CXF JWS/JWE, similar to CXF OAuth2 vs Oltu, or say, vs CXF JSONProvider (Jettison) vs Jackson, all the combinations are welcome :-).

I recommend that people who would like to play with something different from what CXF does or will do just use jose4j, because it's a good standalone JWS/JWE implementation. I downloaded it a while back when I was getting lost about RSA-OAEP non-reproducible outputs... jose4j is very object oriented, and is rich in what it can do.

But, Hermann, CXF JWS/JWE will be improved to make sure CXF users can do most of JWS/JWE. It will not necessarily *directly* support all of the JWS and JWE algorithms compared to jose4j, but it will support the key ones. You can def start with jose4j if you'd like something released and practically finalized; you can look at what CXF does later if you prefer.


Cheers, Sergey



On 29/08/14 15:59, Andrei Shakirin wrote:
> Hi Hermann,
>
> Sergey recently published some related information in this thread:
> http://cxf.547215.n5.nabble.com/Jose4j-is-available-in-Central-tt5747950.html
> Currently you are able to use JWS/JWE through custom JAX-RS
> request/response filters using Jose4j or plug it into the CXF OAuth implementation.
>
> Could you please describe your use case in a bit more detail?
> What exactly are you expecting from CXF JWS/JWE support?
>
> Regards,
> Andrei.
>
>> -----Original Message-----
>> From: Hermann Angstl [mailto:hangstl@talend.com]
>> Sent: Friday, 29 August 2014 16:39
>> To: users@cxf.apache.org
>> Subject: JWS/JWE
>>
>> Hi there,
>>
>> quick question: Are there any plans to improve the support for 
>> JWS/JWE in CXF up to (or even beyond) the level of jose.4.j?
>>
>> cheers,
>> Hermann