REST Service Security

RESTful web services APIs can be secured so that a URL can be consumed only by callers that provide authentication.

JADE provides the ability to restrict JADE REST APIs so that only clients presenting a valid bearer token can consume the API. In addition, an API developer can customize the rules on what constitutes a valid token to meet your requirements.

REST service security allows for the validation of token signatures, including asymmetric tokens (for example, RS256) signed by third‑party authentication providers. It also allows for the generation of symmetric tokens (for example, HS256) and the association of required claims, such as access level or token expiry, with specific REST service methods.

The supported token format is the JSON Web Token (JWT), an open standard defined in RFC 7519. The JWT standard defines a compact and self‑contained way of securely transmitting information between parties as a JSON object.

The Add JSON Web Token Claims dialog enables you to specify the claims that must be present in a JSON Web Token in order to access a JADE REST API method. As long as one or more required claims are associated with a method, any incoming REST request must include a JSON Web Token in the authorization header of the HTTP request; that is, it must include a header of the form Authorization: Bearer <Token>. For details, see "Associating Required JSON Web Token Claims with REST API Methods" under "REST Service Security", in Chapter 2 of the JADE Object Manager Guide.

REST security classes are summarized in the following table. (For details, see Volume 1 of the JADE Encyclopaedia of Classes.)

Class                                       Description

JadeRequiredClaimAnnotation                 Abstract class that represents an annotation on a JadeRestService REST API method
        JadeRequiredDelegateClaimAnnotation     Represents an annotation on a JadeRestService REST API method
        JadeRequiredOneOfValueClaimAnnotation   Represents an annotation on a JadeRestService REST API method
        JadeRequiredSingleValueClaimAnnotation  Represents an annotation on a JadeRestService REST API method
JadeJWTModel                                Abstract grouping class for JSON Web Token (JWT) classes
        JadeJWKSAuthProviderResponse            Can be used as the first parameter to the parse method of the JadeJson class
        JadeJWTClaim                            Represents one claim in a JSON Web Token
        JadeJWTParser                           Contains type methods used for parsing JSON Web Tokens
        JadeJWTValidator                        Contains type methods used for validating the signature of JSON Web Tokens
        JadeJsonWebKeySetReader                 Provides methods for obtaining the public key from a JSON Web Key Set that is used to validate asymmetrically‑signed JSON Web Tokens (JWTs)
        JadeJsonWebToken                        Represents a symmetrically‑signed JSON Web Token that can be used by a JADE REST service to generate authorization tokens for its clients

The JadeHTTPConnection class provides the following class constants.

The TimeStamp primitive type provides the following constant and methods.

2020.0.01 and higher