Hi Andrei, Hermann

CXF already provides, in snapshots, a fairly decent (IMHO) JWS/JWE
support, still needs some clean-up. And no JWK are supported yet, but
see https://issues.apache.org/jira/browse/CXF-5954, should be
straightforward enough to do.

The use-cases that CXF users will be able to address are as follows:

- use it as part of OAuth2 applications, many OAuth2-related
specs/submissions are now talking about JWT (JSON token that can be
signed/JWS or encrypted/JWE), including OpenID Connect, we have a JIRA
for integrating with it too.
- Use it to sign/encrypt regular HTTP payloads, it's going to be used
more and more often IMHO going forward, and when WebCrypto gets out, CXF
servers would be able to talk to WebCrypto-aware browsers supporting JWS/JWE.

I've no plans to go and analyze precisely what jose4j can do and try to
match it precisely in CXF (oauth2-jwt module).

I've always been thinking that it's healthy enough to have multiple
implementations being around because it is simpler to optimize/adapt to
other CXF modules (ex, we can have JAX-RS JWS/JWE filters) and arguably
it is simpler to manage generally speaking, and maybe it is also about
ensuring I'll have something to do in 3 years time for example :-).
RestEasy started its own JWS/JWE effort even earlier AFAIK.

For example, many people use Apache Oltu. Some of them may be using it
with CXF. That said, IMHO it's good CXF ships its OAuth2 implementation,
it's lower-level and is a bit closer to CXF, some users may like it
more, some users may prefer a higher-level Oltu level, same way it would
be for jose4j vs CXF JWS/JWE, similar to CXF OAuth2 vs Oltu, or say, vs
CXF JSONProvider (Jettison) vs Jackson, all the combinations are welcome
:-).

I recommend people who would like to play with something different to
what CXF does or will do just use jose4j because it's a good standalone
JWS/JWE implementation. I downloaded it a while back when I was getting
lost about RSA-OAEP non-reproducible outputs..., jose4j is very object
oriented, and is rich in what it can do.

But, Hermann, CXF JWS/JWE will be improved to make sure CXF users can do
most of JWS/JWE. It will not necessarily *directly* support all of JWS
and JWE algorithms compared to jose4j, but it will support the key
ones. You can def start with jose4j if you'd like something released and
practically finalized, you can look at what CXF does later if you prefer.

Cheers, Sergey

On 29/08/14 15:59, Andrei Shakirin wrote:

Hi Hermann,

Sergei recently published some related information in this thread:
http://cxf.547215.n5.nabble.com/Jose4j-is-available-in-Central-tt5747950.html

Currently you are able to use JWS/JWE through custom JAX-RS request/response
filters using Jose4j or plug it into CXF OAuth implementation.

Could you please describe your use case in a bit more detail?
What exactly are you expecting from CXF JWS/JWE support?

Regards,
Andrei.

-----Original Message-----
From: Hermann Angstl [mailto:[email protected]]
Sent: Freitag, 29. August 2014 16:39
To: [email protected]
Subject: JWS/JWE

Hi there,

quick question: Are there any plans to improve the support for JWS/JWE in CXF
up to (or even beyond) the level of jose.4.j?

cheers,
Hermann