[security-dev] Implementing JSON Security

Anil Saldhana Anil.Saldhana at redhat.com
Fri Aug 3 15:26:55 EDT 2012

Bill, I agree on the S/Mime part.

But the challenge is we cannot control what the clients use. If they use 
JSON Web Encryption and JSON Web Signatures as their payload interacting 
with a JAX-RS implementation, then you will fall short.

JWE and JWS are being standardized at IETF along with OAuth2. JSON Web 
Token (JWT) is one of the prominent tokens in use with OAuth2. Of course 
Eran complained loudly about JWT.

On 08/03/2012 01:54 PM, Bill Burke wrote:
> Also multipart/signed or a combination of multipart/signed and encrypted
> is supported as well.  I've tried it out in python as well.  So, JSON is
> not required as a payload and you can sign or encrypt basically anything
> you want.
> On 8/3/12 2:50 PM, Bill Burke wrote:
>> Looks like you're encrypting the whole document?  Why not use S/MIME
>> multipart/encrypted?
>> http://docs.jboss.org/resteasy/docs/2.3.4.Final/userguide/html/ch38.html
>> On 8/3/12 2:10 PM, Anil Saldhana wrote:
>>> Last few hours, I prototyped the outgoing json payload encryption that
>>> is described here:
>>> https://docs.jboss.org/author/display/SECURITY/Securing+JAX-RS+Payload
>>> On 08/02/2012 11:28 AM, Bill Burke wrote:
>>>> So why are you wasting your time with this?
>>>> On 8/2/12 12:26 PM, Anil Saldhana wrote:
>>>>> If Jackson needs to implement JSON security, they will have to code it.
>>>>> The pragmatic thing for Jackson would be to just incorporate this teeny
>>>>> library via maven dependency.
>>>>> On 08/02/2012 11:24 AM, Bill Burke wrote:
>>>>>> FYI, again, unless this works with Jackson, the de facto JSON parser,
>>>>>> you're probably not going to have many people taking advantage of this
>>>>>> work...
>>>>>> On 8/2/12 12:20 PM, Anil Saldhana wrote:
>>>>>>> The German Researcher Axel Nennker created a separate project
>>>>>>> http://code.google.com/p/jsoncrypto/. He has given me commit rights so I
>>>>>>> can mavenize his project.
>>>>>>> On 07/31/2012 10:15 AM, Anil Saldhana wrote:
>>>>>>>> I created a wiki article.
>>>>>>>> https://docs.jboss.org/author/display/SECURITY/JSON+Security
>>>>>>>> Will be adding more examples to this article.
>>>>>>>> On 07/30/2012 11:22 AM, Anil Saldhana wrote:
>>>>>>>>> Hi All,
>>>>>>>>>             as you know currently IETF is working on securing JSON.  The drafts
>>>>>>>>> are all available here:
>>>>>>>>> http://datatracker.ietf.org/wg/jose/
>>>>>>>>> So last week, I implemented at least the bare minimum we require to
>>>>>>>>> secure JSON.  But encryption is tricky given that there are a lot of
>>>>>>>>> algorithms that are not yet available in the JDK implementation but are
>>>>>>>>> available via the BouncyCastle project.
>>>>>>>>> Look at the supported table:
>>>>>>>>> http://www.ietf.org/mail-archive/web/jose/current/msg00928.html
>>>>>>>>> While I was doing my implementation, I found out that there is a German
>>>>>>>>> researcher working on a project called xmldap.org and has implemented
>>>>>>>>> the drafts fully. He has been doing this for months. His license is MIT
>>>>>>>>> style.  I have requested him to create a separate independent project
>>>>>>>>> for JOSE so everybody can reuse his work, rather than create umpteen
>>>>>>>>> implementations.  He has agreed to work with me.
>>>>>>>>> http://ignisvulpis.blogspot.com/2012/06/ecdh-es-for-json-web-encryption.html
>>>>>>>>> Regards,
>>>>>>>>> Anil

More information about the security-dev mailing list