Author: buildbot
Date: Wed Apr 11 11:57:31 2018
New Revision: 1028232

Log:
Production update by buildbot for cxf

Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/a-simple-jax-ws-service.html websites/production/cxf/content/docs/jax-rs-jose.html websites/production/cxf/content/docs/jax-ws-configuration.html Modified: websites/production/cxf/content/cache/docs.pageCache ============================================================================== Binary files - no diff available. Modified: websites/production/cxf/content/docs/a-simple-jax-ws-service.html ============================================================================== --- websites/production/cxf/content/docs/a-simple-jax-ws-service.html (original) +++ websites/production/cxf/content/docs/a-simple-jax-ws-service.html Wed Apr 11 11:57:31 2018 @@ -28,6 +28,15 @@ <meta name="description" content="Apache CXF, Services Framework - A simple JAX-WS service"> +<link type="text/css" rel="stylesheet" href="/resources/highlighter/styles/shCoreCXF.css"> +<link type="text/css" rel="stylesheet" href="/resources/highlighter/styles/shThemeCXF.css"> + +<script src='/resources/highlighter/scripts/shCore.js'></script> +<script src='/resources/highlighter/scripts/shBrushJava.js'></script> +<script> + SyntaxHighlighter.defaults['toolbar'] = false; + SyntaxHighlighter.all(); +</script> <title> 
@@ -107,82 +116,75 @@ Apache CXF -- A simple JAX-WS service <td height="100%"> <!-- Content --> <div class="wiki-content"> -<div id="ConfluenceContent"><p>This example will lead you through creating your first service with doing "code first" development with JAX-WS.</p> - - - - -<p>This example corresponds to the <a shape="rect" class="external-link" href="http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/java_first_jaxws/">java_first_jaxws</a> example in the CXF distribution.</p> - -<h1 id="AsimpleJAX-WSservice-Settingupyourbuild">Setting up your build</h1> - -<p>The use of <a shape="rect" class="external-link" href="http://maven.apache.org/">Apache Maven</a> is recommended for your web service projects, as it will automatically bring in all necessary dependencies for your web service project. See the Maven <a shape="rect" class="external-link" href="http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/java_first_jaxws/pom.xml?view=co&revision=1373526&content-type=text%2Fplain">pom.xml</a> for this sample for the configuration needed. All samples provided by CXF use Apache Maven, except for the <a shape="rect" class="external-link" href="http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/antbuild/">antbuild sample</a> which shows how you can build CXF projects with Apache Ant instead.</p> - -<p>The mvn dependency:list and mvn dependency:tree commands from the <a shape="rect" class="external-link" href="http://maven.apache.org/plugins/maven-dependency-plugin/">Maven Dependency Plugin</a> will show all dependencies used by your project.</p> - - -<h1 id="AsimpleJAX-WSservice-WritingyourService">Writing your Service</h1> -<p>First we'll write our service interface. 
It will have one operation called <code>sayHi</code> which says "Hello" to whoever submits their name.</p> -<plain-text-body>{snippet:id=service|lang=java|url=cxf/trunk/distribution/src/main/release/samples/java_first_jaxws/src/main/java/demo/hw/server/HelloWorld.java}</plain-text-body> - -<p>To make sure your parameter is named correctly in the xml you should use:</p> - -<plain-text-body> -@WebService +<div id="ConfluenceContent"><p>This example will lead you through creating your first service with doing "code first" development with JAX-WS.</p><p>This example corresponds to the <a shape="rect" class="external-link" href="https://github.com/apache/cxf/tree/master/distribution/src/main/release/samples/java_first_jaxws" rel="nofollow">java_first_jaxws</a> example in the CXF distribution.</p><h1 id="AsimpleJAX-WSservice-Settingupyourbuild">Setting up your build</h1><p>The use of <a shape="rect" class="external-link" href="http://maven.apache.org/">Apache Maven</a> is recommended for your web service projects, as it will automatically bring in all necessary dependencies for your web service project. See the Maven <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/java_first_jaxws/pom.xml" rel="nofollow">pom.xml</a> for this sample for the configuration needed. 
All samples provided by CXF use Apache Maven, except for the <a shape="rect" class="external-link" href="https://github.com/apache/cxf/tree/master/distribution/src/main/release/samples/antbuild" rel="nofollow">antbuild sample</a> which shows how you can build CXF projects with Apache Ant instead.</p><p>The mvn dependency:list and mvn dependency:tree commands from the <a shape="rect" class="external-link" href="http://maven.apache.org/plugins/maven-dependency-plugin/">Maven Dependency Plugin</a> will show all dependencies used by your project.</p><h1 id="AsimpleJAX-WSservice-WritingyourService">Writing your Service</h1><p>First we'll write our service interface. It will have one operation called <code>sayHi</code> which says "Hello" to whoever submits their name.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>HelloWorld</b></div><div class="codeContent panelContent pdl"> +<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">@WebService public interface HelloWorld { - String sayHi(@WebParam(name="text") String text); -} -</plain-text-body> - -<p>The @WebParam annotation is necessary as java interfaces do not store the Parameter name in the .class file. So if you leave out the annotation your parameter will be named arg0.</p> - -<p>Our implementation will then look like this:</p> -<plain-text-body>{snippet:id=service|lang=java|url=cxf/trunk/distribution/src/main/release/samples/java_first_jaxws/src/main/java/demo/hw/server/HelloWorldImpl.java}</plain-text-body> - -<p>The @WebService annotation on the implementation class lets CXF know which interface we want to create our WSDL with. 
In this case its simply our HelloWorld interface.</p> - -<h1 id="AsimpleJAX-WSservice-Publishingyourservice">Publishing your service</h1> -<plain-text-body>{snippet:id=publish|lang=java|url=cxf/trunk/distribution/src/main/release/samples/java_first_jaxws/src/main/java/demo/hw/server/Server.java}</plain-text-body> - -<p>whole code at -<a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/distribution/src/main/release/samples/java_first_jaxws/src/main/java/demo/hw/server/Server.java">http://svn.apache.org/repos/asf/cxf/trunk/distribution/src/main/release/samples/java_first_jaxws/src/main/java/demo/hw/server/Server.java</a></p> - -<p>Alternatively you can use the following code. This gives you more control over the behaviour. For example you can add a logging interceptor:</p> - -<plain-text-body> -HelloWorldImpl implementor = new HelloWorldImpl(); -JaxWsServerFactoryBean svrFactory = new JaxWsServerFactoryBean(); -svrFactory.setServiceClass(HelloWorld.class); -svrFactory.setAddress("http://localhost:9000/helloWorld"); -svrFactory.setServiceBean(implementor); -svrFactory.getInInterceptors().add(new LoggingInInterceptor()); -svrFactory.getOutInterceptors().add(new LoggingOutInterceptor()); -svrFactory.create(); -</plain-text-body> - -<p>You could leave out the ServiceClass. But it is better to use it so the server and the client are created from the same interface. 
If you instead only use the implementation class subtle problems may occur.</p> - -<p>Pointing your browser at <a shape="rect" class="external-link" href="http://localhost:9000/helloWorld?wsdl" rel="nofollow">http://localhost:9000/helloWorld?wsdl</a> will display the wsdl for this service</p> - -<h1 id="AsimpleJAX-WSservice-Accessingyourservice">Accessing your service</h1> - -<p>and client code to see it working is at -<a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/distribution/src/main/release/samples/java_first_jaxws/src/main/java/demo/hw/client/Client.java">http://svn.apache.org/repos/asf/cxf/trunk/distribution/src/main/release/samples/java_first_jaxws/src/main/java/demo/hw/client/Client.java</a></p> - -<p>For the client there is also the alternative approach that gives you more flexibility. Of course like above the logging interceptors are optional but they help a lot when starting:</p> -<plain-text-body> -JaxWsProxyFactoryBean factory = new JaxWsProxyFactoryBean(); -factory.getInInterceptors().add(new LoggingInInterceptor()); -factory.getOutInterceptors().add(new LoggingOutInterceptor()); -factory.setServiceClass(HelloWorld.class); -factory.setAddress("http://localhost:9000/helloWorld"); -HelloWorld client = (HelloWorld) factory.create(); + String sayHi(String text); -String reply = client.sayHi("HI"); -System.out.println("Server said: " + reply); -System.exit(0); -</plain-text-body></div> + /* Advanced usecase of passing an Interface in. JAX-WS/JAXB does not + * support interfaces directly. Special XmlAdapter classes need to + * be written to handle them + */ + String sayHiToUser(User user); + + /* Map passing + * JAXB also does not support Maps. It handles Lists great, but Maps are + * not supported directly. They also require use of a XmlAdapter to map + * the maps into beans that JAXB can use. 
+ */ + @XmlJavaTypeAdapter(IntegerUserMapAdapter.class) + Map<Integer, User> getUsers(); +} </pre> +</div></div><p>To make sure your parameter is named correctly in the xml you should use:</p><p>@WebService public interface HelloWorld { String sayHi(@WebParam(name="text") String text); }</p><p>The @WebParam annotation is necessary as java interfaces do not store the Parameter name in the .class file. So if you leave out the annotation your parameter will be named arg0.</p><p>Our implementation will then look like this:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>HelloWorldImpl</b></div><div class="codeContent panelContent pdl"> +<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">package demo.hw.server; + +import java.util.LinkedHashMap; +import java.util.Map; +import javax.jws.WebService; + +@WebService(endpointInterface = "demo.hw.server.HelloWorld", + serviceName = "HelloWorld") +public class HelloWorldImpl implements HelloWorld { + + Map<Integer, User> users = new LinkedHashMap<Integer, User>(); + + public String sayHi(String text) { + System.out.println("sayHi called"); + return "Hello " + text; + } + + public String sayHiToUser(User user) { + System.out.println("sayHiToUser called"); + users.put(users.size() + 1, user); + return "Hello " + user.getName(); + } + + public Map<Integer, User> getUsers() { + System.out.println("getUsers called"); + return users; + } +}</pre> +</div></div><p> </p><p>The @WebService annotation on the implementation class lets CXF know which interface we want to create our WSDL with. 
In this case its simply our HelloWorld interface.</p><h1 id="AsimpleJAX-WSservice-Publishingyourservice">Publishing your service</h1><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>Server</b></div><div class="codeContent panelContent pdl"> +<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">HelloWorldImpl implementor = new HelloWorldImpl(); +String address = "http://localhost:9000/helloWorld"; +Endpoint.publish(address, implementor);</pre> +</div></div><p>whole code at <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/java_first_jaxws/src/main/java/demo/hw/server/Server.java" rel="nofollow">https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/java_first_jaxws/src/main/java/demo/hw/server/Server.java</a></p><p>Alternatively you can use the following code. This gives you more control over the behaviour. For example you can add a logging interceptor:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>ServerFactoryBean</b></div><div class="codeContent panelContent pdl"> +<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">HelloWorldImpl implementor = new HelloWorldImpl(); +JaxWsServerFactoryBean svrFactory = new JaxWsServerFactoryBean(); +svrFactory.setServiceClass(HelloWorld.class); +svrFactory.setAddress("http://localhost:9000/helloWorld"); +svrFactory.setServiceBean(implementor); +svrFactory.create();</pre> +</div></div><p>You could leave out the ServiceClass. But it is better to use it so the server and the client are created from the same interface. 
If you instead only use the implementation class subtle problems may occur.</p><p>Pointing your browser at <a shape="rect" class="external-link" href="http://localhost:9000/helloWorld?wsdl" rel="nofollow">http://localhost:9000/helloWorld?wsdl</a> will display the wsdl for this service</p><h1 id="AsimpleJAX-WSservice-Accessingyourservice">Accessing your service</h1><p>and client code to see it working is at <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/java_first_jaxws/src/main/java/demo/hw/client/Client.java" rel="nofollow">https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/java_first_jaxws/src/main/java/demo/hw/client/Client.java</a></p><p>For the client there is also the alternative approach that gives you more flexibility:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>Client</b></div><div class="codeContent panelContent pdl"> +<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">JaxWsProxyFactoryBean factory = new JaxWsProxyFactoryBean(); +factory.setServiceClass(HelloWorld.class); +factory.setAddress("http://localhost:9000/helloWorld"); +HelloWorld client = (HelloWorld) factory.create(); +String reply = client.sayHi("HI"); +System.out.println("Server said: " + reply); +</pre> +</div></div></div> </div> <!-- Content --> </td> Modified: websites/production/cxf/content/docs/jax-rs-jose.html ============================================================================== --- websites/production/cxf/content/docs/jax-rs-jose.html (original) +++ websites/production/cxf/content/docs/jax-rs-jose.html Wed Apr 11 11:57:31 2018 
@@ -32,10 +32,10 @@ <link type="text/css" rel="stylesheet" href="/resources/highlighter/styles/shThemeCXF.css"> <script src='/resources/highlighter/scripts/shCore.js'></script> -<script src='/resources/highlighter/scripts/shBrushBash.js'></script> -<script src='/resources/highlighter/scripts/shBrushXml.js'></script> <script src='/resources/highlighter/scripts/shBrushJava.js'></script> +<script src='/resources/highlighter/scripts/shBrushXml.js'></script> <script src='/resources/highlighter/scripts/shBrushJScript.js'></script> +<script src='/resources/highlighter/scripts/shBrushBash.js'></script> <script> SyntaxHighlighter.defaults['toolbar'] = false; SyntaxHighlighter.all(); 
@@ -119,12 +119,12 @@ Apache CXF -- JAX-RS JOSE <td height="100%"> <!-- Content --> <div class="wiki-content"> -<div id="ConfluenceContent"><p> </p><p> </p><p><style type="text/css">/*<![CDATA[*/ -div.rbtoc1508777354982 {padding: 0px;} -div.rbtoc1508777354982 ul {list-style: disc;margin-left: 0px;} -div.rbtoc1508777354982 li {margin-left: 0px;padding-left: 0px;} +<div id="ConfluenceContent"><p><style type="text/css">/*<![CDATA[*/ +div.rbtoc1523447812407 {padding: 0px;} +div.rbtoc1523447812407 ul {list-style: disc;margin-left: 0px;} +div.rbtoc1523447812407 li {margin-left: 0px;padding-left: 0px;} -/*]]>*/</style></p><div class="toc-macro rbtoc1508777354982"> +/*]]>*/</style></p><div class="toc-macro rbtoc1523447812407"> <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSJOSE-Introduction">Introduction</a></li><li><a shape="rect" href="#JAX-RSJOSE-MavenDependencies">Maven Dependencies</a></li><li><a shape="rect" href="#JAX-RSJOSE-JavaandJCEPolicy">Java and JCE Policy </a></li><li><a shape="rect" href="#JAX-RSJOSE-JOSEOverviewandImplementation">JOSE Overview and Implementation</a> <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSJOSE-JWAAlgorithms">JWA Algorithms</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWKKeys">JWK Keys</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSSignature">JWS Signature</a> <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSJOSE-SignatureandVerificationProviders">Signature and Verification Providers</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSCompact">JWS Compact</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSJSON">JWS JSON</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSwithDetachedContent">JWS with Detached Content</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSwithUnencodedPayload">JWS with Unencoded Payload</a></li></ul> 
@@ -851,7 +851,7 @@ JweDecryptionProvider jweIn = JweUtils.l </div></div><p>The providers may be initialized from a single properties file or each of them may have specific properties allocated to it.</p><p>Sometimes it can be useful to load the properties only and check the signature or encryption algorithm and load a JWS or JWE provider directly as shown in JWS and JWE sections above.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>Loading JWS and JWE properties</b></div><div class="codeContent panelContent pdl"> <pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">Properties jwsProps = JweUtils.loadEncryptionProperties("jws.properties", true); Properties jweProps = JweUtils.loadEncryptionProperties("jwe.properties", true);</pre> -</div></div><p>After loading the properties one can check various property values (signature algorithm, etc) and use it to create a required provider.</p><p>The above code needs to be executed in the context of the current request (in server or client in/out interceptors or server service code) as it expects the current CXF Message be available in order to deduce where to load the configuration properties from. 
However <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java" rel="nofollow">JwsUtils</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java" rel="nofollow">JweUtils</a> provide a number of utility methods for loading the providers without loading the properties first which can be used when setting up the c lient code or when no properties are available in the current request context.</p><p> </p><p>When the code needs to load the configuration properties it first looks for the property 'container' file which contains the specific properties instructing which keys and algorithms need to be used. Singature or encryption properties for in/out operations can be provided.  </p><h2 id="JAX-RSJOSE-ConfigurationPropertyContainers">Configuration Property Containers</h2><h3 id="JAX-RSJOSE-Signature">Signature</h3><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.out.properties</td><td colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file for Compact or JSON signature creation. If not specified then it falls back to "rs.security.signature.properties".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.in.properties</td><td colspan="1" rowspa n="1" class="confluenceTd"><p>The signature properties file for Compact or JSON signature verification. 
If not specified then it falls back to "rs.security.signature.properties".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.properties</td><td colspan="1" rowspan="1" class="confluenceTd">The signature properties file for Compact or JSON signature creation/verification.</td></tr></tbody></table></div><h3 id="JAX-RSJOSE-Encryption">Encryption</h3><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.out.properties</td><td colspan="1" rowspan="1" class="confluenceTd"><p>The encryption properties file for Compact or JSON encryption creation. If not specified then it falls back to "rs.security.encryption.properties".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.in.properties</td><td colspan="1" rowspan="1" class="conflue nceTd"><p>The encryption properties file for Compact or JSON decryption. If not specified then it falls back to "rs.security.encryption.properties".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.properties</td><td colspan="1" rowspan="1" class="confluenceTd">The encryption properties file for encryption/decryption.</td></tr></tbody></table></div><p>Note that these property containers can be used for creating/processing JWS and JWE Compact and JSON sequences. If it is either JWS JSON or JWE JSON and you wish to have more than one signature or encryption be created then let the property value be a commas separated list of locations, with each location pointing to a unique signature or encryption operation property file.</p><p>Once the properties are loaded the runtime proceeds with initializing JWS/JWE providers accordingly. 
The following section lists the properties, some oif them being common and some - unique to the signature/verification and encryption/decryption processes.</p><p>Note that one can override some of the properties, for example, 'rs.security.store' can be set as a dynamic request property pointing to a preloaded Java KeyStore object.</p><h2 id="JAX-RSJOSE-Configurationthatappliestobothencryptionandsignature">Configuration that applies to both encryption and signature</h2><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore</td><td colspan="1" rowspan="1" class="confluenceTd">The Java KeyStore Object to use. This configuration tag is used if you want to pass the KeyStore Object through dynamically.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>rs.security.keystore.type</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The keystore type. Suitable values are "jks" or "jwk".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore.password</td><td colspan="1" rowspan ="1" class="confluenceTd">The password required to access the keystore.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore.alias</td><td colspan="1" rowspan="1" class="confluenceTd"> The keystore alias corresponding to the key to use. You can append one of the following to this tag to get the alias for more specific operations:<br clear="none">     - jwe.out<br clear="none">     - jwe.in<br clear="none">     - jws.out<br clear="none">     - jws.in</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore.aliases</td><td colspan="1" rowspan="1" class="confluenceTd">The keystore aliases corresponding to the keys to use, when using the JSON serialization form. 
You can append one of the following to this tag to get the alias for more specific operations:<br clear="none">     - jws.out<br clear="none">     - jws.in</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore.file</td><td colspan="1" rowspan="1" class="confluenceTd">The path to the keystore file.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.key.password</td><td colspan="1" rowspan="1" class="confluenceTd">The password required to access the private key (in the keystore).</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.key.password.provider</td><td colspan="1" rowspan="1" class="confluenceTd">A reference to a PrivateKeyPasswordProvider instance used to retrieve passwords to access keys.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.accept.public.key</td><td colspan="1" rowspan="1" class="confluenceTd"><p>Whether to allow using a JWK received in the header for signature validation. The default is "false".</p></td></tr></tbody></table></div><h2 id="JAX-RSJOSE-Configurationthatappliestosignatureonly">Configuration that ap plies to signature only</h2><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>rs.security.signature.key.password.provider</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>A reference to a PrivateKeyPasswordProvider instance used to retrieve passwords to access keys for signature. If this is not specified it falls back to use "rs.security.key.password.provider".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.algorithm</td><td colspan="1" rowspan="1" class="confluenceTd">The signature algorithm to use. 
The default algorithm if not specified is 'RS256'.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.include.public.key</td><td colspan="1" rowspan="1" class="confluenceTd">Include the JWK public key for signature in the "jwk" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.include.cert</td>< td colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate for signature in the "x5c" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.include.key.id</td><td colspan="1" rowspan="1" class="confluenceTd">Include the JWK key id for signature in the "kid" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.include.cert.sha1</td><td colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate SHA-1 digest for signature in the "x5t" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.include.cert.sha256</td><td colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate SHA-256 digest for signature in the "x5t#S256" header.</td></tr></tbody></table></div><h2 id="JAX-RSJOSE-Configurationthatappliestoencryptiononly">Configuration that applies to encryption only</h2><div class="table-wrap"><table class="confluenceTable"><t body><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>rs.security.decryption.key.password.provider</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>A reference to a PrivateKeyPasswordProvider instance used to retrieve passwords to access keys for decryption. If this is not specified it falls back to use "rs.security.key.password.provider".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.content.algorithm</td><td colspan="1" rowspan="1" class="confluenceTd">The encryption content algorithm to use. 
The default algorithm if not specified is 'A128GCM'.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.key.algorithm</td><td colspan="1" rowspan="1" class="confluenceTd"><p>The encryption key algorithm to use. The default algorithm if not specified is 'RSA-OAEP' if the key is an RSA key, 'ECDH-ES-A128KW'  if the key is an EC key and 'A128GCMKW' if it is an octet sequence.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.zip.algorithm</td><td colspan="1" rowspan="1" class="confluenceTd">The encryption zip algorithm to use.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.include.public.key</td><td colspan="1" rowspan="1" class="confluenceTd">Include the JWK public key for encryption in the "jwk" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.include.cert</td><td colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate for encryption in the "x5c" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.include.key.id</td><td colspan="1" rowspan="1" class="confluenceTd">Include the JWK key id for encryption in the "kid" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.include.cert.sha1</td><td colspan="1" rowspan="1" class="confluenceTd">Inclu de the X.509 certificate SHA-1 digest for encryption in the "x5t" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.include.cert.sha256</td><td colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate SHA-256 digest for encryption in the "x5t#S256" header.</td></tr></tbody></table></div><h2 id="JAX-RSJOSE-ConfigurationthatappliestoJWTtokensonly">Configuration that applies to JWT tokens only</h2><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>rs.security.enable.unsigned-jwt.principal</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Whether to allow unsigned JWT tokens as SecurityContext Principals. The default is false.</p></td></tr></tbody></table></div><h1 id="JAX-RSJOSE-Interoperability">Interoperability</h1><p> </p><p><a shape="rect" class="external-link" href="https://datatracker.ietf.org/wg/jose/documents/" rel="nofollow">J OSE</a> is already widely supported in OAuth2 and OIDC applications. Besides that CXF JOSE client or server will interoperate with a 3rd party client/server able to produce or consume JWS/JWE sequences.  For example, see a <a shape="rect" class="external-link" href="https://www.w3.org/TR/WebCryptoAPI/#jose" rel="nofollow">WebCrypto API use case</a> and  <a shape="rect" class="external-link" href="https://mobilepki.org/WCPPSignatureDemo/home" rel="nofollow">the demo</a> which demonstrates how a JWS sequence produced by a browser-hosted script can be validated by a server application capable of processing JWS, with the demo browser client being tested against a CXF JWS server too. </p><p> </p><h1 id="JAX-RSJOSE-Third-PartyLibraries">Third-Party Libraries</h1><p><a shape="rect" class="external-link" href="https://bitbucket.org/b_c/jose4j/wiki/Home" rel="nofollow">Jose4J</a></p><p><a shape="rect" class="external-link" href="http://connect2id.com/products/nimbus-jose- jwt" rel="nofollow">Nimbus JOSE</a></p><p> </p></div> +</div></div><p>After loading the properties one can check various property values (signature algorithm, etc) and use it to create a required provider.</p><p>The above code needs to be executed in the context of the current request (in server or client in/out interceptors or server service code) as it expects the current CXF Message be available in order to deduce where to load the configuration properties from. 
However <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java" rel="nofollow">JwsUtils</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java" rel="nofollow">JweUtils</a> provide a number of utility methods for loading the providers without loading the properties first which can be used when setting up the c lient code or when no properties are available in the current request context.</p><p> </p><p>When the code needs to load the configuration properties it first looks for the property 'container' file which contains the specific properties instructing which keys and algorithms need to be used. Singature or encryption properties for in/out operations can be provided.  </p><h2 id="JAX-RSJOSE-ConfigurationPropertyContainers">Configuration Property Containers</h2><h3 id="JAX-RSJOSE-Signature">Signature</h3><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.out.properties</td><td colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file for Compact or JSON signature creation. If not specified then it falls back to "rs.security.signature.properties".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.in.properties</td><td colspan="1" rowspa n="1" class="confluenceTd"><p>The signature properties file for Compact or JSON signature verification. 
If not specified then it falls back to "rs.security.signature.properties".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.properties</td><td colspan="1" rowspan="1" class="confluenceTd">The signature properties file for Compact or JSON signature creation/verification.</td></tr></tbody></table></div><h3 id="JAX-RSJOSE-Encryption">Encryption</h3><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.out.properties</td><td colspan="1" rowspan="1" class="confluenceTd"><p>The encryption properties file for Compact or JSON encryption creation. If not specified then it falls back to "rs.security.encryption.properties".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.in.properties</td><td colspan="1" rowspan="1" class="conflue nceTd"><p>The encryption properties file for Compact or JSON decryption. If not specified then it falls back to "rs.security.encryption.properties".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.properties</td><td colspan="1" rowspan="1" class="confluenceTd">The encryption properties file for encryption/decryption.</td></tr></tbody></table></div><p>Note that these property containers can be used for creating/processing JWS and JWE Compact and JSON sequences. If it is either JWS JSON or JWE JSON and you wish to have more than one signature or encryption be created then let the property value be a commas separated list of locations, with each location pointing to a unique signature or encryption operation property file.</p><p>Once the properties are loaded the runtime proceeds with initializing JWS/JWE providers accordingly. 
The following section lists the properties, some oif them being common and some - unique to the signature/verification and encryption/decryption processes.</p><p>Note that one can override some of the properties, for example, 'rs.security.store' can be set as a dynamic request property pointing to a preloaded Java KeyStore object.</p><h2 id="JAX-RSJOSE-Configurationthatappliestobothencryptionandsignature">Configuration that applies to both encryption and signature</h2><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore</td><td colspan="1" rowspan="1" class="confluenceTd">The Java KeyStore Object to use. This configuration tag is used if you want to pass the KeyStore Object through dynamically.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>rs.security.keystore.type</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The keystore type. Suitable values are "jks" or "jwk".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore.password</td><td colspan="1" rowspan ="1" class="confluenceTd">The password required to access the keystore.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore.alias</td><td colspan="1" rowspan="1" class="confluenceTd"> The keystore alias corresponding to the key to use. You can append one of the following to this tag to get the alias for more specific operations:<br clear="none">     - jwe.out<br clear="none">     - jwe.in<br clear="none">     - jws.out<br clear="none">     - jws.in</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore.aliases</td><td colspan="1" rowspan="1" class="confluenceTd">The keystore aliases corresponding to the keys to use, when using the JSON serialization form. 
You can append one of the following to this tag to get the alias for more specific operations:<br clear="none">     - jws.out<br clear="none">     - jws.in</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore.file</td><td colspan="1" rowspan="1" class="confluenceTd">The path to the keystore file.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.key.password</td><td colspan="1" rowspan="1" class="confluenceTd">The password required to access the private key (in the keystore).</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.key.password.provider</td><td colspan="1" rowspan="1" class="confluenceTd">A reference to a PrivateKeyPasswordProvider instance used to retrieve passwords to access keys.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.accept.public.key</td><td colspan="1" rowspan="1" class="confluenceTd"><p>Whether to allow using a JWK received in the header for signature validation. The default is "false".</p></td></tr></tbody></table></div><h2 id="JAX-RSJOSE-Configurationthatappliestosignatureonly">Configuration that ap plies to signature only</h2><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>rs.security.signature.key.password.provider</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>A reference to a PrivateKeyPasswordProvider instance used to retrieve passwords to access keys for signature. If this is not specified it falls back to use "rs.security.key.password.provider".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.algorithm</td><td colspan="1" rowspan="1" class="confluenceTd">The signature algorithm to use. 
The default algorithm if not specified is 'RS256'.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.include.public.key</td><td colspan="1" rowspan="1" class="confluenceTd">Include the JWK public key for signature in the "jwk" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.include.cert</td>< td colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate for signature in the "x5c" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.include.key.id</td><td colspan="1" rowspan="1" class="confluenceTd">Include the JWK key id for signature in the "kid" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.include.cert.sha1</td><td colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate SHA-1 digest for signature in the "x5t" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.include.cert.sha256</td><td colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate SHA-256 digest for signature in the "x5t#S256" header.</td></tr></tbody></table></div><h2 id="JAX-RSJOSE-Configurationthatappliestoencryptiononly">Configuration that applies to encryption only</h2><div class="table-wrap"><table class="confluenceTable"><t body><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>rs.security.decryption.key.password.provider</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>A reference to a PrivateKeyPasswordProvider instance used to retrieve passwords to access keys for decryption. If this is not specified it falls back to use "rs.security.key.password.provider".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.content.algorithm</td><td colspan="1" rowspan="1" class="confluenceTd">The encryption content algorithm to use. 
The default algorithm if not specified is 'A128GCM'.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.key.algorithm</td><td colspan="1" rowspan="1" class="confluenceTd"><p>The encryption key algorithm to use. The default algorithm if not specified is 'RSA-OAEP' if the key is an RSA key, 'ECDH-ES-A128KW'  if the key is an EC key and 'A128GCMKW' if it is an octet sequence.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.zip.algorithm</td><td colspan="1" rowspan="1" class="confluenceTd">The encryption zip algorithm to use.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.include.public.key</td><td colspan="1" rowspan="1" class="confluenceTd">Include the JWK public key for encryption in the "jwk" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.include.cert</td><td colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate for encryption in the "x5c" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.include.key.id</td><td colspan="1" rowspan="1" class="confluenceTd">Include the JWK key id for encryption in the "kid" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.include.cert.sha1</td><td colspan="1" rowspan="1" class="confluenceTd">Inclu de the X.509 certificate SHA-1 digest for encryption in the "x5t" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.include.cert.sha256</td><td colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate SHA-256 digest for encryption in the "x5t#S256" header.</td></tr></tbody></table></div><h2 id="JAX-RSJOSE-ConfigurationthatappliestoJWTtokensonly">Configuration that applies to JWT tokens only</h2><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>rs.security.enable.unsigned-jwt.principal</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Whether to allow unsigned JWT tokens as SecurityContext Principals. The default is false.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">expected.claim.audience</td><td colspan="1" rowspan="1" class="confluenceTd">If this property is defined, the received JWT must have an "aud" claim with a value matching this property.</td></tr></tbody></table></div><h1 id="JAX-RSJOSE-Interoperability">Interoperability</h1><p> </p><p><a shape="rect" class="external-link" href="https://datatracker.ietf.org/wg/jose/documents/" rel="nofollow">JOSE</a> is already widely supported in OAuth2 and OIDC applications. Besides that CXF JOSE client or server will interoperate with a 3rd party client/server able to produce or consume JWS/JWE sequences.  For example, see a <a shape="rect" class="external-link" href="https://www.w3.org/TR/WebCryptoAPI/#jose" rel="nofollow">WebCrypto API use case</a> and  <a shape="rect" class="external-link" href="https://mobilepki.org/WCPPSignatureDemo/home" rel="nofollow">the demo</a> which demonstrates how a JWS sequence produced by a browser-hosted script can be validated by a server application capable of processing JWS, with the demo browser client being tested against a CXF JWS server too. </p><p> </p><h1 id="JAX-RSJOSE-Third-Party Libraries">Third-Party Libraries</h1><p><a shape="rect" class="external-link" href="https://bitbucket.org/b_c/jose4j/wiki/Home" rel="nofollow">Jose4J</a></p><p><a shape="rect" class="external-link" href="http://connect2id.com/products/nimbus-jose-jwt" rel="nofollow">Nimbus JOSE</a></p><p> </p></div> </div> <!-- Content --> </td>
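Review bot: The added paragraph just before the "Configuration that applies to both encryption and signature" heading gives 'rs.security.store' as the property to override with a preloaded Java KeyStore object, but the table that follows documents the dynamically passed KeyStore object under rs.security.keystore. The prose and the table should use the same property name, so a reader copying the example does not set a key the table never lists. The same added text has "Singature" for "Signature", "oif" for "of", and "a commas separated list" for "a comma-separated list". The rs.security.accept.public.key row gives the default ("false") but does not say what checks still apply to a JWK received in the header once it is enabled; one sentence on that would help readers decide whether to turn it on. The rs.security.encryption.zip.algorithm row, unlike the other algorithm rows, names neither a default nor the accepted values.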