From serg...@apache.org
Subject [2/2] git commit: [CXF-5311] Initial JWT code, more to follow
Date Tue, 20 May 2014 11:42:56 GMT
[CXF-5311] Initial JWT code, more to follow


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/fd0528c0
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/fd0528c0
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/fd0528c0

Branch: refs/heads/master
Commit: fd0528c0f9dd112264f7aeffa04565e18d973884
Parents: 5bd695d
Author: Sergey Beryozkin <sberyozkin@talend.com>
Authored: Tue May 20 12:42:39 2014 +0100
Committer: Sergey Beryozkin <sberyozkin@talend.com>
Committed: Tue May 20 12:42:39 2014 +0100

----------------------------------------------------------------------
 rt/rs/security/oauth-parent/oauth2-jwt/pom.xml  |  56 ++++
 rt/rs/security/oauth-parent/oauth2-jwt/pom.xml~ |  56 ++++
 .../oauth2/jwe/ContentEncryptionProvider.java   |  29 +++
 .../security/oauth2/jwe/JweCompactConsumer.java | 114 ++++++++
 .../security/oauth2/jwe/JweCompactProducer.java | 101 ++++++++
 .../rs/security/oauth2/jwe/JweDecryptor.java    | 119 +++++++++
 .../rs/security/oauth2/jwe/JweEncryptor.java    | 130 ++++++++++
 .../cxf/rs/security/oauth2/jwe/JweHeaders.java  |  96 +++++++
 .../rs/security/oauth2/jwe/RSAJweDecryptor.java |  33 +++
 .../rs/security/oauth2/jwe/RSAJweEncryptor.java |  53 ++++
 .../security/oauth2/jws/JwsCompactConsumer.java | 113 ++++++++
 .../security/oauth2/jws/JwsCompactProducer.java |  84 ++++++
 .../oauth2/jws/JwsSignatureProvider.java        |  25 ++
 .../oauth2/jws/JwsSignatureValidator.java       |  25 ++
 .../security/oauth2/jwt/AbstractJwtObject.java  |  61 +++++
 .../cxf/rs/security/oauth2/jwt/Algorithms.java  | 100 ++++++++
 .../cxf/rs/security/oauth2/jwt/JwtClaims.java   | 100 ++++++++
 .../rs/security/oauth2/jwt/JwtConstants.java    |  65 +++++
 .../cxf/rs/security/oauth2/jwt/JwtHeaders.java  | 122 +++++++++
 .../security/oauth2/jwt/JwtHeadersReader.java   |  24 ++
 .../security/oauth2/jwt/JwtHeadersWriter.java   |  27 ++
 .../cxf/rs/security/oauth2/jwt/JwtToken.java    |  45 ++++
 .../rs/security/oauth2/jwt/JwtTokenJson.java    |  37 +++
 .../rs/security/oauth2/jwt/JwtTokenReader.java  |  26 ++
 .../oauth2/jwt/JwtTokenReaderWriter.java        | 254 ++++++++++++++++++
 .../rs/security/oauth2/jwt/JwtTokenWriter.java  |  28 ++
 .../oauth2/jwt/grant/AbstractJwtHandler.java    |  92 +++++++
 .../rs/security/oauth2/jwt/grant/Constants.java |  33 +++
 .../oauth2/jwt/grant/JwtBearerGrantHandler.java |  91 +++++++
 .../jwt/jaxrs/JweContainerRequestFilter.java    |  36 +++
 .../jwt/jaxrs/JwsContainerRequestFilter.java    |  36 +++
 .../rs/security/oauth2/jwt/jwk/JsonWebKey.java  | 132 ++++++++++
 .../oauth2/jwe/JweCompactReaderWriterTest.java  | 121 +++++++++
 .../oauth2/jws/JwsCompactReaderWriterTest.java  | 257 +++++++++++++++++++
 rt/rs/security/oauth-parent/pom.xml             |   1 +
 35 files changed, 2722 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/fd0528c0/rt/rs/security/oauth-parent/oauth2-jwt/pom.xml
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/pom.xml b/rt/rs/security/oauth-parent/oauth2-jwt/pom.xml
new file mode 100644
index 0000000..6a675d5
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/pom.xml
@@ -0,0 +1,56 @@
+<?xml version="1.0"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements. See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership. The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License. You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied. See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <artifactId>cxf-rt-rs-security-oauth2-jwt</artifactId>
+    <packaging>bundle</packaging>
+    <name>Apache CXF Runtime OAuth 2.0 JWT</name>
+    <description>Apache CXF Runtime OAuth 2.0 JWT</description>
+    <url>http://cxf.apache.org</url>
+    <parent>
+        <artifactId>cxf-rt-rs-security-oauth-parent</artifactId>
+        <groupId>org.apache.cxf</groupId>
+        <version>3.0.1-SNAPSHOT</version>
+        <relativePath>../pom.xml</relativePath>
+    </parent>
+    <dependencies>
+        <dependency>
+            <groupId>org.apache.cxf</groupId>
+            <artifactId>cxf-rt-rs-security-oauth2</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+        <dependency>
+         <groupId>org.bouncycastle</groupId>
+         <artifactId>bcprov-ext-jdk15on</artifactId>
+         <version>1.50</version>
+        </dependency>
+        <!--test dependencies-->
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.easymock</groupId>
+            <artifactId>easymock</artifactId>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+</project>
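Review bot: The `bcprov-ext-jdk15on` dependency pins `<version>1.50</version>` directly in this module, while `junit` and `easymock` below it carry no version and so appear to be managed by the parent. A cryptographic provider pinned in a leaf POM is easy to miss when the rest of the build is upgraded for security fixes; moving the version into the parent's dependency management (or a version property defined there) keeps it in one place. None of the main classes visible in this part of the commit import `org.bouncycastle`, so it is also worth confirming that compile scope is needed rather than `test`.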

http://git-wip-us.apache.org/repos/asf/cxf/blob/fd0528c0/rt/rs/security/oauth-parent/oauth2-jwt/pom.xml~
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/pom.xml~ b/rt/rs/security/oauth-parent/oauth2-jwt/pom.xml~
new file mode 100644
index 0000000..30ceada
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/pom.xml~
@@ -0,0 +1,56 @@
+<?xml version="1.0"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements. See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership. The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License. You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied. See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <artifactId>cxf-rt-rs-security-oauth2-jwt</artifactId>
+    <packaging>bundle</packaging>
+    <name>Apache CXF Runtime OAuth 2.0 JWT</name>
+    <description>Apache CXF Runtime OAuth 2.0 JWT</description>
+    <url>http://cxf.apache.org</url>
+    <parent>
+        <artifactId>cxf-rt-rs-security-oauth-parent</artifactId>
+        <groupId>org.apache.cxf</groupId>
+        <version>3.0.0-SNAPSHOT</version>
+        <relativePath>../pom.xml</relativePath>
+    </parent>
+    <dependencies>
+        <dependency>
+            <groupId>org.apache.cxf</groupId>
+            <artifactId>cxf-rt-rs-security-oauth2</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+        <dependency>
+         <groupId>org.bouncycastle</groupId>
+         <artifactId>bcprov-ext-jdk15on</artifactId>
+         <version>1.50</version>
+        </dependency>
+        <!--test dependencies-->
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.easymock</groupId>
+            <artifactId>easymock</artifactId>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+</project>
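Review bot: `pom.xml~` looks like an editor backup of `pom.xml` and should not be part of the commit; it matches the real POM line for line except for the parent version (`3.0.0-SNAPSHOT` here, `3.0.1-SNAPSHOT` in `pom.xml`). Remove the file and consider an ignore rule such as `*~` so stale copies of build files are not picked up again.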

http://git-wip-us.apache.org/repos/asf/cxf/blob/fd0528c0/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/ContentEncryptionProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/ContentEncryptionProvider.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/ContentEncryptionProvider.java
new file mode 100644
index 0000000..0c1a8a1
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/ContentEncryptionProvider.java
@@ -0,0 +1,29 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import java.security.spec.AlgorithmParameterSpec;
+
+public interface ContentEncryptionProvider {
+    byte[] getContentEncryptionKey(JweHeaders headers, byte[] encryptedKey);
+    
+    AlgorithmParameterSpec getContentEncryptionCipherSpec(JweHeaders headers, 
+                                                          int authTagLength,
+                                                          byte[] initVector);
+}
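Review bot: The interface has no Javadoc, and the unit of `authTagLength` is not stated; the caller in `JweCompactConsumer.getDecryptedContent` passes `getEncryptionAuthenticationTag().length * 8`, so implementers need to know it is bits. Suggested comments: `/** Returns the decrypted content encryption key for the given encrypted key. */` on `getContentEncryptionKey`, and `@param authTagLength authentication tag length in bits` on `getContentEncryptionCipherSpec`. It would also help to state whether `encryptedKey` may be empty, since `JweEncryptor.getEncryptedContentEncryptionKey` emits an empty array when no key-encryption key is set.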

http://git-wip-us.apache.org/repos/asf/cxf/blob/fd0528c0/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactConsumer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactConsumer.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactConsumer.java
new file mode 100644
index 0000000..d59667b
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactConsumer.java
@@ -0,0 +1,114 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import java.io.UnsupportedEncodingException;
+import java.security.Key;
+import java.security.spec.AlgorithmParameterSpec;
+
+import org.apache.cxf.common.util.Base64Exception;
+import org.apache.cxf.rs.security.oauth2.jwt.Algorithms;
+import org.apache.cxf.rs.security.oauth2.jwt.JwtConstants;
+import org.apache.cxf.rs.security.oauth2.jwt.JwtTokenReaderWriter;
+import org.apache.cxf.rs.security.oauth2.utils.Base64UrlUtility;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties;
+
+
+public class JweCompactConsumer {
+    private String headersJson;
+    private byte[] encryptedCEK;
+    private byte[] initVector;
+    private byte[] encryptedContentWithTag;
+    private byte[] authTag;
+    private JweHeaders jweHeaders;
+    public JweCompactConsumer(String jweContent) {
+        String[] parts = jweContent.split("\\.");
+        if (parts.length != 5) {
+            throw new SecurityException("5 JWE parts are expected");
+        }
+        try {
+            headersJson = new String(Base64UrlUtility.decode(parts[0]));
+            encryptedCEK = Base64UrlUtility.decode(parts[1]);
+            initVector = Base64UrlUtility.decode(parts[2]);
+            
+            byte[] cipherText = Base64UrlUtility.decode(parts[3]);
+            authTag = Base64UrlUtility.decode(parts[4]);
+            encryptedContentWithTag = new byte[cipherText.length + authTag.length];
+            System.arraycopy(cipherText, 0, encryptedContentWithTag, 0, cipherText.length);
+            System.arraycopy(authTag, 0, encryptedContentWithTag, cipherText.length, authTag.length);
+            jweHeaders = new JweHeaders(new JwtTokenReaderWriter().fromJsonHeaders(headersJson).asMap());
+        } catch (Base64Exception ex) {
+            throw new SecurityException(ex);
+        }
+    }
+    
+    public String getDecodedJsonHeaders() {
+        return headersJson;
+    }
+    
+    public JweHeaders getJweHeaders() {
+        return jweHeaders;
+    }
+    
+    public byte[] getEncryptedContentEncryptionKey() {
+        return encryptedCEK;
+    }
+    
+    public byte[] getContentDecryptionCipherInitVector() {
+        return initVector;
+    }
+    
+    public byte[] getContentEncryptionCipherAAD() {
+        return JweHeaders.toCipherAdditionalAuthData(headersJson);
+    }
+    
+    public byte[] getEncryptionAuthenticationTag() {
+        return authTag;
+    }
+    
+    public byte[] getEncryptedContentWithAuthTag() {
+        return encryptedContentWithTag;
+    }
+    
+    public byte[] getDecryptedContent(ContentEncryptionProvider provider) {
+        byte[] cek = provider.getContentEncryptionKey(getJweHeaders(), getEncryptedContentEncryptionKey());
+        KeyProperties keyProperties = new KeyProperties(
+            Algorithms.toJavaName(getJweHeaders().getContentEncryptionAlgorithm()));
+        keyProperties.setAdditionalData(getContentEncryptionCipherAAD());
+        
+        AlgorithmParameterSpec spec = provider.getContentEncryptionCipherSpec(getJweHeaders(),
+                                                         getEncryptionAuthenticationTag().length * 8,
+                                                         getContentDecryptionCipherInitVector());
+        keyProperties.setAlgoSpec(spec);
+        boolean compressionSupported = 
+            JwtConstants.DEFLATE_ZIP_ALGORITHM.equals(getJweHeaders().getZipAlgorithm());
+        keyProperties.setCompressionSupported(compressionSupported);
+        Key secretKey = CryptoUtils.createSecretKeySpec(cek, keyProperties.getKeyAlgo());
+        return CryptoUtils.decryptBytes(getEncryptedContentWithAuthTag(), secretKey, keyProperties);
+    }
+    public String getDecryptedContentText(ContentEncryptionProvider provider) {
+        try {
+            return new String(getDecryptedContent(provider), "UTF-8");
+        } catch (UnsupportedEncodingException ex) {
+            throw new SecurityException(ex);
+        }
+    }
+}
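Review bot: In `getDecryptedContent` the tag length handed to the cipher spec is `getEncryptionAuthenticationTag().length * 8`, that is, whatever length the sender put in the fifth token part, so a token carrying a shortened tag would be verified at that shortened length if the underlying provider accepts it. The constructor should reject a tag that is not the length the expected algorithm requires, for example `if (authTag.length != 16) { throw new SecurityException("Unexpected authentication tag length"); }` if the content algorithms are the JWE AES-GCM ones, which use a 128-bit tag. Separately, `new String(Base64UrlUtility.decode(parts[0]))` decodes the header with the platform default charset while `getDecryptedContentText` uses `"UTF-8"`; since `headersJson` feeds `getContentEncryptionCipherAAD`, decoding it as UTF-8 too keeps the AAD independent of the host locale.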

http://git-wip-us.apache.org/repos/asf/cxf/blob/fd0528c0/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactProducer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactProducer.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactProducer.java
new file mode 100644
index 0000000..cb61690
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactProducer.java
@@ -0,0 +1,101 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import org.apache.cxf.rs.security.oauth2.jwt.JwtHeadersWriter;
+import org.apache.cxf.rs.security.oauth2.jwt.JwtTokenReaderWriter;
+import org.apache.cxf.rs.security.oauth2.utils.Base64UrlUtility;
+
+
+public class JweCompactProducer {
+    private String encodedHeaders;
+    private String encodedContentEncryptionKey;
+    private String encodedInitVector;
+    private String encodedEncryptedContent;
+    private String encodedAuthTag;
+    public JweCompactProducer(JweHeaders headers,
+                       byte[] encryptedContentEncryptionKey,
+                       byte[] cipherInitVector,
+                       byte[] encryptedContentNoTag,
+                       byte[] authenticationTag) {    
+        this(headers, null, encryptedContentEncryptionKey, 
+             cipherInitVector, encryptedContentNoTag, authenticationTag);
+    }
+    
+    public JweCompactProducer(JweHeaders headers,
+                       JwtHeadersWriter writer,
+                       byte[] encryptedContentEncryptionKey,
+                       byte[] cipherInitVector,
+                       byte[] encryptedContentNoTag,
+                       byte[] authenticationTag) {    
+        this.encodedEncryptedContent = Base64UrlUtility.encode(encryptedContentNoTag);
+        this.encodedAuthTag = Base64UrlUtility.encode(authenticationTag);
+        finalizeInit(headers, writer, encryptedContentEncryptionKey, cipherInitVector);
+    }
+    
+    public JweCompactProducer(JweHeaders headers,
+                       byte[] encryptedContentEncryptionKey,
+                       byte[] cipherInitVector,
+                       byte[] encryptedContentWithTag,
+                       int authTagLengthBits) {    
+        this(headers, null, encryptedContentEncryptionKey, 
+             cipherInitVector, encryptedContentWithTag, authTagLengthBits);
+    }
+    public JweCompactProducer(JweHeaders headers,
+                       JwtHeadersWriter writer,
+                       byte[] encryptedContentEncryptionKey,
+                       byte[] cipherInitVector,
+                       byte[] encryptedContentWithTag,
+                       int authTagLengthBits) {    
+        this.encodedEncryptedContent = Base64UrlUtility.encodeChunk(
+            encryptedContentWithTag, 
+            0, 
+            encryptedContentWithTag.length - authTagLengthBits / 8);
+        this.encodedAuthTag = Base64UrlUtility.encodeChunk(
+            encryptedContentWithTag, 
+            encryptedContentWithTag.length - authTagLengthBits / 8, 
+            encryptedContentWithTag.length);
+        finalizeInit(headers, writer, encryptedContentEncryptionKey, cipherInitVector);
+    }
+    
+    private void finalizeInit(JweHeaders headers,
+                              JwtHeadersWriter writer, 
+                              byte[] encryptedContentEncryptionKey,
+                              byte[] cipherInitVector) {
+        writer = writer == null ? new JwtTokenReaderWriter() : writer;
+        this.encodedHeaders = Base64UrlUtility.encode(writer.headersToJson(headers));
+        this.encodedContentEncryptionKey = Base64UrlUtility.encode(encryptedContentEncryptionKey);
+        this.encodedInitVector = Base64UrlUtility.encode(cipherInitVector);
+    }
+    
+    public String getJweContent() {
+        StringBuilder sb = new StringBuilder();
+        return sb.append(encodedHeaders)
+                 .append('.')
+                 .append(encodedContentEncryptionKey)
+                 .append('.')
+                 .append(encodedInitVector)
+                 .append('.')
+                 .append(encodedEncryptedContent)
+                 .append('.')
+                 .append(encodedAuthTag)
+                 .toString();
+    }
+}
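Review bot: The constructors taking `authTagLengthBits` split `encryptedContentWithTag` at `length - authTagLengthBits / 8` without validating the argument, so a value that is negative, not a multiple of 8, or larger than the array gives a wrong ciphertext/tag boundary or an index error inside `encodeChunk`. A guard before the two `encodeChunk` calls would make the failure explicit, e.g. `if (authTagLengthBits <= 0 || authTagLengthBits % 8 != 0 || authTagLengthBits / 8 > encryptedContentWithTag.length) { throw new IllegalArgumentException("authTagLengthBits"); }`. `encodeChunk` itself is not visible here; the second call passes `encryptedContentWithTag.length` as its third argument, which is right only if that parameter is an end index rather than a length, so that is worth confirming.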

http://git-wip-us.apache.org/repos/asf/cxf/blob/fd0528c0/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweDecryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweDecryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweDecryptor.java
new file mode 100644
index 0000000..f23cdbb
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweDecryptor.java
@@ -0,0 +1,119 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import java.security.Key;
+import java.security.spec.AlgorithmParameterSpec;
+
+import org.apache.cxf.rs.security.oauth2.jwt.Algorithms;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties;
+
+public class JweDecryptor {
+    private JweCompactConsumer jweConsumer;
+    private Key privateKey;
+    private boolean unwrap;
+    private CeProvider ceProvider = new CeProvider();
+    public JweDecryptor(String jweContent, Key privateKey, boolean unwrap) {    
+        this.jweConsumer = new JweCompactConsumer(jweContent);
+        this.privateKey = privateKey;
+        this.unwrap = unwrap;
+    }
+    
+    protected Key getPrivateKey() {
+        return privateKey;
+    }
+    
+    protected byte[] getDecryptedContentEncryptionKey() {
+        // This can be overridden if needed
+        KeyProperties keyProps = new KeyProperties(getKeyEncryptionAlgorithm());
+        if (!unwrap) {
+            keyProps.setBlockSize(getKeyCipherBlockSize());
+            return CryptoUtils.decryptBytes(getEncryptedContentEncryptionKey(), privateKey, keyProps);
+        } else {
+            return CryptoUtils.unwrapSecretKey(getEncryptedContentEncryptionKey(), 
+                                               getContentEncryptionAlgorithm(), 
+                                               privateKey, 
+                                               keyProps).getEncoded();
+        }
+    }
+    protected int getKeyCipherBlockSize() {
+        return -1;
+    }
+    public byte[] getDecryptedContent() {
+        
+        return jweConsumer.getDecryptedContent(ceProvider);
+        
+    }
+    public String getDecryptedContentText() {
+        return jweConsumer.getDecryptedContentText(ceProvider);
+    }
+    public JweHeaders getJweHeaders() {
+        return getJweConsumer().getJweHeaders();
+    }
+    
+    protected AlgorithmParameterSpec getContentDecryptionCipherSpec() {
+        // this can be overridden if needed
+        return CryptoUtils.getContentEncryptionCipherSpec(getEncryptionAuthenticationTagLenBits(), 
+                                                   getContentEncryptionCipherInitVector());
+    }
+    protected String getKeyEncryptionAlgorithm() {
+        return Algorithms.toJavaName(getJweHeaders().getKeyEncryptionAlgorithm());
+    }
+    protected String getContentEncryptionAlgorithm() {
+        return Algorithms.toJavaName(getJweHeaders().getContentEncryptionAlgorithm());
+    }
+    protected byte[] getEncryptedContentEncryptionKey() {
+        return getJweConsumer().getEncryptedContentEncryptionKey();
+    }
+    protected byte[] getContentEncryptionCipherAAD() {
+        return getJweConsumer().getContentEncryptionCipherAAD();
+    }
+    protected byte[] getEncryptedContentWithAuthTag() {
+        return getJweConsumer().getEncryptedContentWithAuthTag();
+    }
+    protected byte[] getContentEncryptionCipherInitVector() { 
+        return getJweConsumer().getContentDecryptionCipherInitVector();
+    }
+    protected byte[] getEncryptionAuthenticationTag() {
+        return getJweConsumer().getEncryptionAuthenticationTag();
+    }
+    protected int getEncryptionAuthenticationTagLenBits() {
+        return getEncryptionAuthenticationTag().length * 8;
+    }
+    protected JweCompactConsumer getJweConsumer() { 
+        return jweConsumer;
+    }
+    
+    private class CeProvider implements ContentEncryptionProvider {
+
+        @Override
+        public byte[] getContentEncryptionKey(JweHeaders headers, byte[] encryptedKey) {
+            return getDecryptedContentEncryptionKey();
+        }
+
+        @Override
+        public AlgorithmParameterSpec getContentEncryptionCipherSpec(JweHeaders headers,
+                                                                     int authTagLength,
+                                                                     byte[] initVector) {
+            return getContentDecryptionCipherSpec();
+        }
+        
+    }
+}
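Review bot: `getKeyEncryptionAlgorithm()` and `getContentEncryptionAlgorithm()` take the cipher names from the headers of the token being decrypted, so the sender rather than the receiver decides which algorithm is run with `privateKey`; nothing in this class compares them with what the deployment expects (`Algorithms.toJavaName` is not visible, so any filtering there is unconfirmed). The constructor should accept the expected key- and content-encryption algorithms and fail with a `SecurityException` when the header values differ, before `getDecryptedContentEncryptionKey()` touches the key. As a smaller point, `CeProvider` ignores its `headers`, `encryptedKey`, `authTagLength` and `initVector` arguments and reads the same values back from the enclosing instance; a one-line comment saying this is intentional would save the next reader the check.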

http://git-wip-us.apache.org/repos/asf/cxf/blob/fd0528c0/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweEncryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweEncryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweEncryptor.java
new file mode 100644
index 0000000..2c2c32b
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweEncryptor.java
@@ -0,0 +1,130 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import java.io.UnsupportedEncodingException;
+import java.security.Key;
+import java.security.spec.AlgorithmParameterSpec;
+
+import org.apache.cxf.rs.security.oauth2.jwt.Algorithms;
+import org.apache.cxf.rs.security.oauth2.jwt.JwtHeadersWriter;
+import org.apache.cxf.rs.security.oauth2.jwt.JwtTokenReaderWriter;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties;
+
+public class JweEncryptor {
+    private Key cekEncryptionKey;
+    private JweHeaders headers;
+    private JwtHeadersWriter writer = new JwtTokenReaderWriter();
+    private byte[] cek;
+    private byte[] iv;
+    private int authTagLen;
+    private boolean wrap;
+    
+    public JweEncryptor(JweHeaders headers, byte[] iv, int authTagLen) {
+        this.headers = headers;
+        this.iv = iv;
+        this.authTagLen = authTagLen;
+    }
+    public JweEncryptor(JweHeaders headers, Key cekEncryptionKey, byte[] cek, byte[] iv, 
+                                   int authTagLen, boolean wrap) {
+        this(headers, iv, authTagLen);
+        this.cekEncryptionKey = cekEncryptionKey;
+        this.cek = cek;
+        this.wrap = wrap;
+    }
+    public JweEncryptor(JweHeaders headers, Key cekEncryptionKey, byte[] cek, byte[] iv, int authTagLen, 
+                                   boolean wrap, JwtHeadersWriter writer) {
+        this(headers, cekEncryptionKey, cek, iv, authTagLen, wrap);
+        if (writer != null) {
+            this.writer = writer;
+        }
+    }
+    
+    protected AlgorithmParameterSpec getContentEncryptionCipherSpec() {
+        return CryptoUtils.getContentEncryptionCipherSpec(getAuthTagLen(), getIv());
+    }
+    
+    protected byte[] getIv() {
+        return iv;
+    }
+    
+    protected byte[] cek() {
+        return cek;
+    }
+    
+    protected byte[] getEncryptedContentEncryptionKey() {
+        if (cekEncryptionKey == null) {
+            // direct key encryption
+            return new byte[]{};
+        } else  {
+            KeyProperties secretKeyProperties = new KeyProperties(getContentEncryptionKeyEncryptionAlgo());
+            if (!wrap) {
+                return CryptoUtils.encryptBytes(cek, cekEncryptionKey, secretKeyProperties);
+            } else {
+                return CryptoUtils.wrapSecretKey(cek, getContentEncryptionAlgo(), cekEncryptionKey, 
+                                                 secretKeyProperties.getKeyAlgo());
+            }
+        }
+    }
+    
+    protected String getContentEncryptionKeyEncryptionAlgo() {
+        return Algorithms.toJavaName(headers.getKeyEncryptionAlgorithm());
+    }
+    protected String getContentEncryptionAlgo() {
+        return Algorithms.toJavaName(headers.getContentEncryptionAlgorithm());
+    }
+    
+    protected int getAuthTagLen() {
+        return authTagLen;
+    }
+    
+    public String getJweContent(byte[] content) {
+        byte[] jweContentEncryptionKey = getEncryptedContentEncryptionKey();
+        
+        String contentEncryptionAlgoJavaName = Algorithms.toJavaName(headers.getContentEncryptionAlgorithm());
+        KeyProperties keyProps = new KeyProperties(contentEncryptionAlgoJavaName);
+        byte[] additionalEncryptionParam = headers.toCipherAdditionalAuthData(writer);
+        keyProps.setAdditionalData(additionalEncryptionParam);
+        AlgorithmParameterSpec specParams = getContentEncryptionCipherSpec();
+        keyProps.setAlgoSpec(specParams);
+        
+        byte[] cipherText = CryptoUtils.encryptBytes(
+            content, 
+            CryptoUtils.createSecretKeySpec(cek, contentEncryptionAlgoJavaName),
+            keyProps);
+        
+        JweCompactProducer producer = new JweCompactProducer(headers, 
+                                             jweContentEncryptionKey,
+                                             iv,
+                                             cipherText,
+                                             getAuthTagLen());
+        return producer.getJweContent();
+    }
+    
+    public String getJweContent(String text) {
+        try {
+            return getJweContent(text.getBytes("UTF-8"));
+        } catch (UnsupportedEncodingException ex) {
+            throw new SecurityException(ex);
+        }
+    }
+    
+    
+}
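Review bot: `getJweContent` reuses the `iv` and `cek` fixed at construction on every call, so encrypting two payloads with one `JweEncryptor` repeats the key/IV pair, which an authenticated mode such as GCM (suggested by the auth-tag parameter) must never do. Either generate a fresh IV per call or document the class as single-use, e.g. `// One instance per message: iv must never be reused with the same cek`. Also, the AAD is computed with the configured `writer` but the producer is built without it, so a custom `JwtHeadersWriter` can yield encoded headers that do not match the AAD; pass it through with `new JweCompactProducer(headers, writer, jweContentEncryptionKey, iv, cipherText, getAuthTagLen())`. The three-argument constructor also leaves `cek` null, which `getJweContent` then hands to `createSecretKeySpec`.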

http://git-wip-us.apache.org/repos/asf/cxf/blob/fd0528c0/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweHeaders.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweHeaders.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweHeaders.java
new file mode 100644
index 0000000..de4395e
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweHeaders.java
@@ -0,0 +1,96 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import java.io.UnsupportedEncodingException;
+import java.util.Map;
+
+import org.apache.cxf.rs.security.oauth2.jwt.JwtConstants;
+import org.apache.cxf.rs.security.oauth2.jwt.JwtHeaders;
+import org.apache.cxf.rs.security.oauth2.jwt.JwtHeadersWriter;
+import org.apache.cxf.rs.security.oauth2.utils.Base64UrlUtility;
+
+
+
+
+public class JweHeaders extends JwtHeaders {
+    
+    public JweHeaders() {
+    }
+    
+    public JweHeaders(Map<String, Object> values) {
+        super(values);
+    }
+    public JweHeaders(String keyEncAlgo, String ctEncAlgo) {
+        this(keyEncAlgo, ctEncAlgo, false);
+    }
+    public JweHeaders(String keyEncAlgo, String ctEncAlgo, boolean deflate) {
+        init(keyEncAlgo, ctEncAlgo, deflate);
+    }
+    
+    private void init(String keyEncAlgo, String ctEncAlgo, boolean deflate) {
+        setKeyEncryptionAlgorithm(keyEncAlgo);
+        setContentEncryptionAlgorithm(ctEncAlgo);
+        if (deflate) {
+            setZipAlgorithm(JwtConstants.DEFLATE_ZIP_ALGORITHM);
+        }
+    }
+    
+    public void setKeyEncryptionAlgorithm(String type) {
+        super.setAlgorithm(type);
+    }
+    
+    public String getKeyEncryptionAlgorithm() {
+        return super.getAlgorithm();
+    }
+    
+    public void setContentEncryptionAlgorithm(String type) {
+        setHeader(JwtConstants.JWE_HEADER_CONTENT_ENC_ALGORITHM, type);
+    }
+    
+    public String getContentEncryptionAlgorithm() {
+        return (String)getHeader(JwtConstants.JWE_HEADER_CONTENT_ENC_ALGORITHM);
+    }
+    
+    public void setZipAlgorithm(String type) {
+        setHeader(JwtConstants.JWE_HEADER_ZIP_ALGORITHM, type);
+    }
+    
+    public String getZipAlgorithm() {
+        return (String)getHeader(JwtConstants.JWE_HEADER_ZIP_ALGORITHM);
+    }
+    
+    @Override
+    public JwtHeaders setHeader(String name, Object value) {
+        return (JwtHeaders)super.setHeader(name, value);
+    }
+    
+    public byte[] toCipherAdditionalAuthData(JwtHeadersWriter writer) { 
+        return toCipherAdditionalAuthData(writer.headersToJson(this));
+    }
+    public static byte[] toCipherAdditionalAuthData(String headersJson) { 
+        try {
+            String base64UrlHeadersInJson = Base64UrlUtility.encode(headersJson.getBytes("UTF-8"));
+            return base64UrlHeadersInJson.getBytes("US-ASCII");
+        } catch (UnsupportedEncodingException ex) {
+            throw new RuntimeException(ex);
+        }
+    }
+}
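Review bot: `toCipherAdditionalAuthData(JwtHeadersWriter)` re-serializes the headers to compute the AAD, and nothing documents that the AAD must match, byte for byte, the Base64url header text emitted as the first part of the compact token. Earlier in this commit JweEncryptor passes `writer` to this method but constructs `JweCompactProducer` from `headers` without it. If the producer serializes with a different writer the authentication tag would not verify, which is worth confirming against JweCompactProducer (not in this hunk). A Javadoc line on both overloads would pin the contract down, for example `/** AAD = ASCII(BASE64URL(UTF8(headers JSON))); the JSON must be byte-identical to the header emitted in the token. */`. Separately, `getContentEncryptionAlgorithm()` and `getZipAlgorithm()` cast the header value to `String`, so a non-string `enc` or `zip` in a header built from a received map would surface as a ClassCastException rather than a controlled rejection.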

http://git-wip-us.apache.org/repos/asf/cxf/blob/fd0528c0/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweDecryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweDecryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweDecryptor.java
new file mode 100644
index 0000000..dfb4b61
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweDecryptor.java
@@ -0,0 +1,33 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import java.security.interfaces.RSAPrivateKey;
+
+public class RSAJweDecryptor extends JweDecryptor {
+    public RSAJweDecryptor(String jweContent, RSAPrivateKey privateKey, boolean unwrap) {    
+        super(jweContent, privateKey, unwrap);
+    }
+    public RSAJweDecryptor(String jweContent, RSAPrivateKey privateKey) {    
+        this(jweContent, privateKey, true);
+    }
+    protected int getKeyCipherBlockSize() {
+        return ((RSAPrivateKey)getPrivateKey()).getModulus().toByteArray().length;
+    }
+}
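Review bot: `getKeyCipherBlockSize()` can overstate the RSA block size by one byte, because `BigInteger.toByteArray()` returns a two's-complement encoding and prepends a zero byte whenever the top bit of the modulus is set (257 bytes for a typical 2048-bit modulus). Deriving the size from the bit length avoids the sign byte: `return (((RSAPrivateKey)getPrivateKey()).getModulus().bitLength() + 7) / 8;`. The method looks like an override of a JweDecryptor hook, so adding `@Override` would let the compiler confirm that; the base class is not part of this hunk.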

http://git-wip-us.apache.org/repos/asf/cxf/blob/fd0528c0/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweEncryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweEncryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweEncryptor.java
new file mode 100644
index 0000000..2311c26
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweEncryptor.java
@@ -0,0 +1,53 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import java.security.interfaces.RSAPublicKey;
+
+import javax.crypto.SecretKey;
+
+import org.apache.cxf.rs.security.oauth2.jwt.Algorithms;
+import org.apache.cxf.rs.security.oauth2.jwt.JwtHeadersWriter;
+
+public class RSAJweEncryptor extends JweEncryptor {
+    public RSAJweEncryptor(RSAPublicKey publicKey, JweHeaders headers, byte[] cek, byte[] iv) {
+        this(publicKey, headers, cek, iv, 128, true);
+    }
+    public RSAJweEncryptor(RSAPublicKey publicKey, SecretKey secretKey, byte[] iv) {
+        this(publicKey, 
+             new JweHeaders(Algorithms.RSA_OAEP_ALGO.getJwtName(),
+                            Algorithms.toJwtName(secretKey.getAlgorithm())), 
+             secretKey.getEncoded(), iv, 128, true);
+    }
+    
+    public RSAJweEncryptor(RSAPublicKey publicKey, JweHeaders headers, byte[] cek, byte[] iv, 
+                           int authTagLen, boolean wrap) {
+        this(publicKey, headers, cek, iv, authTagLen, wrap, null);
+    }
+    
+    public RSAJweEncryptor(RSAPublicKey publicKey, JweHeaders headers, byte[] cek, byte[] iv, 
+                              JwtHeadersWriter writer) {
+        this(publicKey, headers, cek, iv, 128, true, null);
+    }
+    public RSAJweEncryptor(RSAPublicKey publicKey, JweHeaders headers, byte[] cek, byte[] iv, 
+                              int authTagLen, boolean wrap, JwtHeadersWriter writer) {
+        super(headers, publicKey, cek, iv, authTagLen, wrap, writer);
+    }
+    
+}
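Review bot: The five-argument constructor that takes a `JwtHeadersWriter` drops it, since its body calls `this(publicKey, headers, cek, iv, 128, true, null)`, so a caller-supplied writer is silently ignored and the default is presumably used instead. The call should forward the parameter: `this(publicKey, headers, cek, iv, 128, true, writer);`. In the `SecretKey` constructor, `secretKey.getEncoded()` may return null for keys that do not expose their material, and `Algorithms.toJwtName(...)` returns null for an unmapped algorithm. A short Javadoc stating that only extractable keys with a mapped algorithm are supported (or an explicit check) would make that failure mode clear.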

http://git-wip-us.apache.org/repos/asf/cxf/blob/fd0528c0/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsCompactConsumer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsCompactConsumer.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsCompactConsumer.java
new file mode 100644
index 0000000..a7ac432
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsCompactConsumer.java
@@ -0,0 +1,113 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jws;
+
+import java.io.UnsupportedEncodingException;
+
+import org.apache.cxf.common.util.Base64Exception;
+import org.apache.cxf.rs.security.oauth2.jwt.JwtClaims;
+import org.apache.cxf.rs.security.oauth2.jwt.JwtHeaders;
+import org.apache.cxf.rs.security.oauth2.jwt.JwtToken;
+import org.apache.cxf.rs.security.oauth2.jwt.JwtTokenJson;
+import org.apache.cxf.rs.security.oauth2.jwt.JwtTokenReader;
+import org.apache.cxf.rs.security.oauth2.jwt.JwtTokenReaderWriter;
+import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
+import org.apache.cxf.rs.security.oauth2.utils.Base64UrlUtility;
+
+public class JwsCompactConsumer {
+    private JwtTokenReader reader = new JwtTokenReaderWriter();
+    private String encodedSequence;
+    private String encodedSignature;
+    private String headersJson;
+    private String claimsJson;
+    private JwtToken token;
+    public JwsCompactConsumer(String encodedJws) {
+        this(encodedJws, null);
+    }
+    public JwsCompactConsumer(String encodedJws, JwtTokenReader r) {
+        if (r != null) {
+            this.reader = r;
+        }
+        
+        String[] parts = encodedJws.split("\\.");
+        if (parts.length != 3) {
+            if (parts.length == 2 && encodedJws.endsWith(".")) {
+                encodedSignature = "";
+            } else {
+                throw new OAuthServiceException("Invalid JWS Compact sequence");
+            }
+        } else {
+            encodedSignature = parts[2];
+        }
+        headersJson = decodeToString(parts[0]);
+        claimsJson = decodeToString(parts[1]);
+        
+        encodedSequence = parts[0] + "." + parts[1];
+        
+    }
+    public String getUnsignedEncodedToken() {
+        return encodedSequence;
+    }
+    public String getEncodedSignature() {
+        return encodedSignature;
+    }
+    public String getDecodedJsonHeaders() {
+        return headersJson;
+    }
+    public String getDecodedJsonClaims() {
+        return claimsJson;
+    }
+    public JwtTokenJson getDecodedJsonToken() {
+        return new JwtTokenJson(getDecodedJsonHeaders(), getDecodedJsonClaims());
+    }
+    public byte[] getDecodedSignature() {
+        return encodedSignature.isEmpty() ? new byte[]{} : decode(encodedSignature);
+    }
+    public JwtHeaders getJwtHeaders() {
+        return getJwtToken().getHeaders();
+    }
+    public JwtClaims getJwtClaims() {
+        return getJwtToken().getClaims();
+    }
+    public JwtToken getJwtToken() {
+        if (token == null) {
+            token = reader.fromJson(headersJson, claimsJson);
+        }
+        return token;
+    }
+    public void validateSignatureWith(JwsSignatureValidator validator) {
+        validator.validate(getJwtHeaders(), getUnsignedEncodedToken(), getDecodedSignature());
+    }
+    private static String decodeToString(String encoded) {
+        try {
+            return new String(decode(encoded), "UTF-8");
+        } catch (UnsupportedEncodingException ex) {
+            throw new OAuthServiceException(ex);
+        }
+        
+    }
+    
+    private static byte[] decode(String encoded) {
+        try {
+            return Base64UrlUtility.decode(encoded);
+        } catch (Base64Exception ex) {
+            throw new OAuthServiceException(ex);
+        }
+    }
+}
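Review bot: The constructor's segment check is looser than it reads, because `encodedJws.split("\\.")` discards trailing empty strings, so inputs such as `a.b.c.` or `a.b.c..` still produce three parts and are accepted. Using `String[] parts = encodedJws.split("\\.", -1);` keeps the empty segments, lets `parts.length != 3` reject those inputs, and makes the `a.b.` case fall out naturally with `parts[2]` equal to `""`. An empty signature is also accepted at parse time without looking at the `alg` header, so rejecting unsecured tokens depends entirely on the caller invoking `validateSignatureWith` with a validator that refuses an empty signature. That should be stated in a class-level Javadoc, or the constructor should require an explicit opt-in before accepting an empty third segment.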

http://git-wip-us.apache.org/repos/asf/cxf/blob/fd0528c0/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsCompactProducer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsCompactProducer.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsCompactProducer.java
new file mode 100644
index 0000000..d3b6931
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsCompactProducer.java
@@ -0,0 +1,84 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jws;
+
+import org.apache.cxf.common.util.StringUtils;
+import org.apache.cxf.rs.security.oauth2.jwt.JwtClaims;
+import org.apache.cxf.rs.security.oauth2.jwt.JwtConstants;
+import org.apache.cxf.rs.security.oauth2.jwt.JwtHeaders;
+import org.apache.cxf.rs.security.oauth2.jwt.JwtToken;
+import org.apache.cxf.rs.security.oauth2.jwt.JwtTokenReaderWriter;
+import org.apache.cxf.rs.security.oauth2.jwt.JwtTokenWriter;
+import org.apache.cxf.rs.security.oauth2.utils.Base64UrlUtility;
+
+public class JwsCompactProducer {
+    private JwtTokenWriter writer = new JwtTokenReaderWriter();
+    private JwtToken token;
+    private String signature;
+    private String plainRep;
+    
+    public JwsCompactProducer(JwtToken token) {
+        this(token, null);
+    }
+    public JwsCompactProducer(JwtToken token, JwtTokenWriter w) {
+        this.token = token;
+        if (w != null) {
+            this.writer = w;
+        }
+    }
+    public JwsCompactProducer(JwtHeaders headers, JwtClaims claims) {
+        this(headers, claims, null);
+    }
+    public JwsCompactProducer(JwtHeaders headers, JwtClaims claims, JwtTokenWriter w) {
+        this(new JwtToken(headers, claims), w);
+    }
+    
+    public String getUnsignedEncodedToken() {
+        if (plainRep == null) {
+            plainRep = Base64UrlUtility.encode(writer.headersToJson(token.getHeaders())) 
+                + "." 
+                + Base64UrlUtility.encode(writer.claimsToJson(token.getClaims()));
+        }
+        return plainRep;
+    }
+    
+    public String getSignedEncodedToken() {
+        boolean noSignature = StringUtils.isEmpty(signature);
+        if (noSignature && !isPlainText()) {
+            throw new IllegalStateException("Signature is not available");
+        }
+        return getUnsignedEncodedToken() + "." + (noSignature ? "" : signature);
+    }
+    public void signWith(JwsSignatureProvider signer) { 
+        setSignatureOctets(signer.sign(token.getHeaders(), getUnsignedEncodedToken()));
+    }
+    
+    public void setSignatureText(String sig) {
+        setEncodedSignature(Base64UrlUtility.encode(sig));
+    }
+    public void setSignatureOctets(byte[] bytes) {
+        setEncodedSignature(Base64UrlUtility.encode(bytes));
+    }
+    private void setEncodedSignature(String sig) {
+        this.signature = sig;
+    }
+    private boolean isPlainText() {
+        return JwtConstants.PLAIN_TEXT_ALGO.equals(token.getHeaders().getAlgorithm());
+    }
+}
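Review bot: `getUnsignedEncodedToken()` caches `plainRep` on first use and never invalidates it, while the `JwtToken` it serializes stays mutable (JwtClaims in this commit exposes `setClaim` and friends). A header or claim changed after the first call, or after `signWith`, is therefore absent from both the signing input and the emitted token, and a previously set `signature` is kept as well. Either drop the cache or document the contract on the class, for example `/** Headers and claims must be final before getUnsignedEncodedToken() or signWith() is first called; later changes are not serialized or signed. */`. In `signWith`, the signer receives `token.getHeaders()` directly; if an implementation modifies the headers (not visible here) it would hit the same problem.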

http://git-wip-us.apache.org/repos/asf/cxf/blob/fd0528c0/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsSignatureProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsSignatureProvider.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsSignatureProvider.java
new file mode 100644
index 0000000..1e3c44f
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsSignatureProvider.java
@@ -0,0 +1,25 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jws;
+
+import org.apache.cxf.rs.security.oauth2.jwt.JwtHeaders;
+
+public interface JwsSignatureProvider {
+    byte[] sign(JwtHeaders headers, String text);
+}
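Review bot: This interface and JwsSignatureValidator in the next file carry no Javadoc, and their contracts are security-relevant for implementers. For `sign`, the doc should say that `text` is the `BASE64URL(headers) + "." + BASE64URL(claims)` signing input (as JwsCompactProducer passes it) and that the return value is the raw signature octets before Base64url encoding. For `validate`, which returns `void`, the doc should state that a failed check must be signalled by throwing. It should also say that `headers` come from the unverified token, so the implementation should check `alg` against the algorithm its key is configured for rather than choosing the algorithm from the header. It should further state that an empty `signature` array is what the consumer passes for a token with no signature segment.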

http://git-wip-us.apache.org/repos/asf/cxf/blob/fd0528c0/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsSignatureValidator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsSignatureValidator.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsSignatureValidator.java
new file mode 100644
index 0000000..c1ebe71
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsSignatureValidator.java
@@ -0,0 +1,25 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jws;
+
+import org.apache.cxf.rs.security.oauth2.jwt.JwtHeaders;
+
+public interface JwsSignatureValidator {
+    void validate(JwtHeaders headers, String unsignedText, byte[] signature);
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/fd0528c0/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/AbstractJwtObject.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/AbstractJwtObject.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/AbstractJwtObject.java
new file mode 100644
index 0000000..85b1210
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/AbstractJwtObject.java
@@ -0,0 +1,61 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rs.security.oauth2.jwt;
+
+import java.util.LinkedHashMap;
+import java.util.Map;
+
+public abstract class AbstractJwtObject {
+    protected Map<String, Object> values = new LinkedHashMap<String, Object>();
+    
+    protected AbstractJwtObject() {
+        
+    }
+    
+    protected AbstractJwtObject(Map<String, Object> values) {
+        this.values = values;
+    }
+    
+    protected void setValue(String name, Object value) {
+        values.put(name, value);
+    }
+    
+    protected Object getValue(String name) {
+        return values.get(name);
+    }
+
+    public Map<String, Object> asMap() {
+        return new LinkedHashMap<String, Object>(values);
+    }
+    
+    protected Integer getIntDate(String name) {
+        Object object = getValue(name);
+        return object instanceof Integer ? (Integer)object : Integer.valueOf(object.toString());
+    }
+    
+    public int hashCode() { 
+        return values.hashCode();
+    }
+    
+    public boolean equals(Object obj) {
+        return obj instanceof AbstractJwtObject && ((AbstractJwtObject)obj).values.equals(this.values);
+    }
+    
+}
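Review bot: `getIntDate` throws a NullPointerException when the claim is absent, because `object.toString()` is reached with `object == null`. As a result `getExpiryTime()`, `getNotBefore()` and `getIssuedAt()` in JwtClaims fail on any token that omits `exp`, `nbf` or `iat`, instead of returning null for the caller to handle. A guard before the conversion fixes that: `if (object == null) { return null; }`. `Integer.valueOf(object.toString())` also throws NumberFormatException for values outside the int range or with a fractional part, which a JSON reader may well produce for NumericDate, so `Long` would be the safer type if the API can still change. The `Map` constructor keeps the caller's map by reference while `asMap()` returns a copy; copying in the constructor would make the two consistent.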

http://git-wip-us.apache.org/repos/asf/cxf/blob/fd0528c0/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/Algorithms.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/Algorithms.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/Algorithms.java
new file mode 100644
index 0000000..6f20864
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/Algorithms.java
@@ -0,0 +1,100 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rs.security.oauth2.jwt;
+
+import java.util.HashMap;
+import java.util.Map;
+
+
+
+
+public enum Algorithms {
+    // Signature
+    HmacSHA256(JwtConstants.HMAC_SHA_256_ALGO),
+    HmacSHA384(JwtConstants.HMAC_SHA_384_ALGO),
+    HmacSHA512(JwtConstants.HMAC_SHA_512_ALGO),
+    
+    SHA256withRSA(JwtConstants.RS_SHA_256_ALGO),
+    SHA384withRSA(JwtConstants.RS_SHA_384_ALGO),
+    SHA512withRSA(JwtConstants.RS_SHA_512_ALGO),
+    
+    // Key Encryption
+    RSA_OAEP_ALGO(JwtConstants.RSA_OAEP_ALGO, "RSA/ECB/OAEPWithSHA-1AndMGF1Padding"),
+    // Content Encryption
+    A256GCM_ALGO(JwtConstants.A256GCM_ALGO, "AES/GCM/NoPadding");
+    
+    public static final String HMAC_SHA_256_JAVA = "HmacSHA256";
+    public static final String HMAC_SHA_384_JAVA = "HmacSHA384";
+    public static final String HMAC_SHA_512_JAVA = "HmacSHA512";
+    public static final String RS_SHA_256_JAVA = "SHA256withRSA";
+    public static final String RS_SHA_384_JAVA = "SHA384withRSA";
+    public static final String RS_SHA_512_JAVA = "SHA512withRSA";
+    public static final String RSA_OAEP_ALGO_JAVA = "RSA/ECB/OAEPWithSHA-1AndMGF1Padding";
+    public static final String A256GCM_ALGO_JAVA = "AES/GCM/NoPadding";
+    
+    private static final Map<String, String> JAVA_TO_JWT_NAMES;
+    private static final Map<String, String> JWT_TO_JAVA_NAMES;
+    static {
+        JAVA_TO_JWT_NAMES = new HashMap<String, String>();
+        JAVA_TO_JWT_NAMES.put(HMAC_SHA_256_JAVA, JwtConstants.HMAC_SHA_256_ALGO);
+        JAVA_TO_JWT_NAMES.put(HMAC_SHA_384_JAVA, JwtConstants.HMAC_SHA_384_ALGO);
+        JAVA_TO_JWT_NAMES.put(HMAC_SHA_512_JAVA, JwtConstants.HMAC_SHA_512_ALGO);
+        JAVA_TO_JWT_NAMES.put(RS_SHA_256_JAVA, JwtConstants.RS_SHA_256_ALGO);
+        JAVA_TO_JWT_NAMES.put(RS_SHA_384_JAVA, JwtConstants.RS_SHA_384_ALGO);
+        JAVA_TO_JWT_NAMES.put(RS_SHA_512_JAVA, JwtConstants.RS_SHA_512_ALGO);
+        JAVA_TO_JWT_NAMES.put(RSA_OAEP_ALGO_JAVA, JwtConstants.RSA_OAEP_ALGO);
+        JAVA_TO_JWT_NAMES.put(A256GCM_ALGO_JAVA, JwtConstants.A256GCM_ALGO);
+        JWT_TO_JAVA_NAMES = new HashMap<String, String>();
+        JWT_TO_JAVA_NAMES.put(JwtConstants.HMAC_SHA_256_ALGO, HMAC_SHA_256_JAVA);
+        JWT_TO_JAVA_NAMES.put(JwtConstants.HMAC_SHA_384_ALGO, HMAC_SHA_384_JAVA);
+        JWT_TO_JAVA_NAMES.put(JwtConstants.HMAC_SHA_512_ALGO, HMAC_SHA_512_JAVA);
+        JWT_TO_JAVA_NAMES.put(JwtConstants.RS_SHA_256_ALGO, RS_SHA_256_JAVA);
+        JWT_TO_JAVA_NAMES.put(JwtConstants.RS_SHA_384_ALGO, RS_SHA_384_JAVA);
+        JWT_TO_JAVA_NAMES.put(JwtConstants.RS_SHA_512_ALGO, RS_SHA_512_JAVA);
+        JWT_TO_JAVA_NAMES.put(JwtConstants.RSA_OAEP_ALGO, RSA_OAEP_ALGO_JAVA);
+        JWT_TO_JAVA_NAMES.put(JwtConstants.A256GCM_ALGO, A256GCM_ALGO_JAVA);
+    }
+    private final String jwtName;
+    private final String javaName;
+
+    private Algorithms(String jwtName) {
+        this(jwtName, null);
+    }
+    private Algorithms(String jwtName, String javaName) {
+        this.jwtName = jwtName;
+        this.javaName = javaName;
+    }
+
+    public String getJwtName() {
+        return jwtName;
+    }
+
+    public String getJavaName() {
+        return javaName == null ? name() : javaName;
+    }
+
+    public static String toJwtName(String javaName) {    
+        return JAVA_TO_JWT_NAMES.get(javaName);
+    }
+    public static String toJavaName(String jwtName) {    
+        return JWT_TO_JAVA_NAMES.get(jwtName);
+    }
+    
+}
\ No newline at end of file
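Review bot: `toJavaName` and `toJwtName` return null for any name not in the two maps, and the callers in this commit use the result unchecked: JweEncryptor passes `Algorithms.toJavaName(headers.getContentEncryptionAlgorithm())` straight into `new KeyProperties(...)`. For an `alg` or `enc` value taken from a received header this turns an unsupported algorithm into a later null failure rather than a clear rejection. Throwing on a miss would fix that, but at minimum the Javadoc should say `@return the mapped name, or null if the algorithm is not supported`. The two static maps also repeat what the enum constants already hold, so they could be filled by looping over `values()` with `getJavaName()` and `getJwtName()`, which keeps the three lists from drifting apart.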

http://git-wip-us.apache.org/repos/asf/cxf/blob/fd0528c0/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtClaims.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtClaims.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtClaims.java
new file mode 100644
index 0000000..5cef4fc
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtClaims.java
@@ -0,0 +1,100 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rs.security.oauth2.jwt;
+
+import java.util.Map;
+
+
+
+
+public class JwtClaims extends AbstractJwtObject {
+    
+    public JwtClaims() {
+    }
+    
+    public JwtClaims(Map<String, Object> values) {
+        super(values);
+    }
+    
+    public void setIssuer(String issuer) {
+        setClaim(JwtConstants.CLAIM_ISSUER, issuer);
+    }
+    
+    public String getIssuer() {
+        return (String)getValue(JwtConstants.CLAIM_ISSUER);
+    }
+    
+    public void setSubject(String subject) {
+        setClaim(JwtConstants.CLAIM_SUBJECT, subject);
+    }
+    
+    public String getSubject() {
+        return (String)getClaim(JwtConstants.CLAIM_SUBJECT);
+    }
+    
+    public void setAudience(String audience) {
+        setClaim(JwtConstants.CLAIM_AUDIENCE, audience);
+    }
+    
+    public String getAudience() {
+        return (String)getClaim(JwtConstants.CLAIM_AUDIENCE);
+    }
+    
+    public void setExpiryTime(Integer expiresIn) {
+        setClaim(JwtConstants.CLAIM_EXPIRY, expiresIn);
+    }
+    
+    public Integer getExpiryTime() {
+        return getIntDate(JwtConstants.CLAIM_EXPIRY);
+    }
+    
+    public void setNotBefore(Integer notBefore) {
+        setClaim(JwtConstants.CLAIM_NOT_BEFORE, notBefore);
+    }
+    
+    public Integer getNotBefore() {
+        return getIntDate(JwtConstants.CLAIM_NOT_BEFORE);
+    }
+    
+    public void setIssuedAt(Integer issuedAt) {
+        setClaim(JwtConstants.CLAIM_ISSUED_AT, issuedAt);
+    }
+    
+    public Integer getIssuedAt() {
+        return getIntDate(JwtConstants.CLAIM_ISSUED_AT);
+    }
+    
+    public void setTokenId(String id) {
+        setValue(JwtConstants.CLAIM_JWT_ID, id);
+    }
+    
+    public String getTokenId() {
+        return (String)getClaim(JwtConstants.CLAIM_JWT_ID);
+    }
+    
+    public JwtClaims setClaim(String name, Object value) {
+        setValue(name, value);
+        return this;
+    }
+    
+    public Object getClaim(String name) {
+        return getValue(name);
+    }
+}
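Review bot: `getAudience()` casts the claim to `String`, but the JWT `aud` claim may be an array of strings as well as a single string. A token parsed with an array-valued `aud` would then raise ClassCastException here, assuming the reader stores it as a list (the reader is not in this hunk). Returning the raw value or handling both shapes would avoid that, or at least document the limitation with `/** Supports a single-valued aud only. */`. As a style point, `getIssuer()` and `setTokenId()` go through `getValue`/`setValue` while every other accessor uses `getClaim`/`setClaim`; using the claim accessors throughout keeps the class uniform.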

http://git-wip-us.apache.org/repos/asf/cxf/blob/fd0528c0/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtConstants.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtConstants.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtConstants.java
new file mode 100644
index 0000000..f7fb859
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtConstants.java
@@ -0,0 +1,65 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rs.security.oauth2.jwt;
+
+public final class JwtConstants {
+    public static final String HEADER_TYPE = "typ";
+    public static final String HEADER_ALGORITHM = "alg";
+    public static final String HEADER_CONTENT_TYPE = "cty";
+    public static final String HEADER_CRITICAL = "crit";
+    
+    public static final String HEADER_KEY_ID = "kid";
+    public static final String HEADER_X509_URL = "x5u";
+    public static final String HEADER_X509_CHAIN = "x5c";
+    public static final String HEADER_X509_THUMBPRINT = "x5t";
+    public static final String HEADER_JSON_WEB_KEY = "jwk";
+    public static final String HEADER_JSON_WEB_KEY_SET = "jku";
+    
+    public static final String JWE_HEADER_KEY_ENC_ALGORITHM = HEADER_ALGORITHM;
+    public static final String JWE_HEADER_CONTENT_ENC_ALGORITHM = "enc";
+    public static final String JWE_HEADER_ZIP_ALGORITHM = "zip";
+    public static final String DEFLATE_ZIP_ALGORITHM = "DEF";
+    
+    public static final String TYPE_JWT = "JWT";
+    public static final String TYPE_JOSE = "JOSE";
+    public static final String TYPE_JOSE_JSON = "JOSE+JSON";
+    
+    public static final String CLAIM_ISSUER = "iss";
+    public static final String CLAIM_SUBJECT = "sub";
+    public static final String CLAIM_AUDIENCE = "aud";
+    public static final String CLAIM_EXPIRY = "exp";
+    public static final String CLAIM_NOT_BEFORE = "nbf";
+    public static final String CLAIM_ISSUED_AT = "iat";
+    public static final String CLAIM_JWT_ID = "jti";
+    
+    public static final String PLAIN_TEXT_ALGO = "none";
+    public static final String HMAC_SHA_256_ALGO = "HS256";
+    public static final String HMAC_SHA_384_ALGO = "HS384";
+    public static final String HMAC_SHA_512_ALGO = "HS512";
+    public static final String RS_SHA_256_ALGO = "RS256";
+    public static final String RS_SHA_384_ALGO = "RS384";
+    public static final String RS_SHA_512_ALGO = "RS512";
+    public static final String RSA_OAEP_ALGO = "RSA-OAEP";
+    public static final String A256GCM_ALGO = "A256GCM";
+    
+    private JwtConstants() {
+        
+    }
+}
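Review bot: `PLAIN_TEXT_ALGO` is declared in the same group as the HMAC and RSA signature algorithms with nothing to mark that `none` means a token with no integrity protection. I would put a comment above it, such as `// Unsecured JWT ("none"): no signature or MAC; consumers should reject it unless explicitly configured to accept it`. Whether the consumers added elsewhere in this commit gate on this value cannot be seen from this hunk. A smaller naming point: `HEADER_JSON_WEB_KEY_SET` maps to `jku`, which is a URL pointing at a key set rather than the set itself, so a name ending in `_URL` would be consistent with `HEADER_X509_URL`.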

http://git-wip-us.apache.org/repos/asf/cxf/blob/fd0528c0/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtHeaders.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtHeaders.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtHeaders.java
new file mode 100644
index 0000000..96cc6f7
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtHeaders.java
@@ -0,0 +1,122 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rs.security.oauth2.jwt;
+
+import java.util.List;
+import java.util.Map;
+
+import org.apache.cxf.helpers.CastUtils;
+import org.apache.cxf.rs.security.oauth2.jwt.jwk.JsonWebKey;
+
+public class JwtHeaders extends AbstractJwtObject {
+    
+    public JwtHeaders() {
+    }
+    
+    public JwtHeaders(Map<String, Object> values) {
+        super(values);
+    }
+    
+    public void setType(String type) {
+        setHeader(JwtConstants.HEADER_TYPE, type);
+    }
+    
+    public String getType() {
+        return (String)getHeader(JwtConstants.HEADER_TYPE);
+    }
+    
+    public void setContentType(String type) {
+        setHeader(JwtConstants.HEADER_CONTENT_TYPE, type);
+    }
+    
+    public String getContentType() {
+        return (String)getHeader(JwtConstants.HEADER_CONTENT_TYPE);
+    }
+    
+    public void setAlgorithm(String algo) {
+        setHeader(JwtConstants.HEADER_ALGORITHM, algo);
+    }
+    
+    public String getAlgorithm() {
+        return (String)getHeader(JwtConstants.HEADER_ALGORITHM);
+    }
+    
+    public void setKeyId(String kid) {
+        setHeader(JwtConstants.HEADER_KEY_ID, kid);
+    }
+    
+    public String getKeyId() {
+        return (String)getHeader(JwtConstants.HEADER_KEY_ID);
+    }
+    
+    public void setX509Url(String x509Url) {
+        setHeader(JwtConstants.HEADER_X509_URL, x509Url);
+    }
+
+    public String getX509Url() {
+        return (String)getHeader(JwtConstants.HEADER_X509_URL);
+    }
+    
+    public void setX509Chain(String x509Chain) {
+        setHeader(JwtConstants.HEADER_X509_CHAIN, x509Chain);
+    }
+
+    public String getX509Chain() {
+        return (String)getHeader(JwtConstants.HEADER_X509_CHAIN);
+    }
+    
+    public void setX509Thumbprint(String x509Thumbprint) {
+        setHeader(JwtConstants.HEADER_X509_THUMBPRINT, x509Thumbprint);
+    }
+    
+    public String getX509Thumbprint() {
+        return (String)getHeader(JwtConstants.HEADER_X509_THUMBPRINT);
+    }
+    
+    public void setCritical(List<String> crit) {
+        setHeader(JwtConstants.HEADER_CRITICAL, crit);
+    }
+    
+    public List<String> getCritical() {
+        return CastUtils.cast((List<?>)getHeader(JwtConstants.HEADER_CRITICAL));
+    }
+    
+    public void setJsonWebKey(JsonWebKey key) {
+        setValue(JwtConstants.HEADER_JSON_WEB_KEY, key);
+    }
+    
+    public JsonWebKey getJsonWebKey() {
+        Object jsonWebKey = getValue(JwtConstants.HEADER_JSON_WEB_KEY);
+        if (jsonWebKey == null || jsonWebKey instanceof JsonWebKey) {
+            return (JsonWebKey)jsonWebKey;
+        }  
+        Map<String, Object> map = CastUtils.cast((Map<?, ?>)jsonWebKey);
+        return new JsonWebKey(map);
+    }
+    
+    public JwtHeaders setHeader(String name, Object value) {
+        setValue(name, value);
+        return this;
+    }
+    
+    public Object getHeader(String name) {
+        return getValue(name);
+    }
+}
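Review bot: `getX509Chain` casts the `x5c` value to `String`, but the JWS specification defines `x5c` as a JSON array of certificate strings, so a header map built from a conformant token would presumably hold a list and the cast would throw `ClassCastException`. Following the pattern already used by `getCritical`, the pair could become `public void setX509Chain(List<String> x509Chain)` and `public List<String> getX509Chain() { return CastUtils.cast((List<?>)getHeader(JwtConstants.HEADER_X509_CHAIN)); }`. The other getters have the same unchecked shape: when the map passed to `JwtHeaders(Map)` comes from parsed token text, a non-string `alg` or `kid`, or a `jwk` that is not an object in `getJsonWebKey`, surfaces as a `ClassCastException` rather than a validation error. How the reader populates the map is outside this hunk, so that part is an assumption to confirm.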

http://git-wip-us.apache.org/repos/asf/cxf/blob/fd0528c0/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtHeadersReader.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtHeadersReader.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtHeadersReader.java
new file mode 100644
index 0000000..3527428
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtHeadersReader.java
@@ -0,0 +1,24 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwt;
+
+
+public interface JwtHeadersReader {
+    JwtHeaders fromJsonHeaders(String jsonHeaders);
+}
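Review bot: `fromJsonHeaders` has no Javadoc stating what an implementation must do with malformed or non-object JSON. The same gap applies to `fromJsonClaims` and both `fromJson` overloads in the JwtTokenReader hunk further down. These methods presumably receive text taken from a token, so the contract should say whether they throw (and which exception) or return null, and that the returned object is only parsed, not verified. Something like `/** Parses a JSON header object. Throws <exception type> if the input is not a JSON object. The result has not been signature-checked. */` would be enough.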

http://git-wip-us.apache.org/repos/asf/cxf/blob/fd0528c0/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtHeadersWriter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtHeadersWriter.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtHeadersWriter.java
new file mode 100644
index 0000000..0a7213c
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtHeadersWriter.java
@@ -0,0 +1,27 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwt;
+
+
+
+public interface JwtHeadersWriter {
+    
+    String headersToJson(JwtHeaders headers);
+    
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/fd0528c0/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtToken.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtToken.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtToken.java
new file mode 100644
index 0000000..15f1b8b
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtToken.java
@@ -0,0 +1,45 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwt;
+
+
+
+public class JwtToken {
+    private JwtHeaders headers;
+    private JwtClaims claims;
+    public JwtToken(JwtHeaders headers, JwtClaims claims) {
+        this.headers = headers;
+        this.claims = claims;
+    }
+    public JwtHeaders getHeaders() {
+        return headers;
+    }
+    public JwtClaims getClaims() {
+        return claims;
+    }
+    public int hashCode() { 
+        return headers.hashCode() + 37 * claims.hashCode();
+    }
+    
+    public boolean equals(Object obj) {
+        return obj instanceof JwtToken 
+            && ((JwtToken)obj).headers.equals(this.headers)
+            && ((JwtToken)obj).claims.equals(this.claims);
+    }
+}
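Review bot: `hashCode` and `equals` dereference `headers` and `claims` unconditionally, while the constructor accepts null for either, so a token built with a null part throws `NullPointerException` as soon as it is compared or used as a map key. I would reject null in the constructor, `if (headers == null || claims == null) { throw new IllegalArgumentException("headers and claims are required"); }`, and declare both fields `final`. Both overrides are also missing `@Override`. Value equality here depends on `JwtHeaders` and `JwtClaims` implementing `equals`/`hashCode`, presumably through `AbstractJwtObject`, which is not visible in this hunk.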

http://git-wip-us.apache.org/repos/asf/cxf/blob/fd0528c0/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtTokenJson.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtTokenJson.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtTokenJson.java
new file mode 100644
index 0000000..646fb0a
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtTokenJson.java
@@ -0,0 +1,37 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwt;
+
+
+
+public class JwtTokenJson {
+    private String headersJson;
+    private String claimsJson;
+    public JwtTokenJson(String headersJson, String claimsJson) {
+        this.headersJson = headersJson;
+        this.claimsJson = claimsJson;
+    }
+    public String getHeadersJson() {
+        return headersJson;
+    }
+    public String getClaimsJson() {
+        return claimsJson;
+    }
+    
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/fd0528c0/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtTokenReader.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtTokenReader.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtTokenReader.java
new file mode 100644
index 0000000..9be3a0a
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtTokenReader.java
@@ -0,0 +1,26 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwt;
+
+
+public interface JwtTokenReader extends JwtHeadersReader {
+    JwtClaims fromJsonClaims(String jsonClaims);
+    JwtToken fromJson(String jsonHeaders, String jsonClaims);
+    JwtToken fromJson(JwtTokenJson jsonPair);
+}

