Topic
  • 11 replies
  • Latest Post - ‏2015-09-16T12:47:33Z by HermannSW
Dev5
Dev5
4 Posts

Pinned topic Rest Service JWT

‏2014-01-01T21:49:33Z |

I am trying to develop a sample REST service which can accept a JWT/JWS signed message in Firmware 6.0. Is it possible to read and verify the JWT signed messages and convert them to SOAP? I searched the forum and don't see anything related to JWT. Please let me know if this is possible in DataPower.

 

  • Dev5
    Dev5
    4 Posts

    Re: Rest Service JWT

    ‏2014-01-02T16:38:52Z  

    is this supported by Datapower Firmware 6.0?

  • HermannSW
    HermannSW
    5460 Posts

    Re: Rest Service JWT

    ‏2014-01-03T12:36:16Z  
    • Dev5
    • ‏2014-01-02T16:38:52Z

    is this supported by Datapower Firmware 6.0?

    I doubt it.

    Are you talking about this?
    http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-17


    Hermann<myXsltBlog/> <myXsltTweets/> <myCE/> <myFrameless/>

  • Dev5
    Dev5
    4 Posts

    Re: Rest Service JWT

    ‏2014-01-03T16:38:30Z  
    • HermannSW
    • ‏2014-01-03T12:36:16Z

    Yes. I did not find anything in the DataPower docs, so I am trying to see whether I can develop a custom stylesheet to do that.

    The JWT signed structure is described here:

    http://odino.org/securing-your-http-api-with-javascript-object-signing-and-encryption/

    It is base64URL encoded, separated by dots ".": Header.payload.signed signature.

    So far I have configured an MPG to accept non-XML. In my first processing policy, on the POST action, I configured a binary action to capture the incoming POST request and convert it to some kind of XML format using binary-convert.xsl. Then in the next policy, I am trying to put the header, payload and signature in separate nodes (test5.xsl). But I am having difficulty converting the POST request to some kind of XML format. Is that possible? If you can think of some other way, please let me know. Thank you. The XSLs are below.

    binary-convert.xsl

    <xsl:stylesheet version="1.0"
      xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
      xmlns:dp="http://www.datapower.com/extensions"
      extension-element-prefixes="dp"
    >
      <dp:input-mapping  href="binaryNode.ffd" type="ffd"/>
      <dp:output-mapping href="binaryNode.ffd" type="ffd"/>

      <xsl:template match="/">
        <object>
          <message>
            <xsl:copy-of select="/object/message/node()"/>
          </message>
        </object>
      </xsl:template>
    </xsl:stylesheet>

    test5.xsl

    <xsl:stylesheet version="1.0"
      xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
      xmlns:dp="http://www.datapower.com/extensions"
      xmlns:man="http://www.datapower.com/schemas/management"
      extension-element-prefixes="dp"
    >
      <dp:input-mapping type="ffd" href="binaryNode.ffd" />

      <xsl:template match="/object/message" name="tokenize">
        <xsl:param name="text" select="."/>
        <xsl:param name="separator" select="'.'"/>
        <xsl:choose>
          <xsl:when test="not(contains($text, $separator))">
            <item>
              <xsl:value-of select="normalize-space($text)"/>
            </item>
          </xsl:when>
          <xsl:otherwise>
            <item>
              <xsl:value-of select="normalize-space(substring-before($text, $separator))"/>
            </item>
            <xsl:call-template name="tokenize">
              <xsl:with-param name="text" select="substring-after($text, $separator)"/>
            </xsl:call-template>
          </xsl:otherwise>
        </xsl:choose>
      </xsl:template>
    </xsl:stylesheet>
    
  • Dev5
    Dev5
    4 Posts

    Re: Rest Service JWT

    ‏2014-01-03T16:42:44Z  
    • Dev5
    • ‏2014-01-03T16:38:30Z

    A signed sample message looks like this (done using Java):

    eyJhbGciOiJSUzI1NiJ9.SldUQ2xhaW1zU2V0IFtpc3M9QXBpZ2VlIEFQSSBHYXRld2F5LCBzdWI9bnVsbCwgYXVkPW51bGwsIGV4cD1GcmkgSmFuIDAzIDA5OjUxOjAzIE1TVCAyMDE0LCBuYmY9RnJpIEphbiAwMyAwOTo0MTowMyBNU1QgMjAxNCwgaWF0PUZyaSBKYW4gMDMgMDk6NDE6MDMgTVNUIDIwMTQsIGp0aT1kZDYxMGJhYy0wNDM3LTRkODAtYjE0MS01OTZkNzVkZDdiZmYsIHR5cD1udWxsLCBjdXN0b21DbGFpbXM9e3Njb3BlPWNhbXBhaWduTWd0LCBjbGllbnQ9WFlaLCB1c2VyPWFiY2R9XQ.esOEqnet0jipaDUbyqHezAuVAR36uPmeiSaa6LYeqhgYLEJYnCYzOf8ic2wjFEfJlX6JjVx5lNMzCuMgjPrfextgDjyujNXLOPJqBURiJSeLjAEZ2Gl1QeFkqyFAYte6qKMHUMOYvpkHXWnq56P72OqctNrrGEcdB9Kurh0VQAM

  • HermannSW
    HermannSW
    5460 Posts

    Re: Rest Service JWT

    ‏2014-01-04T06:16:03Z  
    • Dev5
    • ‏2014-01-03T16:42:44Z

    The last 1024 bytes are pure binary data which need special handling in a stylesheet, see:
    http://www-01.ibm.com/support/docview.wss?uid=swg27022977
    http://www-01.ibm.com/support/docview.wss?uid=swg27022979

    $ base64 -di | od -Ax -tcx1
    eyJhbGciOiJSUzI1NiJ9.SldUQ2xhaW1zU2V0IFtpc3M9QXBpZ2VlIEFQSSBHYXRld2F5LCBzdWI9bnVsbCwgYXVkPW51bGwsIGV4cD1GcmkgSmFuIDAzIDA5OjUxOjAzIE1TVCAyMDE0LCBuYmY9RnJpIEphbiAwMyAwOTo0MTowMyBNU1QgMjAxNCwgaWF0PUZyaSBKYW4gMDMgMDk6NDE6MDMgTVNUIDIwMTQsIGp0aT1kZDYxMGJhYy0wNDM3LTRkODAtYjE0MS01OTZkNzVkZDdiZmYsIHR5cD1udWxsLCBjdXN0b21DbGFpbXM9e3Njb3BlPWNhbXBhaWduTWd0LCBjbGllbnQ9WFlaLCB1c2VyPWFiY2R9XQ.esOEqnet0jipaDUbyqHezAuVAR36uPmeiSaa6LYeqhgYLEJYnCYzOf8ic2wjFEfJlX6JjVx5lNMzCuMgjPrfextgDjyujNXLOPJqBURiJSeLjAEZ2Gl1QeFkqyFAYte6qKMHUMOYvpkHXWnq56P72OqctNrrGEcdB9Kurh0VQAM
    base64: ungültige Eingabe
    000000   {   "   a   l   g   "   :   "   R   S   2   5   6   "   }   J
            7b  22  61  6c  67  22  3a  22  52  53  32  35  36  22  7d  4a
    000010   W   T   C   l   a   i   m   s   S   e   t       [   i   s   s
            57  54  43  6c  61  69  6d  73  53  65  74  20  5b  69  73  73
    000020   =   A   p   i   g   e   e       A   P   I       G   a   t   e
            3d  41  70  69  67  65  65  20  41  50  49  20  47  61  74  65
    000030   w   a   y   ,       s   u   b   =   n   u   l   l   ,       a
            77  61  79  2c  20  73  75  62  3d  6e  75  6c  6c  2c  20  61
    000040   u   d   =   n   u   l   l   ,       e   x   p   =   F   r   i
            75  64  3d  6e  75  6c  6c  2c  20  65  78  70  3d  46  72  69
    000050       J   a   n       0   3       0   9   :   5   1   :   0   3
            20  4a  61  6e  20  30  33  20  30  39  3a  35  31  3a  30  33
    000060       M   S   T       2   0   1   4   ,       n   b   f   =   F
            20  4d  53  54  20  32  30  31  34  2c  20  6e  62  66  3d  46
    000070   r   i       J   a   n       0   3       0   9   :   4   1   :
            72  69  20  4a  61  6e  20  30  33  20  30  39  3a  34  31  3a
    000080   0   3       M   S   T       2   0   1   4   ,       i   a   t
            30  33  20  4d  53  54  20  32  30  31  34  2c  20  69  61  74
    000090   =   F   r   i       J   a   n       0   3       0   9   :   4
            3d  46  72  69  20  4a  61  6e  20  30  33  20  30  39  3a  34
    0000a0   1   :   0   3       M   S   T       2   0   1   4   ,       j
            31  3a  30  33  20  4d  53  54  20  32  30  31  34  2c  20  6a
    0000b0   t   i   =   d   d   6   1   0   b   a   c   -   0   4   3   7
            74  69  3d  64  64  36  31  30  62  61  63  2d  30  34  33  37
    0000c0   -   4   d   8   0   -   b   1   4   1   -   5   9   6   d   7
            2d  34  64  38  30  2d  62  31  34  31  2d  35  39  36  64  37
    0000d0   5   d   d   7   b   f   f   ,       t   y   p   =   n   u   l
            35  64  64  37  62  66  66  2c  20  74  79  70  3d  6e  75  6c
    0000e0   l   ,       c   u   s   t   o   m   C   l   a   i   m   s   =
            6c  2c  20  63  75  73  74  6f  6d  43  6c  61  69  6d  73  3d
    0000f0   {   s   c   o   p   e   =   c   a   m   p   a   i   g   n   M
            7b  73  63  6f  70  65  3d  63  61  6d  70  61  69  67  6e  4d
    000100   g   t   ,       c   l   i   e   n   t   =   X   Y   Z   ,
            67  74  2c  20  63  6c  69  65  6e  74  3d  58  59  5a  2c  20
    000110   u   s   e   r   =   a   b   c   d   }   ]  \a 254   8   J 247
            75  73  65  72  3d  61  62  63  64  7d  5d  07  ac  38  4a  a7
    000120   z 335   # 212 226 203   Q 274 252 035 354 300 271   P 021 337
            7a  dd  23  8a  96  83  51  bc  aa  1d  ec  c0  b9  50  11  df
    000130 253 217 231 350 222   i 256 213   a 352 241 201 202 304   % 211
            ab  8f  99  e8  92  69  ae  8b  61  ea  a1  81  82  c4  25  89
    000140 302   c   3 237 362   '   6 302   1   D   | 231   W 350 230 325
            c2  63  33  9f  f2  27  36  c2  31  44  7c  99  57  e8  98  d5
    000150 307 231   M   3   0 256   2  \b 317 255 367 261 266  \0 343 312
            c7  99  4d  33  30  ae  32  08  cf  ad  f7  b1  b6  00  e3  ca
    000160 350 315   \ 263 217   & 240   T   F   "   R   x 270 300 021 235
            e8  cd  5c  b3  8f  26  a0  54  46  22  52  78  b8  c0  11  9d
    000170 206 227   T 036 026   J 262 024 006   -   { 252 212   0   u  \f
            86  97  54  1e  16  4a  b2  14  06  2d  7b  aa  8a  30  75  0c
    000180   9 213 351 220   u 326 236 256   z   ? 275 216 251 313   M 256
            39  8b  e9  90  75  d6  9e  ae  7a  3f  bd  8e  a9  cb  4d  ae
    000190 261 204   q 320   }   * 352 341 321   T  \0
            b1  84  71  d0  7d  2a  ea  e1  d1  54  00
    00019b
     
    ~
    $
     

    Hermann<myXsltBlog/> <myXsltTweets/> <myCE/> <myFrameless/>

  • daniel64
    daniel64
    10 Posts

    Re: Rest Service JWT

    ‏2014-04-08T09:45:57Z  
    • Dev5
    • ‏2014-01-03T16:38:30Z

    Hi Dev5,

     

    I need to do the same verification...

    Did you finally succeed ?

    Can you post the XSL if yes...

     

    Best regards.

  • VMNanduri
    VMNanduri
    13 Posts

    Re: Rest Service JWT

    ‏2015-09-13T12:05:07Z  

    Hi Hermann,

    We are also trying to implement JWE/JWT/JWS in DataPower version 7, but we have not been able to achieve this so far. Can you suggest how we can achieve this in DataPower firmware version 7 (<7.2)?

     

    Thanks,

    Lakshman

  • HermannSW
    HermannSW
    5460 Posts

    Re: Rest Service JWT

    ‏2015-09-13T19:07:16Z  
    • VMNanduri
    • ‏2015-09-13T12:05:07Z

    > how can we achieve this in DataPower firmware version 7 (<7.2).

    You cannot; JWE/JWT/JWS are new features of 7.2.0.0 firmware (besides finding some CommonJS modules somewhere doing it).


    Hermann.
     

  • VMNanduri
    VMNanduri
    13 Posts

    Re: Rest Service JWT

    ‏2015-09-15T05:57:05Z  
    • HermannSW
    • ‏2015-09-13T19:07:16Z

    Thanks Hermann!

     

    Regards,

    Lakshman

  • AmitLembhe
    AmitLembhe
    1 Post

    Re: Rest Service JWT

    ‏2015-09-15T19:06:22Z  
    • HermannSW
    • ‏2015-09-13T19:07:16Z

    Is it not possible to handle JWT/JWS by writing XSLT on DataPower version 7.0?

    DataPower 7.2 gives ready configuration options for handling JWT. But is it not technically feasible at all to handle JWT in version 7?

  • HermannSW
    HermannSW
    5460 Posts

    Re: Rest Service JWT

    ‏2015-09-16T12:47:33Z  

    You can implement JWT yourself, and even with XSLT.

    But with 7.0 firmware it is better to do it with GatewayScript.
    You may also search for a CommonJS nodejs module and try to run that directly in GatewayScript.

     

    Hermann.
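
The check this thread is about (split the compact form at the dots, base64url-decode each segment, verify the RS256 signature over `header.payload`), as an added example that is not code from any poster or from DataPower. It uses the Node.js `crypto` module rather than the GatewayScript API, and the function names, key pair and token are constructed for the illustration.

```javascript
// Added example: Node.js standard library only (not the GatewayScript crypto API).
const crypto = require('crypto');

// Decode one base64url segment (URL-safe alphabet, no padding) to bytes.
// Plain "base64 -d" over the whole token fails on '.', '-' and '_'.
function b64urlDecode(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error('segment is not base64url');
  return Buffer.from(segment.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
}

function b64urlEncode(bytes) {
  return Buffer.from(bytes).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Split header.payload.signature and verify an RS256 signature.
// Returns the payload bytes only when the signature is valid.
function verifyCompactJws(token, publicKeyPem) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error('expected exactly three segments');
  const [h, p, s] = parts;
  const header = JSON.parse(b64urlDecode(h).toString('utf8'));
  // Pin the algorithm on the verifier side; never let the token choose it.
  if (header.alg !== 'RS256') throw new Error('unsupported alg: ' + header.alg);
  // The signing input is the first two segments exactly as received, dot included.
  const signingInput = Buffer.from(h + '.' + p, 'ascii');
  const ok = crypto.verify('RSA-SHA256', signingInput, publicKeyPem, b64urlDecode(s));
  if (!ok) throw new Error('signature mismatch');
  return b64urlDecode(p);
}

// Constructed test material: builds a token with the same three-part layout.
function makeSampleToken(privateKeyPem, payloadText, alg = 'RS256') {
  const h = b64urlEncode(JSON.stringify({ alg }));
  const p = b64urlEncode(payloadText);
  const sig = crypto.sign('RSA-SHA256', Buffer.from(h + '.' + p, 'ascii'), privateKeyPem);
  return h + '.' + p + '.' + b64urlEncode(sig);
}

// Constructed throwaway key pair, generated at run time.
const sampleKeys = crypto.generateKeyPairSync('rsa', {
  modulusLength: 2048,
  publicKeyEncoding: { type: 'spki', format: 'pem' },
  privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
});
```
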