Re: Signing and encrypting JSON payload for REST requests over a browser

2016-04-01 Thread Anders Rundgren
On 18/03/16 00:21, Giriraj Bhojak wrote:
> I have been struggling with a basic question related to using signing and encryption for REST services. If the REST call (using JSON) happens over http or https via a browser, how can I ensure that JSON payload is signed and encrypted, just like a

Signing and encrypting JSON payload for REST requests over a browser

2016-03-19 Thread Giriraj Bhojak
Hi, I have been struggling with a basic question related to using signing and encryption for REST services. If the REST call (using JSON) happens over http or https via a browser, how can I ensure that JSON payload is signed and encrypted, just like a SOAP request that is signed and encrypted?

Re: Signing and encrypting JSON payload for REST requests over a browser

2016-03-19 Thread Sergey Beryozkin
Hi,
On 18/03/16 00:21, Giriraj Bhojak wrote:
> Thank you Sergey. I went through the spec. It mentions that the spec is not stable yet and is subject to change. Would you know if it is widely used?

There are two specs involved here, JOSE and WebCrypto, the former is stable and is already quite

Re: Signing and encrypting JSON payload for REST requests over a browser

2016-03-19 Thread Sergey Beryozkin
Hi

You may be talking about WebCrypto. If you have a CXF client sending JSON, then JWE/JWS protecting it is easy enough, but if you have a script running in a browser then this script has no access to the key stores, unless it is a WebCrypto-aware browser, and most of them are by now AFAIK,

Re: Signing and encrypting JSON payload for REST requests over a browser

2016-03-19 Thread Sergey Beryozkin
Or a browser may ask a trusted server to help with it, and get this server to return a String representing a JOSE payload, and the script then forwards it somewhere else...

Sergey

On 17/03/16 21:35, Sergey Beryozkin wrote:
> Hi You may be talking about WebCrypto. If you have a CXF client sending

Re: Signing and encrypting JSON payload for REST requests over a browser

2016-03-19 Thread Giriraj Bhojak
Thank you very much Sergey.

Thanks,
Giriraj

On Mar 18, 2016 6:06 AM, "Sergey Beryozkin" wrote:
> Hi,
> On 18/03/16 00:21, Giriraj Bhojak wrote:
>
>> Thank you Sergey.
>> I went through the spec. It mentions that the spec is not stable yet and is subject to change.

Re: Signing and encrypting JSON payload for REST requests over a browser

2016-03-19 Thread Giriraj Bhojak
Thank you Sergey. I went through the spec. It mentions that the spec is not stable yet and is subject to change. Would you know if it is widely used? I was hoping to use one of the JavaScript tools such as jsrsasign, but it looks like it is out of the picture. Would you be able to share the source