jEAP Spring Boot JSON Web Encryption (JWE) Starter

The jeap-spring-boot-jwe-starter provides transparent JWE-based end-to-end encryption support for jEAP Spring Boot services. It automatically exposes the backend public keys as a JWKS endpoint, manages Vault-backed RSA key material including refresh and rotation support, and decrypts incoming application/jose requests before they reach Spring MVC controllers. For protected endpoints, the starter also encrypts JSON responses as JWE, supports configurable exclusions such as actuator and JWKS endpoints, and provides structured error responses for invalid or missing encryption protocol data. It is designed to use established JOSE libraries and standard algorithms such as RSA-OAEP-256 and A256GCM, without requiring application controllers to implement encryption logic themselves.

Angular frontends: use the companion library jeap-jwe-client — an npm module providing an Angular HttpInterceptor that integrates with this starter and transparently encrypts requests and decrypts responses. See Client integration for the protocol details.
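The request leg of the exchange described above, shown as an added example written directly against the Nimbus JOSE+JWT library rather than taken from the starter or the Angular client: the backend's JWKS publishes only the public RSA key, the client selects it by kid and encrypts the JSON body with RSA-OAEP-256/A256GCM, and the backend decrypts the application/jose compact serialization. The key ID, JSON payload and class name are constructed for the example.

```java
import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWEHeader;
import com.nimbusds.jose.JWEObject;
import com.nimbusds.jose.Payload;
import com.nimbusds.jose.crypto.RSADecrypter;
import com.nimbusds.jose.crypto.RSAEncrypter;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.KeyUse;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;

// Hypothetical demo class: JWE request round trip with the algorithms the starter uses.
public class JweRequestRoundTrip {

    public static String roundTrip() throws Exception {
        // Backend side: a 4096-bit RSA key pair, the size the crypto module validates.
        // (In the real starter this material comes from Vault, not from a local generator.)
        RSAKey backendKey = new RSAKeyGenerator(4096)
                .keyID("backend-enc-1")          // constructed kid
                .keyUse(KeyUse.ENCRYPTION)
                .generate();

        // What the JWKS endpoint serves: JWKSet.toString() omits private parameters.
        String jwksJson = new JWKSet(backendKey.toPublicJWK()).toString();

        // Client side: fetch the JWKS, pick the key by kid, and refuse anything non-public.
        RSAKey publicKey = (RSAKey) JWKSet.parse(jwksJson).getKeyByKeyId("backend-enc-1");
        if (publicKey == null || publicKey.isPrivate()) {
            throw new IllegalStateException("JWKS must expose exactly the public encryption key");
        }
        JWEHeader header = new JWEHeader.Builder(JWEAlgorithm.RSA_OAEP_256, EncryptionMethod.A256GCM)
                .keyID(publicKey.getKeyID())     // lets the backend pick the right key after rotation
                .contentType("application/json")
                .build();
        JWEObject request = new JWEObject(header, new Payload("{\"amount\":42}")); // constructed body
        request.encrypt(new RSAEncrypter(publicKey));
        String compact = request.serialize();   // sent with Content-Type: application/jose

        // Backend side: the filter parses the compact form and decrypts with the private key whose kid matches.
        JWEObject received = JWEObject.parse(compact);
        if (!backendKey.getKeyID().equals(received.getHeader().getKeyID())) {
            throw new IllegalStateException("unknown kid: " + received.getHeader().getKeyID());
        }
        received.decrypt(new RSADecrypter(backendKey));
        return received.getPayload().toString();  // plain JSON handed on to the controller
    }

    public static void main(String[] args) throws Exception {
        System.out.println(roundTrip());
    }
}
```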

Modules

| Module | Purpose |
|---|---|
| jeap-spring-boot-jwe-crypto | Crypto utilities (Nimbus). RSA key factory, 4096-bit validation, JWK Set conversion. No Spring dependency. |
| jeap-spring-boot-jwe-key-management | Key-store abstraction (JweKeyStore), in-memory cache, key sources (static test + Vault transit), loader, and periodic refresher with exponential backoff. |
| jeap-spring-boot-jwe-web | Servlet stack: JWKS endpoint, the JWE servlet filter (request decryption / response encryption), mandatory-encryption enforcement with RFC 7807 errors, and the protocol-metadata endpoint. |
| jeap-spring-boot-jwe-starter | Auto-configuration, configuration properties (jeap.jwe.*), bean wiring. |
| jeap-spring-boot-jwe-test | Shared test infrastructure (reusable 4096-bit RSA test keys). Test scope only. |
| jeap-spring-boot-jwe-security-it | Integration tests proving the starter coexists with jeap-spring-boot-security-starter (Bearer-token auth + transparent JWE). Test sources only; keeps the jeap-security dependency out of the published starter. |

Dependency direction: crypto → key-management → web → starter. The …-security-it module is a test-only leaf depending on …-starter.

Documentation

| Topic | File |
|---|---|
| Architecture overview | docs/architecture.md |
| Quick setup | docs/getting-started.md |
| Configuration reference | docs/configuration.md |
| Servlet filter | docs/servlet-filter.md |
| Client integration | docs/client-integration.md |
| Key management internals | docs/key-management.md |
| JWKS endpoint | docs/jwks-endpoint.md |
| Vault integration | docs/vault-integration.md |
| Observability (metrics) | docs/observability.md |
| Testing without Vault | docs/testing.md |

See