Hi Sergei, Cool, you are faster in implementing new features as I can imagine :) I find nice that CXF provides own basic JWE/JWS support, will definitely play with it.
Regards, Andrei. > -----Original Message----- > From: Sergey Beryozkin [mailto:[email protected]] > Sent: Freitag, 29. August 2014 17:29 > To: [email protected] > Subject: Re: JWS/JWE > > Hi Andrei, Hermann > > CXF already provides, in snapshots, a fairly decent (IMHO) JWS/JWE support, > still needs some clean-up. And no JWK are supported yet, but see > https://issues.apache.org/jira/browse/CXF-5954, should be straightforward > enough to do. > The use-cases that CXF users will be able to address are as follows: > > - use it as part of OAuth2 applications, many OAuth2-related specs/submissions > are now talking about JWT (JSON token that can be signed/JWS or > encrypted/JWE), including Openid-Connect, we have a JIRA for integrating with > it too. > - Use it to sign/encrypt regular HTTP payloads, it's going to be used more and > more often IMHO going forward, and when WebCrypto gets out, CXF servers > would be able to talk to WebCrypto-aware browsers supporting JWS/JWE > > I've no plans to go and analyze precisely what jose4j can do and try to match > it > precisely in CXF (oauth2-jwt module). > > I've always been thinking that it's healthy enough to have multiple > implementations being around because it is simpler to optimize/adapt to other > CXF modules (ex, we can have JAX-RS JWS/JWE filters) and arguably it is > simpler to manage generally speaking, and may be it is also about ensuring > I'll > have something to do in 3 years time for example :-). > RestEasy started its own JWS/JWE effort even earlier AFAIK. > > For example, many people use Apache Oltu. Some of them may be using it with > CXF. That said, IMHO it's good CXF ships its OAuth2 implementation, it's > lower- > level and is a bit closer to CXF, some users may like it more, some users may > prefer a higher-level Oltu level, same way it would be for jose4j vs CXF > JWS/JWE, similar to CXF OAuth2 vs Oltu, or say, vs CXF JSONProvider (Jettison) > vs Jackson, all the combinations are welcome :-). > > I recommend people who would like to play with something different to what > CXF does or will do just use jose4j because it's a good standalone JWS/JWE > implementation. I downloaded it awhile back when I was getting lost about > RSA-OAEP non-reproducible outputs..., jose4j is very object oriented, and is > rich > in what it can do. > > But, Hermann, CXF JWS/JWE will be improved to make sure CXF users can do > most of JWS/JWE. It will not necessarily *directly* support all of JWS and JWE > algorithms compared to jose4j, but it will do support the key ones. You can > def > start with jose4j if you'd like something released and practically finalized, > you > can look at what CXF does later if you prefer > > > Cheers, Sergey > > > > On 29/08/14 15:59, Andrei Shakirin wrote: > > Hi Hermann, > > > > Sergei recently published some related information in this thread: > > http://cxf.547215.n5.nabble.com/Jose4j-is-available-in-Central-tt57479 > > 50.html Currently you be able to use JWS/JWE through custom JAX-RS > > request /response filters using Jose4j or plug it into CXF OAuth > implementation. > > > > Could you please describe your use case a bit more detailed? > > What are you exactly expecting from CXF JWS/JWE support? > > > > Regards, > > Andrei. > > > >> -----Original Message----- > >> From: Hermann Angstl [mailto:[email protected]] > >> Sent: Freitag, 29. August 2014 16:39 > >> To: [email protected] > >> Subject: JWS/JWE > >> > >> Hi there, > >> > >> quick question: Are there any plans to improve the support for > >> JWS/JWE in CXF up to (or even beyond) the level of jose.4.j? > >> > >> cheers, > >> Hermann
