
Study Research On Web Security By JSON Web Signature

Posted on: 2016-07-16
Degree: Master
Type: Thesis
Country: China
Candidate: GOGOE VIDJINNAGNI PAUL
Full Text: PDF
GTID: 2348330476455783
Subject: Computer application technology
Abstract/Summary:
User authentication and authorization occupy an extremely important position in network security. The development of JWS (JSON Web Signature) and JWT (JSON Web Token) has provided a good solution for user authentication and authorization, but it is not without flaws. This paper therefore studies web security based on the JSON Web Signature system and proposes some improvement strategies. The main work is as follows:

First, we improve JSON Web Signature on the basis of a strategy in which the JSON payload is signed by the user with his private key. Following the JSON Web Signature architecture, content is secured with digital signatures or message authentication codes (MACs) using JSON-based data structures, so that the signature mechanism provides integrity protection. It allows multiple digital signatures or MACs to be applied to the same content. In addition, the signature mechanisms are independent of the type of content being secured, so arbitrary content can be secured, which improves the security of message authentication. Meanwhile, we do not change the structure of the JSON payload: the content (payload) and the signature are kept in the same file, which avoids producing a more complicated file after the JSON object is generated.

Secondly, we improve the JWT access architecture and OpenID Connect in the field of web security. The main work is as follows. (1) The token architecture of JSON Web Token is used to grant authorization to a user. An access token is generated by the login service when a user logs on to the system and the credentials provided by the user are authenticated against the authentication database. Whether client authentication is needed in conjunction with a JWT authorization grant is a policy decision at the discretion of the authorization server. However, if client credentials are present in the request, the authorization server must validate them. If the JWT is not valid, or the current time is not within the token's validity window, the authorization server must construct an error response. The experimental results show that a JWT can be signed following the JSON Web Signature specification. In our experiment we did not transmit any sensitive data in the JWT payload (a signature provides integrity and authenticity, not confidentiality); we only signed the JWT to protect its integrity while it is transmitted between parties. (2) Under the principle of the authorization server, we take advantage of the distributed authentication provided by OpenID Connect to complete the user login step. At the authorization server we make some improvements to OpenID Connect tokens, OpenID Connect session management, client registration and OpenID Connect security. In this way the OpenID Connect structure is optimized as a whole and cross-platform secure sign-on becomes possible.

Finally, we experiment with the whole process of user authentication with JWT by configuring OpenLDAP as the OpenID Connect authorization server, and configure the client side from the user's connection request through authentication verification to access to resources. The implementation of JWS and JWT and the analysis of the results demonstrate the feasibility and validity of the proposed approach.
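The signing scheme and the authorization-server checks described above, as an added example in Python that is not part of the thesis or its experiment. It builds a JWS compact serialization (BASE64URL(header).BASE64URL(payload).BASE64URL(signature)) and then validates it the way the authorization server must: the algorithm is pinned rather than read from the token, the signature is compared in constant time, the exp/nbf window is checked against the current time, and any failure produces an OAuth-style error body. The thesis signs with the user's private key; this example swaps in HMAC-SHA256 (HS256) so that it runs on the standard library alone, which is an assumption, as are the key, claims, timestamps and the function names.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


class TokenError(Exception):
    """Raised when a token fails any validation step."""


def b64url(data: bytes) -> str:
    # JWS uses base64url without '=' padding (RFC 7515 section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jws_sign_hs256(payload: dict, key: bytes) -> str:
    """Produce a JWS compact serialization over a JSON payload (HS256, assumed algorithm)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def jwt_verify_hs256(token: str, key: bytes, now: Optional[int] = None, leeway: int = 0) -> dict:
    """Validate structure, algorithm, signature and validity window; return the claims."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    head_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(head_b64))
    except ValueError:
        raise TokenError("malformed header")
    # Pin the algorithm: the verifier decides, never the token (rejects "none" and algorithm swaps).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    try:
        presented = b64url_decode(sig_b64)
    except ValueError:
        raise TokenError("malformed signature")
    if not hmac.compare_digest(expected, presented):
        raise TokenError("bad signature")
    try:
        claims = json.loads(b64url_decode(body_b64))
    except ValueError:
        raise TokenError("malformed payload")
    # Validity window: the current time must lie within [nbf, exp], with optional clock-skew leeway.
    if "exp" in claims and now > claims["exp"] + leeway:
        raise TokenError("token expired")
    if "nbf" in claims and now < claims["nbf"] - leeway:
        raise TokenError("token not yet valid")
    return claims


def error_response(exc: TokenError) -> dict:
    # OAuth 2.0 error body (RFC 6749 section 5.2); RFC 7523 uses invalid_grant for a rejected JWT assertion.
    return {"error": "invalid_grant", "error_description": str(exc)}


def check_assertion(token: str, key: bytes, now: Optional[int] = None, leeway: int = 0) -> dict:
    """Authorization-server view of one request: validated claims or the error response to send."""
    try:
        return {"ok": True, "claims": jwt_verify_hs256(token, key, now, leeway)}
    except TokenError as exc:
        return {"ok": False, "response": error_response(exc)}


if __name__ == "__main__":
    # Constructed demo input: a login-service key and a token valid for ten minutes.
    key = b"constructed-demo-key-not-for-production"
    claims = {"iss": "login-service", "sub": "alice", "aud": "resource-api",
              "iat": 1700000000, "nbf": 1700000000, "exp": 1700000600}
    token = jws_sign_hs256(claims, key)
    print(token)
    print(check_assertion(token, key, now=1700000300))   # inside the window: accepted
    print(check_assertion(token, key, now=1700000700))   # after exp: invalid_grant
```

The verifier rejects a token whose header says "alg": "none" or any algorithm other than the one the server expects, because trusting the token's own header is how signature checks get bypassed; the validity-window check is the "current time within the token's valid time window" rule from the text, with a small leeway to absorb clock skew between parties.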
Keywords/Search Tags: JSON, JWS, JWT, OpenID Connect, OAuth authentication