Author: buildbot
Date: Thu Jun 15 13:47:34 2017
New Revision: 1014078

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/jax-rs-jose.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-jose.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-jose.html (original)
+++ websites/production/cxf/content/docs/jax-rs-jose.html Thu Jun 15 13:47:34 
2017
@@ -119,11 +119,11 @@ Apache CXF -- JAX-RS JOSE
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><p>&#160;</p><p>&#160;</p><p><style 
type="text/css">/*<![CDATA[*/
-div.rbtoc1497530828795 {padding: 0px;}
-div.rbtoc1497530828795 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1497530828795 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1497534419938 {padding: 0px;}
+div.rbtoc1497534419938 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1497534419938 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1497530828795">
+/*]]>*/</style></p><div class="toc-macro rbtoc1497534419938">
 <ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSJOSE-Introduction">Introduction</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-MavenDependencies">Maven Dependencies</a></li><li><a 
shape="rect" href="#JAX-RSJOSE-JavaandJCEPolicy">Java and JCE 
Policy&#160;</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-JOSEOverviewandImplementation">JOSE Overview and 
Implementation</a>
 <ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSJOSE-JWAAlgorithms">JWA Algorithms</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-JWKKeys">JWK Keys</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-JWSSignature">JWS Signature</a>
 <ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSJOSE-SignatureandVerificationProviders">Signature and Verification 
Providers</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSCompact">JWS 
Compact</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSJSON">JWS 
JSON</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSwithDetachedContent">JWS 
with Detached Content</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-JWSwithUnencodedPayload">JWS with Unencoded 
Payload</a></li></ul>
@@ -139,11 +139,11 @@ div.rbtoc1497530828795 li {margin-left:
 </li><li><a shape="rect" href="#JAX-RSJOSE-JOSEinJAX-RSapplicationcode">JOSE 
in JAX-RS application code</a>
 <ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSJOSE-Option1:ProcessJOSEdirectly">Option 1:&#160; Process JOSE 
directly</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-Option2:UseJOSElibraryhelpersandEndpointConfiguration">Option 
2:&#160; Use JOSE library helpers and Endpoint Configuration</a>
 <ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSJOSE-ProduceJOSEdata">Produce JOSE data</a>
-<ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSJOSE-Step1.UseJoseProducerorJoseJwtProducer">Step1. Use 
JoseProducer or JoseJwtProducer</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-Step2.Setthekeystorelocation">Step2. Set the key store 
location</a></li></ul>
+<ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSJOSE-Step1.UseJoseProducerorJoseJwtProducer">Step1. Use 
JoseProducer or JoseJwtProducer</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-Step2.Setthekeystorelocationandthealgorithminfo">Step2. Set 
the key store location and the algorithm info</a></li></ul>
 </li><li><a shape="rect" href="#JAX-RSJOSE-ConsumeJOSEdata">Consume JOSE 
data</a>
-<ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSJOSE-Step1.UseJoseConsumerorJoseJwtConsumer">Step1. Use 
JoseConsumer or JoseJwtConsumer</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-Step2.Setthekeystorelocation.1">Step2. Set the key store 
location</a></li></ul>
+<ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSJOSE-Step1.UseJoseConsumerorJoseJwtConsumer">Step1. Use 
JoseConsumer or JoseJwtConsumer</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-Step2.Setthekeystorelocationandthealgorithminfo.1">Step2. Set 
the key store location and the algorithm info</a></li></ul>
 </li><li><a shape="rect" href="#JAX-RSJOSE-ProduceandConsumeJOSEdata">Produce 
and Consume JOSE data</a>
-<ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSJOSE-Step1.UseJoseProducerConsumerorJoseJwtProducerConsumer">Step1.
 Use JoseProducerConsumer or JoseJwtProducerConsumer</a></li><li><a 
shape="rect" href="#JAX-RSJOSE-Step2.Setthekeystorelocation.2">Step2. Set the 
key store location</a></li></ul>
+<ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSJOSE-Step1.UseJoseProducerConsumerorJoseJwtProducerConsumer">Step1.
 Use JoseProducerConsumer or JoseJwtProducerConsumer</a></li><li><a 
shape="rect" 
href="#JAX-RSJOSE-Step2.Setthekeystorelocationandthealgorithminfo.2">Step2. Set 
the key store location and the algorithm info</a></li></ul>
 </li></ul>
 </li></ul>
 </li><li><a shape="rect" href="#JAX-RSJOSE-Configuration">Configuration</a>
@@ -685,7 +685,69 @@ Payload:
    "ciphertext":"alKm_g",
    "tag":"DkW2pZCd7lhR0KqIGQ69-A"
 }</pre>
-</div></div><p>Note the Base64Url encoded protected headers go first, followed 
by the 'recipients' array, with each element containing the encrypted content 
encryption key which can be decrypted by the recipient private key, with the 
array of recipients followed by the IV, ciphertext and authentication tag 
Base64Url sequences.</p><h2 
id="JAX-RSJOSE-LinkingJWTauthenticationstoJWSorJWEcontent">Linking JWT 
authentications to JWS or JWE content</h2><p>CXF introduced a "JWT" HTTP 
authentication scheme, with a Base64Url encoded JWT token representing a user 
authentication against an IDP capable of issuing JWT assertions (or simply JWT 
tokens). JWT assertion is like SAML assertion except that it is in a JSON 
format. If you'd like to cryptographically bind this JWT token to a data 
secured by JWS and/or JWE processors then simply add <a shape="rect" 
class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/secu
 rity/jose/jaxrs/JwtAuthenticationClientFilter.java" 
rel="nofollow">JwtAuthenticationClientFilter</a>on the client side and <a 
shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java";
 rel="nofollow">JwtAuthenticationFilter</a> on the server side. These filters 
link the authentication token with a randomly generated secure value which is 
added to both the token and the body JWS/JWE protected headers.</p><p>This 
approach is more effective compared to the ones where the body hash is 
calculated before it is submitted to a signature creation function, with the 
signature added as HTTP header.</p><h2 
id="JAX-RSJOSE-OptionalprotectionofHTTPheaders">Optional protection of HTTP 
headers</h2><p>Starting from CXF 3.1.12 it is possible to use JWS, JWS JSON, 
JWE and JWE JSON filters to protect the selected set of HTTP headers. The JOSE 
payloads produced b
 y these filters guarantee that the JOSE headers are integrity protected. Given 
this, if one enables a 'protectHttpHeaders' boolean property on the request 
filters, then, by default, HTTP Content-Type and Accept header values will be 
registered as JOSE header properties prefixed with "http.", example, 
"http.Accept":"text/plain". The list of the headers to be protected can be 
customized using a 'protectedHttpHeaders' set property.</p><p>These properties 
will be compared against the current HTTP headers on the receiving 
end.</p><p>This approach does not prevent the streaming of the outgoing data 
(which will also be protected by the filters) and offers a way to secure the 
HTTP headers which are really important for the correct processing of the 
incoming payloads</p><h1 id="JAX-RSJOSE-JOSEinJAX-RSapplicationcode">JOSE in 
JAX-RS application code</h1><p>In some cases you may need to create or process 
the JOSE data directly in the service or client application code. For example, 
one of the 
 properties in the request or response payload needs to be JWS signed/verified 
and/or JWE encrypted/decrypted. The following 2 options can be tried.</p><h2 
id="JAX-RSJOSE-Option1:ProcessJOSEdirectly">Option 1:&#160; Process JOSE 
directly</h2><p>This option is about using the CXF JOSE library to sign, 
encrypt, or/and decrypt and verify the data as <a shape="rect" 
href="jax-rs-jose.html">documented above</a>. This option should be preferred 
if one needs to keep a closer control, for example, set the custom JWS or JWE 
headers, etc.</p><h2 
id="JAX-RSJOSE-Option2:UseJOSElibraryhelpersandEndpointConfiguration">Option 
2:&#160; Use JOSE library helpers and Endpoint Configuration</h2><p>This option 
makes it straighforward to do JOSE in the application code. One has to extend 
or delegate to a specific JOSE helper instance and configure the endpoint with 
the locatiion of the key store.</p><h3 id="JAX-RSJOSE-ProduceJOSEdata">Produce 
JOSE data</h3><h4 id="JAX-RSJOSE-Step1.UseJoseProducerorJoseJwt
 Producer">Step1. Use JoseProducer or JoseJwtProducer</h4><h4 
id="JAX-RSJOSE-Step2.Setthekeystorelocation">Step2. Set the key store 
location</h4><h3 id="JAX-RSJOSE-ConsumeJOSEdata">Consume JOSE data</h3><h4 
id="JAX-RSJOSE-Step1.UseJoseConsumerorJoseJwtConsumer">Step1. Use JoseConsumer 
or JoseJwtConsumer</h4><h4 
id="JAX-RSJOSE-Step2.Setthekeystorelocation.1">Step2. Set the key store 
location</h4><h3 id="JAX-RSJOSE-ProduceandConsumeJOSEdata">Produce and Consume 
JOSE data</h3><h4 
id="JAX-RSJOSE-Step1.UseJoseProducerConsumerorJoseJwtProducerConsumer">Step1. 
Use JoseProducerConsumer or JoseJwtProducerConsumer</h4><h4 
id="JAX-RSJOSE-Step2.Setthekeystorelocation.2">Step2. Set the key store 
location</h4><h1 id="JAX-RSJOSE-Configuration">Configuration</h1><p>CXF JOSE 
configuration provides for loading JWS and JWE keys and supporting various 
processing options. Configuration properties can be shared between JWS and JWE 
processors or in/out only JWS and or JWE properties can be set.</p><p>Typic
 ally a secure JAX-RS endpoint or client is initialized with JWS and or JWE 
properties.</p><p>For example, <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jose/jwejws/server.xml#L197";
 rel="nofollow">this endpoint</a> is configured with a <a shape="rect" 
class="external-link" 
href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jose/jwejws/server.xml#L207";
 rel="nofollow">single JWS properties file</a> which will apply to both input 
(signature verification) and output (signature creation) JWS operations. <a 
shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jose/jwejws/server.xml#L210";
 rel="nofollow">This endpoint</a> depends on <a shape="rect" 
class="external-link" href="https://github.com/a
 
pache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jose/jwejws/server.xml#L218"
 rel="nofollow">two JWS properties files</a>, one - for input JWS, another one 
- for output JWS. Similarly, <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jose/jwejws/server.xml#L153";
 rel="nofollow">this endpoint</a> uses a <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jose/jwejws/server.xml#L162";
 rel="nofollow">single JWE properties file</a> for encrypting/decrypting the 
data, while <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jose/jwejws/server.xml#L139";
 rel="nofollow">this endpoint</a> uses <a shape="rect" 
 class="external-link" 
href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jose/jwejws/server.xml#L139";
 rel="nofollow">two JWE properties files</a>. <a shape="rect" 
class="external-link" 
href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jose/jwejws/server.xml#L178";
 rel="nofollow">This endpoint</a> support both JWS and JSON with <a 
shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jose/jwejws/server.xml#L189";
 rel="nofollow">in/out specific properties</a>. If either JWS or JWE private 
key needs to be loaded from the password-protected storage (JKS, encryped 
JWK)&#160; then a&#160;<a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/se
 curity/jose/common/PrivateKeyPasswordProvider.java" rel="nofollow">password 
provider</a> needs be <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jose/jwejws/server.xml#L194";
 rel="nofollow">registered</a> as well, it can be shared between JWS or JWS or 
be in/out specific for either JWS or JWE.</p><p>These configuration propertie 
are of major help when JAX-RS JOSE filters process the in/out payload without 
the application service code being aware of it. While filters can be injected 
with JWS or JWE providers directly, one would usually set the relevant 
properties as part of the endpoint or client set-up and expect the filters load 
the required JWS or JWE providers as needed.&#160;</p><p>If you need to do JWS 
or JWE processing directly in your service or interceptor code then having the 
properties may also be helpful, for example, the following code works because 
it is i
 ndirectly supported by the properties indicating which signature or encryption 
algorithm is used, where to get the key if needed, etc:</p><div class="code 
panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" 
style="border-bottom-width: 1px;"><b>Loading JWS and JWE Providers 
</b></div><div class="codeContent panelContent pdl">
+</div></div><p>Note the Base64Url encoded protected headers go first, followed 
by the 'recipients' array, with each element containing the encrypted content 
encryption key which can be decrypted by the recipient private key, with the 
array of recipients followed by the IV, ciphertext and authentication tag 
Base64Url sequences.</p><h2 
id="JAX-RSJOSE-LinkingJWTauthenticationstoJWSorJWEcontent">Linking JWT 
authentications to JWS or JWE content</h2><p>CXF introduced a "JWT" HTTP 
authentication scheme, with a Base64Url encoded JWT token representing a user 
authentication against an IDP capable of issuing JWT assertions (or simply JWT 
tokens). JWT assertion is like SAML assertion except that it is in a JSON 
format. If you'd like to cryptographically bind this JWT token to a data 
secured by JWS and/or JWE processors then simply add <a shape="rect" 
class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/secu
 rity/jose/jaxrs/JwtAuthenticationClientFilter.java" 
rel="nofollow">JwtAuthenticationClientFilter</a>on the client side and <a 
shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java";
 rel="nofollow">JwtAuthenticationFilter</a> on the server side. These filters 
link the authentication token with a randomly generated secure value which is 
added to both the token and the body JWS/JWE protected headers.</p><p>This 
approach is more effective compared to the ones where the body hash is 
calculated before it is submitted to a signature creation function, with the 
signature added as HTTP header.</p><h2 
id="JAX-RSJOSE-OptionalprotectionofHTTPheaders">Optional protection of HTTP 
headers</h2><p>Starting from CXF 3.1.12 it is possible to use JWS, JWS JSON, 
JWE and JWE JSON filters to protect the selected set of HTTP headers. The JOSE 
payloads produced b
 y these filters guarantee that the JOSE headers are integrity protected. Given 
this, if one enables a 'protectHttpHeaders' boolean property on the request 
filters, then, by default, HTTP Content-Type and Accept header values will be 
registered as JOSE header properties prefixed with "http.", example, 
"http.Accept":"text/plain". The list of the headers to be protected can be 
customized using a 'protectedHttpHeaders' set property.</p><p>These properties 
will be compared against the current HTTP headers on the receiving 
end.</p><p>This approach does not prevent the streaming of the outgoing data 
(which will also be protected by the filters) and offers a way to secure the 
HTTP headers which are really important for the correct processing of the 
incoming payloads</p><h1 id="JAX-RSJOSE-JOSEinJAX-RSapplicationcode">JOSE in 
JAX-RS application code</h1><p>In some cases you may need to create or process 
the JOSE data directly in the service or client application code. For example, 
one of the 
 properties in the request or response payload needs to be JWS signed/verified 
and/or JWE encrypted/decrypted. The following 2 options can be tried.</p><h2 
id="JAX-RSJOSE-Option1:ProcessJOSEdirectly">Option 1:&#160; Process JOSE 
directly</h2><p>This option is about using the CXF JOSE library to sign, 
encrypt, or/and decrypt and verify the data as <a shape="rect" 
href="jax-rs-jose.html">documented above</a>. This option should be preferred 
if one needs to keep a closer control, for example, set the custom JWS or JWE 
headers, etc.</p><h2 
id="JAX-RSJOSE-Option2:UseJOSElibraryhelpersandEndpointConfiguration">Option 
2:&#160; Use JOSE library helpers and Endpoint Configuration</h2><p>This option 
makes it straighforward to do JOSE in the application code. One has to extend 
or delegate to a specific JOSE helper instance and configure the endpoint with 
the locatiion of the key store.</p><h3 id="JAX-RSJOSE-ProduceJOSEdata">Produce 
JOSE data</h3><h4 id="JAX-RSJOSE-Step1.UseJoseProducerorJoseJwt
 Producer">Step1. Use JoseProducer or JoseJwtProducer</h4><p>If you need to 
protect some non JWT property - extend or delegate to JoseProducer:</p><div 
class="code panel pdl" style="border-width: 1px;"><div class="codeContent 
panelContent pdl">
+<pre class="brush: java; gutter: false; theme: Default" 
style="font-size:12px;">import 
org.apache.cxf.rs.security.jose.common.JoseProducer;
+@Path("service")
+public class SecureService extends JoseProducer {
+    @GET
+    public String getProtectedValue() {
+        // encrypt and/or sign the data
+        return super.processData("some data");
+    }
+}
+
+// or
+
+@Path("service")
+public class SecureService {
+    
+    private JoseProducer producer = new JoseProducer();
+    @GET
+    public String getProtectedValue() {
+        // encrypt and/or sign the data
+        return producer.processData("some data");
+    }
+}</pre>
+</div></div><p>&#160;</p><p>If you need to protect some JWT property - extend 
or delegate to JoseJwtProducer:</p><div class="code panel pdl" 
style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: java; gutter: false; theme: Default" 
style="font-size:12px;">import 
org.apache.cxf.rs.security.jose.jwt.JoseJwtProducer;
+@Path("service")
+public class SecureService extends JoseJwtProducer {
+    @GET
+    public String getProtectedToken() {
+        // encrypt and/or sign JWT
+        JwtClaims claims = new JwtClaims();
+        claims.setIssuer("some issuer");
+        // set other claims
+        return super.processJwt(new JwtToken(claims));
+    }
+}
+
+// or
+
+@Path("service")
+public class SecureService extends AbstractSecureService {
+    
+    private JoseJwtProducer producer = new JoseJwtProducer();
+    @GET
+    public String getProtectedValue() {
+        // encrypt and/or sign JWT
+        return producer.processData(new JwtToken(new JwtClaims()));
+    }
+}</pre>
+</div></div><p>&#160;In both cases the producer helpers will detect the 
endpoint specific configuration thus they do not need to be preconfigured - 
however if needed they have the 'encryptionProvider' and 'signatureProvider' 
setters which can be used to inject JwsSignatureProvider and/or 
JweSignatureProvider instances instead.</p><p>The producer helpers require a 
signature creation only by default. Use their 'setJwsRequired' or 
'setJwsRequired' properties to customize it - example, disable JWS but require 
JWE, or enable JWE to get JWS-protected data encrypted as well.</p><h4 
id="JAX-RSJOSE-Step2.Setthekeystorelocationandthealgorithminfo">Step2. Set the 
key store location and the algorithm info</h4><div class="code panel pdl" 
style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: xml; gutter: false; theme: Default" 
style="font-size:12px;">&lt;beans 
xmlns="http://www.springframework.org/schema/beans"; 
xmlns:jaxrs="http://cxf.apache.org/jaxrs"&gt;
+    &lt;bean id="serviceBean" 
class="org.apache.cxf.systest.jaxrs.security.jose.SecureService"/&gt;
+    &lt;jaxrs:server address="/secure"&gt;
+        &lt;jaxrs:serviceBeans&gt;
+            &lt;ref bean="serviceBean"/&gt;
+        &lt;/jaxrs:serviceBeans&gt;
+        &lt;jaxrs:properties&gt;
+            &lt;entry key="rs.security.signature.properties" 
value="org/apache/cxf/systest/jaxrs/security/secret.jwk.properties"/&gt;
+            &lt;entry key="rs.security.encryption.properties" 
value="org/apache/cxf/systest/jaxrs/security/secret.jwk.properties"/&gt;
+         &lt;/jaxrs:properties&gt;
+    &lt;/jaxrs:server&gt;
+&lt;/beans</pre>
+</div></div><p>See the <a shape="rect" href="jax-rs-jose.html">Configuration 
section</a> for all the available configuration options.</p><h3 
id="JAX-RSJOSE-ConsumeJOSEdata">Consume JOSE data</h3><h4 
id="JAX-RSJOSE-Step1.UseJoseConsumerorJoseJwtConsumer">Step1. Use JoseConsumer 
or JoseJwtConsumer</h4><h4 
id="JAX-RSJOSE-Step2.Setthekeystorelocationandthealgorithminfo.1">Step2. Set 
the key store location and the algorithm info</h4><h3 
id="JAX-RSJOSE-ProduceandConsumeJOSEdata">Produce and Consume JOSE data</h3><h4 
id="JAX-RSJOSE-Step1.UseJoseProducerConsumerorJoseJwtProducerConsumer">Step1. 
Use JoseProducerConsumer or JoseJwtProducerConsumer</h4><h4 
id="JAX-RSJOSE-Step2.Setthekeystorelocationandthealgorithminfo.2">Step2. Set 
the key store location and the algorithm info</h4><h1 
id="JAX-RSJOSE-Configuration">Configuration</h1><p>CXF JOSE configuration 
provides for loading JWS and JWE keys and supporting various processing 
options. Configuration properties can be shared between JWS and JW
 E processors or in/out only JWS and or JWE properties can be 
set.</p><p>Typically a secure JAX-RS endpoint or client is initialized with JWS 
and or JWE properties.</p><p>For example, <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jose/jwejws/server.xml#L197";
 rel="nofollow">this endpoint</a> is configured with a <a shape="rect" 
class="external-link" 
href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jose/jwejws/server.xml#L207";
 rel="nofollow">single JWS properties file</a> which will apply to both input 
(signature verification) and output (signature creation) JWS operations. <a 
shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jose/jwejws/server.xml#L210";
 rel="nofollow">This endpoint</a
 > depends on <a shape="rect" class="external-link" 
 > href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jose/jwejws/server.xml#L218";
 >  rel="nofollow">two JWS properties files</a>, one - for input JWS, another 
 > one - for output JWS. Similarly, <a shape="rect" class="external-link" 
 > href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jose/jwejws/server.xml#L153";
 >  rel="nofollow">this endpoint</a> uses a <a shape="rect" 
 > class="external-link" 
 > href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jose/jwejws/server.xml#L162";
 >  rel="nofollow">single JWE properties file</a> for encrypting/decrypting the 
 > data, while <a shape="rect" class="external-link" 
 > href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jose/j
 wejws/server.xml#L139" rel="nofollow">this endpoint</a> uses <a shape="rect" 
class="external-link" 
href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jose/jwejws/server.xml#L139";
 rel="nofollow">two JWE properties files</a>. <a shape="rect" 
class="external-link" 
href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jose/jwejws/server.xml#L178";
 rel="nofollow">This endpoint</a> support both JWS and JSON with <a 
shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jose/jwejws/server.xml#L189";
 rel="nofollow">in/out specific properties</a>. If either JWS or JWE private 
key needs to be loaded from the password-protected storage (JKS, encryped 
JWK)&#160; then a&#160;<a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/b
 
lob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/PrivateKeyPasswordProvider.java"
 rel="nofollow">password provider</a> needs be <a shape="rect" 
class="external-link" 
href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jose/jwejws/server.xml#L194";
 rel="nofollow">registered</a> as well, it can be shared between JWS or JWS or 
be in/out specific for either JWS or JWE.</p><p>These configuration propertie 
are of major help when JAX-RS JOSE filters process the in/out payload without 
the application service code being aware of it. While filters can be injected 
with JWS or JWE providers directly, one would usually set the relevant 
properties as part of the endpoint or client set-up and expect the filters load 
the required JWS or JWE providers as needed.&#160;</p><p>If you need to do JWS 
or JWE processing directly in your service or interceptor code then having the 
properti
 es may also be helpful, for example, the following code works because it is 
indirectly supported by the properties indicating which signature or encryption 
algorithm is used, where to get the key if needed, etc:</p><div class="code 
panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" 
style="border-bottom-width: 1px;"><b>Loading JWS and JWE Providers 
</b></div><div class="codeContent panelContent pdl">
 <pre class="brush: java; gutter: false; theme: Default" 
style="font-size:12px;">JwsSignatureProvider jwsOut = 
JwsUtils.loadSignatureProvider(true);
 JwsSignatureVerifier jwsIn = JwsUtils.loadSignatureVerifier(true);
 
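Review bot: the new paragraph after the second JoseJwtProducer sample says the helpers can be injected with "JwsSignatureProvider and/or JweSignatureProvider instances", but the JWE-side class in this library is JweEncryptionProvider (the same hunk's context already uses JweEncryptionProvider/JweDecryptionProvider a few lines below), and the following sentence reads "Use their 'setJwsRequired' or 'setJwsRequired' properties", naming the same setter twice where the second must be 'setJweRequired'. The second JoseJwtProducer sample also disagrees with the first: it calls `producer.processData(new JwtToken(new JwtClaims()))` whereas the first sample and the JWT helper use `processJwt`, and it declares `SecureService extends AbstractSecureService`, a class the page never introduces; mirror the first sample and add the `org.apache.cxf.rs.security.jose.jwt` imports for JwtClaims and JwtToken. In the Spring snippet the final `&lt;/beans` is missing its closing `&gt;`. Two content points: both `rs.security.signature.properties` and `rs.security.encryption.properties` point at the same `secret.jwk.properties`, so a reader copying this will use one key set for signing and encryption; either reference distinct files or state that the shared file is for illustration only. And the heading promises "the key store location and the algorithm info", yet the sample shows only the two property-file locations and never says where the algorithm is configured; add a sentence saying it lives inside the referenced properties files. The "Consume JOSE data" and "Produce and Consume JOSE data" Step1/Step2 headings are still empty, so either fill them or say they are forthcoming. Finally, typos carried into the new text: "straighforward", "locatiion"; and in the surrounding context "This endpoint support both JWS and JSON" (JWS and JWE?), "shared between JWS or JWS" (JWS or JWE), "propertie", "encryped".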
@@ -694,7 +756,7 @@ JweDecryptionProvider jweIn = JweUtils.l
 </div></div><p>The providers may be initialized from a single properties file 
or each of them may have specific properties allocated to it.</p><p>Sometimes 
it can be useful to load the properties only and check the signature or 
encryption algorithm and load a JWS or JWE provider directly as shown in JWS 
and JWE sections above.</p><div class="code panel pdl" style="border-width: 
1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 
1px;"><b>Loading JWS and JWE properties</b></div><div class="codeContent 
panelContent pdl">
 <pre class="brush: java; gutter: false; theme: Default" 
style="font-size:12px;">Properties jwsProps = 
JweUtils.loadEncryptionProperties("jws.properties", true);
 Properties jweProps = JweUtils.loadEncryptionProperties("jwe.properties", 
true);</pre>
-</div></div><p>After loading the properties one can check various property 
values (signature algorithm, etc) and use it to create a required 
provider.</p><p>The above code needs to be executed in the context of the 
current request (in server or client in/out interceptors or server service 
code) as it expects the current CXF Message be available in order to deduce 
where to load the configuration properties from. However&#160;<a shape="rect" 
class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java";
 rel="nofollow">JwsUtils</a> and&#160;<a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java";
 rel="nofollow">JweUtils</a> provide a number of utility methods for loading 
the providers without loading the properties first which can be used when 
setting up the c
 lient code or when no properties are available in the current request 
context.</p><p>&#160;</p><p>When the code needs to load the configuration 
properties it first looks for the property 'container' file which contains the 
specific properties instructing which keys and algorithms need to be used. 
Singature or encryption properties for in/out operations can be provided. 
&#160;</p><h2 id="JAX-RSJOSE-ConfigurationPropertyContainers">Configuration 
Property Containers</h2><h3 id="JAX-RSJOSE-Signature">Signature</h3><div 
class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.signature.out.properties</td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file 
for Compact or JSON signature creation. If not specified then it falls back to 
"rs.security.signature.properties".</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.signature.in.properties</td><td 
colspan="1" rowspa
 n="1" class="confluenceTd"><p>The signature properties file for Compact or 
JSON signature verification. If not specified then it falls back to 
"rs.security.signature.properties".</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.signature.properties</td><td 
colspan="1" rowspan="1" class="confluenceTd">The signature properties file for 
Compact or JSON signature 
creation/verification.</td></tr></tbody></table></div><h3 
id="JAX-RSJOSE-Encryption">Encryption</h3><div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.encryption.out.properties</td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>The encryption properties file for Compact 
or JSON encryption creation. If not specified then it falls back to 
"rs.security.encryption.properties".</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.encryption.in.properties</td><td 
colspan="1" rowspan="1" class="conflue
 nceTd"><p>The encryption properties file for Compact or JSON decryption. If 
not specified then it falls back to 
"rs.security.encryption.properties".</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.encryption.properties</td><td 
colspan="1" rowspan="1" class="confluenceTd">The signature properties file for 
encryption/decryption.</td></tr></tbody></table></div><p>Note that these 
property containers can be used for creating/processing JWS and JWE Compact and 
JSON sequences. If it is either JWS JSON or JWE JSON and you wish to have more 
than one signature or encryption be created then let the property value be a 
commas separated list of locations, with each location pointing to a unique 
signature or encryption operation property file.</p><p>Once the properties are 
loaded the runtime proceeds with initializing JWS/JWE providers accordingly. 
The following section lists the properties, some oif them being common and some 
- unique to the signature/verification a
 nd encryption/decryption processes.</p><p>Note that one can override some of 
the properties, for example, 'rs.security.store' can be set as a dynamic 
request property pointing to a preloaded Java KeyStore object.</p><h2 
id="JAX-RSJOSE-Configurationthatappliestobothencryptionandsignature">Configuration
 that applies to both encryption and signature</h2><div 
class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.keystore</td><td colspan="1" 
rowspan="1" class="confluenceTd">The Java KeyStore Object to use. This 
configuration tag is used if you want to pass the KeyStore Object through 
dynamically.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>rs.security.keystore.type</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>The keystore type. Suitable values are 
"jks" or "jwk".</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.keystore.password</td><td colspan="1" rowspan=
 "1" class="confluenceTd">The password required to access the 
keystore.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.keystore.alias</td><td colspan="1" rowspan="1" 
class="confluenceTd">&#160;The keystore alias corresponding to the key to use. 
You can append one of the following to this tag to get the alias for more 
specific operations:<br clear="none">&#160;&#160;&#160;&#160; - jwe.out<br 
clear="none">&#160;&#160;&#160;&#160; - jwe.in<br 
clear="none">&#160;&#160;&#160;&#160; - jws.out<br 
clear="none">&#160;&#160;&#160;&#160; - jws.in</td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.keystore.aliases</td><td 
colspan="1" rowspan="1" class="confluenceTd">The keystore aliases corresponding 
to the keys to use, when using the JSON serialization form. You can append one 
of the following to this tag to get the alias for more specific operations:<br 
clear="none">&#160;&#160;&#160;&#160; - jws.out<br 
clear="none">&#160;&#160;&#160;&#160; - j
 ws.in</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.keystore.file</td><td colspan="1" rowspan="1" 
class="confluenceTd">The path to the keystore file.</td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd">rs.security.key.password</td><td 
colspan="1" rowspan="1" class="confluenceTd">The password required to access 
the private key (in the keystore).</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.key.password.provider</td><td colspan="1" 
rowspan="1" class="confluenceTd">A reference to a PrivateKeyPasswordProvider 
instance used to retrieve passwords to access keys.</td></tr><tr><td 
colspan="1" rowspan="1" 
class="confluenceTd">rs.security.accept.public.key</td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Whether to allow using a JWK received in 
the header for signature validation. The default is 
"false".</p></td></tr></tbody></table></div><h2 
id="JAX-RSJOSE-Configurationthatappliestosignatureonly">Configuration that app
 lies to signature only</h2><div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>rs.security.signature.key.password.provider</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>A reference to a 
PrivateKeyPasswordProvider instance used to retrieve passwords to access keys 
for signature. If this is not specified it falls back to use 
"rs.security.key.password.provider".</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.signature.algorithm</td><td 
colspan="1" rowspan="1" class="confluenceTd">The signature algorithm to use. 
The default algorithm if not specified is 'RS256'.</td></tr><tr><td colspan="1" 
rowspan="1" 
class="confluenceTd">rs.security.signature.include.public.key</td><td 
colspan="1" rowspan="1" class="confluenceTd">Include the JWK public key for 
signature in the "jwk" header.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.signature.include.cert</td><t
 d colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate 
for signature in the "x5c" header.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.signature.include.key.id</td><td colspan="1" 
rowspan="1" class="confluenceTd">Include the JWK key id for signature in the 
"kid" header.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.signature.include.cert.sha1</td><td 
colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate 
SHA-1 digest for signature in the "x5t" 
header.</td></tr></tbody></table></div><h2 
id="JAX-RSJOSE-Configurationthatappliestoencryptiononly">Configuration that 
applies to encryption only</h2><div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>rs.security.decryption.key.password.provider</p></td><td
 colspan="1" rowspan="1" class="confluenceTd"><p>A reference to a 
PrivateKeyPasswordProvider instance used to retrieve passwor
 ds to access keys for decryption. If this is not specified it falls back to 
use "rs.security.key.password.provider".</p></td></tr><tr><td colspan="1" 
rowspan="1" 
class="confluenceTd">rs.security.encryption.content.algorithm</td><td 
colspan="1" rowspan="1" class="confluenceTd">The encryption content algorithm 
to use. The default algorithm if not specified is 'A128GCM'.</td></tr><tr><td 
colspan="1" rowspan="1" 
class="confluenceTd">rs.security.encryption.key.algorithm</td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>The encryption key algorithm to use. The 
default algorithm if not specified is 'RSA-OAEP' if the key is an RSA key, and 
'A128GCMKW' if it is an octet sequence.</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.encryption.zip.algorithm</td><td 
colspan="1" rowspan="1" class="confluenceTd">The encryption zip algorithm to 
use.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.encryption.include.public.key</td><td colspa
 n="1" rowspan="1" class="confluenceTd">Include the JWK public key 
for&#160;encryption in the "jwk" header.</td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.encryption.include.cert</td><td 
colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate 
for&#160;encryption in the "x5c" header.</td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.encryption.include.key.id</td><td 
colspan="1" rowspan="1" class="confluenceTd">Include the JWK key id 
for&#160;encryption in the "kid" header.</td></tr><tr><td colspan="1" 
rowspan="1" 
class="confluenceTd">rs.security.encryption.include.cert.sha1</td><td 
colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate 
SHA-1 digest for&#160;encryption in the "x5t" 
header.</td></tr></tbody></table></div><h2 
id="JAX-RSJOSE-ConfigurationthatappliestoJWTtokensonly">Configuration that 
applies to JWT tokens only</h2><div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><td 
 colspan="1" rowspan="1" 
class="confluenceTd"><p>rs.security.enable.unsigned-jwt.principal</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>Whether to allow unsigned JWT 
tokens as SecurityContext Principals. The default is 
false.</p></td></tr></tbody></table></div><h1 
id="JAX-RSJOSE-Interoperability">Interoperability</h1><p>&#160;</p><p><a 
shape="rect" class="external-link" 
href="https://datatracker.ietf.org/wg/jose/documents/"; rel="nofollow">JOSE</a> 
is already widely supported in OAuth2 and OIDC applications. Besides that CXF 
JOSE client or server will interoperate with a 3rd party client/server able to 
produce or consume JWS/JWE sequences.&#160; For example, see a <a shape="rect" 
class="external-link" href="https://www.w3.org/TR/WebCryptoAPI/#jose"; 
rel="nofollow">WebCrypto API use case</a> and&#160; <a shape="rect" 
class="external-link" href="https://mobilepki.org/WCPPSignatureDemo/home"; 
rel="nofollow">the demo</a> which demonstrates how a JWS sequence produced by a 
bro
 wser-hosted script can be validated by a server application capable of 
processing JWS, with the demo browser client being tested against a CXF JWS 
server too.&#160;</p><p>&#160;</p><h1 
id="JAX-RSJOSE-Third-PartyLibraries">Third-Party Libraries</h1><p><a 
shape="rect" class="external-link" 
href="https://bitbucket.org/b_c/jose4j/wiki/Home"; 
rel="nofollow">Jose4J</a></p><p><a shape="rect" class="external-link" 
href="http://connect2id.com/products/nimbus-jose-jwt"; rel="nofollow">Nimbus 
JOSE</a></p><p>&#160;</p></div>
+</div></div><p>After loading the properties one can check various property 
values (signature algorithm, etc) and use it to create a required 
provider.</p><p>The above code needs to be executed in the context of the 
current request (in server or client in/out interceptors or server service 
code) as it expects the current CXF Message be available in order to deduce 
where to load the configuration properties from. However&#160;<a shape="rect" 
class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java";
 rel="nofollow">JwsUtils</a> and&#160;<a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java";
 rel="nofollow">JweUtils</a> provide a number of utility methods for loading 
the providers without loading the properties first which can be used when 
setting up the c
 lient code or when no properties are available in the current request 
context.</p><p>&#160;</p><p>When the code needs to load the configuration 
properties it first looks for the property 'container' file which contains the 
specific properties instructing which keys and algorithms need to be used. 
Singature or encryption properties for in/out operations can be provided. 
&#160;</p><h2 id="JAX-RSJOSE-ConfigurationPropertyContainers">Configuration 
Property Containers</h2><h3 id="JAX-RSJOSE-Signature">Signature</h3><div 
class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.signature.out.properties</td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file 
for Compact or JSON signature creation. If not specified then it falls back to 
"rs.security.signature.properties".</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.signature.in.properties</td><td 
colspan="1" rowspa
 n="1" class="confluenceTd"><p>The signature properties file for Compact or 
JSON signature verification. If not specified then it falls back to 
"rs.security.signature.properties".</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.signature.properties</td><td 
colspan="1" rowspan="1" class="confluenceTd">The signature properties file for 
Compact or JSON signature 
creation/verification.</td></tr></tbody></table></div><h3 
id="JAX-RSJOSE-Encryption">Encryption</h3><div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.encryption.out.properties</td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>The encryption properties file for Compact 
or JSON encryption creation. If not specified then it falls back to 
"rs.security.encryption.properties".</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.encryption.in.properties</td><td 
colspan="1" rowspan="1" class="conflue
 nceTd"><p>The encryption properties file for Compact or JSON decryption. If 
not specified then it falls back to 
"rs.security.encryption.properties".</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.encryption.properties</td><td 
colspan="1" rowspan="1" class="confluenceTd">The encryption properties file for 
encryption/decryption.</td></tr></tbody></table></div><p>Note that these 
property containers can be used for creating/processing JWS and JWE Compact and 
JSON sequences. If it is either JWS JSON or JWE JSON and you wish to have more 
than one signature or encryption be created then let the property value be a 
commas separated list of locations, with each location pointing to a unique 
signature or encryption operation property file.</p><p>Once the properties are 
loaded the runtime proceeds with initializing JWS/JWE providers accordingly. 
The following section lists the properties, some oif them being common and some 
- unique to the signature/verification 
 and encryption/decryption processes.</p><p>Note that one can override some of 
the properties, for example, 'rs.security.store' can be set as a dynamic 
request property pointing to a preloaded Java KeyStore object.</p><h2 
id="JAX-RSJOSE-Configurationthatappliestobothencryptionandsignature">Configuration
 that applies to both encryption and signature</h2><div 
class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.keystore</td><td colspan="1" 
rowspan="1" class="confluenceTd">The Java KeyStore Object to use. This 
configuration tag is used if you want to pass the KeyStore Object through 
dynamically.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>rs.security.keystore.type</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>The keystore type. Suitable values are 
"jks" or "jwk".</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.keystore.password</td><td colspan="1" rowspan
 ="1" class="confluenceTd">The password required to access the 
keystore.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.keystore.alias</td><td colspan="1" rowspan="1" 
class="confluenceTd">&#160;The keystore alias corresponding to the key to use. 
You can append one of the following to this tag to get the alias for more 
specific operations:<br clear="none">&#160;&#160;&#160;&#160; - jwe.out<br 
clear="none">&#160;&#160;&#160;&#160; - jwe.in<br 
clear="none">&#160;&#160;&#160;&#160; - jws.out<br 
clear="none">&#160;&#160;&#160;&#160; - jws.in</td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.keystore.aliases</td><td 
colspan="1" rowspan="1" class="confluenceTd">The keystore aliases corresponding 
to the keys to use, when using the JSON serialization form. You can append one 
of the following to this tag to get the alias for more specific operations:<br 
clear="none">&#160;&#160;&#160;&#160; - jws.out<br 
clear="none">&#160;&#160;&#160;&#160; - 
 jws.in</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.keystore.file</td><td colspan="1" rowspan="1" 
class="confluenceTd">The path to the keystore file.</td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd">rs.security.key.password</td><td 
colspan="1" rowspan="1" class="confluenceTd">The password required to access 
the private key (in the keystore).</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.key.password.provider</td><td colspan="1" 
rowspan="1" class="confluenceTd">A reference to a PrivateKeyPasswordProvider 
instance used to retrieve passwords to access keys.</td></tr><tr><td 
colspan="1" rowspan="1" 
class="confluenceTd">rs.security.accept.public.key</td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Whether to allow using a JWK received in 
the header for signature validation. The default is 
"false".</p></td></tr></tbody></table></div><h2 
id="JAX-RSJOSE-Configurationthatappliestosignatureonly">Configuration that ap
 plies to signature only</h2><div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>rs.security.signature.key.password.provider</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>A reference to a 
PrivateKeyPasswordProvider instance used to retrieve passwords to access keys 
for signature. If this is not specified it falls back to use 
"rs.security.key.password.provider".</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.signature.algorithm</td><td 
colspan="1" rowspan="1" class="confluenceTd">The signature algorithm to use. 
The default algorithm if not specified is 'RS256'.</td></tr><tr><td colspan="1" 
rowspan="1" 
class="confluenceTd">rs.security.signature.include.public.key</td><td 
colspan="1" rowspan="1" class="confluenceTd">Include the JWK public key for 
signature in the "jwk" header.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.signature.include.cert</td><
 td colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate 
for signature in the "x5c" header.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.signature.include.key.id</td><td colspan="1" 
rowspan="1" class="confluenceTd">Include the JWK key id for signature in the 
"kid" header.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.signature.include.cert.sha1</td><td 
colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate 
SHA-1 digest for signature in the "x5t" 
header.</td></tr></tbody></table></div><h2 
id="JAX-RSJOSE-Configurationthatappliestoencryptiononly">Configuration that 
applies to encryption only</h2><div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>rs.security.decryption.key.password.provider</p></td><td
 colspan="1" rowspan="1" class="confluenceTd"><p>A reference to a 
PrivateKeyPasswordProvider instance used to retrieve passwo
 rds to access keys for decryption. If this is not specified it falls back to 
use "rs.security.key.password.provider".</p></td></tr><tr><td colspan="1" 
rowspan="1" 
class="confluenceTd">rs.security.encryption.content.algorithm</td><td 
colspan="1" rowspan="1" class="confluenceTd">The encryption content algorithm 
to use. The default algorithm if not specified is 'A128GCM'.</td></tr><tr><td 
colspan="1" rowspan="1" 
class="confluenceTd">rs.security.encryption.key.algorithm</td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>The encryption key algorithm to use. The 
default algorithm if not specified is 'RSA-OAEP' if the key is an RSA key, and 
'A128GCMKW' if it is an octet sequence.</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.encryption.zip.algorithm</td><td 
colspan="1" rowspan="1" class="confluenceTd">The encryption zip algorithm to 
use.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.encryption.include.public.key</td><td colsp
 an="1" rowspan="1" class="confluenceTd">Include the JWK public key 
for&#160;encryption in the "jwk" header.</td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.encryption.include.cert</td><td 
colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate 
for&#160;encryption in the "x5c" header.</td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.encryption.include.key.id</td><td 
colspan="1" rowspan="1" class="confluenceTd">Include the JWK key id 
for&#160;encryption in the "kid" header.</td></tr><tr><td colspan="1" 
rowspan="1" 
class="confluenceTd">rs.security.encryption.include.cert.sha1</td><td 
colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate 
SHA-1 digest for&#160;encryption in the "x5t" 
header.</td></tr></tbody></table></div><h2 
id="JAX-RSJOSE-ConfigurationthatappliestoJWTtokensonly">Configuration that 
applies to JWT tokens only</h2><div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><td
  colspan="1" rowspan="1" 
class="confluenceTd"><p>rs.security.enable.unsigned-jwt.principal</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>Whether to allow unsigned JWT 
tokens as SecurityContext Principals. The default is 
false.</p></td></tr></tbody></table></div><h1 
id="JAX-RSJOSE-Interoperability">Interoperability</h1><p>&#160;</p><p><a 
shape="rect" class="external-link" 
href="https://datatracker.ietf.org/wg/jose/documents/"; rel="nofollow">JOSE</a> 
is already widely supported in OAuth2 and OIDC applications. Besides that CXF 
JOSE client or server will interoperate with a 3rd party client/server able to 
produce or consume JWS/JWE sequences.&#160; For example, see a <a shape="rect" 
class="external-link" href="https://www.w3.org/TR/WebCryptoAPI/#jose"; 
rel="nofollow">WebCrypto API use case</a> and&#160; <a shape="rect" 
class="external-link" href="https://mobilepki.org/WCPPSignatureDemo/home"; 
rel="nofollow">the demo</a> which demonstrates how a JWS sequence produced by a 
br
 owser-hosted script can be validated by a server application capable of 
processing JWS, with the demo browser client being tested against a CXF JWS 
server too.&#160;</p><p>&#160;</p><h1 
id="JAX-RSJOSE-Third-PartyLibraries">Third-Party Libraries</h1><p><a 
shape="rect" class="external-link" 
href="https://bitbucket.org/b_c/jose4j/wiki/Home"; 
rel="nofollow">Jose4J</a></p><p><a shape="rect" class="external-link" 
href="http://connect2id.com/products/nimbus-jose-jwt"; rel="nofollow">Nimbus 
JOSE</a></p><p>&#160;</p></div>
            </div>
            <!-- Content -->
          </td>
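Review bot: the rs.security.encryption.properties cell in the Encryption container table is now correctly described as "The encryption properties file for encryption/decryption." (it previously said "The signature properties file"), but the same rewritten content line still carries several errors that this pass could fix at the same time: "Singature or encryption properties" (typo for "Signature") in the paragraph just before "Configuration Property Containers"; "commas separated list of locations" (should be "comma-separated list") and "some oif them being common" (should be "some of them") in the notes that follow the Encryption table; and the override example refers to 'rs.security.store' while the key the table actually documents for passing a preloaded KeyStore is rs.security.keystore, so either the prose or the table key is wrong and the two should be reconciled so readers configure the property the runtime really reads.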

