JBoss Community Archive (Read Only)

PicketBox

JSON Security

JSON stands for JavaScript Object Notation. It is one of the most popular data formats for web programming and the preferred data format for applications built in the REST architectural style.

Securing JSON Applications

There is a collection of specification drafts currently being standardized at the IETF. Collectively, these are called JOSE (JavaScript Object Signing and Encryption).

Additionally, under the IETF OAuth2 specification family, there is the JWT (JSON Web Token) draft.

PicketBox Core provides an implementation of these specifications. It enables users to receive secure JSON messages as well as to transmit them. Irrespective of whether your client is a mobile device (native or HTML5 apps) or a browser application, you can write server-side programs using PicketBox Core JSON security.

JSON Web Token (JWT)

This forms the basic JSON structure for security. A JWT is a set of claims expressed as a JSON object and transported in a compact, URL-safe form: base64url-encoded segments separated by dots (header, payload and, where present, signature). JWS signs that structure and JWE encrypts it.

JSON Web Signature (JWS)

JWS is used to sign JSON messages.

The signer uses its private key, or a shared secret for HMAC algorithms such as HS256; you will need access to the signer's public key (or the same secret) while verifying a signed JSON message. The verifier, not the token header, must decide which algorithms it accepts.
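The structure described in the JWT and JWS sections above, as an added example in plain Python (standard library only; this is not PicketBox code and is not from the original page): it builds the three-segment compact form, signs it with HS256, and verifies it with the checks a server should apply, including refusing "alg":"none" unless the caller explicitly allows it and enforcing exp. The function names encode_jwt/decode_jwt, the demo secret DEMO_KEY and the timestamps passed as now are assumptions; the claim set is the one used by the page's own JWS test case.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real HS256 key must be random and at least 256 bits.
DEMO_KEY = b"constructed-demo-secret-do-not-reuse"

# Claim set from the JWS test case on this page (its exp is in March 2011).
DEMO_CLAIMS = {"iss": "joe", "exp": 1300819380, "http://example.com/is_root": True}


def b64url_encode(data):
    """base64url without '=' padding, as the compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    """Inverse of b64url_encode; restores the stripped padding first."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact_json(obj):
    """JSON with no whitespace, so header and payload are as short as possible."""
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def encode_jwt(claims, key, alg="HS256"):
    """Return header.payload.signature; for alg "none" the signature segment is empty."""
    header = {"typ": "JWT", "alg": alg}
    h = b64url_encode(_compact_json(header))
    p = b64url_encode(_compact_json(claims))
    if alg == "none":
        # Unsecured JWT: nothing protects the payload from modification.
        return h + "." + p + "."
    if alg != "HS256":
        raise ValueError("unsupported alg: %r" % alg)
    mac = hmac.new(key, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    return h + "." + p + "." + b64url_encode(mac)


def decode_jwt(token, key, now=None, allowed_algs=("HS256",)):
    """Verify token and return its claims, raising ValueError on any failure.

    The verifier, not the token's header, decides which algorithms are
    acceptable: "none" is rejected unless the caller lists it explicitly.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    alg = header.get("alg")
    if alg not in allowed_algs:
        raise ValueError("alg %r not allowed by verifier" % alg)
    if alg == "HS256":
        expected = hmac.new(key, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
        # compare_digest avoids leaking the expected MAC through timing.
        if not hmac.compare_digest(expected, b64url_decode(s)):
            raise ValueError("signature verification failed")
    elif alg == "none":
        if s != "":
            raise ValueError("unsecured JWT must carry an empty signature segment")
    else:
        raise ValueError("no verifier for alg %r" % alg)
    claims = json.loads(b64url_decode(p))
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= int(claims["exp"]):
        raise ValueError("token expired")
    return claims


if __name__ == "__main__":
    token = encode_jwt(DEMO_CLAIMS, DEMO_KEY)
    print(token)
    print(decode_jwt(token, DEMO_KEY, now=DEMO_CLAIMS["exp"] - 10))
    try:
        decode_jwt(encode_jwt(DEMO_CLAIMS, DEMO_KEY, alg="none"), DEMO_KEY, now=0)
    except ValueError as err:
        print("rejected:", err)
```

decode_jwt takes the set of acceptable algorithms from the caller rather than from the token, which is what stops an attacker from rewriting a signed token's header to "alg":"none" and dropping the signature. The page's testPlainTextJWTAPI example, which sets "alg":"none", produces exactly the kind of token a production verifier should refuse unless unsecured tokens are intended.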

JSON Web Encryption (JWE)

JWE is used to encrypt/decrypt JSON messages.

You will need access to the recipient's public key while encrypting a JSON message; the recipient decrypts with its private key. Note that the RSA1_5 key-transport algorithm used in the example below relies on PKCS#1 v1.5 padding, which is open to padding-oracle attacks when decryption failures are observable by the sender; later JOSE revisions prefer RSA-OAEP for this reason.

Code Examples

/*
 * JBoss, Home of Professional Open Source.
 * Copyright 2012, Red Hat, Inc., and individual contributors
 * as indicated by the @author tags. See the copyright.txt file in the
 * distribution for a full listing of individual contributors.
 *
 * This is free software; you can redistribute it and/or modify it
 * under the terms of the GNU Lesser General Public License as
 * published by the Free Software Foundation; either version 2.1 of
 * the License, or (at your option) any later version.
 *
 * This software is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this software; if not, write to the Free
 * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
 * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
 */
package org.picketbox.test.json;

import static org.junit.Assert.assertEquals;

import java.security.PublicKey;

import org.json.JSONObject;
import org.junit.Test;
import org.picketbox.json.token.JSONWebToken;

/**
 * Unit test the API for JWT
 *
 * @author anil saldhana
 * @since Jul 31, 2012
 */
public class JSONWebTokenAPITestCase {

    /**
     * Test the JWT API for Plain Text usecase
     *
     * @throws Exception
     */
    @Test
    public void testPlainTextJWTAPI() throws Exception {
        String plainText = "{\"data\":\"Welcome to the world of AES\"}";

        JSONWebToken jwt = new JSONWebToken();
        jwt.setData(new JSONObject(plainText));

        // Let us create the header. "alg":"none" produces an unsecured JWT:
        // nothing is signed, so a verifier must only accept such a token
        // where unsecured tokens are explicitly intended.
        JSONObject header = new JSONObject();
        header.put("alg", "none");

        jwt.setHeader(header);

        String encodedJWT = jwt.encode();
        System.out.println(encodedJWT);

        // Let us decode
        jwt = new JSONWebToken();
        jwt.load(encodedJWT);

        assertEquals(plainText, jwt.getData().toString());
    }

    /**
     * Test the JWT API for signature use case
     *
     * @throws Exception
     */
    @Test
    public void testJWSAPI() throws Exception {
        String headerStr = "{\"typ\":\"JWT\",\"alg\":\"HS256\"}";
        String text = "{\"iss\":\"joe\",\"exp\":1300819380,\"http://example.com/is_root\":true}";

        JSONWebToken jwt = new JSONWebToken();
        jwt.setData(new JSONObject(text));

        // Let us create the header
        JSONObject header = new JSONObject(headerStr);
        jwt.setHeader(header);

        String encodedJWT = jwt.encode();
        System.out.println(encodedJWT);

        // Let us decode
        jwt = new JSONWebToken();
        jwt.load(encodedJWT);

        assertEquals("joe", jwt.getData().getString("iss"));
    }

    /**
     * Test the JWT API for encryption use case
     *
     * @throws Exception
     */
    @Test
    public void testJWEAPI() throws Exception {
        // Header in the form used by the early JOSE drafts this API targets: a
        // separate "int" (integrity) algorithm and the IV carried in the header.
        // The final JWE RFC instead uses a combined "enc" such as A128CBC-HS256
        // and carries the IV as its own segment of the compact serialization
        // (this IV value decodes to 12 bytes; AES-CBC itself uses a 16-byte IV).
        String headerStr = "{\"alg\":\"RSA1_5\",\"enc\":\"A128CBC\",\"int\":\"HS256\",\"iv\":\"48V1_ALb6US04U3b\"}";
        String text = "{\"iss\":\"joe\",\"exp\":1300819380,\"http://example.com/is_root\":true}";

        // JSONWebEncryptionTestCase (same package) supplies the RSA key pair:
        // the public key encrypts, the private key decrypts
        JSONWebEncryptionTestCase jweTest = new JSONWebEncryptionTestCase();
        PublicKey publicKey = jweTest.getPublicKey();
        
        JSONWebToken jwt = new JSONWebToken();
        jwt.setData(new JSONObject(text));
        jwt.setPublicKey(publicKey);
        
        // Let us create the header
        JSONObject header = new JSONObject(headerStr);
        jwt.setHeader(header);

        String encodedJWT = jwt.encode();
        System.out.println(encodedJWT);

        // Let us decode
        jwt = new JSONWebToken();
        jwt.setPrivateKey(jweTest.getPrivateKey());
        jwt.load(encodedJWT);

        assertEquals("joe", jwt.getData().getString("iss"));
    }
}
JBoss.org Content Archive (Read Only), exported from JBoss Community Documentation Editor at 2020-03-11 12:16:27 UTC, last content change 2012-07-31 17:25:27 UTC.