Author: buildbot
Date: Wed May 18 13:47:35 2016
New Revision: 988533

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/jax-rs-jose.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-jose.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-jose.html (original)
+++ websites/production/cxf/content/docs/jax-rs-jose.html Wed May 18 13:47:35 
2016
@@ -119,17 +119,19 @@ Apache CXF -- JAX-RS JOSE
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><p>&#160;</p><p>&#160;</p><p><style 
type="text/css">/*<![CDATA[*/
-div.rbtoc1463575625414 {padding: 0px;}
-div.rbtoc1463575625414 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1463575625414 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1463579220959 {padding: 0px;}
+div.rbtoc1463579220959 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1463579220959 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1463575625414">
+/*]]>*/</style></p><div class="toc-macro rbtoc1463579220959">
 <ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSJOSE-Introduction">Introduction</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-MavenDependencies">Maven Dependencies</a></li><li><a 
shape="rect" href="#JAX-RSJOSE-JOSEOverviewandImplementation">JOSE Overview and 
Implementation</a>
 <ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSJOSE-JWAAlgorithms">JWA Algorithms</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-JWKKeys">JWK Keys</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-JWSSignature">JWS Signature</a>
 <ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSJOSE-SignatureandVerificationProviders">Signature and Verification 
Providers</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSCompact">JWS 
Compact</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSJSON">JWS 
JSON</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSwithClearPayload">JWS 
with Clear Payload</a></li></ul>
-</li><li><a shape="rect" href="#JAX-RSJOSE-JWEEncryption">JWE 
Encryption</a></li><li><a shape="rect" href="#JAX-RSJOSE-JSONWebToken">JSON Web 
Token</a></li></ul>
+</li><li><a shape="rect" href="#JAX-RSJOSE-JWEEncryption">JWE Encryption</a>
+<ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSJOSE-KeyandContentEncryptionProviders">Key and Content Encryption 
Providers</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWECompact">JWE 
Compact</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWEJSON">JWE 
JSON</a></li></ul>
+</li><li><a shape="rect" href="#JAX-RSJOSE-JSONWebToken">JSON Web 
Token</a></li></ul>
 </li><li><a shape="rect" href="#JAX-RSJOSE-JOSEJAX-RSFilters">JOSE JAX-RS 
Filters</a>
-<ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSJOSE-JWE">JWE</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-JWS">JWS</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-LinkingJWTauthenticationstoJWSorJWEcontent">Linking JWT 
authentications to JWS or JWE content</a></li></ul>
+<ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSJOSE-JWS">JWS</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-JWE">JWE</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-LinkingJWTauthenticationstoJWSorJWEcontent">Linking JWT 
authentications to JWS or JWE content</a></li></ul>
 </li><li><a shape="rect" href="#JAX-RSJOSE-Configuration">Configuration</a>
 <ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSJOSE-Configurationthatappliestobothencryptionandsignature">Configuration
 that applies to both encryption and signature</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-Configurationthatappliestosignatureonly">Configuration that 
applies to signature only</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-Configurationthatappliestoencryptiononly">Configuration that 
applies to encryption only</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-ConfigurationthatappliestoJWTtokensonly">Configuration that 
applies to JWT tokens only</a></li></ul>
 </li><li><a shape="rect" href="#JAX-RSJOSE-OAuth2andJose">OAuth2 and 
Jose</a></li><li><a shape="rect" href="#JAX-RSJOSE-OIDCandJose">OIDC and 
Jose</a></li><li><a shape="rect" href="#JAX-RSJOSE-FutureWork">Future 
Work</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-Third-PartyAlternatives">Third-Party 
Alternatives</a></li></ul>
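
Review bot: The first change in this hunk, the TOC macro class going from rbtoc1463575625414 to rbtoc1463579220959 in the inline style rules and the toc-macro div, is generated noise rather than content; the new suffix appears to be the export time in milliseconds (it matches the commit time of 13:47 on May 18 2016), so every production update will repeat this churn. If the export can emit a stable class name, the commit diffs would show only real content changes. For the content part, the added entries #JAX-RSJOSE-JWECompact and #JAX-RSJOSE-JWEJSON and the swapped JWS/JWE order under JOSE JAX-RS Filters should be checked against the heading ids and order in the page body, so that no TOC entry points at a missing anchor.
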
@@ -173,7 +175,7 @@ String thumbprint = JwkUtils.getThumbpri
 assertEquals("NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs", thumbprint);
 KeyType keyType = key.getKeyType();
 assertEquals(KeyType.RSA, thumbprint);</pre>
-</div></div><h2 id="JAX-RSJOSE-JWSSignature">JWS Signature</h2><p><a 
shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515"; 
rel="nofollow">JWS</a> (JSON Web Signature) document describes how a document 
content can be signed. For example, <a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7515#appendix-A.1"; rel="nofollow">Appendix 
A1</a> shows how the content can be signed with an HMAC key</p><p>CXF ships JWS 
related classes in <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/tree/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws";
 rel="nofollow">this package</a> and offers a support for all of <a 
shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7518#section-3"; rel="nofollow">JWA 
signature algorithms</a>.</p><h3 
id="JAX-RSJOSE-SignatureandVerificationProviders">Signature and Verification 
Providers</h3><p><a shape="rect" class="external-link" href="https
 
://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureProvider.java"
 rel="nofollow">JwsSignatureProvider</a> supports signing the content, <a 
shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureVerifier.java";
 rel="nofollow">JwsSignatureVerifier</a> - validating the signatures. These 
providers can be initialized from the keys or certificates loaded from JWK or 
JCA stores.</p><p>Note the signature and verification capabilities are 
represented by 2 different interfaces - it was done to keep the interfaces 
minimalistic and have the concerns separated which can be appreciated most in 
the cases where the code only signs or only validates.</p><p>The following 
table shows the algorithms and the corresponding providers:</p><div 
class="table-wrap"><table class="confluenceTable"><tbody><tr><td c
 olspan="1" rowspan="1" class="confluenceTd">&#160;</td><td colspan="1" 
rowspan="1" class="confluenceTd">JwsSignatureProvider</td><td colspan="1" 
rowspan="1" class="confluenceTd">JwsSignatureVerifier</td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3.2"; 
rel="nofollow">HMAC</a></td><td colspan="1" rowspan="1" 
class="confluenceTd"><pre>HmacJwsSignatureProvider</pre></td><td colspan="1" 
rowspan="1" 
class="confluenceTd"><pre>HmacJwsSignatureVerifier</pre></td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3.3"; 
rel="nofollow">RSASSA-PKCS1</a></td><td colspan="1" rowspan="1" 
class="confluenceTd">PrivateKeyJwsSignarureProvider</td><td colspan="1" 
rowspan="1" class="confluenceTd">PublicKeyJwsSignatureVerifier</td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="ex
 ternal-link" href="https://tools.ietf.org/html/rfc7518#section-3.4"; 
rel="nofollow">ECDSA</a></td><td colspan="1" rowspan="1" 
class="confluenceTd">EcDsaJwsSignarureProvider</td><td colspan="1" rowspan="1" 
class="confluenceTd">EcDsaJwsSignatureVerifier</td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7518#section-3.5"; 
rel="nofollow">RSASSA-PSS</a></td><td colspan="1" rowspan="1" 
class="confluenceTd">PrivateKeyJwsSignarureProvider</td><td colspan="1" 
rowspan="1" class="confluenceTd">PublicKeyJwsSignatureVerifier</td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3.6"; 
rel="nofollow">None</a></td><td colspan="1" rowspan="1" 
class="confluenceTd">NoneJwsSignarureProvider</td><td colspan="1" rowspan="1" 
class="confluenceTd">NoneJwsSignatureVerifier</td></tr></tbody></table></div><p>Either
 of these providers
  (except for None) can be initialized with the keys loaded from JWK or JCA 
stores or from the in-memory representations.</p><h3 
id="JAX-RSJOSE-JWSCompact">JWS Compact</h3><p><a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7515#section-3.3"; 
rel="nofollow">JWS Compact representation</a> is the most often used JOSE 
sequence. It is the concatenation of Base64URL-encoded sequence if JWS headers 
(algorithm and other properties),&#160; Base64URL-encoded sequence of the 
actual data being protected and Base64URL-encoded sequence of the signature 
algorithm output bytes.</p><p><a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactProducer.java";
 rel="nofollow">JwsCompactProducer</a> and <a shape="rect" 
class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jos
 e/jws/JwsCompactConsumer.java" rel="nofollow">JwsCompactConsumer</a> offer a 
support for producing and consuming compact JWS sequences, protecting the data 
in JSON or non-JSON formats.</p><p><a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJwtCompactProducer.java";
 rel="nofollow">JwsJwtCompactProducer</a> and <a shape="rect" 
class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJwtCompactConsumer.java";
 rel="nofollow">JwsJwtCompactConsumer</a> are their simple extensions which 
help with processing typed JWT Tokens.</p><p>&#160;For example, here is how an 
<a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7515#appendix-A.1"; rel="nofollow">Appendix 
A1</a> example can be done in CXF:</p><p>&#160;</p><div class="code panel pdl" 
style="border-widt
 h: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 
1px;"><b>CXF JWS HMac</b></div><div class="codeContent panelContent pdl">
+</div></div><h2 id="JAX-RSJOSE-JWSSignature">JWS Signature</h2><p><a 
shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515"; 
rel="nofollow">JWS</a> (JSON Web Signature) document describes how a document 
content can be signed. For example, <a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7515#appendix-A.1"; rel="nofollow">Appendix 
A1</a> shows how the content can be signed with an HMAC key</p><p>CXF ships JWS 
related classes in <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/tree/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws";
 rel="nofollow">this package</a> and offers a support for all of JWA <a 
shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7518#section-3"; rel="nofollow">signature 
algorithms</a>.</p><h3 
id="JAX-RSJOSE-SignatureandVerificationProviders">Signature and Verification 
Providers</h3><p><a shape="rect" class="external-link" href="https
 
://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureProvider.java"
 rel="nofollow">JwsSignatureProvider</a> supports signing the content, <a 
shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureVerifier.java";
 rel="nofollow">JwsSignatureVerifier</a> - validating the 
signatures.</p><p>Note the signature and verification capabilities are 
represented by 2 different interfaces - it was done to keep the interfaces 
minimalistic and have the concerns separated which can be appreciated most in 
the cases where the code only signs or only validates.</p><p>The following 
table shows the algorithms and the corresponding providers:</p><div 
class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" 
rowspan="1" class="confluenceTd">&#160;</td><td colspan="1" rowspan="1" 
class="conflu
 enceTd"><strong>JwsSignatureProvider</strong></td><td colspan="1" rowspan="1" 
class="confluenceTd"><strong>JwsSignatureVerifier</strong></td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3.2"; 
rel="nofollow">HMAC</a></td><td colspan="1" rowspan="1" 
class="confluenceTd"><pre>HmacJwsSignatureProvider</pre></td><td colspan="1" 
rowspan="1" 
class="confluenceTd"><pre>HmacJwsSignatureVerifier</pre></td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3.3"; 
rel="nofollow">RSASSA-PKCS1-v1_5</a></td><td colspan="1" rowspan="1" 
class="confluenceTd">PrivateKeyJwsSignatureProvider</td><td colspan="1" 
rowspan="1" class="confluenceTd">PublicKeyJwsSignatureVerifier</td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7518#se
 ction-3.4" rel="nofollow">ECDSA</a></td><td colspan="1" rowspan="1" 
class="confluenceTd">EcDsaJwsSignatureProvider</td><td colspan="1" rowspan="1" 
class="confluenceTd">EcDsaJwsSignatureVerifier</td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7518#section-3.5"; 
rel="nofollow">RSASSA-PSS</a></td><td colspan="1" rowspan="1" 
class="confluenceTd">PrivateKeyJwsSignatureProvider</td><td colspan="1" 
rowspan="1" class="confluenceTd">PublicKeyJwsSignatureVerifier</td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3.6"; 
rel="nofollow">None</a></td><td colspan="1" rowspan="1" 
class="confluenceTd">NoneJwsSignatureProvider</td><td colspan="1" rowspan="1" 
class="confluenceTd">NoneJwsSignatureVerifier</td></tr></tbody></table></div><p>Either
 of these providers (except for None) can be initialized with the keys loade
 d from JWK or JCA stores or from the in-memory representations.</p><h3 
id="JAX-RSJOSE-JWSCompact">JWS Compact</h3><p><a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7515#section-3.3"; 
rel="nofollow">JWS Compact representation</a> is the most often used JOSE 
sequence. It is the concatenation of Base64URL-encoded sequence if JWS headers 
(algorithm and other properties),&#160; Base64URL-encoded sequence of the 
actual data being protected and Base64URL-encoded sequence of the signature 
algorithm output bytes.</p><p><a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactProducer.java";
 rel="nofollow">JwsCompactProducer</a> and <a shape="rect" 
class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactConsumer.java";
 rel="nofollow">JwsCompactC
 onsumer</a> offer a support for producing and consuming compact JWS sequences, 
protecting the data in JSON or non-JSON formats.</p><p><a shape="rect" 
class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJwtCompactProducer.java";
 rel="nofollow">JwsJwtCompactProducer</a> and <a shape="rect" 
class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJwtCompactConsumer.java";
 rel="nofollow">JwsJwtCompactConsumer</a> are their simple extensions which 
help with processing typed JWT Tokens.</p><p>&#160;For example, here is how an 
<a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7515#appendix-A.1"; rel="nofollow">Appendix 
A1</a> example can be done in CXF:</p><p>&#160;</p><div class="code panel pdl" 
style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="b
 order-bottom-width: 1px;"><b>CXF JWS Compact HMac</b></div><div 
class="codeContent panelContent pdl">
 <pre class="brush: java; gutter: false; theme: Default" 
style="font-size:12px;">// Sign
 // Algorithm properties are set in the headers
 JoseHeaders headers = new JoseHeaders();
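
Review bot: The None row in the added JWS provider table lists NoneJwsSignatureProvider and NoneJwsSignatureVerifier next to the real algorithms without any caveat; the page should say that this pair produces and accepts unsecured JWS (RFC 7518 section 3.6) and provides no integrity protection, so a consumer that needs to authenticate content must not be configured with it. Two smaller items in the same hunk: the carried-over JWS Compact sentence still reads "Base64URL-encoded sequence if JWS headers" where "of" is meant, and the unchanged sample at the top of the hunk has assertEquals(KeyType.RSA, thumbprint); which compares the key type against the thumbprint string instead of keyType.
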
@@ -199,24 +201,21 @@ JwtToken token = jws.getJwtToken();
 JoseHeaders headers = token.getHeaders();
 assertEquals(SignatureAlgorithm.HS256, headers.getAlgorithm());
 validateClaims(token.getClaims());</pre>
-</div></div><h3 id="JAX-RSJOSE-JWSJSON">JWS JSON</h3><h3 
id="JAX-RSJOSE-JWSwithClearPayload">JWS with Clear Payload</h3><h2 
id="JAX-RSJOSE-JWEEncryption">JWE Encryption</h2><p><a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7516"; 
rel="nofollow">JWE</a> (JSON Web Encryption) document describes how a document 
content, and, when applicable, a content encryption key, can be encrypted. For 
example, <a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-40#appendix-A.1";
 rel="nofollow">Appendix A1</a> shows how the content can be 
encrypted</p><p>with a secret key using Aes Gcm with the actual content 
encryption key encrypted/wrapped using RSA-OAEP.</p><p>Here is the example for 
doing Aes Cbc HMac and Aes Key Wrap in CXF:</p><div class="code panel pdl" 
style="border-width: 1px;"><div class="codeHeader panelHeader pdl" 
style="border-bottom-width: 1px;"><b>CXF Jwe AesWrapAesCbcHMac</b></div><div 
class="codeContent
  panelContent pdl">
+</div></div><h3 id="JAX-RSJOSE-JWSJSON">JWS JSON</h3><h3 
id="JAX-RSJOSE-JWSwithClearPayload">JWS with Clear Payload</h3><h2 
id="JAX-RSJOSE-JWEEncryption">JWE Encryption</h2><p><a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7516"; 
rel="nofollow">JWE</a> (JSON Web Encryption) document describes how a document 
content, and, when applicable, a content encryption key, can be encrypted. For 
example, <a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7516#appendix-A.1"; rel="nofollow">Appendix 
A1</a> shows how the content can be encrypted with a secret key using AesGcm 
with the actual content encryption key being encrypted using 
RSA-OAEP.</p><p>CXF ships JWE related classes in <a shape="rect" 
class="external-link" 
href="https://github.com/apache/cxf/tree/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe";
 rel="nofollow">this package</a> and offers a support for all of JWA <a 
shape="rect" class="external
 -link" href="https://tools.ietf.org/html/rfc7518#section-4"; rel="nofollow">key 
encryption</a> and <a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7518#section-5"; rel="nofollow">content 
encryption</a> algorithms.</p><h3 
id="JAX-RSJOSE-KeyandContentEncryptionProviders">Key and Content Encryption 
Providers</h3><p>JWE Encryption process typically involves a content-encryption 
key being generated with this key being subsequently encrypted/wrapped with a 
key known to the consumer. Thus CXF offers the providers for supporting the 
key-encryption algorithms and providers for supporting the content-encryption 
algorithms. Direct key encryption (where the content-encryption key is 
established out of band) is also supported.</p><p><a shape="rect" 
class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/KeyEncryptionProvider.java";
 rel="nofollow">KeyEncryptionProvider</a> suppo
 rts encrypting a content-encryption key, <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/KeyDecryptionProvider.java";
 rel="nofollow">KeyDecryptionProvider</a> - decrypting it.</p><p>The following 
table shows the key encryption algorithms and the corresponding 
providers:</p><p>RSAKeyEncryptionAlgorithm</p><div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" 
class="confluenceTd">&#160;</td><td colspan="1" rowspan="1" 
class="confluenceTd"><strong>KeyEncryptionProvider</strong></td><td colspan="1" 
rowspan="1" 
class="confluenceTd"><strong>KeyDecryptionProvider</strong></td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7518#section-4.2"; 
rel="nofollow">RSAES-PKCS1-v1_5</a></td><td colspan="1" rowspan="1" 
class="confluenceTd"><pre>RSAKeyEncryptionA
 lgorithm</pre></td><td colspan="1" rowspan="1" 
class="confluenceTd"><pre>RSAKeyDecryptionAlgorithm</pre></td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7518#section-4.3"; 
rel="nofollow">RSAES OAEP</a></td><td colspan="1" rowspan="1" 
class="confluenceTd">RSAKeyEncryptionAlgorithm</td><td colspan="1" rowspan="1" 
class="confluenceTd">RSAKeyDecryptionAlgorithm</td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7518#section-4.4"; rel="nofollow">AES Key 
Wrap</a></td><td colspan="1" rowspan="1" 
class="confluenceTd">EcDsaJwsSignatureProvider</td><td colspan="1" rowspan="1" 
class="confluenceTd">EcDsaJwsSignatureVerifier</td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7518#section-3.5"; 
rel="nofollow">RSASSA-PSS</a></td><td colspan="1"
  rowspan="1" class="confluenceTd">PrivateKeyJwsSignatureProvider</td><td 
colspan="1" rowspan="1" 
class="confluenceTd">PublicKeyJwsSignatureVerifier</td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7518#section-3.6"; 
rel="nofollow">None</a></td><td colspan="1" rowspan="1" 
class="confluenceTd">NoneJwsSignatureProvider</td><td colspan="1" rowspan="1" 
class="confluenceTd">NoneJwsSignatureVerifier</td></tr></tbody></table></div><p>Either
 of these providers can be initialized with the keys loaded from JWK or JCA 
stores or from the in-memory representations.</p><h3 
id="JAX-RSJOSE-JWECompact">JWE Compact</h3><p><a shape="rect" 
class="external-link" 
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionProvider.java;h=615212b1622abb1c0a8b06a3b5498d8b6199d0cc;hb=HEAD";>JweEncryptionProvider</a>
 supports encrypting t
 he content, <a shape="rect" class="external-link" 
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionProvider.java;h=1f4861a2d78df5514ff74c40330c1a5f5933f47d;hb=HEAD";>JweDecryptionProvider</a>
 - decrypting the content. Encryptors and Decryptors for all of JWE algorithms 
are shipped.</p><p>Here is the example of doing AES CBC HMAC and AES Key Wrap 
in CXF:</p><div class="code panel pdl" style="border-width: 1px;"><div 
class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>CXF Jwe 
AesWrapAesCbcHMac</b></div><div class="codeContent panelContent pdl">
 <pre class="brush: java; gutter: false; theme: Default" 
style="font-size:12px;">final String specPlainText = "Live long and prosper.";
         
 byte[] cekEncryptionKey = Base64UrlUtility.decode(KEY_ENCRYPTION_KEY_A3);
         
 AesWrapKeyEncryptionAlgorithm keyEncryption = new 
AesWrapKeyEncryptionAlgorithm(cekEncryptionKey, KeyAlgorithm.A128KW);
 JweEncryptionProvider encryption = new 
AesCbcHmacJweEncryption(ContentAlgorithm.A128CBC_HS256,
-                                                               
CONTENT_ENCRYPTION_KEY_A3, 
-                                                               INIT_VECTOR_A3,
                                                                keyEncryption);
 String jweContent = encryption.encrypt(specPlainText.getBytes("UTF-8"), null);
-assertEquals(JWE_OUTPUT_A3, jweContent);
         
 AesWrapKeyDecryptionAlgorithm keyDecryption = new 
AesWrapKeyDecryptionAlgorithm(cekEncryptionKey);
 JweDecryptionProvider decryption = new AesCbcHmacJweDecryption(keyDecryption);
 String decryptedText = decryption.decrypt(jweContent).getContentText();
 assertEquals(specPlainText, decryptedText);</pre>
-</div></div><p>&#160;</p><p>CXF ships JWE related classes in <a shape="rect" 
class="external-link" 
href="https://github.com/apache/cxf/tree/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe";
 rel="nofollow">this package</a> and offers a support for all of JWA encryption 
algorithms.</p><p><a shape="rect" class="external-link" 
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionProvider.java;h=615212b1622abb1c0a8b06a3b5498d8b6199d0cc;hb=HEAD";>JweEncryptionProvider</a>
 supports encrypting the content, <a shape="rect" class="external-link" 
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionProvider.java;h=1f4861a2d78df5514ff74c40330c1a5f5933f47d;hb=HEAD";>JweDecryptionProvider</a>
 - decrypting the content. Encryptors and Decryptors for all of JWE algorithms 
are
  shipped.</p><p>JweCompactConsumer and JweCompactProducer offer a utility 
support for creating and validating JWE compact serialization and accept keys 
in a variety of formats</p><p>(as JWKs, JCA representations, created out of 
band and wrapped in either JweEncryptionProvider or 
JweDecryptionProvider).</p><p>JweJwtCompactConsumer and JweJwtCompactProducer 
are JweCompactConsumer and JweCompactProducer specializations that offer a 
utility support for encrypting Json Web Tokens in a compact 
format.</p><p>JweJsonConsumer and JweJsonProducer support JWE JSON (full) 
serialization.</p><p>JweOutputStream is a specialized output stream that can be 
used in conjunction with JWE JAX-RS filters (see one of the next 
sections)</p><p>to support the best effort at streaming the content while 
encrypting it.&#160; These classes will use <a shape="rect" 
class="external-link" 
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jos
 
e/jwe/JweEncryptionOutput.java;h=918ef5a085c3dc51025e2e9cbba37388f37eb49e;hb=HEAD">JweEncryptionOutput</a>&#160;
 optionally returned from JweEncryptionProvider</p><p>instead of working with 
the consumer utility classes which deal with the encryption process completely 
in memory.</p><p>&#160;</p><p>Many more examples will be added here.</p><h2 
id="JAX-RSJOSE-JSONWebToken">JSON Web Token</h2><p><a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7519"; 
rel="nofollow">JWT</a> (JSON Web Token) is a collection of claims in JSON 
format. It offers a standard JSON container for representing various properties 
or claims.</p><p>JWT can be signed and or encrypted, i.e, serve as a JOSE 
signature or encryption input like any other data structure.</p><p>JWT has been 
primarily used in OAuth2 applications to represent self-contained access tokens 
but can also be used in other contexts.</p><p>CXF offers an initial JWT support 
in <a shape="rect" class="external-link" href="https
 
://github.com/apache/cxf/tree/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt"
 rel="nofollow">this package</a>.</p><h1 id="JAX-RSJOSE-JOSEJAX-RSFilters">JOSE 
JAX-RS Filters</h1><h2 id="JAX-RSJOSE-JWE">JWE</h2><h2 
id="JAX-RSJOSE-JWS">JWS</h2><h2 
id="JAX-RSJOSE-LinkingJWTauthenticationstoJWSorJWEcontent">Linking JWT 
authentications to JWS or JWE content</h2><p>&#160;</p><h1 
id="JAX-RSJOSE-Configuration">Configuration</h1><h4 
id="JAX-RSJOSE-Configurationthatappliestobothencryptionandsignature">Configuration
 that applies to both encryption and signature</h4><div 
class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.keystore</td><td colspan="1" 
rowspan="1" class="confluenceTd">The Java KeyStore Object to use. This 
configuration tag is used if you want to pass the KeyStore Object through 
dynamically.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>rs.security.keyst
 ore.type</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The 
keystore type. Suitable values are "jks" or "jwk".</p></td></tr><tr><td 
colspan="1" rowspan="1" 
class="confluenceTd">rs.security.keystore.password</td><td colspan="1" 
rowspan="1" class="confluenceTd">The password required to access the 
keystore.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.keystore.alias</td><td colspan="1" rowspan="1" 
class="confluenceTd">&#160;The keystore alias corresponding to the key to use. 
You can append one of the following to this tag to get the alias for more 
specific operations:<br clear="none">&#160;&#160;&#160;&#160; - jwe.out<br 
clear="none">&#160;&#160;&#160;&#160; - jwe.in<br 
clear="none">&#160;&#160;&#160;&#160; - jws.out<br 
clear="none">&#160;&#160;&#160;&#160; - jws.in</td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.keystore.aliases</td><td 
colspan="1" rowspan="1" class="confluenceTd">The keystore aliases corresponding 
to
  the keys to use, when using the JSON serialization form. You can append one 
of the following to this tag to get the alias for more specific operations:<br 
clear="none">&#160;&#160;&#160;&#160; - jws.out<br 
clear="none">&#160;&#160;&#160;&#160; - jws.in</td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.keystore.file</td><td colspan="1" 
rowspan="1" class="confluenceTd">The path to the keystore 
file.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.key.password</td><td colspan="1" rowspan="1" 
class="confluenceTd">The password required to access the private key (in the 
keystore).</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.key.password.provider</td><td colspan="1" 
rowspan="1" class="confluenceTd">A reference to a PrivateKeyPasswordProvider 
instance used to retrieve passwords to access keys.</td></tr><tr><td 
colspan="1" rowspan="1" 
class="confluenceTd">rs.security.accept.public.key</td><td colspan="1" rowspan
 ="1" class="confluenceTd"><p>Whether to allow using a JWK received in the 
header for signature validation. The default is 
"false".</p></td></tr></tbody></table></div><h4 
id="JAX-RSJOSE-Configurationthatappliestosignatureonly">Configuration that 
applies to signature only</h4><div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>rs.security.signature.key.password.provider</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>A reference to a 
PrivateKeyPasswordProvider instance used to retrieve passwords to access keys 
for signature. If this is not specified it falls back to use 
"rs.security.key.password.provider".</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.signature.algorithm</td><td 
colspan="1" rowspan="1" class="confluenceTd">The signature algorithm to use. 
The default algorithm if not specified is 'RS256'.</td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security
 .signature.out.properties</td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>The signature properties file for compact signature 
creation. If not specified then it falls back to 
"rs.security.signature.properties".</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.signature.in.properties</td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file 
for compact signature verification. If not specified then it falls back to 
"rs.security.signature.properties".</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.signature.properties</td><td 
colspan="1" rowspan="1" class="confluenceTd">The signature properties file for 
compact signature creation/verification.</td></tr><tr><td colspan="1" 
rowspan="1" 
class="confluenceTd">rs.security.signature.include.public.key</td><td 
colspan="1" rowspan="1" class="confluenceTd">Include the JWK public key for 
signature in the "jwk" header.</td></tr><tr><td colspan="1" rowsp
 an="1" class="confluenceTd">rs.security.signature.include.cert</td><td 
colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate for 
signature in the "x5c" header.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.signature.include.key.id</td><td colspan="1" 
rowspan="1" class="confluenceTd">Include the JWK key id for signature in the 
"kid" header.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.signature.include.cert.sha1</td><td 
colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate 
SHA-1 digest for signature in the "x5t" 
header.</td></tr></tbody></table></div><h4 
id="JAX-RSJOSE-Configurationthatappliestoencryptiononly">Configuration that 
applies to encryption only</h4><div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>rs.security.decryption.key.password.provider</p></td><td
 colspan="1" rowspan="1" class="confluenceTd"><p>A refere
 nce to a PrivateKeyPasswordProvider instance used to retrieve passwords to 
access keys for decryption. If this is not specified it falls back to use 
"rs.security.key.password.provider".</p></td></tr><tr><td colspan="1" 
rowspan="1" 
class="confluenceTd">rs.security.encryption.content.algorithm</td><td 
colspan="1" rowspan="1" class="confluenceTd">The encryption content algorithm 
to use. The default algorithm if not specified is 'A128GCM'.</td></tr><tr><td 
colspan="1" rowspan="1" 
class="confluenceTd">rs.security.encryption.key.algorithm</td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>The encryption key algorithm to use. The 
default algorithm if not specified is 'RSA-OAEP' if the key is an RSA key, and 
'A128GCMKW' if it is an octet sequence.</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.encryption.zip.algorithm</td><td 
colspan="1" rowspan="1" class="confluenceTd">The encryption zip algorithm to 
use.</td></tr><tr><td colspan="1" rowspan="1" class="c
 onfluenceTd">rs.security.encryption.out.properties</td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>The signature properties file for 
encryption creation. If not specified then it falls back to 
"rs.security.encryption.properties".</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.encryption.in.properties</td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file 
for decryption. If not specified then it falls back to 
"rs.security.encryption.properties".</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.encryption.properties</td><td 
colspan="1" rowspan="1" class="confluenceTd">The signature properties file for 
encryption/decryption.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.encryption.include.public.key</td><td 
colspan="1" rowspan="1" class="confluenceTd">Include the JWK public key 
for&#160;encryption in the "jwk" header.</td></tr><tr><td colspan="1" 
rowspan="1" cl
 ass="confluenceTd">rs.security.encryption.include.cert</td><td colspan="1" 
rowspan="1" class="confluenceTd">Include the X.509 certificate 
for&#160;encryption in the "x5c" header.</td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.encryption.include.key.id</td><td 
colspan="1" rowspan="1" class="confluenceTd">Include the JWK key id 
for&#160;encryption in the "kid" header.</td></tr><tr><td colspan="1" 
rowspan="1" 
class="confluenceTd">rs.security.encryption.include.cert.sha1</td><td 
colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate 
SHA-1 digest for&#160;encryption in the "x5t" 
header.</td></tr></tbody></table></div><h4 
id="JAX-RSJOSE-ConfigurationthatappliestoJWTtokensonly">Configuration that 
applies to JWT tokens only</h4><div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>rs.security.enable.unsigned-jwt.principal</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>
 Whether to allow unsigned JWT tokens as SecurityContext Principals. The 
default is false.</p></td></tr></tbody></table></div><p>&#160;</p><h1 
id="JAX-RSJOSE-OAuth2andJose">OAuth2 and Jose</h1><p>CXF OAuth2 module depends 
on its JOSE module. This will be used to support OAuth2 POP tokens. 
Authorization code JOSE requests can already be processed. Utility support for 
validating JWT-based access tokens is provided.</p><p>Add more...</p><h1 
id="JAX-RSJOSE-OIDCandJose">OIDC and Jose</h1><p>OIDC heavily depends on JOSE. 
CXF OIDC module utilizes a JOSE module to support OIDC RP and IDP code. Add 
more...</p><h1 id="JAX-RSJOSE-FutureWork">Future Work</h1><p>OAuth2, WebCrypto, 
OIDC, etc</p><h1 id="JAX-RSJOSE-Third-PartyAlternatives">Third-Party 
Alternatives</h1><p><a shape="rect" class="external-link" 
href="https://bitbucket.org/b_c/jose4j/wiki/Home"; rel="nofollow">Jose4J</a> is 
a top project from Brian Campbell.&#160; CXF users are encouraged to experiment 
with Jose4J (or indeed with other 3
 rd party implementations) if they prefer.</p><p>TODO: describe how Jose4J can 
be integrated with CXF filters if preferred.</p><p>&#160;</p></div>
+</div></div><p>&#160;</p><h3 id="JAX-RSJOSE-JWEJSON">JWE JSON</h3><h2 
id="JAX-RSJOSE-JSONWebToken">JSON Web Token</h2><p><a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7519"; 
rel="nofollow">JWT</a> (JSON Web Token) is a collection of claims in JSON 
format. It offers a standard JSON container for representing various properties 
or claims.</p><p>JWT can be signed and or encrypted, i.e, serve as a JOSE 
signature or encryption input like any other data structure.</p><p>JWT has been 
primarily used in OAuth2 applications to represent self-contained access tokens 
but can also be used in other contexts.</p><p>CXF offers an initial JWT support 
in <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/tree/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt";
 rel="nofollow">this package</a>.</p><h1 id="JAX-RSJOSE-JOSEJAX-RSFilters">JOSE 
JAX-RS Filters</h1><h2 id="JAX-RSJOSE-JWS">JWS</h2><h2 id="JAX-RSJOSE-JWE">J
 WE</h2><h2 id="JAX-RSJOSE-LinkingJWTauthenticationstoJWSorJWEcontent">Linking 
JWT authentications to JWS or JWE content</h2><p>&#160;</p><h1 
id="JAX-RSJOSE-Configuration">Configuration</h1><h4 
id="JAX-RSJOSE-Configurationthatappliestobothencryptionandsignature">Configuration
 that applies to both encryption and signature</h4><div 
class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.keystore</td><td colspan="1" 
rowspan="1" class="confluenceTd">The Java KeyStore Object to use. This 
configuration tag is used if you want to pass the KeyStore Object through 
dynamically.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>rs.security.keystore.type</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>The keystore type. Suitable values are 
"jks" or "jwk".</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.keystore.password</td><td colspan="1" 
rowspan="1" class="confluenceTd">Th
 e password required to access the keystore.</td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.keystore.alias</td><td colspan="1" 
rowspan="1" class="confluenceTd">&#160;The keystore alias corresponding to the 
key to use. You can append one of the following to this tag to get the alias 
for more specific operations:<br clear="none">&#160;&#160;&#160;&#160; - 
jwe.out<br clear="none">&#160;&#160;&#160;&#160; - jwe.in<br 
clear="none">&#160;&#160;&#160;&#160; - jws.out<br 
clear="none">&#160;&#160;&#160;&#160; - jws.in</td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.keystore.aliases</td><td 
colspan="1" rowspan="1" class="confluenceTd">The keystore aliases corresponding 
to the keys to use, when using the JSON serialization form. You can append one 
of the following to this tag to get the alias for more specific operations:<br 
clear="none">&#160;&#160;&#160;&#160; - jws.out<br 
clear="none">&#160;&#160;&#160;&#160; - jws.in</td></tr><tr><td cols
 pan="1" rowspan="1" class="confluenceTd">rs.security.keystore.file</td><td 
colspan="1" rowspan="1" class="confluenceTd">The path to the keystore 
file.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.key.password</td><td colspan="1" rowspan="1" 
class="confluenceTd">The password required to access the private key (in the 
keystore).</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.key.password.provider</td><td colspan="1" 
rowspan="1" class="confluenceTd">A reference to a PrivateKeyPasswordProvider 
instance used to retrieve passwords to access keys.</td></tr><tr><td 
colspan="1" rowspan="1" 
class="confluenceTd">rs.security.accept.public.key</td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Whether to allow using a JWK received in 
the header for signature validation. The default is 
"false".</p></td></tr></tbody></table></div><h4 
id="JAX-RSJOSE-Configurationthatappliestosignatureonly">Configuration that 
applies to signature only</h4>
 <div class="table-wrap"><table class="confluenceTable"><tbody><tr><td 
colspan="1" rowspan="1" 
class="confluenceTd"><p>rs.security.signature.key.password.provider</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>A reference to a 
PrivateKeyPasswordProvider instance used to retrieve passwords to access keys 
for signature. If this is not specified it falls back to use 
"rs.security.key.password.provider".</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.signature.algorithm</td><td 
colspan="1" rowspan="1" class="confluenceTd">The signature algorithm to use. 
The default algorithm if not specified is 'RS256'.</td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.signature.out.properties</td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file 
for compact signature creation. If not specified then it falls back to 
"rs.security.signature.properties".</p></td></tr><tr><td colspan="1" 
rowspan="1" class="conf
 luenceTd">rs.security.signature.in.properties</td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>The signature properties file for compact signature 
verification. If not specified then it falls back to 
"rs.security.signature.properties".</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.signature.properties</td><td 
colspan="1" rowspan="1" class="confluenceTd">The signature properties file for 
compact signature creation/verification.</td></tr><tr><td colspan="1" 
rowspan="1" 
class="confluenceTd">rs.security.signature.include.public.key</td><td 
colspan="1" rowspan="1" class="confluenceTd">Include the JWK public key for 
signature in the "jwk" header.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.signature.include.cert</td><td colspan="1" 
rowspan="1" class="confluenceTd">Include the X.509 certificate for signature in 
the "x5c" header.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.signature.include.ke
 y.id</td><td colspan="1" rowspan="1" class="confluenceTd">Include the JWK key 
id for signature in the "kid" header.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.signature.include.cert.sha1</td><td 
colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate 
SHA-1 digest for signature in the "x5t" 
header.</td></tr></tbody></table></div><h4 
id="JAX-RSJOSE-Configurationthatappliestoencryptiononly">Configuration that 
applies to encryption only</h4><div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>rs.security.decryption.key.password.provider</p></td><td
 colspan="1" rowspan="1" class="confluenceTd"><p>A reference to a 
PrivateKeyPasswordProvider instance used to retrieve passwords to access keys 
for decryption. If this is not specified it falls back to use 
"rs.security.key.password.provider".</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.encryption.
 content.algorithm</td><td colspan="1" rowspan="1" class="confluenceTd">The 
encryption content algorithm to use. The default algorithm if not specified is 
'A128GCM'.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.encryption.key.algorithm</td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>The encryption key algorithm to use. The 
default algorithm if not specified is 'RSA-OAEP' if the key is an RSA key, and 
'A128GCMKW' if it is an octet sequence.</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.encryption.zip.algorithm</td><td 
colspan="1" rowspan="1" class="confluenceTd">The encryption zip algorithm to 
use.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.encryption.out.properties</td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>The signature properties file for 
encryption creation. If not specified then it falls back to 
"rs.security.encryption.properties".</p></td></tr><tr><td colspan="1" rows
 pan="1" class="confluenceTd">rs.security.encryption.in.properties</td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file 
for decryption. If not specified then it falls back to 
"rs.security.encryption.properties".</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.encryption.properties</td><td 
colspan="1" rowspan="1" class="confluenceTd">The signature properties file for 
encryption/decryption.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.encryption.include.public.key</td><td 
colspan="1" rowspan="1" class="confluenceTd">Include the JWK public key 
for&#160;encryption in the "jwk" header.</td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.encryption.include.cert</td><td 
colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate 
for&#160;encryption in the "x5c" header.</td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.encryption.include.key
 .id</td><td colspan="1" rowspan="1" class="confluenceTd">Include the JWK key 
id for&#160;encryption in the "kid" header.</td></tr><tr><td colspan="1" 
rowspan="1" 
class="confluenceTd">rs.security.encryption.include.cert.sha1</td><td 
colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate 
SHA-1 digest for&#160;encryption in the "x5t" 
header.</td></tr></tbody></table></div><h4 
id="JAX-RSJOSE-ConfigurationthatappliestoJWTtokensonly">Configuration that 
applies to JWT tokens only</h4><div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>rs.security.enable.unsigned-jwt.principal</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>Whether to allow unsigned JWT 
tokens as SecurityContext Principals. The default is 
false.</p></td></tr></tbody></table></div><p>&#160;</p><h1 
id="JAX-RSJOSE-OAuth2andJose">OAuth2 and Jose</h1><p>CXF OAuth2 module depends 
on its JOSE module. This will be used to support OAuth
 2 POP tokens. Authorization code JOSE requests can already be processed. 
Utility support for validating JWT-based access tokens is provided.</p><p>Add 
more...</p><h1 id="JAX-RSJOSE-OIDCandJose">OIDC and Jose</h1><p>OIDC heavily 
depends on JOSE. CXF OIDC module utilizes a JOSE module to support OIDC RP and 
IDP code. Add more...</p><h1 id="JAX-RSJOSE-FutureWork">Future 
Work</h1><p>OAuth2, WebCrypto, OIDC, etc</p><h1 
id="JAX-RSJOSE-Third-PartyAlternatives">Third-Party Alternatives</h1><p><a 
shape="rect" class="external-link" 
href="https://bitbucket.org/b_c/jose4j/wiki/Home"; rel="nofollow">Jose4J</a> is 
a top project from Brian Campbell.&#160; CXF users are encouraged to experiment 
with Jose4J (or indeed with other 3rd party implementations) if they 
prefer.</p><p>TODO: describe how Jose4J can be integrated with CXF filters if 
preferred.</p><p>&#160;</p></div>
            </div>
            <!-- Content -->
          </td>
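Review bot: in the added "Configuration that applies to encryption only" table, the rows for rs.security.encryption.out.properties, rs.security.encryption.in.properties and rs.security.encryption.properties each describe "The signature properties file", wording that appears copied from the signature table and is carried over unchanged from the line being replaced; it should read "The encryption properties file for ...". The added line also publishes placeholder text to the production docs ("Add more...", "TODO: describe how Jose4J can be integrated with CXF filters if preferred.") and leaves the JWS, JWE and "Linking JWT authentications to JWS or JWE content" headings with no body, so either fill these in or hold them back until there is content. The rs.security.signature.include.* and rs.security.encryption.include.* rows state no default, unlike rs.security.accept.public.key and rs.security.enable.unsigned-jwt.principal, and the rs.security.accept.public.key row should say how a JWK received in the header is checked for trust before it is used for signature validation, since the current text only says that it is allowed.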

