Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.


JOSE Example

This example demonstrates Thorntail Jose which offers a complete support for Javascript Object Signing and Encryption.

The demo server emulates a Bank resource accepting the approved or rejected loan applications in the following JSON format:




where the signature field represents a JOSE JWS compact signature of either 'APPROVED' or 'REJECTED' status values with the values themselves not being included in the signature sequence. The values, using the JOSE terminology, are detached.

The demo server verifies the signatures and echoes back the status values if the signatures are valid or returns HTTP 401 otherwise which is tested during the demo build by the integration test which uses a Jose4J library to create the client requests.

You can also use any other 3rd party JOSE library to test the interoperability between it and the Thorntail Jose demo server.

Here we will show you how to use a Fedora 'jose' package

Install Fedora 'jose' package

dnf install jose

and use it to sign both 'APPROVED' and 'REJECTED' values using the JOSE JWK symmetric key shipped with the demo:

echo -n APPROVED | jose jws sig -I- -c -O /dev/null -k src/main/resources/jwk.keys
echo -n REJECTED | jose jws sig -I- -c -O /dev/null -k src/main/resources/jwk.keys

Run the demo server

Now run the server and pass the 'APPROVED' and 'REJECTED' signatures as 'approvedJws' and 'rejectedJws' properties respectively:

mvn thorntail:run -DapprovedJws=... -DrejectedJws=...

Run curl

curl -X POST -H "Content-Type: application/json" -d @target/classes/approvedStatus.json
curl -X POST -H "Content-Type: application/json" -d @target/classes/rejectedStatus.json

You will get 'APPROVED' and 'REJECTED' echoed back.

Finally run

curl -v -X POST -H "Content-Type: application/json" -d @target/classes/rejectedApprovedStatus.json

This request emulates a case where the content has been manipulated after it has been signed, in this case, the signed 'REJECTED' content has been replaced with 'APPROVED'. This will cause the signature verification failure and the server will reject the request with HTTP 401.