Posted to users@cxf.apache.org by Giriraj Bhojak <gi...@gmail.com> on 2016/03/17 16:45:01 UTC

Signing and encrypting JSON payload for REST requests over a browser

Hi,

I have been struggling with a basic question related to using signing and
encryption for REST services.

If the REST call (using JSON) happens over http or https via a browser, how
can I ensure that the JSON payload is signed and encrypted, just like a SOAP
request that is signed and encrypted?

Is there a JavaScript component that I can use to implement JOSE for
browser-based REST requests?

Or am I interpreting this in the wrong way?

Thanks,
Giriraj.

Re: Signing and encrypting JSON payload for REST requests over a browser

Posted by Giriraj Bhojak <gi...@gmail.com>.
Thank you very much Sergey.

Thanks,
Giriraj
On Mar 18, 2016 6:06 AM, "Sergey Beryozkin" <sb...@gmail.com> wrote:

> Hi,
> On 18/03/16 00:21, Giriraj Bhojak wrote:
>
>> Thank you Sergey.
>> I went through the spec. It mentions that the spec is not stable yet and is
>> subject to change. Would you know if it is widely used?
>>
> There are two specs involved here, JOSE and WebCrypto, the former is
> stable and is already quite widely used, though mostly in OAuth2 flows, but
> JOSE is independent of OAuth2.
>
> WebCrypto is a browser specific mechanism on how to get the keys/etc, the
> demo worked for me in Firefox/Chrome, not sure about the other browsers,
> though I might've tried IE too when trying on Windows, do not remember now.
> I think it is unlikely anything but some minor details will get changed
> there.
>
> If you'd like to start doing signing/encrypting within a script running
> inside a browser then I guess you have to be prepared at this stage to go
> some not-very standard-safe path.
>
>
>> I was hoping to use one of the JavaScript tools such as jsrsasign, but
>> looks like it is out of the picture.
>>
>> Would you be able to share the source code/API details of the demo that you
>> gave in Apache Con?
>>
> On the demo page, click on the WebCrypto++ icon and it will bring you to
> a page with a link to the source code. In my demo I only replaced the
> server code which validates JWS signatures, the code that signs the data
> from within a script was the same as in the original demo.
>
> I have not experimented with that script, I only wanted to demo the JOSE
> JWS interoperability between a non-CXF client (the script) and CXF server
>
>> Could you please expand on the trusted server approach you mentioned in the
>> follow-up?
>>
> If you cannot sign directly within the script then post the data to be
> signed to the trusted server that will do it for you and return the signed
> data.
>
> HTH, Sergey
>
>>
>> Thank you for responding to my queries.
>>
>> Thanks,
>> Giriraj
>> On Mar 17, 2016 6:10 PM, "Sergey Beryozkin" <sb...@gmail.com> wrote:
>>
>>> Or a browser may ask a trusted server to help with it, and get this server
>>> returning a String representing a JOSE payload; the script then forwards it
>>> somewhere else...
>>>
>>> Sergey
>>> On 17/03/16 21:35, Sergey Beryozkin wrote:
>>>
>>>> Hi
>>>>
>>>> You may be talking about WebCrypto.
>>>>
>>>> If you have a CXF client sending JSON, then JWE/JWS protecting it is
>>>> easy enough, but if you have a script running in a browser then this script
>>>> has no access to the key stores, unless it is a WebCrypto-aware browser,
>>>> and most of them are by now AFAIK.
>>>>
>>>> See this demo:
>>>>
>>>>
>>>> https://test.webpki.org/WCPPSignatureDemo/signcmd
>>>>
>>>> (it says a password is 1234). It shows an interaction between a
>>>> WebCrypto (https://www.w3.org/TR/WebCryptoAPI/) browser based client
>>>> and a regular Java HTTP server, the data are signed, using JOSE (JWS
>>>> Compact) as one option.
>>>>
>>>> I actually presented this demo at Apache Con NA 2015, except I replaced
>>>> the demo server with a CXF JWS-enabled server.
>>>>
>>>> Sergey
>>>> On 17/03/16 15:45, Giriraj Bhojak wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I have been struggling with a basic question related to using signing
>>>>> and
>>>>> encryption for REST services.
>>>>>
>>>>> If the REST call (using JSON) happens over http or https via a
>>>>> browser, how
>>>>> can I ensure that JSON payload is signed and encrypted, just like a
>>>>> SOAP
>>>>> request that is signed and encrypted?
>>>>>
>>>>> Is there a JavaScript component that I can use to implement JOSE for
>>>>> browser based REST requests?
>>>>>
>>>>> Or am I interpreting this in a wrong way?
>>>>>
>>>>> Thanks,
>>>>> Giriraj.
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>> --
>>> Sergey Beryozkin
>>>
>>> Talend Community Coders
>>> http://coders.talend.com/
>>>
>>>
>>
>
> --
> Sergey Beryozkin
>
> Talend Community Coders
> http://coders.talend.com/
>

Re: Signing and encrypting JSON payload for REST requests over a browser

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi,
On 18/03/16 00:21, Giriraj Bhojak wrote:
> Thank you Sergey.
> I went through the spec. It mentions that the spec is not stable yet and is
> subject to change. Would you know if it is widely used?
There are two specs involved here, JOSE and WebCrypto. The former is 
stable and is already quite widely used, though mostly in OAuth2 flows, 
but JOSE is independent of OAuth2.

WebCrypto is a browser-specific mechanism for how to get the keys/etc; 
the demo worked for me in Firefox/Chrome, not sure about the other 
browsers, though I might've tried IE too when trying on Windows, I do not 
remember now. I think it is unlikely anything but some minor details 
will get changed there.

If you'd like to start doing signing/encrypting within a script running 
inside a browser then I guess you have to be prepared at this stage to 
go some not-very standard-safe path.


> I was hoping to use one of the JavaScript tools such as jsrsasign, but
> looks like it is out of the picture.
>
> Would you be able to share the source code/API details of the demo that you
> gave in Apache Con?
>
On the demo page, click on the WebCrypto++ icon and it will bring you to 
a page with a link to the source code. In my demo I only replaced the 
server code which validates JWS signatures; the code that signs the data 
from within a script was the same as in the original demo.

I have not experimented with that script, I only wanted to demo the JOSE 
JWS interoperability between a non-CXF client (the script) and a CXF server.

> Could you please expand on the trusted server approach you mentioned in the
> follow-up?
If you cannot sign directly within the script then post the data to be 
signed to the trusted server that will do it for you and return the 
signed data.

HTH, Sergey
>
> Thank you for responding to my queries.
>
> Thanks,
> Giriraj
> On Mar 17, 2016 6:10 PM, "Sergey Beryozkin" <sb...@gmail.com> wrote:
>
>> Or a browser may ask a trusted server to help with it, and get this server
>> returning a String representing a JOSE payload; the script then forwards it
>> somewhere else...
>>
>> Sergey
>> On 17/03/16 21:35, Sergey Beryozkin wrote:
>>
>>> Hi
>>>
>>> You may be talking about WebCrypto.
>>>
>>> If you have a CXF client sending JSON, then JWE/JWS protecting it is
>>> easy enough, but if you have a script running in a browser then this script
>>> has no access to the key stores, unless it is a WebCrypto-aware browser,
>>> and most of them are by now AFAIK.
>>>
>>> See this demo:
>>>
>>>
>>> https://test.webpki.org/WCPPSignatureDemo/signcmd
>>>
>>> (it says a password is 1234). It shows an interaction between a
>>> WebCrypto (https://www.w3.org/TR/WebCryptoAPI/) browser based client
>>> and a regular Java HTTP server, the data are signed, using JOSE (JWS
>>> Compact) as one option.
>>>
>>> I actually presented this demo at Apache Con NA 2015, except I replaced
>>> the demo server with a CXF JWS-enabled server.
>>>
>>> Sergey
>>> On 17/03/16 15:45, Giriraj Bhojak wrote:
>>>
>>>> Hi,
>>>>
>>>> I have been struggling with a basic question related to using signing and
>>>> encryption for REST services.
>>>>
>>>> If the REST call (using JSON) happens over http or https via a
>>>> browser, how
>>>> can I ensure that JSON payload is signed and encrypted, just like a SOAP
>>>> request that is signed and encrypted?
>>>>
>>>> Is there a JavaScript component that I can use to implement JOSE for
>>>> browser based REST requests?
>>>>
>>>> Or am I interpreting this in a wrong way?
>>>>
>>>> Thanks,
>>>> Giriraj.
>>>>
>>>>
>>>
>>>
>>
>> --
>> Sergey Beryozkin
>>
>> Talend Community Coders
>> http://coders.talend.com/
>>
>


-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Re: Signing and encrypting JSON payload for REST requests over a browser

Posted by Giriraj Bhojak <gi...@gmail.com>.
Thank you Sergey.
I went through the spec. It mentions that the spec is not stable yet and is
subject to change. Would you know if it is widely used?
I was hoping to use one of the JavaScript tools such as jsrsasign, but
looks like it is out of the picture.

Would you be able to share the source code/API details of the demo that you
gave in Apache Con?

Could you please expand on the trusted server approach you mentioned in the
follow-up?

Thank you for responding to my queries.

Thanks,
Giriraj
On Mar 17, 2016 6:10 PM, "Sergey Beryozkin" <sb...@gmail.com> wrote:

> Or a browser may ask a trusted server to help with it, and get this server
> returning a String representing a JOSE payload; the script then forwards it
> somewhere else...
>
> Sergey
> On 17/03/16 21:35, Sergey Beryozkin wrote:
>
>> Hi
>>
>> You may be talking about WebCrypto.
>>
>> If you have a CXF client sending JSON, then JWE/JWS protecting it is
>> easy enough, but if you have a script running in a browser then this script
>> has no access to the key stores, unless it is a WebCrypto-aware browser,
>> and most of them are by now AFAIK.
>>
>> See this demo:
>>
>>
>> https://test.webpki.org/WCPPSignatureDemo/signcmd
>>
>> (it says a password is 1234). It shows an interaction between a
>> WebCrypto (https://www.w3.org/TR/WebCryptoAPI/) browser based client
>> and a regular Java HTTP server, the data are signed, using JOSE (JWS
>> Compact) as one option.
>>
>> I actually presented this demo at Apache Con NA 2015, except I replaced
>> the demo server with a CXF JWS-enabled server.
>>
>> Sergey
>> On 17/03/16 15:45, Giriraj Bhojak wrote:
>>
>>> Hi,
>>>
>>> I have been struggling with a basic question related to using signing and
>>> encryption for REST services.
>>>
>>> If the REST call (using JSON) happens over http or https via a
>>> browser, how
>>> can I ensure that JSON payload is signed and encrypted, just like a SOAP
>>> request that is signed and encrypted?
>>>
>>> Is there a JavaScript component that I can use to implement JOSE for
>>> browser based REST requests?
>>>
>>> Or am I interpreting this in a wrong way?
>>>
>>> Thanks,
>>> Giriraj.
>>>
>>>
>>
>>
>
> --
> Sergey Beryozkin
>
> Talend Community Coders
> http://coders.talend.com/
>

Re: Signing and encrypting JSON payload for REST requests over a browser

Posted by Sergey Beryozkin <sb...@gmail.com>.
Or a browser may ask a trusted server to help with it, and get this 
server returning a String representing a JOSE payload; the script then 
forwards it somewhere else...

Sergey
On 17/03/16 21:35, Sergey Beryozkin wrote:
> Hi
>
> You may be talking about WebCrypto.
>
> If you have a CXF client sending JSON, then JWE/JWS protecting it is
> easy enough, but if you have a script running in a browser then this script
> has no access to the key stores, unless it is a WebCrypto-aware browser,
> and most of them are by now AFAIK.
>
> See this demo:
>
>
> https://test.webpki.org/WCPPSignatureDemo/signcmd
>
> (it says a password is 1234). It shows an interaction between a
> WebCrypto (https://www.w3.org/TR/WebCryptoAPI/) browser based client
> and a regular Java HTTP server, the data are signed, using JOSE (JWS
> Compact) as one option.
>
> I actually presented this demo at Apache Con NA 2015, except I replaced
> the demo server with a CXF JWS-enabled server.
>
> Sergey
> On 17/03/16 15:45, Giriraj Bhojak wrote:
>> Hi,
>>
>> I have been struggling with a basic question related to using signing and
>> encryption for REST services.
>>
>> If the REST call (using JSON) happens over http or https via a
>> browser, how
>> can I ensure that JSON payload is signed and encrypted, just like a SOAP
>> request that is signed and encrypted?
>>
>> Is there a JavaScript component that I can use to implement JOSE for
>> browser based REST requests?
>>
>> Or am I interpreting this in a wrong way?
>>
>> Thanks,
>> Giriraj.
>>
>
>


-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Re: Signing and encrypting JSON payload for REST requests over a browser

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi

You may be talking about WebCrypto.

If you have a CXF client sending JSON, then JWE/JWS protecting it is 
easy enough, but if you have a script running in a browser then this script 
has no access to the key stores, unless it is a WebCrypto-aware browser, 
and most of them are by now AFAIK.

See this demo:


https://test.webpki.org/WCPPSignatureDemo/signcmd

(it says the password is 1234). It shows an interaction between a 
WebCrypto (https://www.w3.org/TR/WebCryptoAPI/) browser-based client
and a regular Java HTTP server; the data are signed, using JOSE (JWS 
Compact) as one option.

I actually presented this demo at Apache Con NA 2015, except I replaced 
the demo server with a CXF JWS-enabled server.

Sergey
On 17/03/16 15:45, Giriraj Bhojak wrote:
> Hi,
>
> I have been struggling with a basic question related to using signing and
> encryption for REST services.
>
> If the REST call (using JSON) happens over http or https via a browser, how
> can I ensure that JSON payload is signed and encrypted, just like a SOAP
> request that is signed and encrypted?
>
> Is there a JavaScript component that I can use to implement JOSE for
> browser based REST requests?
>
> Or am I interpreting this in a wrong way?
>
> Thanks,
> Giriraj.
>


-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/