
Get access to REST API using JWT security token

I have an RSA key in the format

<RSAKeyValue>
  <Modulus> ..</Modulus>
  <Exponent>..</Exponent>
 ... 
</RSAKeyValue>

I need to get a connection to a REST API using Java. I should use a JWT security token with the scheme "TokenIssuer". The Nimbus library provides the following example for doing it. Will it help me, or do I need something else? If so, where should I write the RSA key?

import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Date;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSSigner;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;

// RSA signatures require a public and private RSA key pair,
// the public key must be made known to the JWS recipient in
// order to verify the signatures
KeyPairGenerator keyGenerator = KeyPairGenerator.getInstance("RSA");
keyGenerator.initialize(1024);

KeyPair kp = keyGenerator.genKeyPair();
RSAPublicKey publicKey = (RSAPublicKey)kp.getPublic();
RSAPrivateKey privateKey = (RSAPrivateKey)kp.getPrivate();

// Create RSA-signer with the private key
JWSSigner signer = new RSASSASigner(privateKey);

// Prepare JWT with claims set
// Note: the setter calls below are from an older nimbus-jose-jwt release; in
// current releases JWTClaimsSet is immutable and built with JWTClaimsSet.Builder
JWTClaimsSet claimsSet = new JWTClaimsSet();
claimsSet.setSubject("alice");
claimsSet.setIssueTime(new Date());
claimsSet.setIssuer("https://c2id.com");

SignedJWT signedJWT = new SignedJWT(new JWSHeader(JWSAlgorithm.RS256), claimsSet);

// Compute the RSA signature
signedJWT.sign(signer);

// To serialize to compact form, produces something like
// eyJhbGciOiJSUzI1NiJ9.SW4gUlNBIHdlIHRydXN0IQ.IRMQENi4nJyp4er2L
// mZq3ivwoAjqa1uUkSBKFIX7ATndFF5ivnt-m8uApHO4kfIFOrW7w2Ezmlg3Qd
// maXlS9DhN0nUk_hGI3amEjkKd0BWYCB8vfUbUv0XGjQip78AI4z1PrFRNidm7
// -jPDm5Iq0SZnjKjCNS5Q15fokXZc8u0A
String s = signedJWT.serialize();

// To parse the JWS and verify it, e.g. on client-side
signedJWT = SignedJWT.parse(s);

JWSVerifier verifier = new RSASSAVerifier(publicKey);
assertTrue(signedJWT.verify(verifier));

// Retrieve the JWT claims
assertEquals("alice", signedJWT.getJWTClaimsSet().getSubject());
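
An added example (not part of the question and not the Nimbus project's own code) showing where the key from the question goes: the XML <RSAKeyValue> elements are decoded into java.security key specs, and the resulting keys are handed to the Nimbus signer and verifier in place of the generated pair in the snippet above. It assumes the element contents are base64-encoded big-endian unsigned integers with the .NET names Modulus, Exponent, P, Q, DP, DQ, InverseQ and D, uses the JWTClaimsSet.Builder API of current nimbus-jose-jwt releases, and, so that it runs offline, generates a throwaway key pair and exports it in that XML layout as a constructed stand-in for a real key file. The issuer URL is a placeholder.

```java
import java.io.ByteArrayInputStream;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateCrtKey;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.RSAPrivateCrtKeySpec;
import java.security.spec.RSAPublicKeySpec;
import java.util.Arrays;
import java.util.Base64;
import java.util.Date;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

public class XmlRsaKeyJwt {
    // Parse the <RSAKeyValue> document with DOCTYPE/entity expansion disabled: a key
    // file is input like any other and should not be able to trigger XXE.
    static Document parseXml(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }
    // Each element holds a base64 big-endian unsigned integer; signum 1 keeps it unsigned.
    static BigInteger element(Document doc, String name) {
        NodeList nodes = doc.getElementsByTagName(name);
        if (nodes.getLength() != 1) throw new IllegalArgumentException("expected exactly one <" + name + ">");
        return new BigInteger(1, Base64.getMimeDecoder().decode(nodes.item(0).getTextContent().trim()));
    }
    static RSAPublicKey publicKeyFromXml(String xml) throws Exception {
        Document d = parseXml(xml);
        return (RSAPublicKey) KeyFactory.getInstance("RSA")
            .generatePublic(new RSAPublicKeySpec(element(d, "Modulus"), element(d, "Exponent")));
    }
    static RSAPrivateKey privateKeyFromXml(String xml) throws Exception {
        Document d = parseXml(xml);
        RSAPrivateCrtKeySpec spec = new RSAPrivateCrtKeySpec(
            element(d, "Modulus"), element(d, "Exponent"), element(d, "D"),
            element(d, "P"), element(d, "Q"), element(d, "DP"), element(d, "DQ"), element(d, "InverseQ"));
        return (RSAPrivateKey) KeyFactory.getInstance("RSA").generatePrivate(spec);
    }
    // Issuer side: RS256-signed JWT with a short lifetime.
    static String issueToken(RSAPrivateKey privateKey, String subject) throws Exception {
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
            .subject(subject)
            .issuer("https://issuer.example") // placeholder: use whatever the target API expects
            .issueTime(new Date())
            .expirationTime(new Date(System.currentTimeMillis() + 5 * 60 * 1000))
            .build();
        SignedJWT jwt = new SignedJWT(new JWSHeader(JWSAlgorithm.RS256), claims);
        jwt.sign(new RSASSASigner(privateKey));
        return jwt.serialize();
    }
    // Verifier side: pin the algorithm rather than trusting the token's "alg" header, then check exp.
    static boolean verifyToken(String token, RSAPublicKey publicKey) throws Exception {
        SignedJWT jwt = SignedJWT.parse(token);
        if (!JWSAlgorithm.RS256.equals(jwt.getHeader().getAlgorithm())) return false;
        if (!jwt.verify(new RSASSAVerifier(publicKey))) return false;
        Date exp = jwt.getJWTClaimsSet().getExpirationTime();
        return exp != null && exp.after(new Date());
    }
    // --- Constructed sample: export a generated key in the question's XML layout ---
    static String b64(BigInteger v) {
        byte[] b = v.toByteArray();
        if (b.length > 1 && b[0] == 0) b = Arrays.copyOfRange(b, 1, b.length); // drop the sign byte
        return Base64.getEncoder().encodeToString(b);
    }
    static String toXml(RSAPrivateCrtKey k) {
        return "<RSAKeyValue><Modulus>" + b64(k.getModulus()) + "</Modulus><Exponent>" + b64(k.getPublicExponent())
            + "</Exponent><P>" + b64(k.getPrimeP()) + "</P><Q>" + b64(k.getPrimeQ()) + "</Q><DP>"
            + b64(k.getPrimeExponentP()) + "</DP><DQ>" + b64(k.getPrimeExponentQ()) + "</DQ><InverseQ>"
            + b64(k.getCrtCoefficient()) + "</InverseQ><D>" + b64(k.getPrivateExponent()) + "</D></RSAKeyValue>";
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048); // the snippet's 1024-bit keys are too small for new deployments
        String xml = toXml((RSAPrivateCrtKey) gen.generateKeyPair().getPrivate()); // stands in for the key file
        String token = issueToken(privateKeyFromXml(xml), "alice");
        System.out.println(token);
        System.out.println("verified: " + verifyToken(token, publicKeyFromXml(xml)));
    }
}
```

Compile with nimbus-jose-jwt on the classpath. Only the side that issues tokens needs the private half (privateKeyFromXml); anyone who merely verifies them needs just Modulus and Exponent (publicKeyFromXml), so the full <RSAKeyValue> file should never be shipped to clients. The exp check and the pinned algorithm are what the snippet in the question leaves out.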

From my perspective, if you want to use RSA, then I suggest using a nested signed and encrypted JWT. In that way the server can sign the JWT with the public key, and then the client can decrypt the JWT with the private key and validate that JWT. From the perspective of storing the keys, you can store them on the file system and provide some kind of configuration property to point to that file, or, because it's a public key, you can get that key from some service, or you can request it from the client. You can take the same approach to storing private keys on the client side.

But I think for most scenarios it is acceptable to use a nested signed and encrypted JWT with simple HMAC protection, because the client will request authentication, send the received token to the server, and the server will validate the JWT token. You can look at the Nimbus example http://connect2id.com/products/nimbus-jose-jwt/examples/signed-and-encrypted-jwt
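
The nested signed-then-encrypted JWT the answer recommends, as an added example that is not the answer's code nor Nimbus's own sample. In it the issuer signs with its own private key and encrypts to the recipient's public key, and the recipient decrypts with its private key and then verifies the inner signature with the issuer's public key. It assumes the JWEObject, RSAEncrypter and RSADecrypter classes of nimbus-jose-jwt, RSA-OAEP-256 key wrapping with A256GCM content encryption, and two freshly generated key pairs as constructed stand-ins for the server's and the client's keys; the issuer URL is a placeholder.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Date;
import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWEHeader;
import com.nimbusds.jose.JWEObject;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.Payload;
import com.nimbusds.jose.crypto.RSADecrypter;
import com.nimbusds.jose.crypto.RSAEncrypter;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

public class NestedJwtExample {
    static KeyPair rsaKeyPair() throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        return gen.generateKeyPair();
    }

    // Issuer side: sign with the issuer's private key, then encrypt for the recipient's public key.
    static String issueNested(RSAPrivateKey issuerPriv, RSAPublicKey recipientPub, String subject) throws Exception {
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
            .subject(subject)
            .issuer("https://issuer.example") // placeholder
            .issueTime(new Date())
            .expirationTime(new Date(System.currentTimeMillis() + 5 * 60 * 1000))
            .build();
        SignedJWT signed = new SignedJWT(new JWSHeader(JWSAlgorithm.RS256), claims);
        signed.sign(new RSASSASigner(issuerPriv));

        JWEHeader jweHeader = new JWEHeader.Builder(JWEAlgorithm.RSA_OAEP_256, EncryptionMethod.A256GCM)
            .contentType("JWT") // cty=JWT tells the recipient the payload is itself a JWT
            .build();
        JWEObject jwe = new JWEObject(jweHeader, new Payload(signed));
        jwe.encrypt(new RSAEncrypter(recipientPub));
        return jwe.serialize();
    }

    // Recipient side: pin both algorithms, decrypt with own private key, then verify the
    // inner signature with the issuer's public key and check the lifetime.
    static JWTClaimsSet receiveNested(String token, RSAPrivateKey recipientPriv, RSAPublicKey issuerPub) throws Exception {
        JWEObject jwe = JWEObject.parse(token);
        if (!JWEAlgorithm.RSA_OAEP_256.equals(jwe.getHeader().getAlgorithm())) throw new SecurityException("unexpected JWE alg");
        jwe.decrypt(new RSADecrypter(recipientPriv));
        SignedJWT inner = jwe.getPayload().toSignedJWT();
        if (inner == null) throw new SecurityException("payload is not a signed JWT");
        if (!JWSAlgorithm.RS256.equals(inner.getHeader().getAlgorithm())) throw new SecurityException("unexpected JWS alg");
        if (!inner.verify(new RSASSAVerifier(issuerPub))) throw new SecurityException("bad signature");
        JWTClaimsSet claims = inner.getJWTClaimsSet();
        Date exp = claims.getExpirationTime();
        if (exp == null || !exp.after(new Date())) throw new SecurityException("token expired");
        return claims;
    }

    public static void main(String[] args) throws Exception {
        KeyPair issuer = rsaKeyPair();    // constructed: stands in for the server's key pair
        KeyPair recipient = rsaKeyPair(); // constructed: stands in for the client's key pair
        String token = issueNested((RSAPrivateKey) issuer.getPrivate(), (RSAPublicKey) recipient.getPublic(), "alice");
        JWTClaimsSet claims = receiveNested(token, (RSAPrivateKey) recipient.getPrivate(), (RSAPublicKey) issuer.getPublic());
        System.out.println("subject=" + claims.getSubject());
    }
}
```

For the HMAC variant the answer mentions, the inner SignedJWT is created with JWSAlgorithm.HS256 and MACSigner/MACVerifier over a shared secret of at least 256 bits instead of the RSA signer and verifier; the outer encryption step stays the same. Either way, the recipient should check the algorithm of each layer against what it expects before calling decrypt or verify.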
