Author: buildbot
Date: Fri Jun 16 16:47:38 2017
New Revision: 1014143
Log:
Production update by buildbot for cxf
Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/jax-rs-jose.html
Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.
Modified: websites/production/cxf/content/docs/jax-rs-jose.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-jose.html (original)
+++ websites/production/cxf/content/docs/jax-rs-jose.html Fri Jun 16 16:47:38
2017
@@ -119,11 +119,11 @@ Apache CXF -- JAX-RS JOSE
<!-- Content -->
<div class="wiki-content">
<div id="ConfluenceContent"><p> </p><p> </p><p><style
type="text/css">/*<![CDATA[*/
-div.rbtoc1497541625237 {padding: 0px;}
-div.rbtoc1497541625237 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1497541625237 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1497631622116 {padding: 0px;}
+div.rbtoc1497631622116 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1497631622116 li {margin-left: 0px;padding-left: 0px;}
-/*]]>*/</style></p><div class="toc-macro rbtoc1497541625237">
+/*]]>*/</style></p><div class="toc-macro rbtoc1497631622116">
<ul class="toc-indentation"><li><a shape="rect"
href="#JAX-RSJOSE-Introduction">Introduction</a></li><li><a shape="rect"
href="#JAX-RSJOSE-MavenDependencies">Maven Dependencies</a></li><li><a
shape="rect" href="#JAX-RSJOSE-JavaandJCEPolicy">Java and JCE
Policy </a></li><li><a shape="rect"
href="#JAX-RSJOSE-JOSEOverviewandImplementation">JOSE Overview and
Implementation</a>
<ul class="toc-indentation"><li><a shape="rect"
href="#JAX-RSJOSE-JWAAlgorithms">JWA Algorithms</a></li><li><a shape="rect"
href="#JAX-RSJOSE-JWKKeys">JWK Keys</a></li><li><a shape="rect"
href="#JAX-RSJOSE-JWSSignature">JWS Signature</a>
<ul class="toc-indentation"><li><a shape="rect"
href="#JAX-RSJOSE-SignatureandVerificationProviders">Signature and Verification
Providers</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSCompact">JWS
Compact</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSJSON">JWS
JSON</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSwithDetachedContent">JWS
with Detached Content</a></li><li><a shape="rect"
href="#JAX-RSJOSE-JWSwithUnencodedPayload">JWS with Unencoded
Payload</a></li></ul>
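Review bot: the only change in this hunk is the regenerated TOC class name, rbtoc1497541625237 becoming rbtoc1497631622116, in the three CSS rules and on the `div.toc-macro` element; it is publish-time churn from the Confluence export rather than a content edit, and a stable class name for the TOC macro would keep future diffs of this page limited to real changes.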
@@ -679,7 +679,7 @@ Payload:
"ciphertext":"alKm_g",
"tag":"DkW2pZCd7lhR0KqIGQ69-A"
}</pre>
-</div></div><p>Note the Base64Url encoded protected headers go first, followed
by the 'recipients' array, with each element containing the encrypted content
encryption key which can be decrypted by the recipient private key, with the
array of recipients followed by the IV, ciphertext and authentication tag
Base64Url sequences.</p><h2
id="JAX-RSJOSE-LinkingJWTauthenticationstoJWSorJWEcontent">Linking JWT
authentications to JWS or JWE content</h2><p>CXF introduced a "JWT" HTTP
authentication scheme, with a Base64Url encoded JWT token representing a user
authentication against an IDP capable of issuing JWT assertions (or simply JWT
tokens). JWT assertion is like SAML assertion except that it is in a JSON
format. If you'd like to cryptographically bind this JWT token to a data
secured by JWS and/or JWE processors then simply add <a shape="rect"
class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/secu
rity/jose/jaxrs/JwtAuthenticationClientFilter.java"
rel="nofollow">JwtAuthenticationClientFilter</a>on the client side and <a
shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java"
rel="nofollow">JwtAuthenticationFilter</a> on the server side. These filters
link the authentication token with a randomly generated secure value which is
added to both the token and the body JWS/JWE protected headers.</p><p>This
approach is more effective compared to the ones where the body hash is
calculated before it is submitted to a signature creation function, with the
signature added as HTTP header.</p><h2
id="JAX-RSJOSE-OptionalprotectionofHTTPheaders">Optional protection of HTTP
headers</h2><p>Starting from CXF 3.1.12 it is possible to use JWS, JWS JSON,
JWE and JWE JSON filters to protect the selected set of HTTP headers. The JOSE
payloads produced b
y these filters guarantee that the JOSE headers are integrity protected. Given
this, if one enables a 'protectHttpHeaders' boolean property on the request
filters, then, by default, HTTP Content-Type and Accept header values will be
registered as JOSE header properties prefixed with "http.", example,
"http.Accept":"text/plain". The list of the headers to be protected can be
customized using a 'protectedHttpHeaders' set property.</p><p>These properties
will be compared against the current HTTP headers on the receiving
end.</p><p>This approach does not prevent the streaming of the outgoing data
(which will also be protected by the filters) and offers a way to secure the
HTTP headers which are really important for the correct processing of the
incoming payloads</p><h1 id="JAX-RSJOSE-JOSEinJAX-RSapplicationcode">JOSE in
JAX-RS application code</h1><p>In some cases you may need to create or process
the JOSE data directly in the service or client application code. For example,
one of the
properties in the request or response payload needs to be JWS signed/verified
and/or JWE encrypted/decrypted. The following 2 options can be tried.</p><h2
id="JAX-RSJOSE-Option1:ProcessJOSEdirectly">Option 1:  Process JOSE
directly</h2><p>This option is about using the CXF JOSE library to sign,
encrypt, or/and decrypt and verify the data as <a shape="rect"
href="jax-rs-jose.html">documented above</a>. This option should be preferred
if one needs to keep a closer control, for example, set the custom JWS or JWE
headers, etc.</p><h2
id="JAX-RSJOSE-Option2:UseJOSElibraryhelpersandEndpointConfiguration">Option
2:  Use JOSE library helpers and Endpoint Configuration</h2><p>This option
makes it straighforward to do JOSE in the application code. One has to extend
or delegate to a specific JOSE helper instance and configure the endpoint with
the locatiion of the key store.</p><h3 id="JAX-RSJOSE-ProduceJOSEdata">Produce
JOSE data</h3><p>If you need to protect some non JWT property -
extend or delegate to <strong>JoseProducer</strong>:</p><div class="code
panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</div></div><p>Note the Base64Url encoded protected headers go first, followed
by the 'recipients' array, with each element containing the encrypted content
encryption key which can be decrypted by the recipient private key, with the
array of recipients followed by the IV, ciphertext and authentication tag
Base64Url sequences.</p><h2
id="JAX-RSJOSE-LinkingJWTauthenticationstoJWSorJWEcontent">Linking JWT
authentications to JWS or JWE content</h2><p>CXF introduced a "JWT" HTTP
authentication scheme, with a Base64Url encoded JWT token representing a user
authentication against an IDP capable of issuing JWT assertions (or simply JWT
tokens). JWT assertion is like SAML assertion except that it is in a JSON
format. If you'd like to cryptographically bind this JWT token to a data
secured by JWS and/or JWE processors then simply add <a shape="rect"
class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/secu
rity/jose/jaxrs/JwtAuthenticationClientFilter.java"
rel="nofollow">JwtAuthenticationClientFilter</a>on the client side and <a
shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java"
rel="nofollow">JwtAuthenticationFilter</a> on the server side. These filters
link the authentication token with a randomly generated secure value which is
added to both the token and the body JWS/JWE protected headers.</p><p>This
approach is more effective compared to the ones where the body hash is
calculated before it is submitted to a signature creation function, with the
signature added as HTTP header.</p><h2
id="JAX-RSJOSE-OptionalprotectionofHTTPheaders">Optional protection of HTTP
headers</h2><p>Starting from CXF 3.1.12 it is possible to use JWS, JWS JSON,
JWE and JWE JSON filters to protect the selected set of HTTP headers. The JOSE
payloads produced b
y these filters guarantee that the JOSE headers are integrity protected. Given
this, if one enables a 'protectHttpHeaders' boolean property on the request
filters, then, by default, HTTP Content-Type and Accept header values will be
registered as JOSE header properties prefixed with "http.", example,
"http.Accept":"text/plain". The list of the headers to be protected can be
customized using a 'protectedHttpHeaders' set property.</p><p>These properties
will be compared against the current HTTP headers on the receiving
end.</p><p>This approach does not prevent the streaming of the outgoing data
(which will also be protected by the filters) and offers a way to secure the
HTTP headers which are really important for the correct processing of the
incoming payloads</p><h1 id="JAX-RSJOSE-JOSEinJAX-RSapplicationcode">JOSE in
JAX-RS application code</h1><p>In some cases you may need to create or process
the JOSE data directly in the service or client application code. For example,
one of the
properties in the request or response payload needs to be JWS signed/verified
and/or JWE encrypted/decrypted. The following 2 options can be tried.</p><h2
id="JAX-RSJOSE-Option1:ProcessJOSEdirectly">Option 1:  Process JOSE
directly</h2><p>This option is about using the CXF JOSE library to sign,
encrypt, or/and decrypt and verify the data as <a shape="rect"
href="jax-rs-jose.html">documented above</a>. This option should be preferred
if one needs to keep a closer control, for example, set the custom JWS or JWE
headers, etc.</p><h2
id="JAX-RSJOSE-Option2:UseJOSElibraryhelpersandEndpointConfiguration">Option
2:  Use JOSE library helpers and Endpoint Configuration</h2><p>This option
makes it straighforward to do JOSE in the application code. One has to extend
or delegate to a specific JOSE helper instance and configure the endpoint with
the location of the JOSE properties file where the JWS or JWE algorithm and key
store properties are set.</p><h3 id="JAX-RSJOSE-ProduceJOSEdat
a">Produce JOSE data</h3><p>If you need to protect some non JWT property -
extend or delegate to <strong>JoseProducer</strong>:</p><div class="code panel
pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">import
org.apache.cxf.rs.security.jose.common.JoseProducer;
@Path("service")
public class SecureService extends JoseProducer {
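Review bot: the replacement paragraph fixes "locatiion" but still carries "straighforward" (suggest "straightforward"), and "JwtAuthenticationClientFilter</a>on the client side" is missing a space after the closing tag in both the old and the new text (suggest "</a> on the client side"). The new wording, "configure the endpoint with the location of the JOSE properties file where the JWS or JWE algorithm and key store properties are set", is a clearer pointer than the old "location of the key store", but it leaves the actual endpoint property name implicit; naming the property the reader is expected to set would make the Option 2 section actionable. In the unchanged "Optional protection of HTTP headers" text, the sentence "These properties will be compared against the current HTTP headers on the receiving end" does not say what the receiving filter does on a mismatch; documenting that outcome is what a reader relying on this for header integrity needs to know, and the closing sentence "incoming payloads</p>" is also missing its full stop.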