Author: buildbot
Date: Tue May 16 09:47:41 2017
New Revision: 1012308
Log:
Production update by buildbot for cxf
Modified:
websites/production/cxf/content/automated-builds.html
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/cache/main.pageCache
websites/production/cxf/content/docs/jax-rs-jose.html
Modified: websites/production/cxf/content/automated-builds.html
==============================================================================
--- websites/production/cxf/content/automated-builds.html (original)
+++ websites/production/cxf/content/automated-builds.html Tue May 16 09:47:41
2017
@@ -99,7 +99,7 @@ Apache CXF -- Automated Builds
<td height="100%">
<!-- Content -->
<div class="wiki-content">
-<div id="ConfluenceContent"><h1 id="AutomatedBuilds-AutomatedBuilds">Automated
Builds</h1><h2 id="AutomatedBuilds-Hudson/Jenkins">Hudson/Jenkins</h2><p>CXF
has a bunch of automatic builds configured in the Apache Hudson/Jenkins
instance at <a shape="rect" class="external-link"
href="https://builds.apache.org/view/A-D/view/CXF/";>https://builds.apache.org/view/A-D/view/CXF/</a>.
There are builds there that trigger automatically on code commits. There are
also nightly builds to test on other JDK's as well as other platforms.</p><h2
id="AutomatedBuilds-Sonar">Sonar</h2><p>CXF also is configured as a build in
the Apache Sonar instance at <a shape="rect" class="external-link"
href="https://analysis.apache.org/dashboard/index/org.apache.cxf:cxf";>https://analysis.apache.org/dashboard/index/org.apache.cxf:cxf</a>.
The Sonar instance runs a variety of quality checks as part of the
build.</p></div>
+<div id="ConfluenceContent"><h1 id="AutomatedBuilds-AutomatedBuilds">Automated
Builds</h1><h2 id="AutomatedBuilds-Hudson/Jenkins">Hudson/Jenkins</h2><p>CXF
has a bunch of automatic builds configured in the Apache Hudson/Jenkins
instance at <a shape="rect" class="external-link"
href="https://builds.apache.org/view/A-D/view/CXF/";>https://builds.apache.org/view/A-D/view/CXF/</a>.
There are builds there that trigger automatically on code commits. There are
also nightly builds to test on other JDK's as well as other platforms.</p><h2
id="AutomatedBuilds-Sonar">Sonar</h2><p>CXF also is configured as a build in
the Apache Sonar instance at <a shape="rect" class="external-link"
href="https://builds.apache.org/analysis/dashboard/index/org.apache.cxf:cxf";>https://builds.apache.org/analysis/dashboard/index/org.apache.cxf:cxf</a>.
The Sonar instance runs a variety of quality checks as part of the
build.</p></div>
</div>
<!-- Content -->
</td>
Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.
Modified: websites/production/cxf/content/cache/main.pageCache
==============================================================================
Binary files - no diff available.
Modified: websites/production/cxf/content/docs/jax-rs-jose.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-jose.html (original)
+++ websites/production/cxf/content/docs/jax-rs-jose.html Tue May 16 09:47:41
2017
@@ -119,11 +119,11 @@ Apache CXF -- JAX-RS JOSE
<!-- Content -->
<div class="wiki-content">
<div id="ConfluenceContent"><p> </p><p> </p><p><style
type="text/css">/*<![CDATA[*/
-div.rbtoc1494848822919 {padding: 0px;}
-div.rbtoc1494848822919 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1494848822919 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1494928023912 {padding: 0px;}
+div.rbtoc1494928023912 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1494928023912 li {margin-left: 0px;padding-left: 0px;}
-/*]]>*/</style></p><div class="toc-macro rbtoc1494848822919">
+/*]]>*/</style></p><div class="toc-macro rbtoc1494928023912">
<ul class="toc-indentation"><li><a shape="rect"
href="#JAX-RSJOSE-Introduction">Introduction</a></li><li><a shape="rect"
href="#JAX-RSJOSE-MavenDependencies">Maven Dependencies</a></li><li><a
shape="rect" href="#JAX-RSJOSE-JavaandJCEPolicy">Java and JCE
Policy </a></li><li><a shape="rect"
href="#JAX-RSJOSE-JOSEOverviewandImplementation">JOSE Overview and
Implementation</a>
<ul class="toc-indentation"><li><a shape="rect"
href="#JAX-RSJOSE-JWAAlgorithms">JWA Algorithms</a></li><li><a shape="rect"
href="#JAX-RSJOSE-JWKKeys">JWK Keys</a></li><li><a shape="rect"
href="#JAX-RSJOSE-JWSSignature">JWS Signature</a>
<ul class="toc-indentation"><li><a shape="rect"
href="#JAX-RSJOSE-SignatureandVerificationProviders">Signature and Verification
Providers</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSCompact">JWS
Compact</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSJSON">JWS
JSON</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSwithDetachedContent">JWS
with Detached Content</a></li><li><a shape="rect"
href="#JAX-RSJOSE-JWSwithUnencodedPayload">JWS with Unencoded
Payload</a></li></ul>
@@ -492,7 +492,27 @@ Payload:
}
]
}</pre>
-</div></div><p>The client code and server configuration is nearly identical to
a code/configuration needed to set up JWS Compact filters as shown above,
simply replace JwsWriterInterceptor/JwsClientResponseFilter with
JwsJsonWriterInterceptor/JwsJsonClientResponseFilter in the client code, and
JwsContainerRequestFilter/JwsContainerResponseFilter with
JwsJsonContainerRequestFilter/JwsJsonContainerResponseFilter</p><h2
id="JAX-RSJOSE-SigningandVerificationofHTTPAttachments">Signing and
Verification of HTTP Attachments</h2><p>The signing and verification of HTTP
request and response attachments is supported starting from CXF
3.1.12.</p><p>This feature does not buffer the request and response attachment
data and is completely streaming-'friendly'.</p><p>It depends on <a
shape="rect" class="external-link"
href="https://tools.ietf.org/html/rfc7515#appendix-F"; rel="nofollow">JWS with
Detached Content</a> and  <a shape="rect" class="external-link"
href="https://tools.ietf.org/html
/rfc7797" rel="nofollow">JWS with Unencoded Payload</a> options as well as on
the newly introduced CXF <a shape="rect"
href="http://cxf.apache.org/docs/jax-rs-multiparts.html#JAX-RSMultiparts-MultipartFilters";>multipart
filters</a> and works as follows.</p><p>When request or response attachment
parts are about to be submitted to the Multipart serialization provider, JWS
Multipart Output Filter (<a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/multipart/JwsMultipartClientRequestFilter.java";
rel="nofollow">JwsMultipartClientRequestFilter</a> and/or <a shape="rect"
class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/multipart/JwsMultipartContainerResponseFilter.java";
rel="nofollow">JwsMultipartContainerResponseFilter</a>) initializes a <a
shape="rect" cla
ss="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignature.java";
rel="nofollow">JWSSignature</a> object. Next every parts's output stream is
replaced with the filtering output stream which updates the signature object on
every write operation. Finally this multipart filter adds one more attachment
part to the list of the attachments to be written - this part holds a reference
to JWS Signature. When this last part is written, JWSSignature produces the
signature bytes which are encoded using either JWS Compact or JWS JSON format,
with the detached and unencoded content already being pushed to the output
stream.</p><p>When the attachment parts are about to be read by the Multipart
deserialization provider, their signature carried over in the last part will
need to be verified. Just before the parts are about to be read in order to be
made available to the application code, JWS Multipa
rt Input Filter (<a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/multipart/JwsMultipartContainerRequestFilter.java";
rel="nofollow">JwsMultipartContainerRequestFilter</a> and/or <a shape="rect"
class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/multipart/JwsMultipartClientResponseFilter.java";
rel="nofollow">JwsMultipartClientResponseFilter</a>) checks the last part and
initializes a <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsVerificationSignature.java";
rel="nofollow">JWSVerificationSignature</a> object. Next for every attachment
but the last one it replaces the input stream with the filtering input stream
which updates the si
gnature verification object on every read operation. Once all the data have
been read it compares the calculated signature with the received
signature.</p><p>Note when the attachments are accessed by the receiving
application code, the read process will fail to complete if the validation
fails. For example, if the application code copies a given part's InputStream
to the disk then this copy operation will fail.</p><p>However, if the receiver
starts acting immediately on the attachment's InputStream, for example, the
attachment data returned from the service to the client are streamed to a UI
display which can activate a script then it is important that a
'<strong>bufferPayload</strong>' property is enabled on either <a shape="rect"
class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/multipart/JwsMultipartContainerRequestFilter.java";
rel="nofollow">JwsMultipartContainerRequestF
ilter</a> or <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/multipart/JwsMultipartClientResponseFilter.java";
rel="nofollow">JwsMultipartClientResponseFilter</a>. It will ensure that the
data streams are validated first before the application gets an access to
them. </p><p>Here is the example showing how a Book object (represented as
an XML attachment on the wire) can be secured.</p><p>Given this client
code:</p><div class="code panel pdl" style="border-width: 1px;"><div
class="codeContent panelContent pdl">
+</div></div><p>The client code and server configuration is nearly identical to
a code/configuration needed to set up JWS Compact filters as shown above,
simply replace JwsWriterInterceptor/JwsClientResponseFilter with
JwsJsonWriterInterceptor/JwsJsonClientResponseFilter in the client code, and
JwsContainerRequestFilter/JwsContainerResponseFilter with
JwsJsonContainerRequestFilter/JwsJsonContainerResponseFilter</p><h2
id="JAX-RSJOSE-SigningandVerificationofHTTPAttachments">Signing and
Verification of HTTP Attachments</h2><p>The signing and verification of HTTP
request and response attachments is supported starting from CXF
3.1.12.</p><p>This feature does not buffer the request and response attachment
data and is completely streaming-'friendly'.</p><p>It depends on <a
shape="rect" class="external-link"
href="https://tools.ietf.org/html/rfc7515#appendix-F"; rel="nofollow">JWS with
Detached Content</a> and  <a shape="rect" class="external-link"
href="https://tools.ietf.org/html
/rfc7797" rel="nofollow">JWS with Unencoded Payload</a> options as well as on
the newly introduced CXF <a shape="rect"
href="http://cxf.apache.org/docs/jax-rs-multiparts.html#JAX-RSMultiparts-MultipartFilters";>multipart
filters</a> and works as follows.</p><p>When request or response attachment
parts are about to be submitted to the Multipart serialization provider, JWS
Multipart Output Filter (<a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/multipart/JwsMultipartClientRequestFilter.java";
rel="nofollow">JwsMultipartClientRequestFilter</a> and/or <a shape="rect"
class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/multipart/JwsMultipartContainerResponseFilter.java";
rel="nofollow">JwsMultipartContainerResponseFilter</a>) initializes a <a
shape="rect" cla
ss="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignature.java";
rel="nofollow">JWSSignature</a> object. Next every parts's output stream is
replaced with the filtering output stream which updates the signature object on
every write operation. Finally this multipart filter adds one more attachment
part to the list of the attachments to be written - this part holds a reference
to JWS Signature. When this last part is written, JWSSignature produces the
signature bytes which are encoded using either JWS Compact or JWS JSON format,
with the detached and unencoded content already being pushed to the output
stream.</p><p>When the attachment parts are about to be read by the Multipart
deserialization provider, their signature carried over in the last part will
need to be verified. Just before the parts are about to be read in order to be
made available to the application code, JWS Multipa
rt Input Filter (<a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/multipart/JwsMultipartContainerRequestFilter.java";
rel="nofollow">JwsMultipartContainerRequestFilter</a> and/or <a shape="rect"
class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/multipart/JwsMultipartClientResponseFilter.java";
rel="nofollow">JwsMultipartClientResponseFilter</a>) checks the last part and
initializes a <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsVerificationSignature.java";
rel="nofollow">JWSVerificationSignature</a> object. Next for every attachment
but the last one it replaces the input stream with the filtering input stream
which updates the si
gnature verification object on every read operation. Once all the data have
been read it compares the calculated signature with the received
signature.</p><p>Note when the attachments are accessed by the receiving
application code, the read process will fail to complete if the validation
fails. For example, if the application code copies a given part's InputStream
to the disk then this copy operation will fail. For
example:</p><p> </p><div class="code panel pdl" style="border-width:
1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">@POST
+@Path("/books")
+@Consumes("multipart/related")
+public void uploadBookMultipart(@Multipart(type = "application/xml") Book
book) {
+ // This method will not be even invoked if the data signature
verification fails
+ // causing the construction of Book bean to fail
+}
+
+
+@POST
+@Path("/pdf")
+@Consumes("multipart/related")
+public void uploadStreamMultipart(@Multipart(type = "application/pdf")
InputStream is) {
+ OutputStream os = getTargetOutputStream();
+ // This copy operation will fail
+ IOUtils.copy(is, os);
+}
+
+</pre>
+</div></div><p> </p><p>Note that besides the signature verification
process, CXF offers some other indirect support for ensuring the attachment
data have not been affected. For example, <a shape="rect"
href="http://cxf.apache.org/docs/jax-rs-multiparts.html#JAX-RSMultiparts-Readinglargeattachments";>the
size of the attachments can be restricted</a>, and if the data stream is
converted from XML then the conversion process will be controlled by the secure
XML parser. </p><p>However, if the receiver starts acting immediately on
the attachment's InputStream, for example, the attachment data returned from
the service to the client are streamed to a UI display which can activate a
script then it is important that a '<strong>bufferPayload</strong>' property is
enabled on either <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/multipart/JwsMultipartContaine
rRequestFilter.java" rel="nofollow">JwsMultipartContainerRequestFilter</a> or
<a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/multipart/JwsMultipartClientResponseFilter.java";
rel="nofollow">JwsMultipartClientResponseFilter</a>. It will ensure that the
data streams are validated first before the application gets an access to them.
This property should also be enabled if the multipart payload contains many
attachment parts.</p><p>Here is an example showing how a Book object
(represented as an XML attachment on the wire) can be secured.</p><p>Given this
client code:</p><div class="code panel pdl" style="border-width: 1px;"><div
class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">@Test
public void testJwsJwkBookHMacMultipart() throws Exception {
String address = "https://localhost:"; + PORT + "/jwsjwkhmacSinglePart";
@@ -533,7 +553,8 @@ public class BookStore {
@Consumes("multipart/related")
@Multipart(type = "application/xml")
public Book echoBookMultipart(@Multipart(type = "application/xml") Book
book) {
- return book;
+ // This method will not be even invoked if the data signature
verification fails
+  return book;
}
}</pre>
</div></div><p>and server configuration:</p><div class="code panel pdl"
style="border-width: 1px;"><div class="codeContent panelContent pdl">
