Or a browser may ask a trusted server to help with it, and get this server to return a String representing a JOSE payload, which the script then forwards somewhere else...

Sergey
On 17/03/16 21:35, Sergey Beryozkin wrote:
Hi

You may be talking about WebCrypto.

If you have a CXF client sending JSON, then JWE/JWS protecting it is
easy enough, but if you have a script running in a browser then this script
has no access to the key stores, unless it is a WebCrypto-aware browser,
and most of them are by now AFAIK.

See this demo:


https://test.webpki.org/WCPPSignatureDemo/signcmd

(it says a password is 1234). It shows an interaction between a
WebCrypto (https://www.w3.org/TR/WebCryptoAPI/) browser based client
and a regular Java HTTP server, the data are signed, using JOSE (JWS
Compact) as one option.

I actually presented this demo at Apache Con NA 2015, except I replaced
the demo server with a CXF JWS-enabled server.

Sergey
On 17/03/16 15:45, Giriraj Bhojak wrote:
Hi,

I have been struggling with a basic question related to using signing and
encryption for REST services.

If the REST call (using JSON) happens over http or https via a browser, how
can I ensure that JSON payload is signed and encrypted, just like a SOAP
request that is signed and encrypted?

Is there a JavaScript component that I can use to implement JOSE for
browser based REST requests?

Or am I interpreting this in a wrong way?

Thanks,
Giriraj.





--
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/
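
The browser-side signing discussed in this thread, as an added example that is not part of the original messages, of CXF, or of the webpki.org demo: a script signs a JSON payload as JWS Compact (ES256) with WebCrypto using a non-extractable private key, and a verifier pins the algorithm before checking the signature. The function names are hypothetical, and how the server learns the public key is assumed to be handled elsewhere.

```javascript
// Added example (not from the thread): JWS Compact (ES256) via WebCrypto.
// Works in a WebCrypto-capable browser; the fallback covers older Node.js.
const subtle = globalThis.crypto?.subtle ?? require('node:crypto').webcrypto.subtle;
const enc = new TextEncoder(), dec = new TextDecoder();

// base64url without padding, as JWS requires
function b64url(bytes) {
  let s = '';
  for (const b of new Uint8Array(bytes)) s += String.fromCharCode(b);
  return btoa(s).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function fromB64url(str) {
  const b64 = str.replace(/-/g, '+').replace(/_/g, '/');
  const bin = atob(b64 + '='.repeat((4 - (b64.length % 4)) % 4));
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

// extractable=false: the script can sign with the private key but never export it
function makeKeyPair() {
  return subtle.generateKey({ name: 'ECDSA', namedCurve: 'P-256' }, false, ['sign', 'verify']);
}

// header.payload.signature; WebCrypto ECDSA output is already the raw r||s JWS expects
async function signCompact(payloadObj, privateKey) {
  const header = b64url(enc.encode(JSON.stringify({ alg: 'ES256' })));
  const payload = b64url(enc.encode(JSON.stringify(payloadObj)));
  const sig = await subtle.sign({ name: 'ECDSA', hash: 'SHA-256' }, privateKey,
    enc.encode(`${header}.${payload}`));
  return `${header}.${payload}.${b64url(sig)}`;
}

// Returns the parsed payload, or null if the JWS is malformed or the signature fails
async function verifyCompact(jws, publicKey) {
  const parts = jws.split('.');
  if (parts.length !== 3) return null;
  const [header, payload, sig] = parts;
  try {
    // Pin the algorithm: the verifier decides it, not the sender-controlled header
    if (JSON.parse(dec.decode(fromB64url(header))).alg !== 'ES256') return null;
    const ok = await subtle.verify({ name: 'ECDSA', hash: 'SHA-256' }, publicKey,
      fromB64url(sig), enc.encode(`${header}.${payload}`));
    return ok ? JSON.parse(dec.decode(fromB64url(payload))) : null;
  } catch {
    return null;
  }
}
```

A signature only protects integrity and origin; confidentiality of the payload still needs TLS or JWE, as the question's "signed and encrypted" implies.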
