HTTP
HTTP/1.1 200 OK
Content-Type: application/jose+json
eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0.
UGhIOguC7IuEvf_NPVaXsGMoLOmwvc1GyqlIKOK1nN94nHPoltGRhWhw7Zx0-kFm
1NJn8LE9XShH59_i8J0PH5ZZyNfGy2xGdULU7sHNF6Gp2vPLgNZ__deLKxGHZ7Pc
HALUzoOegEI-8E66jX2E4zyJKx-YxzZIItRzC5hlRirb6Y5Cl_p-ko3YvkkysZIF
NPccxRU7qve1WYPxqbb2Yw8kZqa2rMWI5ng8OtvzlV7elprCbuPhcCdZ6XDP0_F8
rkXds2vE4X-ncOIM8hAYHHi29NX0mcKiRaD0-D-ljQTP-cFPgwCp6X-nZZd9OHBv
-B3oWh2TbqmScqXMR4gp_A.
AxY8DCtDaGlsbGljb3RoZQ.
KDlTtXchhZTGufMYmOYGS4HffxPSUrfmqCHXaI9wOGY.
9hH0vgRfYgPnAHOd8stkvw
Like JSON Web Signatures, the encoded header for JWE is a simple JSON document that
describes the message. Minimally, it has an alg value that names the algorithm used to
encrypt the content encryption key and an enc value that names the content encryption method. It often has a cty
header that describes the Content-Type of the message signed. For example:
{
  "alg" : "RSA1_5",
  "enc" : "A128CBC-HS256",
  "cty" : "application/xml"
}
The algorithms you can use for encryption come in two flavors. You can use a shared secret
(i.e., a password) to encrypt the data, or you can use an asymmetric key pair (i.e., a public
and private key).
As for the other encoded parts of the JWE format, these are really specific to the algorithm
you are using and something I'm not going to go over.
As with JWS, the reason I like JWE is that it is HTTP-header-friendly. If you want to encrypt
an HTTP header value, JWE works quite nicely.
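As an added illustration (this is not code from the book), here is a small Python parser that splits the compact serialization shown above into its five dot-separated parts, decodes the protected header, and checks alg and enc against a receiver-side allow-list before any decryption would be attempted. The allowed-algorithm sets and the IV/tag size table are assumptions chosen for this example.

```python
import base64
import json
import re

# Input: the compact serialization printed above (from the text), reassembled
# onto one line (header.encrypted_key.iv.ciphertext.tag).
SAMPLE_JWE = (
    "eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0."
    "UGhIOguC7IuEvf_NPVaXsGMoLOmwvc1GyqlIKOK1nN94nHPoltGRhWhw7Zx0-kFm"
    "1NJn8LE9XShH59_i8J0PH5ZZyNfGy2xGdULU7sHNF6Gp2vPLgNZ__deLKxGHZ7Pc"
    "HALUzoOegEI-8E66jX2E4zyJKx-YxzZIItRzC5hlRirb6Y5Cl_p-ko3YvkkysZIF"
    "NPccxRU7qve1WYPxqbb2Yw8kZqa2rMWI5ng8OtvzlV7elprCbuPhcCdZ6XDP0_F8"
    "rkXds2vE4X-ncOIM8hAYHHi29NX0mcKiRaD0-D-ljQTP-cFPgwCp6X-nZZd9OHBv"
    "-B3oWh2TbqmScqXMR4gp_A."
    "AxY8DCtDaGlsbGljb3RoZQ."
    "KDlTtXchhZTGufMYmOYGS4HffxPSUrfmqCHXaI9wOGY."
    "9hH0vgRfYgPnAHOd8stkvw"
)

# Assumed table: IV and authentication-tag sizes in bytes for the content
# encryption method named by "enc" (A128CBC-HS256: 16-byte IV, 16-byte tag).
IV_TAG_LEN = {"A128CBC-HS256": (16, 16)}


def b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url, rejecting anything outside the JOSE alphabet."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+", segment):
        raise ValueError("segment is not base64url")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def parse_jwe(token, allowed_alg=frozenset({"RSA1_5", "RSA-OAEP"}),
              allowed_enc=frozenset({"A128CBC-HS256"})):
    """Split the five dot-separated parts and vet the protected header."""
    # The header is untrusted input: the receiver pins the alg/enc values it
    # accepts rather than letting the message choose the algorithm.
    parts = token.split(".")
    if len(parts) != 5:
        raise ValueError("JWE compact serialization must have exactly 5 parts")
    header = json.loads(b64url_decode(parts[0]))
    alg, enc = header.get("alg"), header.get("enc")
    if alg not in allowed_alg or enc not in allowed_enc:
        raise ValueError(f"unsupported alg/enc: {alg}/{enc}")
    encrypted_key, iv, ciphertext, tag = (b64url_decode(p) for p in parts[1:])
    iv_len, tag_len = IV_TAG_LEN[enc]
    if len(iv) != iv_len or len(tag) != tag_len:
        raise ValueError("IV or tag length does not match enc")
    return {"header": header, "encrypted_key": encrypted_key,
            "iv": iv, "ciphertext": ciphertext, "tag": tag}
```

Running `parse_jwe(SAMPLE_JWE)` yields the header `{"alg": "RSA1_5", "enc": "A128CBC-HS256"}`, a 256-byte encrypted key (a 2048-bit RSA modulus), a 16-byte IV, 32 bytes of ciphertext and a 16-byte tag; the actual decryption with the private key is the step the book leaves out.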
Wrapping Up
In this chapter, we discussed a few of the authentication protocols used on the
Internet—specifically, Basic, Digest, and Client Certificate Authentication. You learned how to
configure your JAX-RS applications to be secure using the metadata provided by the servlet
and Java EE specifications. You also learned about OAuth as well as digital signatures and
encryption of HTTP messages. Chapter 29 contains some code you can use to test-drive
many of the concepts in this chapter.