Author: buildbot
Date: Fri Mar 13 15:46:50 2015
New Revision: 943707
Log:
Production update by buildbot for cxf
Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/jax-rs-jose.html
Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.
Modified: websites/production/cxf/content/docs/jax-rs-jose.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-jose.html (original)
+++ websites/production/cxf/content/docs/jax-rs-jose.html Fri Mar 13 15:46:50
2015
@@ -118,14 +118,16 @@ Apache CXF -- JAX-RS JOSE
<!-- Content -->
<div class="wiki-content">
<div id="ConfluenceContent"><p> </p><p><style
type="text/css">/*<![CDATA[*/
-div.rbtoc1426257993585 {padding: 0px;}
-div.rbtoc1426257993585 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1426257993585 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1426261585363 {padding: 0px;}
+div.rbtoc1426261585363 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1426261585363 li {margin-left: 0px;padding-left: 0px;}
-/*]]>*/</style></p><div class="toc-macro rbtoc1426257993585">
-<ul class="toc-indentation"><li><a shape="rect"
href="#JAX-RSJOSE-Introduction">Introduction</a></li><li><a shape="rect"
href="#JAX-RSJOSE-MavenDependencies">Maven Dependencies</a></li><li><a
shape="rect" href="#JAX-RSJOSE-JOSEOverview">JOSE Overview</a>
-<ul class="toc-indentation"><li><a shape="rect"
href="#JAX-RSJOSE-JWAAlgorithms">JWA Algorithms</a></li><li><a shape="rect"
href="#JAX-RSJOSE-JWKKeys">JWK Keys</a></li><li><a shape="rect"
href="#JAX-RSJOSE-JWSSignature">JWS Signature</a></li><li><a shape="rect"
href="#JAX-RSJOSE-JSONEncryption">JSON Encryption</a></li><li><a shape="rect"
href="#JAX-RSJOSE-JSONWebTokens">JSON Web Tokens</a></li></ul>
-</li><li><a shape="rect" href="#JAX-RSJOSE-JOSEJAX-RSFilters">JOSE JAX-RS
Filters</a></li><li><a shape="rect"
href="#JAX-RSJOSE-Configuration">Configuration</a></li><li><a shape="rect"
href="#JAX-RSJOSE-OAuth2andJose">OAuth2 and Jose</a></li><li><a shape="rect"
href="#JAX-RSJOSE-Third-PartyAlternatives">Third-Party
Alternatives</a></li></ul>
+/*]]>*/</style></p><div class="toc-macro rbtoc1426261585363">
+<ul class="toc-indentation"><li><a shape="rect"
href="#JAX-RSJOSE-Introduction">Introduction</a></li><li><a shape="rect"
href="#JAX-RSJOSE-MavenDependencies">Maven Dependencies</a></li><li><a
shape="rect" href="#JAX-RSJOSE-JOSEOverview">JOSE Overview</a></li><li><a
shape="rect" href="#JAX-RSJOSE-JWAAlgorithms">JWA Algorithms</a></li><li><a
shape="rect" href="#JAX-RSJOSE-JWKKeys">JWK Keys</a></li><li><a shape="rect"
href="#JAX-RSJOSE-JWSSignature">JWS Signature</a></li><li><a shape="rect"
href="#JAX-RSJOSE-JSONEncryption">JSON Encryption</a></li><li><a shape="rect"
href="#JAX-RSJOSE-JSONWebTokens">JSON Web Tokens</a></li><li><a shape="rect"
href="#JAX-RSJOSE-LinkingJWTauthenticationstoJWSorJWEcontent">Linking JWT
authentications to JWS or JWE content</a></li><li><a shape="rect"
href="#JAX-RSJOSE-JOSEJAX-RSFilters">JOSE JAX-RS Filters</a>
+<ul class="toc-indentation"><li><a shape="rect"
href="#JAX-RSJOSE-JWE">JWE</a></li><li><a shape="rect"
href="#JAX-RSJOSE-JWS">JWS</a></li></ul>
+</li><li><a shape="rect" href="#JAX-RSJOSE-Configuration">Configuration</a>
+<ul class="toc-indentation"><li><a shape="rect"
href="#JAX-RSJOSE-EncryptingJWKstores">Encrypting JWK stores</a></li></ul>
+</li><li><a shape="rect" href="#JAX-RSJOSE-OAuth2andJose">OAuth2 and
Jose</a></li><li><a shape="rect" href="#JAX-RSJOSE-OIDCandJose">OIDC and
Jose</a></li><li><a shape="rect" href="#JAX-RSJOSE-FutureWork">Future
Work</a></li><li><a shape="rect"
href="#JAX-RSJOSE-Third-PartyAlternatives">Third-Party
Alternatives</a></li></ul>
</div><h1 id="JAX-RSJOSE-Introduction">Introduction</h1><p>CXF 3.0.x
implements <a shape="rect" class="external-link"
href="https://datatracker.ietf.org/wg/jose/documents/";
rel="nofollow">JOSE</a>.</p><h1 id="JAX-RSJOSE-MavenDependencies">Maven
Dependencies</h1><div class="code panel pdl" style="border-width: 1px;"><div
class="codeContent panelContent pdl">
<script class="theme: Default; brush: xml; gutter: false"
type="syntaxhighlighter"><![CDATA[<dependency>
<groupId>org.apache.cxf</groupId>
@@ -133,7 +135,7 @@ div.rbtoc1426257993585 li {margin-left:
<version>3.0.4</version>
</dependency>
]]></script>
-</div></div><p> </p><h1 id="JAX-RSJOSE-JOSEOverview">JOSE
Overview</h1><p>JOSE is a set of high quality specifications that specify how
data payloads can be signed and/or encrypted with the cryptographic properties
set in JSON-formatted metadata (headers).</p><p>Note that not only JSON
documents but also documents in the arbitrary formats can be secured: text,
binary data, even XML.</p><p> </p><p>JOSE is a key piece of the advanced
OAuth2 applications but is also perfect at securing the regular HTTP web
service communications.</p><p> </p><p>At the moment two signature and
encryption output formats are supported: compact and
JSON.</p><p> </p><p>Compact format is a concatenation of Base64URL-encoded
JOSE headers (where the cryptographic signature or encryption properties are
set),</p><p>Base64URL-encoded payload (in the original form if it is signed,
otherwise - encrypted), plus Base64URL-encoded signature of the payload or some
of encryption process input or outpu
t data</p><p>such as an initialization vector, authentication tag,
etc.</p><p> </p><p>The JSON (full) format is where all the information
describing a signature or encryption process is presented in a not-compact,
regular JSON document, offering a non-optimized but easier to understand
format.</p><p>The JSON format also supports multiple signatures when signing
the content or multiple content key encryptions when encrypting the content
which can be useful when multiple recipients are involved.</p><p>The signature
process also supports the detached body mode where the body to be signed is not
included in the actual output - assuming that both the consumer and producer
know how to access the original payload in order to</p><p>validate the
signature.</p><p> </p><p>The following subsections will have the examples
with more details.</p><h2 id="JAX-RSJOSE-JWAAlgorithms">JWA
Algorithms</h2><p>All JOSE signature and encryption algorithms are grouped and
described in a <a shape="re
ct" class="external-link"
href="https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40";
rel="nofollow">JSON Web Algorithms</a> (JWA) specification.</p><p>The
algorithms are split into 3 categories: signature algorithms (MAC, RSA,
Elliptic Curve), algorithms for supporting the encryption of content encryption
keys (RSA-OAEP, Key Wrap, etc),</p><p>algorithms for encrypting the actual
content (AES GCM, etc).</p><p>All encryption algorithms produce authentication
tags which provides the protection against manipulating the already encrypted
content.</p><p>Refer to this specification to get all the information needed
(with the follow up links to the corresponding RFC when applicable) about a
particular signature or encryption</p><p>algorithm: the properties, recommended
key sizes, other security considerations related to all of or some specific
algorithms.</p><p>CXF offers the initial utility support for working with JWA
algorithms in <a shape="rect" class="external-link" href
="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwa;h=c2b9c5466de8f4b3ad1ea9270c1bc00f07fce862;hb=HEAD";>this
package</a>.</p><h2 id="JAX-RSJOSE-JWKKeys">JWK Keys</h2><p> </p><p><a
shape="rect" class="external-link"
href="https://tools.ietf.org/html/draft-ietf-jose-json-web-key-41";
rel="nofollow">Json Web Key</a> (JWK) is a JSON document describing the
cryptographic key properties. JWKs are very flexible and light-weight (in most
cases) and one can expect JWKs becoming one of the major</p><p>mechanisms for
representing and storing cryptographic keys. What is important is that one does
not have to use a JWK in order to sign or encrypt the document, working
directly with Java JCA secret and asymmetric key</p><p>representations is
sufficient but JWK is a first class citizen in JOSE with all of JOSE examples
using JWK representations.</p><p>CXF offers a utility support for reading and
writing JWK keys and
key sets and for working with the encrypted inlined and standalone JWK stores
in <a shape="rect" class="external-link"
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk;h=0d47d676fbb333db265f12f57f25c3d8240872ba;hb=HEAD";>this
package</a>.</p><h2 id="JAX-RSJOSE-JWSSignature">JWS Signature</h2><p><a
shape="rect" class="external-link"
href="https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-41";
rel="nofollow">JSON Web Signature</a> (JWS) document describes how a document
content can be signed. For example, <a shape="rect" class="external-link"
href="https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-41#appendix-A.1";
rel="nofollow">Appendix A1</a> shows how the content can be signed with a MAC
key.</p><p>Here is one of the ways you can do it in CXF, where a Json Web Token
(JWT, see one of the next sections) is signed by a MAC key:<br
clear="none"> </p><div class="code panel
pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl"
style="border-bottom-width: 1px;"><b>CXF JWS HMac</b></div><div
class="codeContent panelContent pdl">
+</div></div><p> </p><h1 id="JAX-RSJOSE-JOSEOverview">JOSE
Overview</h1><p>JOSE is a set of high quality specifications that specify how
data payloads can be signed and/or encrypted with the cryptographic properties
set in JSON-formatted metadata (headers).</p><p>Note that not only JSON
documents but also documents in the arbitrary formats can be secured: text,
binary data, even XML.</p><p> </p><p>JOSE is a key piece of the advanced
OAuth2 applications but is also perfect at securing the regular HTTP web
service communications.</p><p> </p><p>At the moment two signature and
encryption output formats are supported: compact and
JSON.</p><p> </p><p>Compact format is a concatenation of Base64URL-encoded
JOSE headers (where the cryptographic signature or encryption properties are
set),</p><p>Base64URL-encoded payload (in the original form if it is signed,
otherwise - encrypted), plus Base64URL-encoded signature of the payload or some
of encryption process input or outpu
t data</p><p>such as an initialization vector, authentication tag,
etc.</p><p> </p><p>The JSON (full) format is where all the information
describing a signature or encryption process is presented in a not-compact,
regular JSON document, offering a non-optimized but easier to understand
format.</p><p>The JSON format also supports multiple signatures when signing
the content or multiple content key encryptions when encrypting the content
which can be useful when multiple recipients are involved.</p><p>The signature
process also supports the detached body mode where the body to be signed is not
included in the actual output - assuming that both the consumer and producer
know how to access the original payload in order to</p><p>validate the
signature.</p><p> </p><p>The following subsections will have the examples
with more details.</p><h1 id="JAX-RSJOSE-JWAAlgorithms">JWA
Algorithms</h1><p>All JOSE signature and encryption algorithms are grouped and
described in a <a shape="re
ct" class="external-link"
href="https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40";
rel="nofollow">JSON Web Algorithms</a> (JWA) specification.</p><p>The
algorithms are split into 3 categories: signature algorithms (MAC, RSA,
Elliptic Curve), algorithms for supporting the encryption of content encryption
keys (RSA-OAEP, Key Wrap, etc),</p><p>algorithms for encrypting the actual
content (AES GCM, etc).</p><p>All encryption algorithms produce authentication
tags which provides the protection against manipulating the already encrypted
content.</p><p>Refer to this specification to get all the information needed
(with the follow up links to the corresponding RFC when applicable) about a
particular signature or encryption</p><p>algorithm: the properties, recommended
key sizes, other security considerations related to all of or some specific
algorithms.</p><p>CXF offers the initial utility support for working with JWA
algorithms in <a shape="rect" class="external-link" href
="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwa;h=c2b9c5466de8f4b3ad1ea9270c1bc00f07fce862;hb=HEAD";>this
package</a>.</p><h1 id="JAX-RSJOSE-JWKKeys">JWK Keys</h1><p> </p><p><a
shape="rect" class="external-link"
href="https://tools.ietf.org/html/draft-ietf-jose-json-web-key-41";
rel="nofollow">Json Web Key</a> (JWK) is a JSON document describing the
cryptographic key properties. JWKs are very flexible and light-weight (in most
cases) and one can expect JWKs becoming one of the major</p><p>mechanisms for
representing and storing cryptographic keys. What is important is that one does
not have to use a JWK in order to sign or encrypt the document, working
directly with Java JCA secret and asymmetric key</p><p>representations is
sufficient but JWK is a first class citizen in JOSE with all of JOSE examples
using JWK representations.</p><p>CXF offers a utility support for reading and
writing JWK keys and
key sets and for working with the encrypted inlined and standalone JWK stores
in <a shape="rect" class="external-link"
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk;h=0d47d676fbb333db265f12f57f25c3d8240872ba;hb=HEAD";>this
package</a>.</p><p>Note that JWK keys can be set as JWS or JWE header
properties, example, in order to provide a recipient with the representation of
a public key used to create a signature.</p><h1
id="JAX-RSJOSE-JWSSignature">JWS Signature</h1><p><a shape="rect"
class="external-link"
href="https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-41";
rel="nofollow">JSON Web Signature</a> (JWS) document describes how a document
content can be signed. For example, <a shape="rect" class="external-link"
href="https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-41#appendix-A.1";
rel="nofollow">Appendix A1</a> shows how the content can be signed with a MAC
key.</p><p
>Here is one of the ways you can do it in CXF, where a Json Web Token (JWT,
>see one of the next sections) is signed by a MAC key:<br
>clear="none"> </p><div class="code panel pdl" style="border-width:
>1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width:
>1px;"><b>CXF JWS HMac</b></div><div class="codeContent panelContent pdl">
<script class="theme: Default; brush: java; gutter: false"
type="syntaxhighlighter"><![CDATA[// sign
JoseHeaders headers = new JoseHeaders();
headers.setAlgorithm(SignatureAlgorithm.HS256.getJwaName());
@@ -157,7 +159,24 @@ JwtToken token = jws.getJwtToken();
JoseHeaders headers = token.getHeaders();
assertEquals(SignatureAlgorithm.HS256.getJwaName(), headers.getAlgorithm());
validateClaims(token.getClaims());]]></script>
-</div></div><p> </p><p>CXF ships JWS related classes in <a shape="rect"
class="external-link"
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws;h=46610253c8a71916e1955019ea1b01215a7745e6;hb=HEAD";>this
package</a>.</p><p><a shape="rect" class="external-link"
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureProvider.java;h=9ca48cb2a3b534124f6bdb793a9b0dfa3b6890c5;hb=HEAD";>JwsSignatureProvider</a>
supports signing the content, <a shape="rect" class="external-link"
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureVerifier.java;h=26f9597ddb216675cbb7ba24bcb1281c13001041;hb=HEAD";>JwsSignatureVerifier</a>
- validating the signatures. Providers and verifiers supporting RSA, HMac and
Elliptic Curve signature al
gorithms are shipped.</p><p>JwsCompactConsumer and JwsCompactProducer offer a
utility support for creating and validating JWS compact serialization and
accept keys in a variety of formats</p><p>(as JWKs, JCA representations,
created out of band and wrapped in either JwsSignatureProvider or
JwsSignatureVerifier).</p><p>JwsJwtCompactConsumer and JwsJwtCompactProducer
are JwsCompactConsumer and JwsCompactProducer specializations that offer a
utility support for signing Json Web Tokens in a compact
format.</p><p>JwsJsonConsumer and JwsJsonProducer support JWS JSON (full)
serialization.</p><p>JwsOutputStream and JwsJsonOutputStream are
specialized output streams that can be used in conjunction with JWS JAX-RS
filters (see one of the next sections)</p><p>to support the best effort at
streaming the content while signing it.  These classes will use <a
shape="rect" class="external-link"
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/ja
va/org/apache/cxf/rs/security/jose/jws/JwsSignature.java;h=778b5cb38fd6951bcc06a2a226a057ec3d07d4ef;hb=HEAD">JwsSignature</a> 
optionally returned from JwsSignatureProvider</p><p>instead of working with
the consumer utility classes which deal with the signature process completely
in memory.</p><p> </p><p>Many more examples will be added here.</p><h2
id="JAX-RSJOSE-JSONEncryption">JSON Encryption</h2><p> </p><h2
id="JAX-RSJOSE-JSONWebTokens">JSON Web Tokens</h2><p> </p><h1
id="JAX-RSJOSE-JOSEJAX-RSFilters">JOSE JAX-RS Filters</h1><p> </p><h1
id="JAX-RSJOSE-Configuration">Configuration</h1><p> </p><p> </p><h1
id="JAX-RSJOSE-OAuth2andJose">OAuth2 and Jose</h1><p> </p><h1
id="JAX-RSJOSE-Third-PartyAlternatives">Third-Party Alternatives</h1><p>Jose4J.
Etc.</p><p> </p></div>
+</div></div><p> </p><p>CXF ships JWS related classes in <a shape="rect"
class="external-link"
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws;h=46610253c8a71916e1955019ea1b01215a7745e6;hb=HEAD";>this
package</a> and offers a support for all of JWA signature algorithms.</p><p><a
shape="rect" class="external-link"
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureProvider.java;h=9ca48cb2a3b534124f6bdb793a9b0dfa3b6890c5;hb=HEAD";>JwsSignatureProvider</a>
supports signing the content, <a shape="rect" class="external-link"
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureVerifier.java;h=26f9597ddb216675cbb7ba24bcb1281c13001041;hb=HEAD";>JwsSignatureVerifier</a>
- validating the signatures. Providers and verif
iers supporting RSA, HMac and Elliptic Curve signature algorithms are
shipped.</p><p>JwsCompactConsumer and JwsCompactProducer offer a utility
support for creating and validating JWS compact serialization and accept keys
in a variety of formats</p><p>(as JWKs, JCA representations, created out of
band and wrapped in either JwsSignatureProvider or
JwsSignatureVerifier).</p><p>JwsJwtCompactConsumer and JwsJwtCompactProducer
are JwsCompactConsumer and JwsCompactProducer specializations that offer a
utility support for signing Json Web Tokens in a compact
format.</p><p>JwsJsonConsumer and JwsJsonProducer support JWS JSON (full)
serialization.</p><p>JwsOutputStream and JwsJsonOutputStream are
specialized output streams that can be used in conjunction with JWS JAX-RS
filters (see one of the next sections)</p><p>to support the best effort at
streaming the content while signing it.  These classes will use <a
shape="rect" class="external-link" href="https://git-wip-us.apache.org/rep
os/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignature.java;h=778b5cb38fd6951bcc06a2a226a057ec3d07d4ef;hb=HEAD">JwsSignature</a> 
optionally returned from JwsSignatureProvider</p><p>instead of working with
the consumer utility classes which deal with the signature process completely
in memory.</p><p> </p><p>Many more examples will be added here.</p><h1
id="JAX-RSJOSE-JSONEncryption">JSON Encryption</h1><p><a shape="rect"
class="external-link"
href="https://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-40";
rel="nofollow">JSON Web Signature</a> (JWE) document describes how a document
content, and, when applicable, a content encryption key, can be encrypted. For
example, <a shape="rect" class="external-link"
href="https://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-40#appendix-A.1";
rel="nofollow">Appendix A1</a> shows how the content can be
encrypted</p><p>with a secret key using Aes Gcm with the actu
al content encryption key encrypted/wrapped using RSA-OAEP.</p><p>Here is the
example for doing Aes Cbc HMac and Aes Key Wrap in CXF:</p><div class="code
panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl"
style="border-bottom-width: 1px;"><b>CXF Jwe AesWrapAesCbcHMac</b></div><div
class="codeContent panelContent pdl">
+<script class="theme: Default; brush: java; gutter: false"
type="syntaxhighlighter"><![CDATA[final String specPlainText = "Live long
and prosper.";
+
+byte[] cekEncryptionKey = Base64UrlUtility.decode(KEY_ENCRYPTION_KEY_A3);
+
+AesWrapKeyEncryptionAlgorithm keyEncryption = new
AesWrapKeyEncryptionAlgorithm(cekEncryptionKey, KeyAlgorithm.A128KW);
+JweEncryptionProvider encryption = new
AesCbcHmacJweEncryption(ContentAlgorithm.A128CBC_HS256,
+
CONTENT_ENCRYPTION_KEY_A3,
+ INIT_VECTOR_A3,
+ keyEncryption);
+String jweContent =
encryption.encrypt(specPlainText.getBytes("UTF-8"), null);
+assertEquals(JWE_OUTPUT_A3, jweContent);
+
+AesWrapKeyDecryptionAlgorithm keyDecryption = new
AesWrapKeyDecryptionAlgorithm(cekEncryptionKey);
+JweDecryptionProvider decryption = new AesCbcHmacJweDecryption(keyDecryption);
+String decryptedText = decryption.decrypt(jweContent).getContentText();
+assertEquals(specPlainText, decryptedText);]]></script>
+</div></div><p> </p><p>CXF ships JWE related classes in <a shape="rect"
class="external-link"
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe;h=71e0e29025252080838168458b3d2e0179a7a0bd;hb=HEAD";>this
package</a> and offers a support for all of JWA encryption
algorithms.</p><p><a shape="rect" class="external-link"
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionProvider.java;h=615212b1622abb1c0a8b06a3b5498d8b6199d0cc;hb=HEAD";>JweEncryptionProvider</a>
supports encrypting the content, <a shape="rect" class="external-link"
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionProvider.java;h=1f4861a2d78df5514ff74c40330c1a5f5933f47d;hb=HEAD";>JweDecryptionProvider</a>
- decrypting the content. Encryptors and
Decryptors for all of JWE algorithms are shipped.</p><p>JweCompactConsumer
and JweCompactProducer offer a utility support for creating and validating JWE
compact serialization and accept keys in a variety of formats</p><p>(as JWKs,
JCA representations, created out of band and wrapped in either
JweEncryptionProvider or JweDecryptionProvider).</p><p>JweJwtCompactConsumer
and JweJwtCompactProducer are JweCompactConsumer and JweCompactProducer
specializations that offer a utility support for encrypting Json Web Tokens in
a compact format.</p><p>JweJsonConsumer and JweJsonProducer support JWE JSON
(full) serialization.</p><p>JweOutputStream is a specialized output stream that
can be used in conjunction with JWE JAX-RS filters (see one of the next
sections)</p><p>to support the best effort at streaming the content while
encrypting it.  These classes will use <a shape="rect"
class="external-link"
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src
/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionOutput.java;h=918ef5a085c3dc51025e2e9cbba37388f37eb49e;hb=HEAD">JweEncryptionOutput</a> 
optionally returned from JweEncryptionProvider</p><p>instead of working with
the consumer utility classes which deal with the encryption process completely
in memory.</p><p> </p><p>Many more examples will be added here.</p><h1
id="JAX-RSJOSE-JSONWebTokens">JSON Web Tokens</h1><p> </p><p><a
shape="rect" class="external-link"
href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32";
rel="nofollow">JSON Web Token</a> (JWT) is a collection of claims in JSON
format. It offers a standard JSON container for representing various properties
or claims.</p><p>JWT can be signed and or encrypted, i.e, serve as a JOSE
signature or encryption input like any other data
structure.</p><p> </p><p>JWT has been primarily used in OAuth2
applications to represent self-contained access tokens but can also be used in
other contex
ts.</p><p>CXF offers an initial JWT support in <a shape="rect"
class="external-link"
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt;h=ab5e633cd9d81374288c46c7d283df49931cc0d8;hb=HEAD";>this
package</a>.</p><h1
id="JAX-RSJOSE-LinkingJWTauthenticationstoJWSorJWEcontent">Linking JWT
authentications to JWS or JWE content</h1><p>Add more...</p><h1
id="JAX-RSJOSE-JOSEJAX-RSFilters">JOSE JAX-RS Filters</h1><h2
id="JAX-RSJOSE-JWE">JWE</h2><h2 id="JAX-RSJOSE-JWS">JWS</h2><h1
id="JAX-RSJOSE-Configuration">Configuration</h1><p>A variety of signature and
encryption key properties is supported. Add more...</p><h2
id="JAX-RSJOSE-EncryptingJWKstores">Encrypting JWK stores</h2><p>JAX-RS filters
can read the keys from encrypted JWK stores. The stores are encrypted inline or
in separate storages (files). By default the filters expect that the stores has
been encrypted using</p><p>a password based <a shape="rect" cl
ass="external-link"
href="https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#section-4.8";
rel="nofollow">PBES2 algorithm</a>. The filters will check a registered <a
shape="rect" class="external-link"
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/PrivateKeyPasswordProvider.java;h=bfcde495a9f9fd0f11a2394c758be1d85beb5c60;hb=HEAD";>password
provider</a>.</p><h1 id="JAX-RSJOSE-OAuth2andJose">OAuth2 and Jose</h1><p>CXF
OAuth2 module depends on its JOSE module. This will be used to support OAuth2
POP tokens. Authorization code JOSE requests can already be processed. Utility
support for validating JWT-based access tokens is provided.</p><p>Add
more...</p><h1 id="JAX-RSJOSE-OIDCandJose">OIDC and Jose</h1><p>OIDC heavily
depends on JOSE. CXF OIDC module utilizes a JOSE module to support OIDC RP and
IDP code. Add more...</p><h1 id="JAX-RSJOSE-FutureWork">Future
Work</h1><p>OAuth2, WebCryp
to, OIDC, etc</p><h1 id="JAX-RSJOSE-Third-PartyAlternatives">Third-Party
Alternatives</h1><p><a shape="rect" class="external-link"
href="https://bitbucket.org/b_c/jose4j/wiki/Home"; rel="nofollow">Jose4J</a> is
a top project from Brian Campbell.  CXF users are encouraged to experiment
with Jose4J (or indeed with other 3rd party implementations) if they
prefer.</p><p>TODO: describe how Jose4J can be integrated with CXF filters if
preferred.</p><p> </p></div>
</div>
<!-- Content -->
</td>
