Author: buildbot
Date: Wed May 18 10:47:40 2016
New Revision: 988524

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/jax-rs-jose.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-jose.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-jose.html (original)
+++ websites/production/cxf/content/docs/jax-rs-jose.html Wed May 18 10:47:40 
2016
@@ -119,19 +119,19 @@ Apache CXF -- JAX-RS JOSE
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><p>&#160;</p><p>&#160;</p><p><style 
type="text/css">/*<![CDATA[*/
-div.rbtoc1463503618227 {padding: 0px;}
-div.rbtoc1463503618227 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1463503618227 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1463568424611 {padding: 0px;}
+div.rbtoc1463568424611 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1463568424611 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1463503618227">
+/*]]>*/</style></p><div class="toc-macro rbtoc1463568424611">
 <ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSJOSE-Introduction">Introduction</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-MavenDependencies">Maven Dependencies</a></li><li><a 
shape="rect" href="#JAX-RSJOSE-JOSEOverview">JOSE Overview</a>
-<ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSJOSE-JWAAlgorithms">JWA Algorithms</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-JWKKeys">JWK Keys</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-JWSSignature">JWS Signature</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-JWEEncryption">JWE Encryption</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-JSONWebTokens">JSON Web Tokens</a></li></ul>
-</li><li><a shape="rect" 
href="#JAX-RSJOSE-LinkingJWTauthenticationstoJWSorJWEcontent">Linking JWT 
authentications to JWS or JWE content</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-JOSEJAX-RSFilters">JOSE JAX-RS Filters</a>
-<ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSJOSE-JWE">JWE</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-JWS">JWS</a></li></ul>
+<ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSJOSE-JWAAlgorithms">JWA Algorithms</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-JWKKeys">JWK Keys</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-JWSSignature">JWS Signature</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-JWEEncryption">JWE Encryption</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-JSONWebToken">JSON Web Token</a></li></ul>
+</li><li><a shape="rect" href="#JAX-RSJOSE-JOSEJAX-RSFilters">JOSE JAX-RS 
Filters</a>
+<ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSJOSE-JWE">JWE</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-JWS">JWS</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-LinkingJWTauthenticationstoJWSorJWEcontent">Linking JWT 
authentications to JWS or JWE content</a></li></ul>
 </li><li><a shape="rect" href="#JAX-RSJOSE-Configuration">Configuration</a>
 <ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSJOSE-Configurationthatappliestobothencryptionandsignature">Configuration
 that applies to both encryption and signature</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-Configurationthatappliestosignatureonly">Configuration that 
applies to signature only</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-Configurationthatappliestoencryptiononly">Configuration that 
applies to encryption only</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-ConfigurationthatappliestoJWTtokensonly">Configuration that 
applies to JWT tokens only</a></li></ul>
-</li><li><a shape="rect" href="#JAX-RSJOSE-EncryptingJWKstores">Encrypting JWK 
stores</a></li><li><a shape="rect" href="#JAX-RSJOSE-OAuth2andJose">OAuth2 and 
Jose</a></li><li><a shape="rect" href="#JAX-RSJOSE-OIDCandJose">OIDC and 
Jose</a></li><li><a shape="rect" href="#JAX-RSJOSE-FutureWork">Future 
Work</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-Third-PartyAlternatives">Third-Party 
Alternatives</a></li></ul>
-</div><h1 id="JAX-RSJOSE-Introduction">Introduction</h1><p><a shape="rect" 
class="external-link" href="https://datatracker.ietf.org/wg/jose/documents/"; 
rel="nofollow">JOSE</a>&#160;is a set of high quality specifications that 
specify how data payloads can be signed/validated and/or encrypted/decrypted 
with the cryptographic properties set in the JSON-formatted metadata (headers). 
The data to be secured can be in JSON or some other format (plain text, XML, 
binary data).</p><p><a shape="rect" class="external-link" 
href="https://datatracker.ietf.org/wg/jose/documents/"; 
rel="nofollow">JOSE</a>&#160;is a key piece of the advanced OAuth2-based 
applications such as OpenIdConnect but can also be successfully used for 
securing the regular HTTP web service communications.</p><p>CXF 3.1.x and 3.2.0 
provides a complete implementation of <a shape="rect" class="external-link" 
href="https://datatracker.ietf.org/wg/jose/documents/"; 
rel="nofollow">JOSE</a>.</p><h1 id="JAX-RSJOSE-MavenDependencies">M
 aven Dependencies</h1><p>&#160;</p><p>Having the following dependency will let 
the developers write JOSE code: creating and securing JSON Web Tokens (JWT), 
and securing the arbitrary data (not only JSON)</p><div class="code panel pdl" 
style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</li><li><a shape="rect" href="#JAX-RSJOSE-OAuth2andJose">OAuth2 and 
Jose</a></li><li><a shape="rect" href="#JAX-RSJOSE-OIDCandJose">OIDC and 
Jose</a></li><li><a shape="rect" href="#JAX-RSJOSE-FutureWork">Future 
Work</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-Third-PartyAlternatives">Third-Party 
Alternatives</a></li></ul>
+</div><h1 id="JAX-RSJOSE-Introduction">Introduction</h1><p><a shape="rect" 
class="external-link" href="https://datatracker.ietf.org/wg/jose/documents/"; 
rel="nofollow">JOSE</a>&#160;is a set of high quality specifications that 
specify how data payloads can be signed/validated and/or encrypted/decrypted 
with the cryptographic properties set in the JSON-formatted metadata (headers). 
The data to be secured can be in JSON or other format (plain text, XML, binary 
data).</p><p><a shape="rect" class="external-link" 
href="https://datatracker.ietf.org/wg/jose/documents/"; 
rel="nofollow">JOSE</a>&#160;is a key piece of the advanced OAuth2-based 
applications such as OpenIdConnect but can also be successfully used for 
securing the regular HTTP web service communications.</p><p>CXF 3.1.x and 3.2.0 
provides a complete implementation of <a shape="rect" class="external-link" 
href="https://datatracker.ietf.org/wg/jose/documents/"; 
rel="nofollow">JOSE</a>.</p><h1 id="JAX-RSJOSE-MavenDependencies">Maven 
 Dependencies</h1><p>&#160;</p><p>Having the following dependency will let the 
developers write JOSE code: creating and securing JSON Web Tokens (JWT), and 
securing the arbitrary data (not only JSON)</p><div class="code panel pdl" 
style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <pre class="brush: xml; gutter: false; theme: Default" 
style="font-size:12px;">&lt;dependency&gt;
   &lt;groupId&gt;org.apache.cxf&lt;/groupId&gt;
   &lt;artifactId&gt;cxf-rt-rs-security-jose&lt;/artifactId&gt;
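Review bot: the TOC entry "JSON Web Tokens" is renamed to "JSON Web Token" and its anchor changes to "#JAX-RSJOSE-JSONWebToken", but the heading that anchor must match is only visible in this diff as the removed <h2 id="JAX-RSJOSE-JSONWebTokens"> in the last hunk, and the replacement line is not shown; confirm the new heading id actually drops the trailing "s", otherwise the TOC link dangles. The "Encrypting JWK stores" entry is dropped from the TOC in the same edit, which is consistent with the JWK Keys section absorbing the encrypted-store material later in this patch, but the matching <h1 id="JAX-RSJOSE-EncryptingJWKstores"> body section then needs to go as well (not visible here). Minor, in the unchanged Introduction text carried through both versions: "CXF 3.1.x and 3.2.0 provides" should read "provide".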
@@ -145,7 +145,7 @@ div.rbtoc1463503618227 li {margin-left:
   &lt;version&gt;3.1.7&lt;/version&gt;
 &lt;/dependency&gt;
 </pre>
-</div></div><pre>&#160;</pre><h1 id="JAX-RSJOSE-JOSEOverview">JOSE 
Overview</h1><p>JOSE consists of the following key parts:</p><ul><li><a 
shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518"; 
rel="nofollow">JWA</a> - JSON Web Algorithms where all supported signature and 
encryption algorithms are listed</li><li><a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7517"; rel="nofollow">JWK</a> - JSON Web 
Keys - introduces a JSON format for describing the public and private keys used 
by JWA algorithms</li><li><a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7515"; rel="nofollow">JWS</a> - JSON Web 
Signature - describes how the data can be signed or validated and introduces 
compact and JSON JWS formats for representing the signed data</li><li><a 
shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7516"; 
rel="nofollow">JWE</a> - JSON Web Encryption - describes how the data can be 
encrypted or decryp
 ted and introduces compact and JSON JWE formats for representing the encrypted 
data&#160;&#160;</li></ul><p>Additionally, <a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7519"; 
rel="nofollow">JWT</a> (JSON Web Token), while technically being not part of 
JOSE, is often used as an input material to JWS and JWE processors, especially 
in OAuth2 flows (example: OAuth2 access tokens can be represented internally as 
JWT, OpenIdConnect IdToken and UserInfo are effectively JWTs). <a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7519"; 
rel="nofollow">JWT</a> describes how a set of claims in a JSON format can be 
either JWS-signed or JWE-enctypted.&#160;</p><h2 
id="JAX-RSJOSE-JWAAlgorithms">JWA Algorithms</h2><p>All JOSE signature and 
encryption algorithms are grouped and described in <a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7518"; 
rel="nofollow">JSON Web Algorithms</a> (JWA) specification.</p><p>The 
algorithms 
 are split into 3 categories: signature algorithms (HMAC, RSA, Elliptic Curve), 
algorithms for supporting the encryption of content encryption keys (RSA-OAEP, 
AES Key Wrap, etc), and algorithms for encrypting the actual content (AES GCM, 
etc).</p><p>All JWS and JWE algorithms process the meta-data (the algorithm 
properties) and the actual data thus also ensuring the algorithm properties are 
integrity-protected, additionally JWE algorithms produce authentication tags 
which ensure the already encrypted content won't be manipulated.</p><p>Please 
refer to <a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7518"; rel="nofollow">the specification</a> 
to get all the information needed (with the follow up links to the 
corresponding RFC when applicable) about a particular signature or encryption 
algorithm: the properties, recommended key sizes, other security considerations 
related to all of or some specific algorithms. CXF JOSE code already enforces a 
number of the rec
 ommended constraints.</p><p>CXF offers the utility support for working with 
JWA algorithms in <a shape="rect" class="external-link" 
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwa;h=c2b9c5466de8f4b3ad1ea9270c1bc00f07fce862;hb=HEAD";>this
 package</a>. Typically one would supply an algorithm property in a type-safe 
way either to JWS or JWE processor, for example,&#160; SignatureAlgorithm.HS256 
(HMAC signature) for JWS,&#160;KeyAlgorithm.A256KW (key encryption wrap) plus 
ContentAlgorithm.A256GCM for JWE.</p><h2 id="JAX-RSJOSE-JWKKeys">JWK 
Keys</h2><p><a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7517"; rel="nofollow">JSON Web Key</a> 
(JWK) is a JSON document describing the cryptographic key properties. JWKs are 
very flexible and one can expect JWKs becoming one of the major mechanisms for 
representing and storing cryptographic keys. While one does not have to use a 
JWK in o
 rder to sign or encrypt the document and rely on Java JCA secret and 
asymmetric key representations instead, JWK is a preferred representation of 
JWS/JWE keys.</p><p>For example:</p><div class="code panel pdl" 
style="border-width: 1px;"><div class="codeHeader panelHeader pdl" 
style="border-bottom-width: 1px;"><b>Jwk Signature Key</b></div><div 
class="codeContent panelContent pdl">
+</div></div><pre>&#160;</pre><h1 id="JAX-RSJOSE-JOSEOverview">JOSE 
Overview</h1><p>JOSE consists of the following key parts:</p><ul><li><a 
shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518"; 
rel="nofollow">JWA</a> - JSON Web Algorithms where all supported signature and 
encryption algorithms are listed</li><li><a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7517"; rel="nofollow">JWK</a> - JSON Web 
Keys - introduces a JSON format for describing the public and private keys used 
by JWA algorithms</li><li><a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7515"; rel="nofollow">JWS</a> - JSON Web 
Signature - describes how the data can be signed or validated and introduces 
compact and JSON JWS formats for representing the signed data</li><li><a 
shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7516"; 
rel="nofollow">JWE</a> - JSON Web Encryption - describes how the data can be 
encrypted or decryp
 ted and introduces compact and JSON JWE formats for representing the encrypted 
data&#160;&#160;</li></ul><p>Additionally, <a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7519"; 
rel="nofollow">JWT</a> (JSON Web Token), while technically being not part of 
JOSE, is often used as an input material to JWS and JWE processors, especially 
in OAuth2 flows (example: OAuth2 access tokens can be represented internally as 
JWT, OpenIdConnect IdToken and UserInfo are effectively JWTs). <a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7519"; 
rel="nofollow">JWT</a> describes how a set of claims in JSON format can be 
either JWS-signed and/or JWE-enctypted.&#160;</p><h2 
id="JAX-RSJOSE-JWAAlgorithms">JWA Algorithms</h2><p>All JOSE signature and 
encryption algorithms are grouped and described in the <a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7518"; 
rel="nofollow">JWA</a> (JSON Web Algorithms) specification.</p><p>The algor
 ithms are split into 3 categories: signature algorithms (HMAC, RSA, Elliptic 
Curve), algorithms for supporting the encryption of content encryption keys 
(RSA-OAEP, AES Key Wrap, etc), and algorithms for encrypting the actual content 
(AES GCM, etc).</p><div>The specification lists all the algorithms that can be 
used either for signing or encrypting and also describes how some of these 
algorithms work in cases</div><div>where JCA (or BouncyCastle) does not support 
them directly, example, AES-CBC-HMAC-SHA2.</div><div>Algorithm name is a type + 
hint, example: HS256 (HMAC with SHA-256), RSA-OAEP-256 (RSA OAEP key encryption 
with SHA-256), etc.</div><p>All JWS and JWE algorithms process not only the 
actual data but also the meta-data (the algorithm properties) thus ensuring the 
algorithm properties are integrity-protected, additionally JWE algorithms 
produce authentication tags which ensure the already encrypted content won't be 
manipulated.</p><p>Please refer to <a shape="rect" class="ex
 ternal-link" href="https://tools.ietf.org/html/rfc7518"; rel="nofollow">the 
specification</a> to get all the information needed (with the follow up links 
to the corresponding RFC when applicable) about a particular signature or 
encryption algorithm: the properties, recommended key sizes, other security 
considerations related to all of or some specific algorithms. CXF JOSE code 
already enforces a number of the recommended constraints.</p><p>CXF offers the 
utility support for working with JWA algorithms in <a shape="rect" 
class="external-link" 
href="https://github.com/apache/cxf/tree/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwa";
 rel="nofollow">this package</a>.</p><p>Typically one would supply an algorithm 
property in a type-safe way either to JWS or JWE processor, for example,&#160; 
SignatureAlgorithm.HS256 (HMAC signature) for JWS,&#160;KeyAlgorithm.A256KW 
(key encryption wrap) plus ContentAlgorithm.A256GCM for JWE. Each enum has 
methods fo
 r checking a key size, JWA and Java JCA algorithm names.</p><h2 
id="JAX-RSJOSE-JWKKeys">JWK Keys</h2><p><a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7517"; rel="nofollow">JWK</a> (JSON Web 
Key) is a JSON document describing the cryptographic key properties. JWKs are 
very flexible and one can expect JWKs becoming one of the major mechanisms for 
representing and storing cryptographic keys. While one does not have to 
represent the keys as JWK in order to sign or encrypt the document and rely on 
Java JCA secret and asymmetric keys instead, JWK is a preferred representation 
of signature or encryption keys in JOSE.</p><p>For example:</p><div class="code 
panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" 
style="border-bottom-width: 1px;"><b>Secret HMAC Key</b></div><div 
class="codeContent panelContent pdl">
 <pre class="brush: js; gutter: false; theme: Default" style="font-size:12px;">{
    "kty":"oct",
    
"k":"AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow",
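Review bot: the new sentence in the JWA Algorithms section is broken across div elements mid-sentence ("...describes how some of these algorithms work in cases</div><div>where JCA (or BouncyCastle) does not support them directly..."), so it renders with a line break after "cases"; merge the three consecutive divs into a single <p>. Two wording points in the same hunk: "JWE-enctypted" (typo for JWE-encrypted) survives from the removed line into the new one, and "JWE algorithms produce authentication tags which ensure the already encrypted content won't be manipulated" overstates what a tag does; it lets the recipient detect manipulation and reject the message, it does not prevent it. Finally, the "Secret HMAC Key" example inlines a 512-bit "oct" key value that is the RFC 7515 Appendix A.1 example key; saying so in the code header would stop readers copying a published key into a real configuration.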
@@ -163,7 +163,7 @@ div.rbtoc1463503618227 li {margin-left:
   "e":"AQAB",
   "alg":"RS256",
   "kid":"Public RSA Key"}</pre>
-</div></div><p>&#160;</p><p>A collection of JWK keys is called a JWK Key 
Set.</p><p>CXF offers a utility support for reading and writing JWK keys and 
key sets and for working with the encrypted inlined and standalone JWK stores 
in <a shape="rect" class="external-link" 
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk;h=0d47d676fbb333db265f12f57f25c3d8240872ba;hb=HEAD";>this
 package</a>. For example, <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.inlinejwk.properties#L18";
 rel="nofollow">here is how</a> an encrypted inlined JWK key is stored. 
Similarly, <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.inlineset.properties#L18";
 rel="nofollo
 w">here is how</a> a collection of keys is inlined. In other cases users can 
refer to a <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jws.ec.private.properties";
 rel="nofollow">file containing the set of keys</a>.</p><p>Support for the 
pluggable strategies for loading JWKs is on the map.</p><h2 
id="JAX-RSJOSE-JWSSignature">JWS Signature</h2><p><a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7515"; 
rel="nofollow">JSON Web Signature</a> (JWS) document describes how a document 
content can be signed. For example, <a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-41#appendix-A.1";
 rel="nofollow">Appendix A1</a> shows how the content can be signed with a MAC 
key.</p><p>Here is one of the ways you can do it in CXF, where a Json Web Token 
(JWT, see one of the next sections) is signed by a MAC ke
 y:<br clear="none">&#160;</p><div class="code panel pdl" style="border-width: 
1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 
1px;"><b>CXF JWS HMac</b></div><div class="codeContent panelContent pdl">
+</div></div><p>&#160;</p><p>A collection of JWK keys is called a JWK Key Set 
which is represented as JSON array of JWKs.</p><p>CXF offers a utility support 
for reading and writing JWK keys and key sets and for working with the 
encrypted inlined and standalone JWK stores in <a shape="rect" 
class="external-link" 
href="https://github.com/apache/cxf/tree/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk";
 rel="nofollow">this package</a>.</p><p>For example, a key set containing 
public JWK keys can be seen <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/certs/jwkPublicSet.txt";
 rel="nofollow">here</a> and referred to from the <a shape="rect" 
class="external-link" 
href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jws.ec.public.properties#L19";
 rel="nofollow">configu
 ration properties</a>. The private (test) key set can be represented in a <a 
shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/certs/jwkPrivateSet.txt";
 rel="nofollow">clear form</a>, though most likely you'd want a private key set 
<a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/certs/encryptedJwkPrivateSet.txt";
 rel="nofollow">encrypted</a> and referred to <a shape="rect" 
class="external-link" 
href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.properties#L19";
 rel="nofollow">like this</a>.&#160;</p><p>One can inline the encrypted key or 
the key set directly in the configuration properties. For example, here is how 
an encrypted <a shape="rect" class="external-link" href="
 
https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.inlinejwk.properties#L18";
 rel="nofollow">single JWK key is inlined</a>. Similarly, here is how an 
encrypted <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.inlineset.properties#L18";
 rel="nofollow">collection of keys is inlined</a>.</p><p>CXF assumes that the 
JWK keys have been encrypted if a <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/PrivateKeyPasswordProvider.java";
 rel="nofollow">password provider</a> is available in scope, it is typically 
registered with JAX-RS endpoints. The encryption is done with a password based 
<a shape="rect" class="external-link" href="https://tools.ietf.org/html/r
 fc7518#section-4.8" rel="nofollow">PBES2 algorithm</a>.&#160;</p><p>Support 
for the pluggable strategies for loading JWKs is on the map.</p><h2 
id="JAX-RSJOSE-JWSSignature">JWS Signature</h2><p><a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7515"; 
rel="nofollow">JWS</a> (JSON Web Signature) document describes how a document 
content can be signed. For example, <a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-41#appendix-A.1";
 rel="nofollow">Appendix A1</a> shows how the content can be signed with a MAC 
key.</p><p>Here is one of the ways you can do it in CXF, where a Json Web Token 
(JWT, see one of the next sections) is signed by a MAC key:<br 
clear="none">&#160;</p><div class="code panel pdl" style="border-width: 
1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 
1px;"><b>CXF JWS HMac</b></div><div class="codeContent panelContent pdl">
 <pre class="brush: java; gutter: false; theme: Default" 
style="font-size:12px;">// sign
 JoseHeaders headers = new JoseHeaders();
 headers.setAlgorithm(SignatureAlgorithm.HS256.getJwaName());
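Review bot: "A collection of JWK keys is called a JWK Key Set which is represented as JSON array of JWKs" is inaccurate; per RFC 7517 section 5 a JWK Set is a JSON object whose "keys" member holds the array, which matters for anyone hand-writing a key set file from this description. The new sentence "CXF assumes that the JWK keys have been encrypted if a password provider is available in scope" should also say what happens when the assumption does not hold (a plaintext store with a provider registered, or an encrypted store without one), since that is the case a deployer will hit first. Smaller points: the "Appendix A1" link still targets draft-ietf-jose-json-web-signature-41 while the preceding sentence links RFC 7515, so point it at the RFC's appendix A.1; and "on the map" should read "on the roadmap".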
@@ -187,7 +187,7 @@ JwtToken token = jws.getJwtToken();
 JoseHeaders headers = token.getHeaders();
 assertEquals(SignatureAlgorithm.HS256.getJwaName(), headers.getAlgorithm());
 validateClaims(token.getClaims());</pre>
-</div></div><p>&#160;</p><p>CXF ships JWS related classes in <a shape="rect" 
class="external-link" 
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws;h=46610253c8a71916e1955019ea1b01215a7745e6;hb=HEAD";>this
 package</a> and offers a support for all of JWA signature algorithms.</p><p><a 
shape="rect" class="external-link" 
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureProvider.java;h=9ca48cb2a3b534124f6bdb793a9b0dfa3b6890c5;hb=HEAD";>JwsSignatureProvider</a>
 supports signing the content, <a shape="rect" class="external-link" 
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureVerifier.java;h=26f9597ddb216675cbb7ba24bcb1281c13001041;hb=HEAD";>JwsSignatureVerifier</a>
 - validating the signatures. Providers and verif
 iers supporting RSA, HMac and Elliptic Curve signature algorithms are 
shipped.</p><p>JwsCompactConsumer and JwsCompactProducer offer a utility 
support for creating and validating JWS compact serialization and accept keys 
in a variety of formats</p><p>(as JWKs, JCA representations, created out of 
band and wrapped in either JwsSignatureProvider or 
JwsSignatureVerifier).</p><p>JwsJwtCompactConsumer and JwsJwtCompactProducer 
are JwsCompactConsumer and JwsCompactProducer specializations that offer a 
utility support for signing Json Web Tokens in a compact 
format.</p><p>JwsJsonConsumer and JwsJsonProducer support JWS JSON (full) 
serialization.</p><p>JwsOutputStream and&#160;JwsJsonOutputStream are 
specialized output streams that can be used in conjunction with JWS JAX-RS 
filters (see one of the next sections)</p><p>to support the best effort at 
streaming the content while signing it.&#160; These classes will use <a 
shape="rect" class="external-link" href="https://git-wip-us.apache.org/rep
 
os/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignature.java;h=778b5cb38fd6951bcc06a2a226a057ec3d07d4ef;hb=HEAD">JwsSignature</a>&#160;
 optionally returned from JwsSignatureProvider</p><p>instead of working with 
the consumer utility classes which deal with the signature process completely 
in memory.</p><p>&#160;</p><p>Many more examples will be added here.</p><h2 
id="JAX-RSJOSE-JWEEncryption">JWE Encryption</h2><p><a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7516"; 
rel="nofollow">JSON Web Signature</a> (JWE) document describes how a document 
content, and, when applicable, a content encryption key, can be encrypted. For 
example, <a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-40#appendix-A.1";
 rel="nofollow">Appendix A1</a> shows how the content can be 
encrypted</p><p>with a secret key using Aes Gcm with the actual content 
encryption key encrypt
 ed/wrapped using RSA-OAEP.</p><p>Here is the example for doing Aes Cbc HMac 
and Aes Key Wrap in CXF:</p><div class="code panel pdl" style="border-width: 
1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 
1px;"><b>CXF Jwe AesWrapAesCbcHMac</b></div><div class="codeContent 
panelContent pdl">
+</div></div><p>&#160;</p><p>CXF ships JWS related classes in <a shape="rect" 
class="external-link" 
href="https://github.com/apache/cxf/tree/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws";
 rel="nofollow">this package</a> and offers a support for all of JWA signature 
algorithms.</p><p><a shape="rect" class="external-link" 
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureProvider.java;h=9ca48cb2a3b534124f6bdb793a9b0dfa3b6890c5;hb=HEAD";>JwsSignatureProvider</a>
 supports signing the content, <a shape="rect" class="external-link" 
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureVerifier.java;h=26f9597ddb216675cbb7ba24bcb1281c13001041;hb=HEAD";>JwsSignatureVerifier</a>
 - validating the signatures. Providers and verifiers supporting RSA, HMac and 
Elliptic Cu
 rve signature algorithms are shipped.</p><p>JwsCompactConsumer and 
JwsCompactProducer offer a utility support for creating and validating JWS 
compact serialization and accept keys in a variety of formats</p><p>(as JWKs, 
JCA representations, created out of band and wrapped in either 
JwsSignatureProvider or JwsSignatureVerifier).</p><p>JwsJwtCompactConsumer and 
JwsJwtCompactProducer are JwsCompactConsumer and JwsCompactProducer 
specializations that offer a utility support for signing Json Web Tokens in a 
compact format.</p><p>JwsJsonConsumer and JwsJsonProducer support JWS JSON 
(full) serialization.</p><p>JwsOutputStream and&#160;JwsJsonOutputStream are 
specialized output streams that can be used in conjunction with JWS JAX-RS 
filters (see one of the next sections)</p><p>to support the best effort at 
streaming the content while signing it.&#160; These classes will use <a 
shape="rect" class="external-link" 
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/
 
jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignature.java;h=778b5cb38fd6951bcc06a2a226a057ec3d07d4ef;hb=HEAD">JwsSignature</a>&#160;
 optionally returned from JwsSignatureProvider</p><p>instead of working with 
the consumer utility classes which deal with the signature process completely 
in memory.</p><p>&#160;</p><p>Many more examples will be added here.</p><h2 
id="JAX-RSJOSE-JWEEncryption">JWE Encryption</h2><p><a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7516"; 
rel="nofollow">JWE</a> (JSON Web Encryption) document describes how a document 
content, and, when applicable, a content encryption key, can be encrypted. For 
example, <a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-40#appendix-A.1";
 rel="nofollow">Appendix A1</a> shows how the content can be 
encrypted</p><p>with a secret key using Aes Gcm with the actual content 
encryption key encrypted/wrapped using RSA-OAEP.</p><p>Here is
  the example for doing Aes Cbc HMac and Aes Key Wrap in CXF:</p><div 
class="code panel pdl" style="border-width: 1px;"><div class="codeHeader 
panelHeader pdl" style="border-bottom-width: 1px;"><b>CXF Jwe 
AesWrapAesCbcHMac</b></div><div class="codeContent panelContent pdl">
 <pre class="brush: java; gutter: false; theme: Default" 
style="font-size:12px;">final String specPlainText = "Live long and prosper.";
         
 byte[] cekEncryptionKey = Base64UrlUtility.decode(KEY_ENCRYPTION_KEY_A3);
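Review bot: several paragraphs in the rewritten JWS class descriptions remain split mid-sentence ("accept keys in a variety of formats</p><p>(as JWKs, ...", "JWS JAX-RS filters (see one of the next sections)</p><p>to support the best effort at streaming", "optionally returned from JwsSignatureProvider</p><p>instead of working with"); join each into a single <p>. The links in this hunk are now mixed: the package link moves to github.com under rt/rs/security/jose-parent/jose/..., while JwsSignatureProvider, JwsSignatureVerifier and JwsSignature still point at git-wip-us.apache.org with pinned blob hashes under the old rt/rs/security/jose/ path, so the two sets will drift or break independently; move them all to the same tree. The JWE "Appendix A1" link likewise still targets draft-ietf-jose-json-web-encryption-40 rather than RFC 7516, which the same sentence links.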
@@ -204,7 +204,7 @@ AesWrapKeyDecryptionAlgorithm keyDecrypt
 JweDecryptionProvider decryption = new AesCbcHmacJweDecryption(keyDecryption);
 String decryptedText = decryption.decrypt(jweContent).getContentText();
 assertEquals(specPlainText, decryptedText);</pre>
-</div></div><p>&#160;</p><p>CXF ships JWE related classes in <a shape="rect" 
class="external-link" 
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe;h=71e0e29025252080838168458b3d2e0179a7a0bd;hb=HEAD";>this
 package</a> and offers a support for all of JWA encryption 
algorithms.</p><p><a shape="rect" class="external-link" 
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionProvider.java;h=615212b1622abb1c0a8b06a3b5498d8b6199d0cc;hb=HEAD";>JweEncryptionProvider</a>
 supports encrypting the content, <a shape="rect" class="external-link" 
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionProvider.java;h=1f4861a2d78df5514ff74c40330c1a5f5933f47d;hb=HEAD";>JweDecryptionProvider</a>
 - decrypting the content. Encryptors and
  Decryptors for all of JWE algorithms are shipped.</p><p>JweCompactConsumer 
and JweCompactProducer offer a utility support for creating and validating JWE 
compact serialization and accept keys in a variety of formats</p><p>(as JWKs, 
JCA representations, created out of band and wrapped in either 
JweEncryptionProvider or JweDecryptionProvider).</p><p>JweJwtCompactConsumer 
and JweJwtCompactProducer are JweCompactConsumer and JweCompactProducer 
specializations that offer a utility support for encrypting Json Web Tokens in 
a compact format.</p><p>JweJsonConsumer and JweJsonProducer support JWE JSON 
(full) serialization.</p><p>JweOutputStream is a specialized output stream that 
can be used in conjunction with JWE JAX-RS filters (see one of the next 
sections)</p><p>to support the best effort at streaming the content while 
encrypting it.&#160; These classes will use <a shape="rect" 
class="external-link" 
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src
 
/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionOutput.java;h=918ef5a085c3dc51025e2e9cbba37388f37eb49e;hb=HEAD">JweEncryptionOutput</a>&#160;
 optionally returned from JweEncryptionProvider</p><p>instead of working with 
the consumer utility classes which deal with the encryption process completely 
in memory.</p><p>&#160;</p><p>Many more examples will be added here.</p><h2 
id="JAX-RSJOSE-JSONWebTokens">JSON Web Tokens</h2><p>&#160;</p><p><a 
shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7519"; 
rel="nofollow">JSON Web Token</a> (JWT) is a collection of claims in JSON 
format. It offers a standard JSON container for representing various properties 
or claims.</p><p>JWT can be signed and or encrypted, i.e, serve as a JOSE 
signature or encryption input like any other data 
structure.</p><p>&#160;</p><p>JWT has been primarily used in OAuth2 
applications to represent self-contained access tokens but can also be used in 
other contexts.</p><p>CXF offers an ini
 tial JWT support in <a shape="rect" class="external-link" 
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt;h=ab5e633cd9d81374288c46c7d283df49931cc0d8;hb=HEAD";>this
 package</a>.</p><h1 
id="JAX-RSJOSE-LinkingJWTauthenticationstoJWSorJWEcontent">Linking JWT 
authentications to JWS or JWE content</h1><p>Add more...</p><h1 
id="JAX-RSJOSE-JOSEJAX-RSFilters">JOSE JAX-RS Filters</h1><h2 
id="JAX-RSJOSE-JWE">JWE</h2><h2 id="JAX-RSJOSE-JWS">JWS</h2><h1 
id="JAX-RSJOSE-Configuration">Configuration</h1><h4 
id="JAX-RSJOSE-Configurationthatappliestobothencryptionandsignature">Configuration
 that applies to both encryption and signature</h4><div 
class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.keystore</td><td colspan="1" 
rowspan="1" class="confluenceTd">The Java KeyStore Object to use. This 
configuration tag is used if you want to pass the KeyS
 tore Object through dynamically.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>rs.security.keystore.type</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>The keystore type. Suitable values are 
"jks" or "jwk".</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.keystore.password</td><td colspan="1" 
rowspan="1" class="confluenceTd">The password required to access the 
keystore.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.keystore.alias</td><td colspan="1" rowspan="1" 
class="confluenceTd">&#160;The keystore alias corresponding to the key to use. 
You can append one of the following to this tag to get the alias for more 
specific operations:<br clear="none">&#160;&#160;&#160;&#160; - jwe.out<br 
clear="none">&#160;&#160;&#160;&#160; - jwe.in<br 
clear="none">&#160;&#160;&#160;&#160; - jws.out<br 
clear="none">&#160;&#160;&#160;&#160; - jws.in</td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.s
 ecurity.keystore.aliases</td><td colspan="1" rowspan="1" 
class="confluenceTd">The keystore aliases corresponding to the keys to use, 
when using the JSON serialization form. You can append one of the following to 
this tag to get the alias for more specific operations:<br 
clear="none">&#160;&#160;&#160;&#160; - jws.out<br 
clear="none">&#160;&#160;&#160;&#160; - jws.in</td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.keystore.file</td><td colspan="1" 
rowspan="1" class="confluenceTd">The path to the keystore 
file.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.key.password</td><td colspan="1" rowspan="1" 
class="confluenceTd">The password required to access the private key (in the 
keystore).</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.key.password.provider</td><td colspan="1" 
rowspan="1" class="confluenceTd">A reference to a PrivateKeyPasswordProvider 
instance used to retrieve passwords to access keys.</td>
 </tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.accept.public.key</td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Whether to allow using a JWK received in 
the header for signature validation. The default is 
"false".</p></td></tr></tbody></table></div><h4 
id="JAX-RSJOSE-Configurationthatappliestosignatureonly">Configuration that 
applies to signature only</h4><div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>rs.security.signature.key.password.provider</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>A reference to a 
PrivateKeyPasswordProvider instance used to retrieve passwords to access keys 
for signature. If this is not specified it falls back to use 
"rs.security.key.password.provider".</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.signature.algorithm</td><td 
colspan="1" rowspan="1" class="confluenceTd">The signature algorithm to use. 
The defau
 lt algorithm if not specified is 'RS256'.</td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.signature.out.properties</td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file 
for compact signature creation. If not specified then it falls back to 
"rs.security.signature.properties".</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.signature.in.properties</td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file 
for compact signature verification. If not specified then it falls back to 
"rs.security.signature.properties".</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.signature.properties</td><td 
colspan="1" rowspan="1" class="confluenceTd">The signature properties file for 
compact signature creation/verification.</td></tr><tr><td colspan="1" 
rowspan="1" 
class="confluenceTd">rs.security.signature.include.public.key</td><td 
colspan="1" rowspan="1" cl
 ass="confluenceTd">Include the JWK public key for signature in the "jwk" 
header.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.signature.include.cert</td><td colspan="1" 
rowspan="1" class="confluenceTd">Include the X.509 certificate for signature in 
the "x5c" header.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.signature.include.key.id</td><td colspan="1" 
rowspan="1" class="confluenceTd">Include the JWK key id for signature in the 
"kid" header.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.signature.include.cert.sha1</td><td 
colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate 
SHA-1 digest for signature in the "x5t" 
header.</td></tr></tbody></table></div><h4 
id="JAX-RSJOSE-Configurationthatappliestoencryptiononly">Configuration that 
applies to encryption only</h4><div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><
 p>rs.security.decryption.key.password.provider</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>A reference to a PrivateKeyPasswordProvider 
instance used to retrieve passwords to access keys for decryption. If this is 
not specified it falls back to use 
"rs.security.key.password.provider".</p></td></tr><tr><td colspan="1" 
rowspan="1" 
class="confluenceTd">rs.security.encryption.content.algorithm</td><td 
colspan="1" rowspan="1" class="confluenceTd">The encryption content algorithm 
to use. The default algorithm if not specified is 'A128GCM'.</td></tr><tr><td 
colspan="1" rowspan="1" 
class="confluenceTd">rs.security.encryption.key.algorithm</td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>The encryption key algorithm to use. The 
default algorithm if not specified is 'RSA-OAEP' if the key is an RSA key, and 
'A128GCMKW' if it is an octet sequence.</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.encryption.zip.algorithm</td><td 
colspan="1" rows
 pan="1" class="confluenceTd">The encryption zip algorithm to 
use.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.encryption.out.properties</td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>The signature properties file for 
encryption creation. If not specified then it falls back to 
"rs.security.encryption.properties".</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.encryption.in.properties</td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file 
for decryption. If not specified then it falls back to 
"rs.security.encryption.properties".</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.encryption.properties</td><td 
colspan="1" rowspan="1" class="confluenceTd">The signature properties file for 
encryption/decryption.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.encryption.include.public.key</td><td 
colspan="1" rowspan="1" class="confluence
 Td">Include the JWK public key for&#160;encryption in the "jwk" 
header.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.encryption.include.cert</td><td colspan="1" 
rowspan="1" class="confluenceTd">Include the X.509 certificate 
for&#160;encryption in the "x5c" header.</td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.encryption.include.key.id</td><td 
colspan="1" rowspan="1" class="confluenceTd">Include the JWK key id 
for&#160;encryption in the "kid" header.</td></tr><tr><td colspan="1" 
rowspan="1" 
class="confluenceTd">rs.security.encryption.include.cert.sha1</td><td 
colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate 
SHA-1 digest for&#160;encryption in the "x5t" 
header.</td></tr></tbody></table></div><h4 
id="JAX-RSJOSE-ConfigurationthatappliestoJWTtokensonly">Configuration that 
applies to JWT tokens only</h4><div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="conf
 luenceTd"><p>rs.security.enable.unsigned-jwt.principal</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Whether to allow unsigned JWT tokens as 
SecurityContext Principals. The default is 
false.</p></td></tr></tbody></table></div><h1 
id="JAX-RSJOSE-EncryptingJWKstores">Encrypting JWK stores</h1><p>JAX-RS filters 
can read the keys from encrypted JWK stores. The stores are encrypted inline or 
in separate storages (files). By default the filters expect that the stores has 
been encrypted using</p><p>a password based <a shape="rect" 
class="external-link" 
href="https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#section-4.8";
 rel="nofollow">PBES2 algorithm</a>. The filters will check a registered <a 
shape="rect" class="external-link" 
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/PrivateKeyPasswordProvider.java;h=bfcde495a9f9fd0f11a2394c758be1d85beb5c60;hb=HEAD";>password
 provi
 der</a>.</p><h1 id="JAX-RSJOSE-OAuth2andJose">OAuth2 and Jose</h1><p>CXF 
OAuth2 module depends on its JOSE module. This will be used to support OAuth2 
POP tokens. Authorization code JOSE requests can already be processed. Utility 
support for validating JWT-based access tokens is provided.</p><p>Add 
more...</p><h1 id="JAX-RSJOSE-OIDCandJose">OIDC and Jose</h1><p>OIDC heavily 
depends on JOSE. CXF OIDC module utilizes a JOSE module to support OIDC RP and 
IDP code. Add more...</p><h1 id="JAX-RSJOSE-FutureWork">Future 
Work</h1><p>OAuth2, WebCrypto, OIDC, etc</p><h1 
id="JAX-RSJOSE-Third-PartyAlternatives">Third-Party Alternatives</h1><p><a 
shape="rect" class="external-link" 
href="https://bitbucket.org/b_c/jose4j/wiki/Home"; rel="nofollow">Jose4J</a> is 
a top project from Brian Campbell.&#160; CXF users are encouraged to experiment 
with Jose4J (or indeed with other 3rd party implementations) if they 
prefer.</p><p>TODO: describe how Jose4J can be integrated with CXF filters if 
preferred.</p>
 <p>&#160;</p></div>
+</div></div><p>&#160;</p><p>CXF ships JWE related classes in <a shape="rect" 
class="external-link" 
href="https://github.com/apache/cxf/tree/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe";
 rel="nofollow">this package</a> and offers a support for all of JWA encryption 
algorithms.</p><p><a shape="rect" class="external-link" 
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionProvider.java;h=615212b1622abb1c0a8b06a3b5498d8b6199d0cc;hb=HEAD";>JweEncryptionProvider</a>
 supports encrypting the content, <a shape="rect" class="external-link" 
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionProvider.java;h=1f4861a2d78df5514ff74c40330c1a5f5933f47d;hb=HEAD";>JweDecryptionProvider</a>
 - decrypting the content. Encryptors and Decryptors for all of JWE algorithms 
are
  shipped.</p><p>JweCompactConsumer and JweCompactProducer offer a utility 
support for creating and validating JWE compact serialization and accept keys 
in a variety of formats</p><p>(as JWKs, JCA representations, created out of 
band and wrapped in either JweEncryptionProvider or 
JweDecryptionProvider).</p><p>JweJwtCompactConsumer and JweJwtCompactProducer 
are JweCompactConsumer and JweCompactProducer specializations that offer a 
utility support for encrypting Json Web Tokens in a compact 
format.</p><p>JweJsonConsumer and JweJsonProducer support JWE JSON (full) 
serialization.</p><p>JweOutputStream is a specialized output stream that can be 
used in conjunction with JWE JAX-RS filters (see one of the next 
sections)</p><p>to support the best effort at streaming the content while 
encrypting it.&#160; These classes will use <a shape="rect" 
class="external-link" 
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jos
 
e/jwe/JweEncryptionOutput.java;h=918ef5a085c3dc51025e2e9cbba37388f37eb49e;hb=HEAD">JweEncryptionOutput</a>&#160;
 optionally returned from JweEncryptionProvider</p><p>instead of working with 
the consumer utility classes which deal with the encryption process completely 
in memory.</p><p>&#160;</p><p>Many more examples will be added here.</p><h2 
id="JAX-RSJOSE-JSONWebToken">JSON Web Token</h2><p><a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7519"; 
rel="nofollow">JWT</a> (JSON Web Token) is a collection of claims in JSON 
format. It offers a standard JSON container for representing various properties 
or claims.</p><p>JWT can be signed and or encrypted, i.e, serve as a JOSE 
signature or encryption input like any other data structure.</p><p>JWT has been 
primarily used in OAuth2 applications to represent self-contained access tokens 
but can also be used in other contexts.</p><p>CXF offers an initial JWT support 
in <a shape="rect" class="external-link" href="https
 
://github.com/apache/cxf/tree/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt"
 rel="nofollow">this package</a>.</p><h1 id="JAX-RSJOSE-JOSEJAX-RSFilters">JOSE 
JAX-RS Filters</h1><h2 id="JAX-RSJOSE-JWE">JWE</h2><h2 
id="JAX-RSJOSE-JWS">JWS</h2><h2 
id="JAX-RSJOSE-LinkingJWTauthenticationstoJWSorJWEcontent">Linking JWT 
authentications to JWS or JWE content</h2><p>&#160;</p><h1 
id="JAX-RSJOSE-Configuration">Configuration</h1><h4 
id="JAX-RSJOSE-Configurationthatappliestobothencryptionandsignature">Configuration
 that applies to both encryption and signature</h4><div 
class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.keystore</td><td colspan="1" 
rowspan="1" class="confluenceTd">The Java KeyStore Object to use. This 
configuration tag is used if you want to pass the KeyStore Object through 
dynamically.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>rs.security.keyst
 ore.type</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The 
keystore type. Suitable values are "jks" or "jwk".</p></td></tr><tr><td 
colspan="1" rowspan="1" 
class="confluenceTd">rs.security.keystore.password</td><td colspan="1" 
rowspan="1" class="confluenceTd">The password required to access the 
keystore.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.keystore.alias</td><td colspan="1" rowspan="1" 
class="confluenceTd">&#160;The keystore alias corresponding to the key to use. 
You can append one of the following to this tag to get the alias for more 
specific operations:<br clear="none">&#160;&#160;&#160;&#160; - jwe.out<br 
clear="none">&#160;&#160;&#160;&#160; - jwe.in<br 
clear="none">&#160;&#160;&#160;&#160; - jws.out<br 
clear="none">&#160;&#160;&#160;&#160; - jws.in</td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.keystore.aliases</td><td 
colspan="1" rowspan="1" class="confluenceTd">The keystore aliases corresponding 
to
  the keys to use, when using the JSON serialization form. You can append one 
of the following to this tag to get the alias for more specific operations:<br 
clear="none">&#160;&#160;&#160;&#160; - jws.out<br 
clear="none">&#160;&#160;&#160;&#160; - jws.in</td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.keystore.file</td><td colspan="1" 
rowspan="1" class="confluenceTd">The path to the keystore 
file.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.key.password</td><td colspan="1" rowspan="1" 
class="confluenceTd">The password required to access the private key (in the 
keystore).</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.key.password.provider</td><td colspan="1" 
rowspan="1" class="confluenceTd">A reference to a PrivateKeyPasswordProvider 
instance used to retrieve passwords to access keys.</td></tr><tr><td 
colspan="1" rowspan="1" 
class="confluenceTd">rs.security.accept.public.key</td><td colspan="1" rowspan
 ="1" class="confluenceTd"><p>Whether to allow using a JWK received in the 
header for signature validation. The default is 
"false".</p></td></tr></tbody></table></div><h4 
id="JAX-RSJOSE-Configurationthatappliestosignatureonly">Configuration that 
applies to signature only</h4><div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>rs.security.signature.key.password.provider</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>A reference to a 
PrivateKeyPasswordProvider instance used to retrieve passwords to access keys 
for signature. If this is not specified it falls back to use 
"rs.security.key.password.provider".</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.signature.algorithm</td><td 
colspan="1" rowspan="1" class="confluenceTd">The signature algorithm to use. 
The default algorithm if not specified is 'RS256'.</td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security
 .signature.out.properties</td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>The signature properties file for compact signature 
creation. If not specified then it falls back to 
"rs.security.signature.properties".</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.signature.in.properties</td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file 
for compact signature verification. If not specified then it falls back to 
"rs.security.signature.properties".</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.signature.properties</td><td 
colspan="1" rowspan="1" class="confluenceTd">The signature properties file for 
compact signature creation/verification.</td></tr><tr><td colspan="1" 
rowspan="1" 
class="confluenceTd">rs.security.signature.include.public.key</td><td 
colspan="1" rowspan="1" class="confluenceTd">Include the JWK public key for 
signature in the "jwk" header.</td></tr><tr><td colspan="1" rowsp
 an="1" class="confluenceTd">rs.security.signature.include.cert</td><td 
colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate for 
signature in the "x5c" header.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.signature.include.key.id</td><td colspan="1" 
rowspan="1" class="confluenceTd">Include the JWK key id for signature in the 
"kid" header.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.signature.include.cert.sha1</td><td 
colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate 
SHA-1 digest for signature in the "x5t" 
header.</td></tr></tbody></table></div><h4 
id="JAX-RSJOSE-Configurationthatappliestoencryptiononly">Configuration that 
applies to encryption only</h4><div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>rs.security.decryption.key.password.provider</p></td><td
 colspan="1" rowspan="1" class="confluenceTd"><p>A refere
 nce to a PrivateKeyPasswordProvider instance used to retrieve passwords to 
access keys for decryption. If this is not specified it falls back to use 
"rs.security.key.password.provider".</p></td></tr><tr><td colspan="1" 
rowspan="1" 
class="confluenceTd">rs.security.encryption.content.algorithm</td><td 
colspan="1" rowspan="1" class="confluenceTd">The encryption content algorithm 
to use. The default algorithm if not specified is 'A128GCM'.</td></tr><tr><td 
colspan="1" rowspan="1" 
class="confluenceTd">rs.security.encryption.key.algorithm</td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>The encryption key algorithm to use. The 
default algorithm if not specified is 'RSA-OAEP' if the key is an RSA key, and 
'A128GCMKW' if it is an octet sequence.</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.encryption.zip.algorithm</td><td 
colspan="1" rowspan="1" class="confluenceTd">The encryption zip algorithm to 
use.</td></tr><tr><td colspan="1" rowspan="1" class="c
 onfluenceTd">rs.security.encryption.out.properties</td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>The signature properties file for 
encryption creation. If not specified then it falls back to 
"rs.security.encryption.properties".</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.encryption.in.properties</td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file 
for decryption. If not specified then it falls back to 
"rs.security.encryption.properties".</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.encryption.properties</td><td 
colspan="1" rowspan="1" class="confluenceTd">The signature properties file for 
encryption/decryption.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.encryption.include.public.key</td><td 
colspan="1" rowspan="1" class="confluenceTd">Include the JWK public key 
for&#160;encryption in the "jwk" header.</td></tr><tr><td colspan="1" 
rowspan="1" cl
 ass="confluenceTd">rs.security.encryption.include.cert</td><td colspan="1" 
rowspan="1" class="confluenceTd">Include the X.509 certificate 
for&#160;encryption in the "x5c" header.</td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.encryption.include.key.id</td><td 
colspan="1" rowspan="1" class="confluenceTd">Include the JWK key id 
for&#160;encryption in the "kid" header.</td></tr><tr><td colspan="1" 
rowspan="1" 
class="confluenceTd">rs.security.encryption.include.cert.sha1</td><td 
colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate 
SHA-1 digest for&#160;encryption in the "x5t" 
header.</td></tr></tbody></table></div><h4 
id="JAX-RSJOSE-ConfigurationthatappliestoJWTtokensonly">Configuration that 
applies to JWT tokens only</h4><div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>rs.security.enable.unsigned-jwt.principal</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>
 Whether to allow unsigned JWT tokens as SecurityContext Principals. The 
default is false.</p></td></tr></tbody></table></div><p>&#160;</p><h1 
id="JAX-RSJOSE-OAuth2andJose">OAuth2 and Jose</h1><p>CXF OAuth2 module depends 
on its JOSE module. This will be used to support OAuth2 POP tokens. 
Authorization code JOSE requests can already be processed. Utility support for 
validating JWT-based access tokens is provided.</p><p>Add more...</p><h1 
id="JAX-RSJOSE-OIDCandJose">OIDC and Jose</h1><p>OIDC heavily depends on JOSE. 
CXF OIDC module utilizes a JOSE module to support OIDC RP and IDP code. Add 
more...</p><h1 id="JAX-RSJOSE-FutureWork">Future Work</h1><p>OAuth2, WebCrypto, 
OIDC, etc</p><h1 id="JAX-RSJOSE-Third-PartyAlternatives">Third-Party 
Alternatives</h1><p><a shape="rect" class="external-link" 
href="https://bitbucket.org/b_c/jose4j/wiki/Home"; rel="nofollow">Jose4J</a> is 
a top project from Brian Campbell.&#160; CXF users are encouraged to experiment 
with Jose4J (or indeed with other 3
 rd party implementations) if they prefer.</p><p>TODO: describe how Jose4J can 
be integrated with CXF filters if preferred.</p><p>&#160;</p></div>
            </div>
            <!-- Content -->
          </td>
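Review bot: The replacement `+` line silently drops the whole "Encrypting JWK stores" section (`<h1 id="JAX-RSJOSE-EncryptingJWKstores">`, which told users that the JAX-RS filters can read PBES2-encrypted JWK stores and resolve the password through the registered PrivateKeyPasswordProvider); in the new text the "Configuration that applies to JWT tokens only" table is followed directly by `<p>&#160;</p><h1 id="JAX-RSJOSE-OAuth2andJose">OAuth2 and Jose</h1>`. If the section was removed on purpose, the commit should say so and the keystore configuration table should still tell readers where the encrypted-store behaviour is documented; otherwise restore it, since it is the only place on the page that describes how key material at rest is protected. Three smaller points in the same line: the JWT heading id changes from `JAX-RSJOSE-JSONWebTokens` to `JAX-RSJOSE-JSONWebToken`, which breaks any existing anchor link to the old id, so either keep the old id or check every link that targets it; the package links for jwe and jwt now point at github.com under `rt/rs/security/jose-parent/jose/...`, while the JweEncryptionProvider, JweDecryptionProvider and JweEncryptionOutput links still pin git-wip-us.apache.org blobs by hash under the old `rt/rs/security/jose/src/...` path, so the class links should be migrated in the same change or they will go stale independently; and the three `rs.security.encryption.*.properties` rows still carry the copy-pasted "The signature properties file for encryption ..." wording, which should read "encryption properties file" now that the row text is being touched anyway.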