cxf-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Sergey Beryozkin <>
Subject Re: JWS/JWE
Date Fri, 29 Aug 2014 15:29:19 GMT
Hi Andrei, Hermann

CXF already provides, in snapshots, a fairly decent (IMHO) JWS/JWE 
support, still needs some clean-up. And no JWK are supported yet, but 
see, should be 
straightforward enough to do.
The use-cases that CXF users will be able to address are as follows:

- use it as part of OAuth2 applications, many OAuth2-related 
specs/submissions are now talking about JWT (JSON token that can be 
signed/JWS or encrypted/JWE), including Openid-Connect, we have a JIRA 
for integrating with it too.
- Use it to sign/encrypt regular HTTP payloads, it's going to be used 
more and more often IMHO going forward, and when WebCrypto gets out, CXF 
servers would be able to talk to WebCrypto-aware browsers supporting JWS/JWE

I've no plans to go and analyze precisely what jose4j can do and try to 
match it precisely in CXF (oauth2-jwt module).

I've always been thinking that it's healthy enough to have multiple 
implementations being around because it is simpler to optimize/adapt to 
other CXF modules (ex, we can have JAX-RS JWS/JWE filters) and arguably 
it is simpler to manage generally speaking, and may be it is also about 
ensuring I'll have something to do in 3 years time for example :-). 
RestEasy started its own JWS/JWE effort even earlier AFAIK.

For example, many people use Apache Oltu. Some of them may be using it 
with CXF. That said, IMHO it's good CXF ships its OAuth2 implementation, 
it's lower-level and is a bit closer to CXF, some users may like it 
more, some users may prefer a higher-level Oltu level, same way it would 
be for jose4j vs CXF JWS/JWE, similar to CXF OAuth2 vs Oltu, or say, vs 
CXF JSONProvider (Jettison) vs Jackson, all the combinations are welcome 

I recommend people who would like to play with something different to 
what CXF does or will do just use jose4j because it's a good standalone 
JWS/JWE implementation. I downloaded it awhile back when I was getting 
lost about RSA-OAEP non-reproducible outputs..., jose4j is very object 
oriented, and is rich in what it can do.

But, Hermann, CXF JWS/JWE will be improved to make sure CXF users can do 
most of JWS/JWE. It will not necessarily *directly* support all of JWS 
and JWE algorithms compared to jose4j, but it will do support the key 
ones. You can def start with jose4j if you'd like something released and 
practically finalized, you can look at what CXF does later if you prefer

Cheers, Sergey

On 29/08/14 15:59, Andrei Shakirin wrote:
> Hi Hermann,
> Sergei recently published some related information in this thread:
> Currently you be able to use JWS/JWE through custom JAX-RS request /response filters
using Jose4j or plug it into CXF OAuth implementation.
> Could you please describe your use case a bit more detailed?
> What are you exactly expecting from CXF JWS/JWE support?
> Regards,
> Andrei.
>> -----Original Message-----
>> From: Hermann Angstl []
>> Sent: Freitag, 29. August 2014 16:39
>> To:
>> Subject: JWS/JWE
>> Hi there,
>> quick question: Are there any plans to improve the support for JWS/JWE in CXF
>> up to (or even beyond) the level of jose.4.j?
>> cheers,
>> Hermann

View raw message