Author: buildbot
Date: Wed May 25 16:47:30 2016
New Revision: 989128

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/jax-rs-jose.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-jose.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-jose.html (original)
+++ websites/production/cxf/content/docs/jax-rs-jose.html Wed May 25 16:47:30 
2016
@@ -119,11 +119,11 @@ Apache CXF -- JAX-RS JOSE
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><p>&#160;</p><p>&#160;</p><p><style 
type="text/css">/*<![CDATA[*/
-div.rbtoc1464104819168 {padding: 0px;}
-div.rbtoc1464104819168 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1464104819168 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1464194817685 {padding: 0px;}
+div.rbtoc1464194817685 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1464194817685 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1464104819168">
+/*]]>*/</style></p><div class="toc-macro rbtoc1464194817685">
 <ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSJOSE-Introduction">Introduction</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-MavenDependencies">Maven Dependencies</a></li><li><a 
shape="rect" href="#JAX-RSJOSE-JavaandJCEPolicy">Java and JCE 
Policy&#160;</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-JOSEOverviewandImplementation">JOSE Overview and 
Implementation</a>
 <ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSJOSE-JWAAlgorithms">JWA Algorithms</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-JWKKeys">JWK Keys</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-JWSSignature">JWS Signature</a>
 <ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSJOSE-SignatureandVerificationProviders">Signature and Verification 
Providers</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSCompact">JWS 
Compact</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSJSON">JWS 
JSON</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSwithDetachedContent">JWS 
with Detached Content</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-JWSwithUnencodedPayload">JWS with Unencoded 
Payload</a></li></ul>
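Review bot: the only change in this hunk is the generated numeric suffix on the toc-macro class (rbtoc1464104819168 replaced by rbtoc1464194817685) in the three CSS selectors and the div class attribute; nothing rendered on the page changes. If the publishing step could normalize or strip that suffix before committing, content-only updates to this page would produce far smaller diffs and be easier to review.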
@@ -137,14 +137,14 @@ div.rbtoc1464104819168 li {margin-left:
 <ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSJOSE-Signature">Signature</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-Encryption">Encryption</a></li></ul>
 </li><li><a shape="rect" 
href="#JAX-RSJOSE-Configurationthatappliestobothencryptionandsignature">Configuration
 that applies to both encryption and signature</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-Configurationthatappliestosignatureonly">Configuration that 
applies to signature only</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-Configurationthatappliestoencryptiononly">Configuration that 
applies to encryption only</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-ConfigurationthatappliestoJWTtokensonly">Configuration that 
applies to JWT tokens only</a></li></ul>
 </li><li><a shape="rect" 
href="#JAX-RSJOSE-Interoperability">Interoperability</a></li><li><a 
shape="rect" href="#JAX-RSJOSE-Third-PartyLibraries">Third-Party 
Libraries</a></li></ul>
-</div><h1 id="JAX-RSJOSE-Introduction">Introduction</h1><p><a shape="rect" 
class="external-link" href="https://datatracker.ietf.org/wg/jose/documents/"; 
rel="nofollow">JOSE</a>&#160;is a set of high quality specifications that 
specify how data payloads can be signed/validated and/or encrypted/decrypted 
with the cryptographic properties set in the JSON-formatted metadata (headers). 
The data to be secured can be in JSON or other format (plain text, XML, binary 
data).</p><p><a shape="rect" class="external-link" 
href="https://datatracker.ietf.org/wg/jose/documents/"; 
rel="nofollow">JOSE</a>&#160;is a key piece of the advanced OAuth2-based 
applications such as OpenIdConnect but can also be successfully used for 
securing the regular HTTP web service communications.</p><p>CXF 3.1.x and 3.2.0 
provides a complete implementation of <a shape="rect" class="external-link" 
href="https://datatracker.ietf.org/wg/jose/documents/"; 
rel="nofollow">JOSE</a>.</p><h1 id="JAX-RSJOSE-MavenDependencies">Maven 
 Dependencies</h1><p>&#160;</p><p>Having the following dependency will let the 
developers write JOSE code: creating and securing JSON Web Tokens (JWT), and 
securing the arbitrary data (not only JSON)</p><div class="code panel pdl" 
style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</div><h1 id="JAX-RSJOSE-Introduction">Introduction</h1><p><a shape="rect" 
class="external-link" href="https://datatracker.ietf.org/wg/jose/documents/"; 
rel="nofollow">JOSE</a>&#160;is a set of high quality specifications that 
specify how data payloads can be signed/validated and/or encrypted/decrypted 
with the cryptographic properties set in the JSON-formatted metadata (headers). 
The data to be secured can be in JSON or other formats (plain text, XML, binary 
data).</p><p><a shape="rect" class="external-link" 
href="https://datatracker.ietf.org/wg/jose/documents/"; 
rel="nofollow">JOSE</a>&#160;is a key piece of advanced OAuth2 and OpenId 
Connect applications but can also be successfully used for securing the regular 
HTTP web service communications.</p><p>CXF 3.1.x and 3.2.0 provide a complete 
implementation of <a shape="rect" class="external-link" 
href="https://datatracker.ietf.org/wg/jose/documents/"; rel="nofollow">JOSE</a> 
and offer a comprehensive utility and filter support for prot
 ecting JAX-RS services and clients with the help of <a shape="rect" 
class="external-link" href="https://datatracker.ietf.org/wg/jose/documents/"; 
rel="nofollow">JOSE</a>.</p><p>CXF OAuth2 and OIDC modules are also depending 
on it.</p><h1 id="JAX-RSJOSE-MavenDependencies">Maven 
Dependencies</h1><p>&#160;</p><p>Having the following dependency will let 
developers write JOSE JWS or JWE code:</p><div class="code panel pdl" 
style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <pre class="brush: xml; gutter: false; theme: Default" 
style="font-size:12px;">&lt;dependency&gt;
   &lt;groupId&gt;org.apache.cxf&lt;/groupId&gt;
   &lt;artifactId&gt;cxf-rt-rs-security-jose&lt;/artifactId&gt;
   &lt;version&gt;3.1.7&lt;/version&gt;
 &lt;/dependency&gt;
 </pre>
-</div></div><p>&#160;</p><p>Having the following dependency will let the 
developers use JAX-RS JOSE filters which will transparently sign and/or encrypt 
the data streams, and decrypt or/and validate the incoming JOSE sequences and 
make the original data available for the processing.</p><div class="code panel 
pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</div></div><p>&#160;</p><p>Having the following dependency will let 
developers use JAX-RS JOSE filters which will sign and/or encrypt the data 
streams, and decrypt or/and validate the incoming JOSE sequences and make the 
original data available for the processing.</p><div class="code panel pdl" 
style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <pre class="brush: xml; gutter: false; theme: Default" 
style="font-size:12px;">&lt;dependency&gt;
   &lt;groupId&gt;org.apache.cxf&lt;/groupId&gt;
   &lt;artifactId&gt;cxf-rt-rs-security-jose-jaxrs&lt;/artifactId&gt;
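Review bot: two grammar slips in the rewritten Introduction lines of this hunk: "CXF 3.1.x and 3.2.0 provide a complete implementation of JOSE and offer a comprehensive utility and filter support" should drop the article ("offer comprehensive utility and filter support"), and "CXF OAuth2 and OIDC modules are also depending on it" should read "also depend on it". The filter paragraph would also read better with "make the original data available for processing" (no "the"). The dependency snippet below pins 3.1.7 while the prose now names 3.1.x and 3.2.0; consider saying that the version shown is the current 3.1.x release so readers of the 3.2.0 line know to adjust it.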
@@ -169,7 +169,7 @@ private static void registerBouncyCastle
 private static void unregisterBouncyCastle() throws Exception {
     Security.removeProvider(BouncyCastleProvider.PROVIDER_NAME);    
 }</pre>
-</div></div><p>&#160;</p><h1 id="JAX-RSJOSE-JavaandJCEPolicy">Java and JCE 
Policy&#160;</h1><p>Java7 or higher is recommended for most cases: Java6 does 
not support JWE AES-GCM at all while with BouncyCastle it is not possible to 
submit JWE Header properties as an extra input to the encryption process to get 
them integrity protected which is not JWE compliant.</p><p>Unlimited JCE Policy 
for Java 7/8/9 needs to be installed if a size of the encrypting key is 256 
bits (example, JWE A256GCM).</p><h1 
id="JAX-RSJOSE-JOSEOverviewandImplementation">JOSE Overview and 
Implementation</h1><p>JOSE consists of the following key parts:</p><ul><li><a 
shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518"; 
rel="nofollow">JWA</a> - JSON Web Algorithms where all supported signature and 
encryption algorithms are listed</li><li><a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7517"; rel="nofollow">JWK</a> - JSON Web 
Keys - introduces a JSON format for desc
 ribing the public and private keys used by JWA algorithms</li><li><a 
shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515"; 
rel="nofollow">JWS</a> - JSON Web Signature - describes how the data can be 
signed or validated and introduces compact and JSON JWS formats for 
representing the signed data</li><li><a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7516"; rel="nofollow">JWE</a> - JSON Web 
Encryption - describes how the data can be encrypted or decrypted and 
introduces compact and JSON JWE formats for representing the encrypted 
data&#160;&#160;</li></ul><p>Additionally, <a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7519"; 
rel="nofollow">JWT</a> (JSON Web Token), while technically being not part of 
JOSE, is often used as an input material to JWS and JWE processors, especially 
in OAuth2 flows (example: OAuth2 access tokens can be represented internally as 
JWT, OpenIdConnect IdToken and UserInfo are effective
 ly JWTs). <a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7519"; rel="nofollow">JWT</a> describes how 
a set of claims in JSON format can be either JWS-signed and/or 
JWE-enctypted.&#160;</p><h2 id="JAX-RSJOSE-JWAAlgorithms">JWA 
Algorithms</h2><p>All JOSE signature and encryption algorithms are grouped and 
described in the <a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7518"; rel="nofollow">JWA</a> (JSON Web 
Algorithms) specification.</p><p>The algorithms are split into 3 categories: 
signature algorithms (HMAC, RSA, Elliptic Curve), algorithms for supporting the 
encryption of content encryption keys (RSA-OAEP, AES Key Wrap, etc), and 
algorithms for encrypting the actual content (AES GCM, etc).</p><div>The 
specification lists all the algorithms that can be used either for signing or 
encrypting and also describes how some of these algorithms work in 
cases</div><div>where JCA (or BouncyCastle) does not support them directly, 
example, A
 ES-CBC-HMAC-SHA2.</div><div>Algorithm name is a type + hint, example: HS256 
(HMAC with SHA-256), RSA-OAEP-256 (RSA OAEP key encryption with SHA-256), 
etc.</div><p>All JWS and JWE algorithms process not only the actual data but 
also the meta-data (the algorithm properties) thus ensuring the algorithm 
properties are integrity-protected, additionally JWE algorithms produce 
authentication tags which ensure the already encrypted content won't be 
manipulated.</p><p>Please refer to <a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7518"; rel="nofollow">the specification</a> 
to get all the information needed (with the follow up links to the 
corresponding RFC when applicable) about a particular signature or encryption 
algorithm: the properties, recommended key sizes, other security considerations 
related to all of or some specific algorithms. CXF JOSE code already enforces a 
number of the recommended constraints.</p><p>CXF offers the utility support for 
working with J
 WA algorithms in <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/tree/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwa";
 rel="nofollow">this package</a>.</p><p>Typically one would supply an algorithm 
property in a type-safe way either to JWS or JWE processor, for example,&#160; 
SignatureAlgorithm.HS256 for JWS,&#160;KeyAlgorithm.A256KW plus 
ContentAlgorithm.A256GCM for JWE, etc. Each enum has methods for checking a key 
size, JWA and Java JCA algorithm names.</p><h2 id="JAX-RSJOSE-JWKKeys">JWK 
Keys</h2><p><a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7517"; rel="nofollow">JWK</a> (JSON Web 
Key) is a JSON document describing the cryptographic key properties. JWKs are 
very flexible and one can expect JWKs becoming one of the major mechanisms for 
representing and storing cryptographic keys. While one does not have to 
represent the keys as JWK in order to sign or encrypt the document and rely on 
 Java JCA secret and asymmetric keys instead, JWK is a preferred representation 
of signature or encryption keys in JOSE.</p><p>For example:</p><div class="code 
panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" 
style="border-bottom-width: 1px;"><b>Secret HMAC Key</b></div><div 
class="codeContent panelContent pdl">
+</div></div><p>&#160;</p><h1 id="JAX-RSJOSE-JavaandJCEPolicy">Java and JCE 
Policy&#160;</h1><p>Java7 or higher is recommended in most cases: Java6 does 
not support JWE AES-GCM at all while with BouncyCastle it is not possible to 
submit JWE Header properties as an extra input to the encryption process to get 
them integrity protected which is not JWE compliant.</p><p>Unlimited JCE Policy 
for Java 7/8/9 needs to be installed if a size of the encryption key is 256 
bits (example, JWE A256GCM).</p><h1 
id="JAX-RSJOSE-JOSEOverviewandImplementation">JOSE Overview and 
Implementation</h1><p>JOSE consists of the following key parts:</p><ul><li><a 
shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518"; 
rel="nofollow">JWA</a> - JSON Web Algorithms where all supported signature and 
encryption algorithms are listed</li><li><a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7517"; rel="nofollow">JWK</a> - JSON Web 
Keys - introduces a JSON format for descr
 ibing the public and private keys used by JWA algorithms</li><li><a 
shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515"; 
rel="nofollow">JWS</a> - JSON Web Signature - describes how the data can be 
signed or validated and introduces compact and JSON JWS formats for 
representing the signed data</li><li><a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7516"; rel="nofollow">JWE</a> - JSON Web 
Encryption - describes how the data can be encrypted or decrypted and 
introduces compact and JSON JWE formats for representing the encrypted 
data&#160;&#160;</li></ul><p>Additionally, <a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7519"; 
rel="nofollow">JWT</a> (JSON Web Token), while technically being not part of 
JOSE, is often used as an input material to JWS and JWE processors, especially 
in OAuth2 flows (example: OAuth2 access tokens can be represented internally as 
JWT, OpenIdConnect IdToken and UserInfo are effectivel
 y JWTs). <a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7519"; rel="nofollow">JWT</a> describes how 
a set of claims in JSON format can be JWS-signed and/or 
JWE-enctypted.&#160;</p><h2 id="JAX-RSJOSE-JWAAlgorithms">JWA 
Algorithms</h2><p>All JOSE signature and encryption algorithms are grouped and 
described in the <a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7518"; rel="nofollow">JWA</a> (JSON Web 
Algorithms) specification.</p><p>The algorithms are split into 3 categories: 
signature algorithms (HMAC, RSA, Elliptic Curve), algorithms for supporting the 
encryption of content encryption keys (RSA-OAEP, AES Key Wrap, etc), and 
algorithms for encrypting the actual content (AES GCM or AES CBC 
HMAC).</p><div>The specification lists all the algorithms that can be used for 
signing or encrypting the data and also describes how some of these algorithms 
work in cases</div><div>where Java JCA (or BouncyCastle) does not support them 
directly, 
 example, AES-CBC-HMAC-SHA2.</div><div>Algorithm name is a type + hint, 
example: HS256 (HMAC with SHA-256), RSA-OAEP-256 (RSA OAEP key encryption with 
SHA-256), etc.</div><p>All JWS and JWE algorithms process not only the actual 
data but also the meta-data (the algorithm properties) thus ensuring they are 
integrity-protected, additionally JWE algorithms produce authentication tags 
which ensure the already encrypted content won't be manipulated.</p><p>Please 
refer to <a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7518"; rel="nofollow">the specification</a> 
to get all the information needed (with the follow up links to the 
corresponding RFC when applicable) about a particular signature or encryption 
algorithm: the properties, recommended key sizes, other security considerations 
related to all of or some specific algorithms. CXF JOSE code already enforces a 
number of the recommended constraints.</p><p>CXF offers the utility support for 
working with JWA algorit
 hms in <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/tree/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwa";
 rel="nofollow">this package</a>.</p><p>Typically one would supply an algorithm 
property in a type-safe way either to JWS or JWE processor, for example,&#160; 
SignatureAlgorithm.HS256 for JWS,&#160;KeyAlgorithm.A256KW plus 
ContentAlgorithm.A256GCM for JWE, etc. Each enum has methods for checking a key 
size, JWA and Java JCA algorithm names.</p><h2 id="JAX-RSJOSE-JWKKeys">JWK 
Keys</h2><p><a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7517"; rel="nofollow">JWK</a> (JSON Web 
Key) is a JSON document describing the cryptographic key properties. JWKs are 
very flexible and one can expect JWKs becoming one of the major mechanisms for 
representing and storing cryptographic keys. While one does not have to 
represent the keys as JWK in order to sign or encrypt the document and rely on 
Java JCA s
 ecret and asymmetric keys instead, JWK is a preferred representation of 
signature or encryption keys in JOSE.</p><p>For example:</p><div class="code 
panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" 
style="border-bottom-width: 1px;"><b>Secret HMAC Key</b></div><div 
class="codeContent panelContent pdl">
 <pre class="brush: js; gutter: false; theme: Default" style="font-size:12px;">{
    "kty":"oct",
    
"k":"AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow",
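Review bot: the typo "JWE-enctypted" in the JWT paragraph is carried over unchanged into the replacement line and should be "JWE-encrypted". The reworded sentence "process not only the actual data but also the meta-data (the algorithm properties) thus ensuring they are integrity-protected" leaves "they" ambiguous (data or properties?); the removed line's "ensuring the algorithm properties are integrity-protected" was clearer and worth keeping. Minor: "if a size of the encryption key is 256 bits" reads better as "if the encryption key size is 256 bits".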
@@ -187,7 +187,7 @@ private static void unregisterBouncyCast
   "e":"AQAB",
   "alg":"RS256",
   "kid":"Public RSA Key"}</pre>
-</div></div><p>A 'kid' property can be of special interest as it allows to 
identify a key but also help with the simple key rotation mechanism realized 
(ex, <a shape="rect" class="external-link" 
href="http://openid.net/specs/openid-connect-core-1_0.html#RotateSigKeys"; 
rel="nofollow">OIDC Asymmetric Key Rotation</a>).</p><p>A collection of JWK 
keys is called a JWK Key Set which is represented as JSON array of 
JWKs.</p><p>CXF offers a utility support for reading and writing JWK keys and 
key sets and for working with the encrypted inlined and standalone JWK stores 
in <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/tree/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk";
 rel="nofollow">this package</a>.</p><p>For example, a key set containing 
public JWK keys can be seen <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/s
 ecurity/certs/jwkPublicSet.txt" rel="nofollow">here</a> and referred to from 
the <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jws.ec.public.properties#L19";
 rel="nofollow">configuration properties</a>. The private (test) key set can be 
represented in a <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/certs/jwkPrivateSet.txt";
 rel="nofollow">clear form</a>, though most likely you'd want a private key set 
<a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/certs/encryptedJwkPrivateSet.txt";
 rel="nofollow">encrypted</a> and referred to <a shape="rect" 
class="external-link" 
href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test
 
/resources/org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.properties#L19"
 rel="nofollow">like this</a>.&#160;</p><p>One can inline the encrypted key or 
the key set directly in the configuration properties. For example, here is how 
an encrypted <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.inlinejwk.properties#L18";
 rel="nofollow">single JWK key is inlined</a>. Similarly, here is how an 
encrypted <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.inlineset.properties#L18";
 rel="nofollow">collection of keys is inlined</a>.</p><p>CXF assumes that the 
JWK keys have been encrypted if a <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org
 /apache/cxf/rs/security/jose/common/PrivateKeyPasswordProvider.java" 
rel="nofollow">password provider</a> is available in scope, it is typically 
registered with JAX-RS endpoints. The encryption is done with a password based 
<a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7518#section-4.8"; rel="nofollow">PBES2 
algorithm</a>.&#160;</p><p>Support for the pluggable strategies for loading 
JWKs is on the map.</p><p>For example, here is how you can load a JWK key using 
its 'kid':</p><div class="code panel pdl" style="border-width: 1px;"><div 
class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>JWK 
examples</b></div><div class="codeContent panelContent pdl">
+</div></div><p>A 'kid' property can be of special interest as it allows to 
identify a key but also help with the simple key rotation mechanism realized 
(ex, <a shape="rect" class="external-link" 
href="http://openid.net/specs/openid-connect-core-1_0.html#RotateSigKeys"; 
rel="nofollow">OIDC Asymmetric Key Rotation</a>).</p><p>A collection of JWK 
keys is called a JWK Key Set which is represented as JSON array of 
JWKs.</p><p>JWK can contain X509 certificates or their thumbprints if 
preferred.</p><p>CXF offers a utility support for reading and writing JWK keys 
and key sets and working with the encrypted inlined and standalone JWK stores 
in <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/tree/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk";
 rel="nofollow">this package</a>.</p><p>For example, a key set containing 
public JWK keys can be seen <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master
 
/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/certs/jwkPublicSet.txt"
 rel="nofollow">here</a> and referred to from the <a shape="rect" 
class="external-link" 
href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jws.ec.public.properties#L19";
 rel="nofollow">configuration properties</a>. The private (test) key set can be 
represented in a <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/certs/jwkPrivateSet.txt";
 rel="nofollow">clear form</a>, though most likely you'd want a private key set 
<a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/certs/encryptedJwkPrivateSet.txt";
 rel="nofollow">encrypted</a> and referred to <a shape="rect" 
class="external-link" href="
 
https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.properties#L19";
 rel="nofollow">like this</a>.&#160;</p><p>One can inline the encrypted key or 
the key set directly in the configuration properties. For example, here is how 
an encrypted <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.inlinejwk.properties#L18";
 rel="nofollow">single JWK key is inlined</a>. Similarly, here is how an 
encrypted <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.inlineset.properties#L18";
 rel="nofollow">collection of keys is inlined</a>.</p><p>CXF assumes that JWK 
keys have been encrypted if a <a shape="rect" class="external-link" 
href="https://github.com/apach
 
e/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/PrivateKeyPasswordProvider.java"
 rel="nofollow">password provider</a> is available in a request context, it is 
typically registered with JAX-RS endpoints. The encryption is done with a 
password based <a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7518#section-4.8"; rel="nofollow">PBES2 
algorithm</a>.&#160;</p><p>Support for the pluggable strategies for loading 
JWKs is on the map.</p><p>For example, here is how you can load a JWK key using 
its 'kid':</p><div class="code panel pdl" style="border-width: 1px;"><div 
class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>JWK 
examples</b></div><div class="codeContent panelContent pdl">
 <pre class="brush: java; gutter: false; theme: Default" 
style="font-size:12px;">InputStream is = 
JsonWebKeyTest.class.getResourceAsStream(fileName);
 JsonWebKeys keySet = JwkUtils.readJwkSet(is);
 JsonWebKey key = keySet.getKey("Public RSA Key");
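Review bot: the 'kid' sentence is ungrammatical in both the removed and the replacement line ("allows to identify a key but also help with the simple key rotation mechanism realized (ex, ...)"); suggest "allows a key to be identified and also supports a simple key rotation mechanism (for example, OIDC Asymmetric Key Rotation)". The new sentence "JWK can contain X509 certificates or their thumbprints" should spell the standard as "X.509". The paragraph stating that CXF assumes JWK keys are encrypted whenever a password provider is available in a request context does not say what happens when a provider is registered but the referenced key set is in clear form; documenting whether loading fails in that case would help readers catch a misconfigured endpoint early.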
@@ -513,7 +513,7 @@ JweDecryptionProvider jweIn = JweUtils.l
 </div></div><p>The providers may be initialized from a single properties file 
or each of them may have specific properties allocated to it.</p><p>Sometimes 
it can be useful to load the properties only and check the signature or 
encryption algorithm and load a JWS or JWE provider directly as shown in JWS 
and JWE sections above.</p><div class="code panel pdl" style="border-width: 
1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 
1px;"><b>Loading JWS and JWE properties</b></div><div class="codeContent 
panelContent pdl">
 <pre class="brush: java; gutter: false; theme: Default" 
style="font-size:12px;">Properties jwsProps = 
JweUtils.loadEncryptionProperties("jws.properties", true);
 Properties jweProps = JweUtils.loadEncryptionProperties("jwe.properties", 
true);</pre>
-</div></div><p>After loading the properties one can check various property 
values (signature algorithm, etc) and use it to create a required 
provider.</p><p>The above code needs to be executed in the context of the 
current request (in server or client in/out interceptors or server service 
code) as it expects the current CXF Message be available in order to deduce 
where to load the configuration properties from. However&#160;<a shape="rect" 
class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java";
 rel="nofollow">JwsUtils</a> and&#160;<a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java";
 rel="nofollow">JweUtils</a> provide a number of utility methods for loading 
the providers without loading the properties first which can be used when 
setting up the c
 lient code or when no properties are available in the current request 
context.</p><p>&#160;</p><p>When the code needs to load the configuration 
properties it first looks for the property 'container' file which contains the 
specific properties instructing which keys and algorithms need to be used. 
Singature or encryption properties for in/out operations can be provided. 
&#160;</p><h2 id="JAX-RSJOSE-ConfigurationPropertyContainers">Configuration 
Property Containers</h2><h3 id="JAX-RSJOSE-Signature">Signature</h3><div 
class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.signature.out.properties</td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file 
for Compact or JSON signature creation. If not specified then it falls back to 
"rs.security.signature.properties".</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.signature.in.properties</td><td 
colspan="1" rowspa
 n="1" class="confluenceTd"><p>The signature properties file for Compact or 
JSON signature verification. If not specified then it falls back to 
"rs.security.signature.properties".</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.signature.properties</td><td 
colspan="1" rowspan="1" class="confluenceTd">The signature properties file for 
Compact or JSON signature 
creation/verification.</td></tr></tbody></table></div><h3 
id="JAX-RSJOSE-Encryption">Encryption</h3><div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.encryption.out.properties</td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>The encryption properties file for Compact 
or JSON encryption creation. If not specified then it falls back to 
"rs.security.encryption.properties".</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.encryption.in.properties</td><td 
colspan="1" rowspan="1" class="conflue
 nceTd"><p>The encryption properties file for Compact or JSON decryption. If 
not specified then it falls back to 
"rs.security.encryption.properties".</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.encryption.properties</td><td 
colspan="1" rowspan="1" class="confluenceTd">The signature properties file for 
encryption/decryption.</td></tr></tbody></table></div><p>Note that these 
property containers can be used for creating/processing JWS and JWE Compact and 
JSON sequences. If it is either JWS JSON or JWE JSON and you wish to have more 
than one signature or encryption be created then let the property value be a 
commas separated list of locations, with each location pointing to a unique 
signature or encryption operation property file.</p><p>Once the properties are 
loaded the runtime proceeds with initializing JWS/JWE providers accordingly. 
The following section lists the properties, some oif them being common and some 
- unique to the signature/verification a
 nd encryption/decryption processes.</p><p>Note that one can override some of 
the properties, for example, 'rs.security.store' can be set as a dynamic 
request property pointing to a preloaded Java KeyStore object.</p><h2 
id="JAX-RSJOSE-Configurationthatappliestobothencryptionandsignature">Configuration
 that applies to both encryption and signature</h2><div 
class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.keystore</td><td colspan="1" 
rowspan="1" class="confluenceTd">The Java KeyStore Object to use. This 
configuration tag is used if you want to pass the KeyStore Object through 
dynamically.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>rs.security.keystore.type</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>The keystore type. Suitable values are 
"jks" or "jwk".</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.keystore.password</td><td colspan="1" rowspan=
 "1" class="confluenceTd">The password required to access the 
keystore.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.keystore.alias</td><td colspan="1" rowspan="1" 
class="confluenceTd">&#160;The keystore alias corresponding to the key to use. 
You can append one of the following to this tag to get the alias for more 
specific operations:<br clear="none">&#160;&#160;&#160;&#160; - jwe.out<br 
clear="none">&#160;&#160;&#160;&#160; - jwe.in<br 
clear="none">&#160;&#160;&#160;&#160; - jws.out<br 
clear="none">&#160;&#160;&#160;&#160; - jws.in</td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.keystore.aliases</td><td 
colspan="1" rowspan="1" class="confluenceTd">The keystore aliases corresponding 
to the keys to use, when using the JSON serialization form. You can append one 
of the following to this tag to get the alias for more specific operations:<br 
clear="none">&#160;&#160;&#160;&#160; - jws.out<br 
clear="none">&#160;&#160;&#160;&#160; - j
 ws.in</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.keystore.file</td><td colspan="1" rowspan="1" 
class="confluenceTd">The path to the keystore file.</td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd">rs.security.key.password</td><td 
colspan="1" rowspan="1" class="confluenceTd">The password required to access 
the private key (in the keystore).</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.key.password.provider</td><td colspan="1" 
rowspan="1" class="confluenceTd">A reference to a PrivateKeyPasswordProvider 
instance used to retrieve passwords to access keys.</td></tr><tr><td 
colspan="1" rowspan="1" 
class="confluenceTd">rs.security.accept.public.key</td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Whether to allow using a JWK received in 
the header for signature validation. The default is 
"false".</p></td></tr></tbody></table></div><h2 
id="JAX-RSJOSE-Configurationthatappliestosignatureonly">Configuration that app
 lies to signature only</h2><div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>rs.security.signature.key.password.provider</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>A reference to a 
PrivateKeyPasswordProvider instance used to retrieve passwords to access keys 
for signature. If this is not specified it falls back to use 
"rs.security.key.password.provider".</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.signature.algorithm</td><td 
colspan="1" rowspan="1" class="confluenceTd">The signature algorithm to use. 
The default algorithm if not specified is 'RS256'.</td></tr><tr><td colspan="1" 
rowspan="1" 
class="confluenceTd">rs.security.signature.include.public.key</td><td 
colspan="1" rowspan="1" class="confluenceTd">Include the JWK public key for 
signature in the "jwk" header.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.signature.include.cert</td><t
 d colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate 
for signature in the "x5c" header.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.signature.include.key.id</td><td colspan="1" 
rowspan="1" class="confluenceTd">Include the JWK key id for signature in the 
"kid" header.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.signature.include.cert.sha1</td><td 
colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate 
SHA-1 digest for signature in the "x5t" 
header.</td></tr></tbody></table></div><h2 
id="JAX-RSJOSE-Configurationthatappliestoencryptiononly">Configuration that 
applies to encryption only</h2><div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>rs.security.decryption.key.password.provider</p></td><td
 colspan="1" rowspan="1" class="confluenceTd"><p>A reference to a 
PrivateKeyPasswordProvider instance used to retrieve passwor
 ds to access keys for decryption. If this is not specified it falls back to 
use "rs.security.key.password.provider".</p></td></tr><tr><td colspan="1" 
rowspan="1" 
class="confluenceTd">rs.security.encryption.content.algorithm</td><td 
colspan="1" rowspan="1" class="confluenceTd">The encryption content algorithm 
to use. The default algorithm if not specified is 'A128GCM'.</td></tr><tr><td 
colspan="1" rowspan="1" 
class="confluenceTd">rs.security.encryption.key.algorithm</td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>The encryption key algorithm to use. The 
default algorithm if not specified is 'RSA-OAEP' if the key is an RSA key, and 
'A128GCMKW' if it is an octet sequence.</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.encryption.zip.algorithm</td><td 
colspan="1" rowspan="1" class="confluenceTd">The encryption zip algorithm to 
use.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.encryption.include.public.key</td><td colspa
 n="1" rowspan="1" class="confluenceTd">Include the JWK public key 
for&#160;encryption in the "jwk" header.</td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.encryption.include.cert</td><td 
colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate 
for&#160;encryption in the "x5c" header.</td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.encryption.include.key.id</td><td 
colspan="1" rowspan="1" class="confluenceTd">Include the JWK key id 
for&#160;encryption in the "kid" header.</td></tr><tr><td colspan="1" 
rowspan="1" 
class="confluenceTd">rs.security.encryption.include.cert.sha1</td><td 
colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate 
SHA-1 digest for&#160;encryption in the "x5t" 
header.</td></tr></tbody></table></div><h2 
id="JAX-RSJOSE-ConfigurationthatappliestoJWTtokensonly">Configuration that 
applies to JWT tokens only</h2><div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><td 
 colspan="1" rowspan="1" 
class="confluenceTd"><p>rs.security.enable.unsigned-jwt.principal</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>Whether to allow unsigned JWT 
tokens as SecurityContext Principals. The default is 
false.</p></td></tr></tbody></table></div><h1 
id="JAX-RSJOSE-Interoperability">Interoperability</h1><p>&#160;</p><p><a 
shape="rect" class="external-link" 
href="https://datatracker.ietf.org/wg/jose/documents/"; rel="nofollow">JOSE</a> 
is already widely supported in OAuth2 and OIDC applications. Besides that CXF 
JOSE client or server will interoperate with a 3rd party client/server able to 
produce or consume JWS/JWE sequences.&#160; For example, see the following <a 
shape="rect" class="external-link" 
href="https://www.w3.org/TR/WebCryptoAPI/#jose"; rel="nofollow">WebCrypto API 
use case</a>, <a shape="rect" class="external-link" 
href="https://mobilepki.org/WCPPSignatureDemo/home"; rel="nofollow">the 
following demo</a> demonstrates how a JWS sequence produced b
 y a browser-hosted script can be validated by a server application capable of 
processing JWS, with the demo browser client being tested against a CXF JWS 
server too.&#160;</p><p>&#160;</p><h1 
id="JAX-RSJOSE-Third-PartyLibraries">Third-Party Libraries</h1><p><a 
shape="rect" class="external-link" 
href="https://bitbucket.org/b_c/jose4j/wiki/Home"; 
rel="nofollow">Jose4J</a></p><p><a shape="rect" class="external-link" 
href="http://connect2id.com/products/nimbus-jose-jwt"; rel="nofollow">Nimbus 
JOSE</a></p><p>&#160;</p></div>
+</div></div><p>After loading the properties one can check various property 
values (signature algorithm, etc) and use it to create a required 
provider.</p><p>The above code needs to be executed in the context of the 
current request (in server or client in/out interceptors or server service 
code) as it expects the current CXF Message be available in order to deduce 
where to load the configuration properties from. However&#160;<a shape="rect" 
class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java";
 rel="nofollow">JwsUtils</a> and&#160;<a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java";
 rel="nofollow">JweUtils</a> provide a number of utility methods for loading 
the providers without loading the properties first which can be used when 
setting up the c
 lient code or when no properties are available in the current request 
context.</p><p>&#160;</p><p>When the code needs to load the configuration 
properties it first looks for the property 'container' file which contains the 
specific properties instructing which keys and algorithms need to be used. 
Singature or encryption properties for in/out operations can be provided. 
&#160;</p><h2 id="JAX-RSJOSE-ConfigurationPropertyContainers">Configuration 
Property Containers</h2><h3 id="JAX-RSJOSE-Signature">Signature</h3><div 
class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.signature.out.properties</td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file 
for Compact or JSON signature creation. If not specified then it falls back to 
"rs.security.signature.properties".</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.signature.in.properties</td><td 
colspan="1" rowspa
 n="1" class="confluenceTd"><p>The signature properties file for Compact or 
JSON signature verification. If not specified then it falls back to 
"rs.security.signature.properties".</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.signature.properties</td><td 
colspan="1" rowspan="1" class="confluenceTd">The signature properties file for 
Compact or JSON signature 
creation/verification.</td></tr></tbody></table></div><h3 
id="JAX-RSJOSE-Encryption">Encryption</h3><div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.encryption.out.properties</td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>The encryption properties file for Compact 
or JSON encryption creation. If not specified then it falls back to 
"rs.security.encryption.properties".</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.encryption.in.properties</td><td 
colspan="1" rowspan="1" class="conflue
 nceTd"><p>The encryption properties file for Compact or JSON decryption. If 
not specified then it falls back to 
"rs.security.encryption.properties".</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.encryption.properties</td><td 
colspan="1" rowspan="1" class="confluenceTd">The signature properties file for 
encryption/decryption.</td></tr></tbody></table></div><p>Note that these 
property containers can be used for creating/processing JWS and JWE Compact and 
JSON sequences. If it is either JWS JSON or JWE JSON and you wish to have more 
than one signature or encryption be created then let the property value be a 
commas separated list of locations, with each location pointing to a unique 
signature or encryption operation property file.</p><p>Once the properties are 
loaded the runtime proceeds with initializing JWS/JWE providers accordingly. 
The following section lists the properties, some oif them being common and some 
- unique to the signature/verification a
 nd encryption/decryption processes.</p><p>Note that one can override some of 
the properties, for example, 'rs.security.store' can be set as a dynamic 
request property pointing to a preloaded Java KeyStore object.</p><h2 
id="JAX-RSJOSE-Configurationthatappliestobothencryptionandsignature">Configuration
 that applies to both encryption and signature</h2><div 
class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.keystore</td><td colspan="1" 
rowspan="1" class="confluenceTd">The Java KeyStore Object to use. This 
configuration tag is used if you want to pass the KeyStore Object through 
dynamically.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>rs.security.keystore.type</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>The keystore type. Suitable values are 
"jks" or "jwk".</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.keystore.password</td><td colspan="1" rowspan=
 "1" class="confluenceTd">The password required to access the 
keystore.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.keystore.alias</td><td colspan="1" rowspan="1" 
class="confluenceTd">&#160;The keystore alias corresponding to the key to use. 
You can append one of the following to this tag to get the alias for more 
specific operations:<br clear="none">&#160;&#160;&#160;&#160; - jwe.out<br 
clear="none">&#160;&#160;&#160;&#160; - jwe.in<br 
clear="none">&#160;&#160;&#160;&#160; - jws.out<br 
clear="none">&#160;&#160;&#160;&#160; - jws.in</td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.keystore.aliases</td><td 
colspan="1" rowspan="1" class="confluenceTd">The keystore aliases corresponding 
to the keys to use, when using the JSON serialization form. You can append one 
of the following to this tag to get the alias for more specific operations:<br 
clear="none">&#160;&#160;&#160;&#160; - jws.out<br 
clear="none">&#160;&#160;&#160;&#160; - j
 ws.in</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.keystore.file</td><td colspan="1" rowspan="1" 
class="confluenceTd">The path to the keystore file.</td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd">rs.security.key.password</td><td 
colspan="1" rowspan="1" class="confluenceTd">The password required to access 
the private key (in the keystore).</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.key.password.provider</td><td colspan="1" 
rowspan="1" class="confluenceTd">A reference to a PrivateKeyPasswordProvider 
instance used to retrieve passwords to access keys.</td></tr><tr><td 
colspan="1" rowspan="1" 
class="confluenceTd">rs.security.accept.public.key</td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Whether to allow using a JWK received in 
the header for signature validation. The default is 
"false".</p></td></tr></tbody></table></div><h2 
id="JAX-RSJOSE-Configurationthatappliestosignatureonly">Configuration that app
 lies to signature only</h2><div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>rs.security.signature.key.password.provider</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>A reference to a 
PrivateKeyPasswordProvider instance used to retrieve passwords to access keys 
for signature. If this is not specified it falls back to use 
"rs.security.key.password.provider".</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.signature.algorithm</td><td 
colspan="1" rowspan="1" class="confluenceTd">The signature algorithm to use. 
The default algorithm if not specified is 'RS256'.</td></tr><tr><td colspan="1" 
rowspan="1" 
class="confluenceTd">rs.security.signature.include.public.key</td><td 
colspan="1" rowspan="1" class="confluenceTd">Include the JWK public key for 
signature in the "jwk" header.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.signature.include.cert</td><t
 d colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate 
for signature in the "x5c" header.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.signature.include.key.id</td><td colspan="1" 
rowspan="1" class="confluenceTd">Include the JWK key id for signature in the 
"kid" header.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.signature.include.cert.sha1</td><td 
colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate 
SHA-1 digest for signature in the "x5t" 
header.</td></tr></tbody></table></div><h2 
id="JAX-RSJOSE-Configurationthatappliestoencryptiononly">Configuration that 
applies to encryption only</h2><div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>rs.security.decryption.key.password.provider</p></td><td
 colspan="1" rowspan="1" class="confluenceTd"><p>A reference to a 
PrivateKeyPasswordProvider instance used to retrieve passwor
 ds to access keys for decryption. If this is not specified it falls back to 
use "rs.security.key.password.provider".</p></td></tr><tr><td colspan="1" 
rowspan="1" 
class="confluenceTd">rs.security.encryption.content.algorithm</td><td 
colspan="1" rowspan="1" class="confluenceTd">The encryption content algorithm 
to use. The default algorithm if not specified is 'A128GCM'.</td></tr><tr><td 
colspan="1" rowspan="1" 
class="confluenceTd">rs.security.encryption.key.algorithm</td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>The encryption key algorithm to use. The 
default algorithm if not specified is 'RSA-OAEP' if the key is an RSA key, and 
'A128GCMKW' if it is an octet sequence.</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.encryption.zip.algorithm</td><td 
colspan="1" rowspan="1" class="confluenceTd">The encryption zip algorithm to 
use.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.encryption.include.public.key</td><td colspa
 n="1" rowspan="1" class="confluenceTd">Include the JWK public key 
for&#160;encryption in the "jwk" header.</td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.encryption.include.cert</td><td 
colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate 
for&#160;encryption in the "x5c" header.</td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.encryption.include.key.id</td><td 
colspan="1" rowspan="1" class="confluenceTd">Include the JWK key id 
for&#160;encryption in the "kid" header.</td></tr><tr><td colspan="1" 
rowspan="1" 
class="confluenceTd">rs.security.encryption.include.cert.sha1</td><td 
colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate 
SHA-1 digest for&#160;encryption in the "x5t" 
header.</td></tr></tbody></table></div><h2 
id="JAX-RSJOSE-ConfigurationthatappliestoJWTtokensonly">Configuration that 
applies to JWT tokens only</h2><div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><td 
 colspan="1" rowspan="1" 
class="confluenceTd"><p>rs.security.enable.unsigned-jwt.principal</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>Whether to allow unsigned JWT 
tokens as SecurityContext Principals. The default is 
false.</p></td></tr></tbody></table></div><h1 
id="JAX-RSJOSE-Interoperability">Interoperability</h1><p>&#160;</p><p><a 
shape="rect" class="external-link" 
href="https://datatracker.ietf.org/wg/jose/documents/"; rel="nofollow">JOSE</a> 
is already widely supported in OAuth2 and OIDC applications. Besides that CXF 
JOSE client or server will interoperate with a 3rd party client/server able to 
produce or consume JWS/JWE sequences.&#160; For example, see a <a shape="rect" 
class="external-link" href="https://www.w3.org/TR/WebCryptoAPI/#jose"; 
rel="nofollow">WebCrypto API use case</a> and&#160; <a shape="rect" 
class="external-link" href="https://mobilepki.org/WCPPSignatureDemo/home"; 
rel="nofollow">the demo</a> which demonstrates how a JWS sequence produced by a 
bro
 wser-hosted script can be validated by a server application capable of 
processing JWS, with the demo browser client being tested against a CXF JWS 
server too.&#160;</p><p>&#160;</p><h1 
id="JAX-RSJOSE-Third-PartyLibraries">Third-Party Libraries</h1><p><a 
shape="rect" class="external-link" 
href="https://bitbucket.org/b_c/jose4j/wiki/Home"; 
rel="nofollow">Jose4J</a></p><p><a shape="rect" class="external-link" 
href="http://connect2id.com/products/nimbus-jose-jwt"; rel="nofollow">Nimbus 
JOSE</a></p><p>&#160;</p></div>
            </div>
            <!-- Content -->
          </td>
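Review bot: the replacement content beginning at the line `+</div></div><p>After loading the properties` carries over several documentation defects from the text it replaces instead of fixing them, and only the reworded Interoperability sentence ("see a WebCrypto API use case and the demo which demonstrates ...") is actually new in the portion shown here. In particular, the note "'rs.security.store' can be set as a dynamic request property pointing to a preloaded Java KeyStore object" names a property that appears nowhere in the tables, which list `rs.security.keystore` as "The Java KeyStore Object to use ... if you want to pass the KeyStore Object through dynamically"; the two should use the same name. The `rs.security.encryption.properties` row is described as "The signature properties file for encryption/decryption", evidently copied from the signature table, and "Singature", "oif" and "commas separated" are typos. Since this is a buildbot publish of the wiki, these belong in the Confluence source page rather than in this generated HTML. It would also help readers if the `rs.security.accept.public.key` and `rs.security.enable.unsigned-jwt.principal` rows said why their defaults are "false": a JWK taken from the message header or an unsigned token is supplied by the sender and cannot by itself establish who the sender is.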