This is an automated email from the ASF dual-hosted git repository. coheigea pushed a commit to branch 3.2.x-fixes in repository https://gitbox.apache.org/repos/asf/cxf.git
commit 8b40fdba289c62f4defae51c1f76860f0159c441 Author: Colm O hEigeartaigh <[email protected]> AuthorDate: Thu Nov 14 15:24:32 2019 +0000 Some updates to the OIDC JWK Keys service (cherry picked from commit 6852cd5e4927f8e651c0a0589b5ee3f61e753186) (cherry picked from commit 2de7e14eb95626fffef6f61365186de9a1c9de3d) --- .../cxf/rs/security/jose/jwk/JsonWebKeys.java | 8 +- .../apache/cxf/rs/security/jose/jwk/JwkUtils.java | 32 ++++ .../apache/cxf/rs/security/jose/jws/JwsUtils.java | 37 ++-- .../cxf/rs/security/jose/jws/JwsUtilsTest.java | 4 +- .../cxf/rs/security/oidc/idp/OidcKeysService.java | 18 +- .../jaxrs/security/oidc/OIDCKeysServiceTest.java | 196 +++++++++++++++++++++ .../jaxrs/security/oidc/oidc-keys-jcache.xml | 178 +++++++++++++++++++ 7 files changed, 452 insertions(+), 21 deletions(-) diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKeys.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKeys.java index 7141e65..53ac2b1 100644 --- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKeys.java +++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKeys.java @@ -35,11 +35,13 @@ public class JsonWebKeys extends JsonMapObject { } public JsonWebKeys(JsonWebKey key) { - setInitKey(key); - } - private void setInitKey(JsonWebKey key) { setKey(key); } + + public JsonWebKeys(List<JsonWebKey> keys) { + setKeys(keys); + } + public List<JsonWebKey> getKeys() { List<?> list = (List<?>)super.getProperty(KEYS_PROPERTY); if (list != null && !list.isEmpty()) { diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java index 6b71325..7477ecf 100644 --- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java 
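Review bot: The new `JsonWebKeys(List<JsonWebKey> keys)` constructor has no Javadoc, and whether `setKeys` stores the caller's list by reference or copies it is not visible in this hunk. Since JwsUtils now feeds this constructor lists produced by `stripPrivateParameters`, state the ownership, e.g. `/** Creates a key set from the given keys; the list is used as supplied, not copied. */`, or copy defensively with `setKeys(new ArrayList<>(keys));` if ArrayList is already imported in this file. Also document how a null or empty list is represented, because `getKeys()` below appears to return null for an empty list; the rest of `getKeys` is outside the hunk.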
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java @@ -37,6 +37,7 @@ import java.util.ArrayList; import java.util.Arrays; import java.util.Collections; import java.util.HashMap; +import java.util.Iterator; import java.util.List; import java.util.Map; import java.util.Properties; @@ -322,10 +323,18 @@ public final class JwkUtils { } return null; } + public static List<JsonWebKey> loadJsonWebKeys(Message m, Properties props, KeyOperation keyOper) { PrivateKeyPasswordProvider cb = KeyManagementUtils.loadPasswordProvider(m, props, keyOper); + return loadJsonWebKeys(m, props, keyOper, cb); + } + + public static List<JsonWebKey> loadJsonWebKeys(Message m, + Properties props, + KeyOperation keyOper, + PrivateKeyPasswordProvider cb) { JsonWebKeys jwkSet = loadJwkSet(m, props, cb); String kid = KeyManagementUtils.getKeyId(m, props, JoseConstants.RSSEC_KEY_STORE_ALIAS, keyOper); if (kid != null) { @@ -570,4 +579,27 @@ public final class JwkUtils { headers.setJsonWebKey(jwkPublic); } } + + public static List<JsonWebKey> stripPrivateParameters(List<JsonWebKey> keys) { + if (keys == null) { + return Collections.emptyList(); + } + + List<JsonWebKey> parsedKeys = new ArrayList<>(keys.size()); + Iterator<JsonWebKey> iter = keys.iterator(); + while (iter.hasNext()) { + JsonWebKey key = iter.next(); + if (!(key.containsProperty("k") || key.getKeyType() == KeyType.OCTET)) { + // We don't allow secret keys in a public keyset + key.removeProperty(JsonWebKey.RSA_PRIVATE_EXP); + key.removeProperty(JsonWebKey.RSA_FIRST_PRIME_FACTOR); + key.removeProperty(JsonWebKey.RSA_SECOND_PRIME_FACTOR); + key.removeProperty(JsonWebKey.RSA_FIRST_PRIME_CRT); + key.removeProperty(JsonWebKey.RSA_SECOND_PRIME_CRT); + key.removeProperty(JsonWebKey.RSA_FIRST_CRT_COEFFICIENT); + parsedKeys.add(key); + } + } + return parsedKeys; + } } 
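Review bot: The new four-argument `loadJsonWebKeys` overload takes a `PrivateKeyPasswordProvider cb` with no Javadoc, and the caller added to JwsUtils in this same commit passes `null`. If `loadJwkSet(m, props, cb)` relies on the provider to decrypt a password-protected JWK store (not visible here), a null provider would make such stores unreadable from the public-keys path. Document the contract, e.g. `@param cb password provider for an encrypted JWK store; may be null, in which case the store must be readable as plain JSON`, and confirm the null case against loadJwkSet. The method body continues past the end of the hunk.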
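Review bot: `stripPrivateParameters` removes `d`, `p`, `q`, `dp`, `dq` and `qi` but not `oth`, the RSA other-primes-info member (RFC 7518 section 6.3.2.7), so a multi-prime RSA private JWK would still leak that array; add `key.removeProperty("oth");` (or the matching JsonWebKey constant, if one exists) next to the other removals. The method also mutates the supplied key objects in place: if `loadJsonWebKeys` returns instances that are cached or shared with the signing path (not visible here), stripping would destroy the private key for later use, so it is safer to build each stripped key from a copy of `key.asMap()` and add the copy to `parsedKeys`. A short Javadoc should state that octet keys (`k` present or `kty` OCTET) are dropped entirely rather than stripped, which is why the HMAC system test expects no keys, and that EC/OKP private keys are covered only because their `d` member shares the name of `RSA_PRIVATE_EXP`.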
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java index c571248..8e2d92f 100644 --- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java +++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java @@ -41,6 +41,7 @@ import org.apache.cxf.message.Message; import org.apache.cxf.message.MessageUtils; import org.apache.cxf.phase.PhaseInterceptorChain; import org.apache.cxf.rs.security.jose.common.JoseConstants; +import org.apache.cxf.rs.security.jose.common.JoseException; import org.apache.cxf.rs.security.jose.common.JoseUtils; import org.apache.cxf.rs.security.jose.common.KeyManagementUtils; import org.apache.cxf.rs.security.jose.jwa.AlgorithmUtils; @@ -160,8 +161,8 @@ public final class JwsUtils { if (algo == null) { LOG.warning("No signature algorithm was defined"); throw new JwsException(JwsException.Error.ALGORITHM_NOT_SET); - } - + } + if (cert.getPublicKey() instanceof RSAPublicKey) { return new PublicKeyJwsSignatureVerifier(cert, algo); } else if (cert.getPublicKey() instanceof ECPublicKey) { @@ -267,8 +268,8 @@ public final class JwsUtils { Properties props = loadSignatureInProperties(required); return loadSignatureVerifier(props, headers); } - - + + public static boolean validateCriticalHeaders(JwsHeaders headers) { //TODO: validate JWS specific constraints return JoseUtils.validateCriticalHeaders(headers); @@ -278,7 +279,7 @@ public final class JwsUtils { return loadSignatureProvider(PhaseInterceptorChain.getCurrentMessage(), props, headers); } - + public static JwsSignatureProvider loadSignatureProvider(String propertiesLoc, Bus bus) { Properties props = loadSignatureProperties(propertiesLoc, bus); return loadSignatureProvider(props, null); 
@@ -289,11 +290,11 @@ public final class JwsUtils { JwsHeaders headers) { JwsSignatureProvider theSigProvider = null; - boolean includeCert = + boolean includeCert = JoseUtils.checkBooleanProperty(headers, props, m, JoseConstants.RSSEC_SIGNATURE_INCLUDE_CERT); - boolean includeCertSha1 = + boolean includeCertSha1 = JoseUtils.checkBooleanProperty(headers, props, m, JoseConstants.RSSEC_SIGNATURE_INCLUDE_CERT_SHA1); - boolean includeCertSha256 = + boolean includeCertSha256 = JoseUtils.checkBooleanProperty(headers, props, m, JoseConstants.RSSEC_SIGNATURE_INCLUDE_CERT_SHA256); boolean includeKeyId = JoseUtils.checkBooleanProperty(headers, props, m, JoseConstants.RSSEC_SIGNATURE_INCLUDE_KEY_ID); @@ -307,8 +308,8 @@ public final class JwsUtils { getDefaultKeyAlgorithm(jwk)); theSigProvider = JwsUtils.getSignatureProvider(jwk, signatureAlgo); - boolean includePublicKey = - JoseUtils.checkBooleanProperty(headers, props, m, + boolean includePublicKey = + JoseUtils.checkBooleanProperty(headers, props, m, JoseConstants.RSSEC_SIGNATURE_INCLUDE_PUBLIC_KEY); if (includeCert) { @@ -335,7 +336,7 @@ public final class JwsUtils { if (signatureAlgo == null) { signatureAlgo = getDefaultPrivateKeyAlgorithm(pk); } - + theSigProvider = getPrivateKeySignatureProvider(pk, signatureAlgo); if (includeCert) { headers.setX509Chain(KeyManagementUtils.loadAndEncodeX509CertificateOrChain(m, props)); @@ -344,7 +345,7 @@ public final class JwsUtils { KeyManagementUtils.setSha1DigestHeader(headers, m, props); } else if (includeCertSha256) { KeyManagementUtils.setSha256DigestHeader(headers, m, props); - } + } if (includeKeyId && props.containsKey(JoseConstants.RSSEC_KEY_STORE_ALIAS)) { headers.setKeyId(props.getProperty(JoseConstants.RSSEC_KEY_STORE_ALIAS)); } 
@@ -521,10 +522,20 @@ public final class JwsUtils { throw new JwsException(JwsException.Error.INVALID_KEY); } } + + @Deprecated public static JsonWebKeys loadPublicVerificationKeys(Message m, Properties props) { + return loadPublicVerificationKeys(m, props, true); + } + + public static JsonWebKeys loadPublicVerificationKeys(Message m, Properties props, boolean stripPrivateParameters) { String storeType = props.getProperty(JoseConstants.RSSEC_KEY_STORE_TYPE); if ("jwk".equals(storeType)) { - return JwkUtils.loadPublicJwkSet(m, props); + List<JsonWebKey> jsonWebKeys = JwkUtils.loadJsonWebKeys(m, props, KeyOperation.SIGN, null); + if (jsonWebKeys == null || jsonWebKeys.isEmpty()) { + throw new JoseException("Error loading keys"); + } + return new JsonWebKeys(stripPrivateParameters ? JwkUtils.stripPrivateParameters(jsonWebKeys) : jsonWebKeys); } X509Certificate[] certs = null; if (PropertyUtils.isTrue(props.get(JoseConstants.RSSEC_SIGNATURE_INCLUDE_CERT))) { diff --git a/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsUtilsTest.java b/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsUtilsTest.java index 9ff387f..d05280c 100644 --- a/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsUtilsTest.java +++ b/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsUtilsTest.java @@ -86,7 +86,7 @@ public class JwsUtilsTest extends Assert { "org/apache/cxf/rs/security/jose/jws/alice.jks"); p.put(JoseConstants.RSSEC_KEY_STORE_PSWD, "password"); p.put(JoseConstants.RSSEC_KEY_STORE_ALIAS, "alice"); - JsonWebKeys keySet = JwsUtils.loadPublicVerificationKeys(createMessage(), p); + JsonWebKeys keySet = JwsUtils.loadPublicVerificationKeys(createMessage(), p, true); assertEquals(1, keySet.asMap().size()); List<JsonWebKey> keys = keySet.getRsaKeys(); assertEquals(1, keys.size()); 
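Review bot: With `stripPrivateParameters == false` and a `jwk` store, the new `loadPublicVerificationKeys` returns whatever `loadJsonWebKeys` loaded for `KeyOperation.SIGN`, i.e. the signing keys with their private members and any octet secrets, despite the method's name, and nothing in the Javadoc warns about this. Add `@param stripPrivateParameters if false, private and symmetric key material loaded from the store is returned unchanged; pass false only when the result is never exposed to clients`, and give the `@Deprecated` two-argument form a `@deprecated use {@link #loadPublicVerificationKeys(Message, Properties, boolean)}` tag. The `JoseException("Error loading keys")` is raised only on the jwk branch; the X509 branch starting at `X509Certificate[] certs = null;` continues outside this hunk and appears to be unaffected by the flag.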
@@ -106,7 +106,7 @@ public class JwsUtilsTest extends Assert { p.put(JoseConstants.RSSEC_KEY_STORE_PSWD, "password"); p.put(JoseConstants.RSSEC_KEY_STORE_ALIAS, "alice"); p.put(JoseConstants.RSSEC_SIGNATURE_INCLUDE_CERT, true); - JsonWebKeys keySet = JwsUtils.loadPublicVerificationKeys(createMessage(), p); + JsonWebKeys keySet = JwsUtils.loadPublicVerificationKeys(createMessage(), p, true); assertEquals(1, keySet.asMap().size()); List<JsonWebKey> keys = keySet.getRsaKeys(); assertEquals(1, keys.size()); diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcKeysService.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcKeysService.java index fc1f0c7..ea5ad91 100644 --- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcKeysService.java +++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcKeysService.java @@ -34,13 +34,14 @@ public class OidcKeysService { private volatile JsonWebKeys keySet; private WebClient keyServiceClient; + private boolean stripPrivateParameters = true; @GET @Produces("application/json") public JsonWebKeys getPublicVerificationKeys() { if (keySet == null) { if (keyServiceClient == null) { - keySet = getFromLocalStore(); + keySet = getFromLocalStore(stripPrivateParameters); } else { keySet = keyServiceClient.get(JsonWebKeys.class); } 
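Review bot: `stripPrivateParameters` is applied only on the local-store branch of `getPublicVerificationKeys`; when `keyServiceClient` is set, the remote JWK Set is cached into `keySet` and served verbatim, so an upstream that includes private or octet keys would be relayed by this endpoint. Apply the same filter there: `keySet = keyServiceClient.get(JsonWebKeys.class); if (stripPrivateParameters) { keySet = new JsonWebKeys(JwkUtils.stripPrivateParameters(keySet.getKeys())); }` (needs a `JwkUtils` import); the new `stripPrivateParameters` already tolerates a null key list and the list constructor is added in this commit. The method body continues after this hunk.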
@@ -49,13 +50,24 @@ public class OidcKeysService { return keySet; } - private static JsonWebKeys getFromLocalStore() { + private static JsonWebKeys getFromLocalStore(boolean stripPrivateParameters) { Properties props = JwsUtils.loadSignatureInProperties(true); - return JwsUtils.loadPublicVerificationKeys(JAXRSUtils.getCurrentMessage(), props); + return JwsUtils.loadPublicVerificationKeys(JAXRSUtils.getCurrentMessage(), props, stripPrivateParameters); } public void setKeyServiceClient(WebClient keyServiceClient) { this.keyServiceClient = keyServiceClient; } + public boolean isStripPrivateParameters() { + return stripPrivateParameters; + } + + /** + * Whether to strip private parameters from the keys that are returned. The default is true. + */ + public void setStripPrivateParameters(boolean stripPrivateParameters) { + this.stripPrivateParameters = stripPrivateParameters; + } + } diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oidc/OIDCKeysServiceTest.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oidc/OIDCKeysServiceTest.java new file mode 100644 index 0000000..3144c4a --- /dev/null +++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oidc/OIDCKeysServiceTest.java 
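Review bot: The Javadoc on `setStripPrivateParameters` says what the flag does but not what disabling it means for a service that is normally published as an unauthenticated JWKS endpoint. Expand it to something like `Whether to strip private parameters from the keys that are returned (default true). Setting this to false serves private RSA/EC parameters and symmetric keys to any caller of this endpoint; only disable it where the endpoint is itself access-controlled.` and add a one-line Javadoc to `isStripPrivateParameters`. It is also worth noting in the class that `keySet` is computed once on first request and never refreshed, so changing the flag afterwards has no effect.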
@@ -0,0 +1,196 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.cxf.systest.jaxrs.security.oidc; + +import java.net.URL; + +import javax.ws.rs.core.Response; + +import org.apache.cxf.jaxrs.client.WebClient; +import org.apache.cxf.rs.security.jose.jwk.JsonWebKey; +import org.apache.cxf.rs.security.jose.jwk.JsonWebKeys; +import org.apache.cxf.rs.security.jose.jwk.KeyType; +import org.apache.cxf.systest.jaxrs.security.SecurityTestUtil; +import org.apache.cxf.systest.jaxrs.security.oauth2.common.OAuth2TestUtils; +import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase; + +import org.junit.AfterClass; +import org.junit.BeforeClass; + +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertNotNull; +import static org.junit.Assert.assertNull; +import static org.junit.Assert.assertTrue; + +/** + * Some tests for the OIDC Keys Service + */ +public class OIDCKeysServiceTest extends AbstractBusClientServerTestBase { + + private static final SpringBusTestServer JCACHE_SERVER = new SpringBusTestServer("oidc-keys-jcache"); + + + @BeforeClass + public static void startServers() throws Exception { + assertTrue("Server failed to launch", 
launchServer(JCACHE_SERVER)); + } + + @AfterClass + public static void cleanup() throws Exception { + SecurityTestUtil.cleanup(); + } + + @org.junit.Test + public void testGetRSAPublicKey() throws Exception { + URL busFile = OIDCFlowTest.class.getResource("client.xml"); + + String address = "https://localhost:" + JCACHE_SERVER.getPort() + "/services/"; + WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), + "alice", "security", busFile.toString()); + client.accept("application/json"); + + client.path("keys/"); + Response response = client.get(); + JsonWebKeys jsonWebKeys = response.readEntity(JsonWebKeys.class); + + assertEquals(1, jsonWebKeys.getKeys().size()); + + JsonWebKey jsonWebKey = jsonWebKeys.getKeys().get(0); + assertEquals(KeyType.RSA, jsonWebKey.getKeyType()); + assertEquals("alice", jsonWebKey.getKeyId()); + assertNotNull(jsonWebKey.getProperty("n")); + assertNotNull(jsonWebKey.getProperty("e")); + // Check we don't send the private key back + checkPrivateKeyParametersNotPresent(jsonWebKeys); + } + + @org.junit.Test + public void testGetJWKRSAPublicKey() throws Exception { + URL busFile = OIDCFlowTest.class.getResource("client.xml"); + + String address = "https://localhost:" + JCACHE_SERVER.getPort() + "/services2/"; + WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), + "alice", "security", busFile.toString()); + client.accept("application/json"); + + client.path("keys/"); + Response response = client.get(); + JsonWebKeys jsonWebKeys = response.readEntity(JsonWebKeys.class); + + assertEquals(1, jsonWebKeys.getKeys().size()); + + JsonWebKey jsonWebKey = jsonWebKeys.getKeys().get(0); + assertEquals(KeyType.RSA, jsonWebKey.getKeyType()); + assertEquals("2011-04-29", jsonWebKey.getKeyId()); + assertNotNull(jsonWebKey.getProperty("n")); + assertNotNull(jsonWebKey.getProperty("e")); + // Check we don't send the private key back + checkPrivateKeyParametersNotPresent(jsonWebKeys); + } + + @org.junit.Test 
+ public void testGetJWKECPublicKey() throws Exception { + URL busFile = OIDCFlowTest.class.getResource("client.xml"); + + String address = "https://localhost:" + JCACHE_SERVER.getPort() + "/services3/"; + WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), + "alice", "security", busFile.toString()); + client.accept("application/json"); + + client.path("keys/"); + Response response = client.get(); + JsonWebKeys jsonWebKeys = response.readEntity(JsonWebKeys.class); + + assertEquals(1, jsonWebKeys.getKeys().size()); + + JsonWebKey jsonWebKey = jsonWebKeys.getKeys().get(0); + assertEquals(KeyType.EC, jsonWebKey.getKeyType()); + assertEquals("ECKey", jsonWebKey.getKeyId()); + assertNotNull(jsonWebKey.getProperty("x")); + assertNotNull(jsonWebKey.getProperty("y")); + // Check we don't send the private key back + checkPrivateKeyParametersNotPresent(jsonWebKeys); + } + + @org.junit.Test + public void testGetJWKHMAC() throws Exception { + URL busFile = OIDCFlowTest.class.getResource("client.xml"); + + String address = "https://localhost:" + JCACHE_SERVER.getPort() + "/services4/"; + WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), + "alice", "security", busFile.toString()); + client.accept("application/json"); + + client.path("keys/"); + Response response = client.get(); + JsonWebKeys jsonWebKeys = response.readEntity(JsonWebKeys.class); + + // We don't allow sending secret keys back from the key service by default + assertNull(jsonWebKeys.getKeys()); + } + + @org.junit.Test + public void testGetJWKHMACExplicitlyAllowed() throws Exception { + URL busFile = OIDCFlowTest.class.getResource("client.xml"); + + String address = "https://localhost:" + JCACHE_SERVER.getPort() + "/services5/"; + WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), + "alice", "security", busFile.toString()); + client.accept("application/json"); + + client.path("keys/"); + Response response = client.get(); + 
JsonWebKeys jsonWebKeys = response.readEntity(JsonWebKeys.class); + + // Here we explicitly allow sending back secret keys + assertEquals(1, jsonWebKeys.getKeys().size()); + } + + @org.junit.Test + public void testGetJWKMultipleKeys() throws Exception { + URL busFile = OIDCFlowTest.class.getResource("client.xml"); + + String address = "https://localhost:" + JCACHE_SERVER.getPort() + "/services6/"; + WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), + "alice", "security", busFile.toString()); + client.accept("application/json"); + + client.path("keys/"); + Response response = client.get(); + JsonWebKeys jsonWebKeys = response.readEntity(JsonWebKeys.class); + + assertEquals(2, jsonWebKeys.getKeys().size()); + + // Check we don't send the private key back + checkPrivateKeyParametersNotPresent(jsonWebKeys); + } + + private void checkPrivateKeyParametersNotPresent(JsonWebKeys jsonWebKeys) { + for (JsonWebKey jsonWebKey : jsonWebKeys.getKeys()) { + assertNull(jsonWebKey.getProperty("d")); + assertNull(jsonWebKey.getProperty("p")); + assertNull(jsonWebKey.getProperty("q")); + assertNull(jsonWebKey.getProperty("dp")); + assertNull(jsonWebKey.getProperty("dq")); + assertNull(jsonWebKey.getProperty("qi")); + } + } + + +} \ No newline at end of file diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oidc/oidc-keys-jcache.xml b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oidc/oidc-keys-jcache.xml new file mode 100644 index 0000000..19647b7 --- /dev/null +++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oidc/oidc-keys-jcache.xml 
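Review bot: `testGetJWKHMACExplicitlyAllowed` only asserts that one key is returned, so it would pass even if that key were not the HMAC key or had lost its secret; add `assertEquals(KeyType.OCTET, jsonWebKey.getKeyType());` and `assertNotNull(jsonWebKey.getProperty("k"));` on `getKeys().get(0)`. `checkPrivateKeyParametersNotPresent` should also cover `oth` (RFC 7518 multi-prime info) with `assertNull(jsonWebKey.getProperty("oth"));` and assert `k` is absent, so the helper enumerates every member the service must never emit. `testGetJWKHMAC` asserting that `getKeys()` is null ties the test to an empty set being serialised without a `keys` member; RFC 7517 section 5 makes `keys` required, so if the provider can emit an empty array it would be better to assert an empty list.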
@@ -0,0 +1,178 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, +software distributed under the License is distributed on an +"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +KIND, either express or implied. See the License for the +specific language governing permissions and limitations +under the License. +--> +<beans xmlns="http://www.springframework.org/schema/beans" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xmlns:http="http://cxf.apache.org/transports/http/configuration" + xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration" + xmlns:sec="http://cxf.apache.org/configuration/security" + xmlns:cxf="http://cxf.apache.org/core" + xmlns:jaxrs="http://cxf.apache.org/jaxrs" + xmlns:util="http://www.springframework.org/schema/util" + xsi:schemaLocation="http://cxf.apache.org/jaxrs http://cxf.apache.org/schemas/jaxrs.xsd + http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd + http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd + http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-4.2.xsd + http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd + http://cxf.apache.org/transports/http-jetty/configuration http://cxf.apache.org/schemas/configuration/http-jetty.xsd + http://cxf.apache.org/configuration/security 
http://cxf.apache.org/schemas/configuration/security.xsd"> + <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/> + <cxf:bus> + <cxf:features> + <cxf:logging/> + </cxf:features> + <cxf:properties> + <entry key="org.apache.cxf.jaxrs.bus.providers" value-ref="busProviders"/> + </cxf:properties> + </cxf:bus> + <!-- providers --> + <util:list id="busProviders"> + <ref bean="oauthJson"/> + </util:list> + <bean id="oauthJson" class="org.apache.cxf.rs.security.oauth2.provider.OAuthJSONProvider"/> + + <httpj:engine-factory id="tls-config"> + <httpj:engine port="${testutil.ports.oidc-keys-jcache}"> + <httpj:tlsServerParameters> + <sec:keyManagers keyPassword="password"> + <sec:keyStore type="JKS" password="password" resource="keys/Bethal.jks"/> + </sec:keyManagers> + <sec:trustManagers> + <sec:keyStore type="JKS" password="password" resource="keys/Truststore.jks"/> + </sec:trustManagers> + <sec:clientAuthentication want="false" required="false"/> + </httpj:tlsServerParameters> + <httpj:sessionSupport>true</httpj:sessionSupport> + </httpj:engine> + </httpj:engine-factory> + + <bean id="oidcKeysService" class="org.apache.cxf.rs.security.oidc.idp.OidcKeysService"/> + + <jaxrs:server + depends-on="tls-config" + address="https://localhost:${testutil.ports.oidc-keys-jcache}/services"> + <jaxrs:serviceBeans> + <ref bean="oidcKeysService"/> + </jaxrs:serviceBeans> + <jaxrs:providers> + <bean class="org.apache.cxf.rs.security.jose.jaxrs.JsonWebKeysProvider"/> + </jaxrs:providers> + <jaxrs:properties> + <entry key="rs.security.keystore.type" value="jks" /> + <entry key="rs.security.keystore.alias" value="alice"/> + <entry key="rs.security.keystore.password" value="password"/> + <entry key="rs.security.key.password" value="password"/> + <entry key="rs.security.keystore.file" value="keys/alice.jks" /> + </jaxrs:properties> + </jaxrs:server> + + <bean id="oidcKeysService2" class="org.apache.cxf.rs.security.oidc.idp.OidcKeysService"/> + + <jaxrs:server + 
depends-on="tls-config" + address="https://localhost:${testutil.ports.oidc-keys-jcache}/services2"> + <jaxrs:serviceBeans> + <ref bean="oidcKeysService2"/> + </jaxrs:serviceBeans> + <jaxrs:providers> + <bean class="org.apache.cxf.rs.security.jose.jaxrs.JsonWebKeysProvider"/> + </jaxrs:providers> + <jaxrs:properties> + <entry key="rs.security.keystore.type" value="jwk" /> + <entry key="rs.security.keystore.alias" value="2011-04-29"/> + <entry key="rs.security.keystore.file" value="org/apache/cxf/systest/jaxrs/security/certs/jwkPrivateSet.txt" /> + </jaxrs:properties> + </jaxrs:server> + + <bean id="oidcKeysService3" class="org.apache.cxf.rs.security.oidc.idp.OidcKeysService"/> + + <jaxrs:server + depends-on="tls-config" + address="https://localhost:${testutil.ports.oidc-keys-jcache}/services3"> + <jaxrs:serviceBeans> + <ref bean="oidcKeysService3"/> + </jaxrs:serviceBeans> + <jaxrs:providers> + <bean class="org.apache.cxf.rs.security.jose.jaxrs.JsonWebKeysProvider"/> + </jaxrs:providers> + <jaxrs:properties> + <entry key="rs.security.keystore.type" value="jwk" /> + <entry key="rs.security.keystore.alias" value="ECKey"/> + <entry key="rs.security.keystore.file" value="org/apache/cxf/systest/jaxrs/security/certs/jwkPrivateSet.txt" /> + </jaxrs:properties> + </jaxrs:server> + + <bean id="oidcKeysService4" class="org.apache.cxf.rs.security.oidc.idp.OidcKeysService"/> + + <jaxrs:server + depends-on="tls-config" + address="https://localhost:${testutil.ports.oidc-keys-jcache}/services4"> + <jaxrs:serviceBeans> + <ref bean="oidcKeysService4"/> + </jaxrs:serviceBeans> + <jaxrs:providers> + <bean class="org.apache.cxf.rs.security.jose.jaxrs.JsonWebKeysProvider"/> + </jaxrs:providers> + <jaxrs:properties> + <entry key="rs.security.keystore.type" value="jwk" /> + <entry key="rs.security.keystore.alias" value="HMAC512Key"/> + <entry key="rs.security.keystore.file" value="org/apache/cxf/systest/jaxrs/security/certs/jwkPrivateSet.txt" /> + </jaxrs:properties> + </jaxrs:server> + + 
<bean id="oidcKeysService5" class="org.apache.cxf.rs.security.oidc.idp.OidcKeysService"> + <property name="stripPrivateParameters" value="false"/> + </bean> + + <jaxrs:server + depends-on="tls-config" + address="https://localhost:${testutil.ports.oidc-keys-jcache}/services5"> + <jaxrs:serviceBeans> + <ref bean="oidcKeysService5"/> + </jaxrs:serviceBeans> + <jaxrs:providers> + <bean class="org.apache.cxf.rs.security.jose.jaxrs.JsonWebKeysProvider"/> + </jaxrs:providers> + <jaxrs:properties> + <entry key="rs.security.keystore.type" value="jwk" /> + <entry key="rs.security.keystore.alias" value="HMAC512Key"/> + <entry key="rs.security.keystore.file" value="org/apache/cxf/systest/jaxrs/security/certs/jwkPrivateSet.txt" /> + </jaxrs:properties> + </jaxrs:server> + + + <bean id="oidcKeysService6" class="org.apache.cxf.rs.security.oidc.idp.OidcKeysService"/> + + <jaxrs:server + depends-on="tls-config" + address="https://localhost:${testutil.ports.oidc-keys-jcache}/services6"> + <jaxrs:serviceBeans> + <ref bean="oidcKeysService6"/> + </jaxrs:serviceBeans> + <jaxrs:providers> + <bean class="org.apache.cxf.rs.security.jose.jaxrs.JsonWebKeysProvider"/> + </jaxrs:providers> + <jaxrs:properties> + <entry key="rs.security.keystore.type" value="jwk" /> + <entry key="rs.security.keystore.aliases" value="2011-04-29,ECKey"/> + <entry key="rs.security.keystore.file" value="org/apache/cxf/systest/jaxrs/security/certs/jwkPrivateSet.txt" /> + </jaxrs:properties> + </jaxrs:server> + +</beans>
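Review bot: The `oidcKeysService5` bean sets `stripPrivateParameters` to `false` on a server with no authentication provider visible in its `jaxrs:providers`, which makes the HMAC secret from `jwkPrivateSet.txt` downloadable; that is intended here to exercise the opt-out, but nothing in the file says so. Add a comment above the bean such as `<!-- Test only: deliberately serves the symmetric key to verify the stripPrivateParameters=false opt-out. Never configure this on a reachable JWKS endpoint. -->`. The other five servers differ only by alias and key type, so a one-line comment on each naming what it exercises (JKS RSA, JWK RSA, JWK EC, JWK HMAC stripped, multiple aliases) would make the fixture self-describing.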
