This policy verifies the generated JWS. If the signature value has been tampered with or the signature is different, the policy does not allow the user to access the resource.
Configuration
The properties that have to be configured to use the policy are described below.
Figure 1: Verify Json Web Signature Policy configuration attributes
Property | Description |
Secret Key | Provide when a symmetric algorithm like HS256 is specified. The minimum length of the string has to be 256, 384 and 512 bits for HS256, HS384 and HS512 respectively. |
JWS Identifier | Configure the Message Part Identifier with the source (header, query parameter, context variable or constant) through which the JWT is passed. |
Json Web Keys | Provide when an asymmetric algorithm like RS256 or ES256 is specified. |
Load Keys From URL | If Json Web Keys are exposed in a specific URL, then enable this property. |
Keys URL | Specify the URL in which Json Web Keys are exposed. |
Detached Content
In certain cases, it is useful to protect the integrity of content that is not itself contained in a JWS. To verify a JWS with detached content, perform the following actions:
- Create Assign Variable policy with the respective variable names and identifiers.
Figure 2: Verify Json Web Signature Policy configuration attributes
- Go to $FioranoHome/APIManagement\samples\JavaCallOuts\DetachedJWSClaim and run the compiled script. This creates a Classes directory containing a jar with compiled classes.
- Configure Java Call Out policy using the jar created above.
- Configure the Verify JWS policy as explained in this page.
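The following added example (not Fiorano's code or the sample Java Call Out) shows what verifying a detached HMAC-signed JWS involves, assuming the RFC 7515 Appendix F form in which the payload part of the compact serialization is left empty. The function names and sample values are constructed for illustration; the minimum secret lengths are the ones from the Secret Key property above.

```python
import base64, hashlib, hmac, json

# Digest and minimum secret length in bytes (256/384/512 bits) per algorithm.
HS_ALGS = {"HS256": (hashlib.sha256, 32), "HS384": (hashlib.sha384, 48),
           "HS512": (hashlib.sha512, 64)}

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(alg: str, secret: bytes, header_b64: str, payload: bytes) -> bytes:
    digest, min_len = HS_ALGS[alg]
    if len(secret) < min_len:
        raise ValueError(f"{alg} secret must be at least {min_len * 8} bits")
    # The signing input always contains the payload, even when it is detached.
    signing_input = f"{header_b64}.{b64url_encode(payload)}".encode("ascii")
    return hmac.new(secret, signing_input, digest).digest()

def sign_detached(payload: bytes, secret: bytes, alg: str = "HS256") -> str:
    """Return 'header..signature': a compact JWS with the payload removed."""
    header = json.dumps({"alg": alg}, separators=(",", ":")).encode()
    header_b64 = b64url_encode(header)
    return f"{header_b64}..{b64url_encode(_mac(alg, secret, header_b64, payload))}"

def verify_detached(jws: str, payload: bytes, secret: bytes,
                    expected_alg: str = "HS256") -> bool:
    """Verify a detached JWS against the payload received out of band."""
    parts = jws.split(".")
    if len(parts) != 3 or parts[1] != "":
        return False                      # not a detached compact JWS
    try:
        header = json.loads(b64url_decode(parts[0]))
        signature = b64url_decode(parts[2])
    except ValueError:                    # bad base64, bad UTF-8 or bad JSON
        return False
    # Pin the algorithm to the configured one; never trust the header's choice.
    if not isinstance(header, dict) or header.get("alg") != expected_alg:
        return False
    expected = _mac(expected_alg, secret, parts[0], payload)
    return hmac.compare_digest(expected, signature)   # constant-time compare

if __name__ == "__main__":
    secret = b"0123456789abcdef0123456789abcdef"       # constructed 256-bit key
    body = b'{"amount":100}'                            # constructed payload
    token = sign_detached(body, secret)
    print(token, verify_detached(token, body, secret))
```

The payload reaches the verifier separately (for example in the request body) while only `header..signature` travels in the configured JWS Identifier location; any change to either part makes verification fail.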
Verifying a Json Web Signature
Request
Use a browser or Postman to send the request as below:
Response
The policy verifies the signature and allows access to the respective resources.