From: Bruno O. <br...@ab...> - 2013-07-02 09:22:00
Good morning everyone. I've been working to include security on AeroGear and make use of RESTEasy; to be more specific, I would like to include JWT/JWS support. The API is pretty straightforward and I think it is a good fit for mobile. Before moving forward on AeroGear I'd like to suggest (and implement, if you guys agree) the inclusion of two new attributes:

- iat: this claim identifies the time at which the JWT was issued. This claim can be used to determine the age of the JWT. Its value MUST be a number containing an IntDate value.

- exp: this claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing. The processing of the exp claim requires that the current date/time MUST be before the expiration date/time listed in the exp claim. Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew. Its value MUST be a number containing an IntDate value.

This is important, because I wouldn't like to trust SSL/TLS only. If for some reason this layer is broken (wrong configuration, lack of understanding from some developers), it would be nice to have an additional layer of security (it won't solve all the problems, but it might help).

What do you guys think? Makes sense?

-- abstractj
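The iat/exp checks proposed above, as an added example that is not part of the original message nor of RESTEasy or AeroGear. It assumes the JWS signature has already been verified by the caller; the `LEEWAY` value, the `ClaimsError` type and the function names are this example's own choices.

```python
import time

# Added example, not RESTEasy or AeroGear code: enforces the proposed iat/exp
# claims with a small clock-skew leeway. JWS signature verification is assumed
# to have succeeded already; these checks only decide whether a verified token
# may still be processed, which is the extra layer the message argues for.
LEEWAY = 120  # assumed skew allowance, inside the "few minutes" the text permits


class ClaimsError(ValueError):
    """Raised when the token MUST NOT be accepted for processing."""


def _int_date(claims: dict, name: str) -> int:
    # iat and exp MUST be numbers holding an IntDate (seconds since the epoch);
    # bool is excluded because it is an int subclass in Python.
    value = claims.get(name)
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        raise ClaimsError(f"{name} missing or not an IntDate")
    return int(value)


def check_time_claims(claims: dict, now=None, leeway=LEEWAY) -> int:
    """Enforce iat and exp; return seconds of lifetime left (0 inside leeway)."""
    now = int(time.time()) if now is None else int(now)
    iat, exp = _int_date(claims, "iat"), _int_date(claims, "exp")
    if exp <= iat:
        raise ClaimsError("exp must be later than iat")
    if iat > now + leeway:  # issued further in the future than skew explains
        raise ClaimsError("iat lies in the future")
    if now >= exp + leeway:  # current time MUST be before exp (leeway tolerated)
        raise ClaimsError("token has expired")
    return max(exp - now, 0)


def token_age(claims: dict, now=None) -> int:
    """Age of the token in seconds, the use the message names for iat."""
    now = int(time.time()) if now is None else int(now)
    return now - _int_date(claims, "iat")


def is_acceptable(claims: dict, now=None) -> bool:
    """Accept/reject form of check_time_claims for callers that only gate access."""
    try:
        check_time_claims(claims, now)
        return True
    except ClaimsError:
        return False
```

Passing `now` explicitly keeps the checks deterministic in tests; in production leave it unset so the server clock is used.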