Contents

Popular
Contents

This policy verifies the generated JWS. If the signature value has been tampered or the signature is different, it will not allow the user to access the resource.

Configuration

The properties that have to be configured to use the policy are described below.


Figure 1: Verify Json Web Signature Policy configuration attributes

Property
Description
JWS Identifier
Configure the Message Part Identifier with the source as header/Query parameter/context variable/constant through which the JWT is passed.
Bearer Token
If the JWT to be verified is being sent in the request's "Authorization" Header as a bearer token, then enable this property.

Headers

 
Known Headers
Verify JWS policy examines "crit" parameter in the JWT header, if present, and checks that each value listed under "crit" contained in JWT provided for validation is present among the entries under this "Known Headers" element  i.e the "Known Headers" must contain a superset of the items listed in JWT's "crit" header. Any header that is found in "crit" header that is not specified here among <KnownHeaders> causes the policy to fail.
Ignore Critical Headers 
If this property is enabled, the policy ignores "crit" parameter in the JWT header.

Key Configuration

 
Secret Key
Provide when a symmetric algorithm like HS256 is specified. The minimum length of the string has to be 256, 384, 512 bits for HS256, HS384, HS512 respectively.
Json Web Keys

Provide when an asymmetric algorithm like RS256 or ES256 is specified.

Icon
Load Keys From URL

If Json Web Keys are exposed in a specific URL, then enable this property.

Keys URL

Specify the URL in which Json Web Keys are exposed.

Icon

If it's a secured URL (Eg: https://www.googleapis.com/oauth2/v3/certs), the certificate of the corresponding server has to be added to the Truststore located at installer\esb\server\profiles\certs\jssecacerts. Password of this Truststore is "passphrase".

Sample Keytool command for importing certificate into truststore with an optional entry name(alias) as is given below.

With this command, "samplecert1.cer" certificate can be added to the truststore "jssecacerts" with an entry name "samplealias".

Check JWKs Revocation Status
If this property is enabled, the public JSON Web Key being used for JWT verification shall be checked for its presence among the specified Revoked JWKs and verification would fail if the specific key is found to be revoked.
Revoked JWKs
Provide the revoked public Json Web Keys.
Load Revoked JWKs from URL
If Revoked Public Json Web Keys are exposed in a URL, then enable this property.
Revoked JWKs URL
Specify the URL in which Revoked Public Json Web Keys are exposed. If it's a secured URL, refer to

Detached Content

In certain cases, it will be useful to protect the integrity of the content that is not itself contained in a JWS. Perform the following actions by detaching content as follows:

  1. Create Assign Variable policy with the respective variable names and identifiers.


    Figure 2: Verify Json Web Signature Policy configuration attributes

    Icon

    This sets the values in context variable with the specified names.

  2. Go to $FioranoHome/APIManagement\samples\JavaCallOuts\DetachedJWSClaim and run the compiled script. This creates a Classes directory containing a jar with compiled classes.

    Icon

    The java class can be modified as per requirement.

  3. Configure Java Call Out policy using the jar created above.

  4. Configure the Verify JWS policy as explained in this page.

Verifying a Json Web Signature

Request

Use browser/postman to send the request as below:

Response

Verifies the signature and allows to access the respective resources.

Adaptavist ThemeBuilder EngineAtlassian Confluence