HTTP/1.1 200 OK
Content-Type: application/jose+json
Like JSON Web Signatures, the encoded header for JWE is a simple JSON document that
describes the message. Minimally, it has an alg value that names the algorithm used to
encrypt (wrap) the content encryption key and an enc value that names the content encryption
method. It often has a cty header that describes the Content-Type of the message signed.
For example:
{
   "alg": "RSA1_5",
   "enc": "A128CBC-HS256",
   "cty": "application/xml"
}
The algorithms you can use for encryption come in two flavors. You can use a shared secret
(i.e., a password) to encrypt the data, or you can use an asymmetric key pair (i.e., a public
and private key).
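To make the header format concrete, here is an added Python example (not code from the book or from any JAX-RS library) that builds a JWE protected header the way RFC 7516 specifies it (compact JSON, base64url without padding), splits a compact-serialization string into its five parts, and checks the alg and enc values against a receiver-side allow-list before anything is decrypted. The allow-list contents are an assumption for this example; the header values and the sample JWE string are constructed, with placeholder bytes standing in for the encrypted key, IV, ciphertext, and tag.

```python
import base64
import json


def b64url_encode(data: bytes) -> str:
    """base64url without '=' padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Re-add padding so the standard library decoder accepts JOSE input."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_protected_header(header: dict) -> str:
    """JWE protected header = BASE64URL(UTF8(JSON)), serialized without whitespace."""
    return b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8"))


# Assumed receiver policy: accept only the algorithms this service was configured for.
# RSA1_5 (PKCS#1 v1.5 key wrapping) is deliberately absent; RFC 8725 advises against it
# because of padding-oracle attacks on the key-unwrap step.
ALLOWED_ALG = {"RSA-OAEP", "RSA-OAEP-256", "dir"}
ALLOWED_ENC = {"A128CBC-HS256", "A256GCM"}


class JWEHeaderError(ValueError):
    """Raised when the protected header is malformed or not allowed by policy."""


def parse_jwe_header(compact: str) -> dict:
    """Split a compact JWE and return its protected header if it passes policy.

    Only the header is inspected here; key unwrapping and decryption would follow.
    """
    parts = compact.split(".")
    if len(parts) != 5:
        raise JWEHeaderError(f"expected 5 dot-separated parts, got {len(parts)}")
    try:
        header = json.loads(b64url_decode(parts[0]).decode("utf-8"))
    except (ValueError, UnicodeDecodeError) as exc:
        raise JWEHeaderError("protected header is not valid base64url JSON") from exc
    if not isinstance(header, dict):
        raise JWEHeaderError("protected header must be a JSON object")
    for key in ("alg", "enc"):
        if key not in header:
            raise JWEHeaderError(f"missing required header parameter '{key}'")
    if header["alg"] not in ALLOWED_ALG:
        raise JWEHeaderError(f"alg {header['alg']!r} is not allowed by policy")
    if header["enc"] not in ALLOWED_ENC:
        raise JWEHeaderError(f"enc {header['enc']!r} is not allowed by policy")
    return header


def header_is_acceptable(compact: str) -> bool:
    """Convenience wrapper: True if the header parses and passes the allow-list."""
    try:
        parse_jwe_header(compact)
        return True
    except JWEHeaderError:
        return False


def additional_authenticated_data(compact: str) -> bytes:
    """RFC 7516 section 5.1, step 14: AAD = ASCII(BASE64URL(protected header)).

    Because the header is fed into the AEAD tag, a recipient that verifies the tag
    also detects any modification of alg, enc, or cty after encryption.
    """
    return compact.split(".")[0].encode("ascii")


def make_sample_jwe(header: dict) -> str:
    """Constructed sample: real header, placeholder bytes for the other four parts."""
    filler = [b64url_encode(b"encrypted-key"), b64url_encode(b"iv"),
              b64url_encode(b"ciphertext"), b64url_encode(b"tag")]
    return ".".join([encode_protected_header(header)] + filler)


if __name__ == "__main__":
    good = make_sample_jwe({"alg": "RSA-OAEP", "enc": "A128CBC-HS256", "cty": "application/xml"})
    print("accepted:", parse_jwe_header(good))
    legacy = make_sample_jwe({"alg": "RSA1_5", "enc": "A128CBC-HS256", "cty": "application/xml"})
    try:
        parse_jwe_header(legacy)
    except JWEHeaderError as err:
        print("rejected:", err)
```

The important design point is that the receiver decides which alg and enc values it will honour; it never lets the sender's header pick the algorithm on its own, which is the same rule that applies to JWS alg handling.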
As for the other encoded parts of the JWE format, these are really specific to the algorithm
you are using and something I'm not going to go over.
As with JWS, the reason I like JWE is that it is HTTP-header-friendly. If you want to encrypt
an HTTP header value, JWE works quite nicely.
In this chapter, we discussed a few of the authentication protocols used on the
Internet—specifically, Basic, Digest, and Client Certificate Authentication. You learned how to
configure your JAX-RS applications to be secure using the metadata provided by the servlet
and Java EE specifications. You also learned about OAuth as well as digital signatures and
encryption of HTTP messages. Chapter 29 contains some code you can use to test-drive
many of the concepts in this chapter.