cC4hiUPoj9Eetdgtv3hF80EGrhuB__dzERat0XF9g2VtQgr9PJbu3XOiZj5RZmh7
AAuHIm4Bh-0Qc_lF5YKt_O8W2Fp5jujGbds9uJdbF9CUAr7t1dnZcAcQjbKBYNX4
BAynRFdiuB--f_nZLgrnbyTyWzO75vRK5h6xBArLIARNPvkSjtQBMHlb1L07Qe7K
0GarZRmB_eSN9383LcOLn6_dO--xi12jzDwusC-eOkHWEsqtFZESc6BfI7noOPqv
hJ1phCnvWh6IeYI2w9QOYEUipUTI8np6LbgGY9Fs98rqVt5AXLIhWkWywlVmtVrB
p0igcN_IoypGlUPQGe77Rw
Let's break down how an encoded JWS is created. The first encoded part of the format is a
JSON header document that describes the message. Minimally, it has an alg value that names
the algorithm used to sign the message. It also often has a cty header that gives the
Content-Type of the signed message. For example:
{
  "alg" : "RS256",
  "cty" : "application/xml"
}
The second encoded part of the JWS format is the actual content you are sending. It can be
anything you want, like a simple text message, a JSON or XML document, or even an image
or audio file; really, it can be any set of bytes or format you want to transmit.
Finally, the third encoded part of the JWS format is the encoded digital signature of the
content. It is computed over the first two encoded parts, and the algorithm used to create
it must be the one named in the header part of the JWS message.
What I like about JOSE JWS is that it is HTTP-header-friendly. Since it is a plain ASCII
string built from the URL-safe base64 alphabet and the . delimiter, you can include it within
an HTTP header value without any quoting or escaping. This lets you send JSON or even
binary values within an HTTP header quite easily.
Encrypting Representations
While you can rely on HTTPS to encrypt your HTTP requests and responses, I noted earlier
that you may have some scenarios where you want to encrypt the HTTP message body of
your requests and responses. Specifically, consider scenarios where you are sending
messages to a public or untrusted intermediary. While there are a few standard ways to encrypt
your representations, my favorite is JOSE JSON Web Encryption. [19]
JWE is a compact text format. It consists of five base64url-encoded strings delimited by a .
character. The first encoded string is a JSON header describing what is being transmitted: its
alg value names the key-management algorithm that protects the content-encryption key, and
its enc value names the algorithm that encrypts the content. The second encoded string is the
content-encryption key, itself encrypted for the recipient. The third is the initialization vector
used by the content-encryption algorithm. The fourth is the actual encrypted message. And
finally, the fifth is the authentication tag, which the recipient checks to verify that neither the
ciphertext nor the header has been tampered with. The media type for the compact JOSE
serialization is application/jose (application/jose+json is reserved for the JSON
serialization). So here's what a full HTTP response containing JWE might look like:
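As an added example that is not part of the book, the following Python program, using only the standard library, builds and verifies a compact JWS and splits a compact JWE into the five segments described above. It signs with HS256 (HMAC-SHA256) instead of the RS256 shown in the text, because RSA signing needs a third-party library; the compact layout and the verification rules are the same. The JWE it parses is assembled from placeholder bytes (nothing in it is really encrypted), and every key, payload and header value is constructed for this example.

```python
# Added example (not from the book): build, split and verify JOSE compact
# serializations with only the Python standard library.
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    """JOSE uses the URL-safe base64 alphabet with '=' padding removed."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding the encoder stripped, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jws_sign_hs256(payload: bytes, key: bytes, cty=None) -> str:
    """Produce header.payload.signature, signed with HMAC-SHA256.

    HS256 stands in for the RS256 of the text so that no RSA library is
    needed; the compact layout is identical."""
    header = {"alg": "HS256"}
    if cty is not None:
        header["cty"] = cty
    enc_header = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    enc_payload = b64url_encode(payload)
    # The signature covers the two encoded segments joined by '.', exactly
    # as they will appear on the wire.
    signing_input = f"{enc_header}.{enc_payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{enc_header}.{enc_payload}.{b64url_encode(sig)}"


def jws_verify_hs256(token: str, key: bytes) -> bytes:
    """Return the payload if the signature is valid, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    enc_header, enc_payload, enc_sig = parts
    header = json.loads(b64url_decode(enc_header))
    # The header is sender-controlled. A verifier that dispatches on
    # header["alg"] can be talked into "none" or into using an RSA public
    # key as an HMAC secret, so pin the algorithm you expect instead.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    signing_input = f"{enc_header}.{enc_payload}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(enc_sig)):
        raise ValueError("bad signature")
    return b64url_decode(enc_payload)


JWE_SEGMENTS = ("protected_header", "encrypted_key", "iv", "ciphertext", "tag")


def jwe_split(token: str) -> dict:
    """Split a compact JWE into its five decoded segments (no decryption).

    Only the protected header is readable without the recipient's key; it
    is cleartext, so it must never carry secrets."""
    parts = token.split(".")
    if len(parts) != 5:
        raise ValueError("not a compact JWE")
    segments = dict(zip(JWE_SEGMENTS, (b64url_decode(p) for p in parts)))
    segments["header"] = json.loads(segments["protected_header"])
    return segments


def constructed_jwe() -> str:
    """A JWE-shaped token built from placeholder bytes for the parser above.

    Constructed for this example: nothing here is really encrypted, but the
    segment sizes match an RSA-2048 wrapped key and AES-256-GCM content
    encryption (96-bit IV, 128-bit tag)."""
    header = {"alg": "RSA-OAEP", "enc": "A256GCM", "cty": "application/xml"}
    segs = [json.dumps(header, separators=(",", ":")).encode(),
            bytes(256), bytes(12), b"placeholder ciphertext", bytes(16)]
    return ".".join(b64url_encode(s) for s in segs)


if __name__ == "__main__":
    key = b"constructed-demo-secret"
    token = jws_sign_hs256(b"<order id='1'/>", key, cty="application/xml")
    print("JWS:", token)
    print("payload:", jws_verify_hs256(token, key))
    jwe = jwe_split(constructed_jwe())
    print("JWE header:", jwe["header"], "iv bytes:", len(jwe["iv"]))
```

The verifier rejects a token whose header claims a different algorithm before it looks at the signature, and compares MACs with hmac.compare_digest to avoid timing leaks; a real RS256 verifier should pin the algorithm and the key the same way.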