Author: buildbot
Date: Fri May 27 09:47:38 2016
New Revision: 989314

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/jax-rs-jose.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-jose.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-jose.html (original)
+++ websites/production/cxf/content/docs/jax-rs-jose.html Fri May 27 09:47:38 
2016
@@ -119,11 +119,11 @@ Apache CXF -- JAX-RS JOSE
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><p>&#160;</p><p>&#160;</p><p><style 
type="text/css">/*<![CDATA[*/
-div.rbtoc1464259621584 {padding: 0px;}
-div.rbtoc1464259621584 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1464259621584 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1464342422013 {padding: 0px;}
+div.rbtoc1464342422013 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1464342422013 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1464259621584">
+/*]]>*/</style></p><div class="toc-macro rbtoc1464342422013">
 <ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSJOSE-Introduction">Introduction</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-MavenDependencies">Maven Dependencies</a></li><li><a 
shape="rect" href="#JAX-RSJOSE-JavaandJCEPolicy">Java and JCE 
Policy&#160;</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-JOSEOverviewandImplementation">JOSE Overview and 
Implementation</a>
 <ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSJOSE-JWAAlgorithms">JWA Algorithms</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-JWKKeys">JWK Keys</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-JWSSignature">JWS Signature</a>
 <ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSJOSE-SignatureandVerificationProviders">Signature and Verification 
Providers</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSCompact">JWS 
Compact</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSJSON">JWS 
JSON</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSwithDetachedContent">JWS 
with Detached Content</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-JWSwithUnencodedPayload">JWS with Unencoded 
Payload</a></li></ul>
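Review bot: The only change in this hunk is the generated TOC class name, `rbtoc1464259621584` becoming `rbtoc1464342422013` in the three CSS rules and on the `toc-macro` div. The suffix looks timestamp-derived, so it is likely to change on every export even when the page content does not. Consider emitting a stable class name from the export, or normalising it before commit, so that real documentation changes in jax-rs-jose.html are not buried in generated churn.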
@@ -194,8 +194,8 @@ JsonWebKey key = keySet.getKey("Public R
 String thumbprint = JwkUtils.getThumbprint(key);
 assertEquals("NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs", thumbprint);
 KeyType keyType = key.getKeyType();
-assertEquals(KeyType.RSA, thumbprint);</pre>
-</div></div><pre>JsonWebKeys also supports the retrieval of keys by their type 
(RSA, EC, Octet) and operation (ENCRYPT, SIGN, etc). <br clear="none">Once you 
have JWK loaded it is typically submitted to JWS or JWE providers.</pre><h2 
id="JAX-RSJOSE-JWSSignature">JWS Signature</h2><p><a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7515"; 
rel="nofollow">JWS</a> (JSON Web Signature) document describes how a document 
content can be signed. For example, <a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7515#appendix-A.1"; rel="nofollow">Appendix 
A1</a> shows how the content can be signed with an HMAC key</p><p>CXF ships JWS 
related classes in <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/tree/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws";
 rel="nofollow">this package</a> and offers a support for all of JWA <a 
shape="rect" class="external-link" href="https://tools.ietf.o
 rg/html/rfc7518#section-3" rel="nofollow">signature algorithms</a>.</p><h3 
id="JAX-RSJOSE-SignatureandVerificationProviders">Signature and Verification 
Providers</h3><p><a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureProvider.java";
 rel="nofollow">JwsSignatureProvider</a> supports signing the content, <a 
shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureVerifier.java";
 rel="nofollow">JwsSignatureVerifier</a> - validating the 
signatures.</p><p>Note the signature and verification capabilities are 
represented by 2 different interfaces - it was done to keep the interfaces 
minimalistic and have the concerns separated which can be appreciated most in 
the cases where the code only signs or only validates.</p><p>The following 
table shows 
 the algorithms and the corresponding providers (<span 
class="pl-smi">org.apache.cxf.rs.security.jose.jws</span> package):</p><div 
class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><strong>Algorithm</strong></td><td colspan="1" 
rowspan="1" class="confluenceTd"><strong>JWS Header 'alg'</strong></td><td 
colspan="1" rowspan="1" 
class="confluenceTd"><strong>JwsSignatureProvider</strong></td><td colspan="1" 
rowspan="1" 
class="confluenceTd"><strong>JwsSignatureVerifier</strong></td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3.2"; 
rel="nofollow">HMAC</a></td><td colspan="1" rowspan="1" 
class="confluenceTd">HS256, HS384, HS512</td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>HmacJwsSignatureProvider</p></td><td colspan="1" 
rowspan="1" 
class="confluenceTd"><p>HmacJwsSignatureVerifier</p></td></tr><tr><td 
colspan="1" rowspan="1
 " class="confluenceTd"><a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7518#section-3.3"; 
rel="nofollow">RSASSA-PKCS1-v1_5</a></td><td colspan="1" rowspan="1" 
class="confluenceTd">RS256, RS384, RS512</td><td colspan="1" rowspan="1" 
class="confluenceTd">PrivateKeyJwsSignatureProvider</td><td colspan="1" 
rowspan="1" class="confluenceTd">PublicKeyJwsSignatureVerifier</td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3.4"; 
rel="nofollow">ECDSA</a></td><td colspan="1" rowspan="1" 
class="confluenceTd">ES256, ES384, ES512</td><td colspan="1" rowspan="1" 
class="confluenceTd">EcDsaJwsSignatureProvider</td><td colspan="1" rowspan="1" 
class="confluenceTd">EcDsaJwsSignatureVerifier</td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7518#section-3.5"; 
rel="nofollow">RSASSA-PSS</a></td><td 
 colspan="1" rowspan="1" class="confluenceTd">PS256, PS384, PS512</td><td 
colspan="1" rowspan="1" 
class="confluenceTd">PrivateKeyJwsSignatureProvider</td><td colspan="1" 
rowspan="1" class="confluenceTd">PublicKeyJwsSignatureVerifier</td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3.6"; 
rel="nofollow">None</a></td><td colspan="1" rowspan="1" 
class="confluenceTd">none</td><td colspan="1" rowspan="1" 
class="confluenceTd">NoneJwsSignatureProvider</td><td colspan="1" rowspan="1" 
class="confluenceTd">NoneJwsSignatureVerifier</td></tr></tbody></table></div><p>Either
 of these providers (except for None) can be initialized with the keys loaded 
from JWK or Java JKS stores or from the in-memory 
representations.</p><p>RS256/384/512 algorithms are likely to be used most 
often at the moment due to existing JKS stores being available everywhere and a 
relatively easy way of making the public validati
 on keys available. 'None' algorithm might be useful when a JWS sequence is 
subsequently JWE-encrypted or when a 2-way TLS (with client and server 
certificates) is used.</p><p>Once you have decided which algorithm needs to be 
supported you can initialize an appropriate pair of JwsSignatureProvider and 
JwsSignatureVerifier if both signing the data and the verification are needed. 
If only the signing is needed - select JwsSignatureProvider, only the 
verification - select JwsSignatureVerifier. The selected providers are 
submitted to JWS Compact or JWS JSON producers or consumers.</p><p><a 
shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java";
 rel="nofollow">JwsUtils</a> utility class has a lot of helper methods to load 
JwsSignatureProvider or JwsSignatureVerifier and to get JWS sequences created 
and validated.</p><h3 id="JAX-RSJOSE-JWSCompact">JWS Compact</h3><p><
 a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7515#section-3.3"; rel="nofollow">JWS 
Compact representation</a> is the most often used JWS sequence format. It is 
the concatenation of Base64URL-encoded sequence of JWS headers (algorithm and 
other properties),&#160; Base64URL-encoded sequence of the actual data being 
protected and Base64URL-encoded sequence of the signature algorithm output 
bytes.</p><p><a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactProducer.java";
 rel="nofollow">JwsCompactProducer</a> and <a shape="rect" 
class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactConsumer.java";
 rel="nofollow">JwsCompactConsumer</a> offer a support for producing and 
consuming compact JWS sequences, protecting the data in JSON or no
 n-JSON formats.</p><p><a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJwtCompactProducer.java";
 rel="nofollow">JwsJwtCompactProducer</a> and <a shape="rect" 
class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJwtCompactConsumer.java";
 rel="nofollow">JwsJwtCompactConsumer</a> are their simple extensions which 
help with processing typed JWT Tokens.</p><p>&#160;For example, here is how an 
<a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7515#appendix-A.1"; rel="nofollow">Appendix 
A1</a> example can be done in CXF:</p><p>&#160;</p><div class="code panel pdl" 
style="border-width: 1px;"><div class="codeHeader panelHeader pdl" 
style="border-bottom-width: 1px;"><b>CXF JWS Compact HMac</b></div><div 
class="codeContent panelContent pdl">
+assertEquals(KeyType.RSA, keyType);</pre>
+</div></div><p>JsonWebKeys also supports the retrieval of keys by their type 
(RSA, EC, Octet) and operation (ENCRYPT, SIGN, etc). <br clear="none">Once you 
have JWK loaded it is typically submitted to JWS or JWE providers.</p><h2 
id="JAX-RSJOSE-JWSSignature">JWS Signature</h2><p><a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7515"; 
rel="nofollow">JWS</a> (JSON Web Signature) document describes how a document 
content can be signed. For example, <a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7515#appendix-A.1"; rel="nofollow">Appendix 
A1</a> shows how the content can be signed with an HMAC key</p><p>CXF ships JWS 
related classes in <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/tree/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws";
 rel="nofollow">this package</a> and offers a support for all of JWA <a 
shape="rect" class="external-link" href="https://tools.ietf.org/h
 tml/rfc7518#section-3" rel="nofollow">signature algorithms</a>.</p><h3 
id="JAX-RSJOSE-SignatureandVerificationProviders">Signature and Verification 
Providers</h3><p><a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureProvider.java";
 rel="nofollow">JwsSignatureProvider</a> supports signing the content, <a 
shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureVerifier.java";
 rel="nofollow">JwsSignatureVerifier</a> - validating the 
signatures.</p><p>Note the signature and verification capabilities are 
represented by 2 different interfaces - it was done to keep the interfaces 
minimalistic and have the concerns separated which can be appreciated most in 
the cases where the code only signs or only validates.</p><p>The following 
table shows the 
 algorithms and the corresponding providers (<span 
class="pl-smi">org.apache.cxf.rs.security.jose.jws</span> package):</p><div 
class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><strong>Algorithm</strong></td><td colspan="1" 
rowspan="1" class="confluenceTd"><strong>JWS Header 'alg'</strong></td><td 
colspan="1" rowspan="1" 
class="confluenceTd"><strong>JwsSignatureProvider</strong></td><td colspan="1" 
rowspan="1" 
class="confluenceTd"><strong>JwsSignatureVerifier</strong></td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3.2"; 
rel="nofollow">HMAC</a></td><td colspan="1" rowspan="1" 
class="confluenceTd">HS256, HS384, HS512</td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>HmacJwsSignatureProvider</p></td><td colspan="1" 
rowspan="1" 
class="confluenceTd"><p>HmacJwsSignatureVerifier</p></td></tr><tr><td 
colspan="1" rowspan="1" cl
 ass="confluenceTd"><a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7518#section-3.3"; 
rel="nofollow">RSASSA-PKCS1-v1_5</a></td><td colspan="1" rowspan="1" 
class="confluenceTd">RS256, RS384, RS512</td><td colspan="1" rowspan="1" 
class="confluenceTd">PrivateKeyJwsSignatureProvider</td><td colspan="1" 
rowspan="1" class="confluenceTd">PublicKeyJwsSignatureVerifier</td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3.4"; 
rel="nofollow">ECDSA</a></td><td colspan="1" rowspan="1" 
class="confluenceTd">ES256, ES384, ES512</td><td colspan="1" rowspan="1" 
class="confluenceTd">EcDsaJwsSignatureProvider</td><td colspan="1" rowspan="1" 
class="confluenceTd">EcDsaJwsSignatureVerifier</td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7518#section-3.5"; 
rel="nofollow">RSASSA-PSS</a></td><td cols
 pan="1" rowspan="1" class="confluenceTd">PS256, PS384, PS512</td><td 
colspan="1" rowspan="1" 
class="confluenceTd">PrivateKeyJwsSignatureProvider</td><td colspan="1" 
rowspan="1" class="confluenceTd">PublicKeyJwsSignatureVerifier</td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3.6"; 
rel="nofollow">None</a></td><td colspan="1" rowspan="1" 
class="confluenceTd">none</td><td colspan="1" rowspan="1" 
class="confluenceTd">NoneJwsSignatureProvider</td><td colspan="1" rowspan="1" 
class="confluenceTd">NoneJwsSignatureVerifier</td></tr></tbody></table></div><p>Either
 of these providers (except for None) can be initialized with the keys loaded 
from JWK or Java JKS stores or from the in-memory 
representations.</p><p>RS256/384/512 algorithms are likely to be used most 
often at the moment due to existing JKS stores being available everywhere and a 
relatively easy way of making the public validation k
 eys available. 'None' algorithm might be useful when a JWS sequence is 
subsequently JWE-encrypted or when a 2-way TLS (with client and server 
certificates) is used.</p><p>Once you have decided which algorithm needs to be 
supported you can initialize an appropriate pair of JwsSignatureProvider and 
JwsSignatureVerifier if both signing the data and the verification are needed. 
If only the signing is needed - select JwsSignatureProvider, only the 
verification - select JwsSignatureVerifier. The selected providers are 
submitted to JWS Compact or JWS JSON producers or consumers.</p><p><a 
shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java";
 rel="nofollow">JwsUtils</a> utility class has a lot of helper methods to load 
JwsSignatureProvider or JwsSignatureVerifier and to get JWS sequences created 
and validated.</p><h3 id="JAX-RSJOSE-JWSCompact">JWS Compact</h3><p><a sh
 ape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7515#section-3.3"; rel="nofollow">JWS 
Compact representation</a> is the most often used JWS sequence format. It is 
the concatenation of Base64URL-encoded sequence of JWS headers (algorithm and 
other properties),&#160; Base64URL-encoded sequence of the actual data being 
protected and Base64URL-encoded sequence of the signature algorithm output 
bytes.</p><p><a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactProducer.java";
 rel="nofollow">JwsCompactProducer</a> and <a shape="rect" 
class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactConsumer.java";
 rel="nofollow">JwsCompactConsumer</a> offer a support for producing and 
consuming compact JWS sequences, protecting the data in JSON or non-JS
 ON formats.</p><p><a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJwtCompactProducer.java";
 rel="nofollow">JwsJwtCompactProducer</a> and <a shape="rect" 
class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJwtCompactConsumer.java";
 rel="nofollow">JwsJwtCompactConsumer</a> are their simple extensions which 
help with processing typed JWT Tokens.</p><p>&#160;For example, here is how an 
<a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7515#appendix-A.1"; rel="nofollow">Appendix 
A1</a> example can be done in CXF:</p><p>&#160;</p><div class="code panel pdl" 
style="border-width: 1px;"><div class="codeHeader panelHeader pdl" 
style="border-bottom-width: 1px;"><b>CXF JWS Compact HMac</b></div><div 
class="codeContent panelContent pdl">
 <pre class="brush: java; gutter: false; theme: Default" 
style="font-size:12px;">JwtClaims claims = new JwtClaims();
 claims.setIssuer("joe");
 claims.setExpiryTime(1300819380L);
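Review bot: Missing documentation in the added paragraph after the provider table: 'None' is described as possibly useful when a JWS sequence is subsequently JWE-encrypted or when 2-way TLS is used, but nothing says how a consumer should treat an incoming sequence whose 'alg' is none. Suggest adding a sentence that NoneJwsSignatureVerifier provides no integrity protection by itself and should be configured only when the application has explicitly decided to rely on the outer JWE or TLS layer. Minor wording point in the same paragraph: "Either of these providers" refers to a table with five rows, so "Any of these providers" would read better. The `assertEquals(KeyType.RSA, keyType);` correction and the switch from `<pre>` to `<p>` for the JsonWebKeys paragraph look right.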

