On 2019-02-08 10:57, Colm O hEigeartaigh wrote:
Note that in CXF we support signing REST requests using XML Signature (
http://cxf.apache.org/docs/jax-rs-xml-security.html), JWS (
http://cxf.apache.org/docs/jax-rs-jose.html) + HTTP Signature.
Thanx!

The closest existing solution would then be:
http://cxf.apache.org/docs/jax-rs-jose.html#JAX-RSJOSE-JWSJSONwithUnencodedPayload

  {
    "payload" : "book",
    "signatures":
      [
        {
         "protected" : "eyJhbGciOiJIUzI1NiIsImN0eSI6InRleHQvcGxhaW4iLCJiNjQiOmZhbHNlLCJjcml0IjpbImI2NCJdfQ",
         "signature" : "fM7O2IVO3NsQeTGrFiMeLf_TKTsMSqnqmjnK40PwQ88"
        }
     ]
  }

This is not entirely comparable to

  {
    "@rest.uri": "https://example.com/transact/pay",
    "@rest.verb": "POST",
    "something": "data",

       Additional properties

    "@rest.signature": "eyJhbGciOiJIUzI1NiJ9..VHVItCBCb8Q5CI-49imarDtJeSxH2uLU0DhqQP5Zjw4"
  }

since the unencoded solution does not support arbitrary JSON data, only a [pretty lame]
"payload" element.
There seems to be no support for the other qualifiers of a REST request.

Anders.

Colm.

On Fri, Feb 8, 2019 at 7:27 AM Anders Rundgren <
[email protected]> wrote:

Since there is no IETF standard for signing REST requests and no
such activity in progress either, I took the liberty of outlining
a minimalist proposal:


https://github.com/cyberphone/json-canonicalization/blob/master/REST.signatures.md

Comments are as always welcome!

Anders
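
Added example, not part of the thread, CXF, or the linked proposal: a Python sketch of the two message shapes compared above, showing which bytes the MAC covers in each. The key, the `canonical` helper (a simplified stand-in for JSON canonicalization) and the rule that `@rest.signature` is a detached JWS over the object without that member are assumptions; the linked proposal is authoritative.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed sample key, not the key used in the thread
# Protected header copied from the CXF sample above: alg=HS256, b64=false, crit=["b64"]
CXF_PROTECTED = "eyJhbGciOiJIUzI1NiIsImN0eSI6InRleHQvcGxhaW4iLCJiNjQiOmZhbHNlLCJjcml0IjpbImI2NCJdfQ"
HS256_HEADER = "eyJhbGciOiJIUzI1NiJ9"  # base64url of {"alg":"HS256"}, as in the thread

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def hs256(signing_input: bytes) -> str:
    return b64u(hmac.new(KEY, signing_input, hashlib.sha256).digest())

def sign_unencoded(payload: str) -> dict:
    # RFC 7797 with b64=false: signing input is ASCII(protected) || "." || raw payload
    sig = hs256(CXF_PROTECTED.encode("ascii") + b"." + payload.encode("utf-8"))
    return {"payload": payload,
            "signatures": [{"protected": CXF_PROTECTED, "signature": sig}]}

def verify_unencoded(jws: dict) -> bool:
    # Only "payload" is an input here: the request URI and verb are not signed data
    entry = jws["signatures"][0]
    header = json.loads(b64u_decode(entry["protected"]))
    if header.get("alg") != "HS256" or header.get("b64") is not False:
        return False  # pin the algorithm and the payload encoding
    expected = hs256(entry["protected"].encode("ascii") + b"." + jws["payload"].encode("utf-8"))
    return hmac.compare_digest(expected.encode(), str(entry["signature"]).encode())

def canonical(obj: dict) -> bytes:
    # Simplified stand-in for JSON canonicalization; enough for flat ASCII string members
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")

def sign_embedded(request: dict) -> dict:
    # Assumed scheme: detached JWS ("header..signature") over the canonical object
    # with the signature member left out, so URI and verb are part of the signed data
    body = {k: v for k, v in request.items() if k != "@rest.signature"}
    sig = hs256(f"{HS256_HEADER}.{b64u(canonical(body))}".encode("ascii"))
    return {**body, "@rest.signature": f"{HS256_HEADER}..{sig}"}

def verify_embedded(request: dict) -> bool:
    given = str(request.get("@rest.signature", ""))
    parts = given.split(".")
    if len(parts) != 3 or parts[0] != HS256_HEADER or parts[1] != "":
        return False  # malformed value or unexpected algorithm header
    expected = sign_embedded(request)["@rest.signature"]
    return hmac.compare_digest(expected.encode(), given.encode())
```

A receiver using the embedded form would additionally compare `@rest.uri` and `@rest.verb` against the HTTP request it actually received before acting on it.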
