Hi Anders,

Many thanks, very interesting.

I hope more CXF users, but also some of my colleagues who are interested in web security, will start experimenting sooner rather than later :-).

I'd also like to try a Merchant demo and see if CXF servers can 'participate' and, if not, what kind of runtime support they might need.
Addressing https://issues.apache.org/jira/browse/CXF-6532 can be one such step.

Cheers, Sergey

On 01/04/16 13:21, Anders Rundgren wrote:
> On 18/03/16 00:21, Giriraj Bhojak wrote:
> > I have been struggling with a basic question related to using signing and encryption for REST services.
> > If the REST call (using JSON) happens over http or https via a browser, how can I ensure that the JSON payload is signed and encrypted, just like a SOAP request that is signed and encrypted?
> > Is there a JavaScript component that I can use to implement JOSE for browser-based REST requests?
> > Or am I interpreting this in a wrong way?
>
> I think the answer given by Sergey was very good. I have added a few things below.
>
> Disclaimer: I'm a developer in this space so my views may be slightly "colored" :-)
>
> The initial problem, for which there's no easy workaround, is that browsers adhere to SOP (Same Origin Policy), making it less straightforward to create a signature for any server other than the one generating the key.
>
> Assuming that this is not a show-stopper, WebCrypto is suitable for creating the "technical" part of a signature (the signature value itself). The same goes for encryption.
>
> Formatting of signed and encrypted JSON data is an entirely different story, where I have personally spent considerable time on an alternative to IETF's JOSE suite. A comparison can be found here:
> https://cyberphone.github.io/openkeystore/resources/docs/jsonsignatures.html
>
> However, the question was really about REST requests, which as far as I can tell mix rather poorly with JOSE and JCS unless we are talking about individual attributes rather than the entire message.
>
> Encryption of complete REST requests would need specific support to be useful, since attributes wouldn't be available until a request has been fully decrypted. It seems to me that the advantages of REST would be a bit limited in such a scenario, but I could be wrong.
>
> FWIW, I'm not using WebCrypto much these days because SOP is too constraining for the kind of applications I'm working with. The following is a browser application which signs and encrypts data using platform-level keys.
> Messages are expressed in JSON using SOAP-like (but without any envelope) requests and responses:
> https://test.webpki.org/webpay-merchant
>
> Cheers,
> Anders R
-- 
Sergey Beryozkin
Talend Community Coders
http://coders.talend.com/
