cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From serg...@apache.org
Subject [2/2] git commit: [CXF-5311] Working toward finalizing the interfaces
Date Tue, 15 Jul 2014 13:02:31 GMT
[CXF-5311] Working toward finalizing the interfaces


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/50c57d9b
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/50c57d9b
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/50c57d9b

Branch: refs/heads/master
Commit: 50c57d9bec5f088086548d00afb70796cd0a7e91
Parents: 217d41a
Author: Sergey Beryozkin <sberyozkin@talend.com>
Authored: Tue Jul 15 14:02:15 2014 +0100
Committer: Sergey Beryozkin <sberyozkin@talend.com>
Committed: Tue Jul 15 14:02:15 2014 +0100

----------------------------------------------------------------------
 .../oauth2/jwe/AbstractJweDecryption.java       |  89 +++++++++
 .../oauth2/jwe/AbstractJweDecryptor.java        |  89 ---------
 .../oauth2/jwe/AbstractJweEncryption.java       | 169 +++++++++++++++++
 .../oauth2/jwe/AbstractJweEncryptor.java        | 184 -------------------
 .../oauth2/jwe/DirectKeyJweDecryption.java      |  40 ++++
 .../oauth2/jwe/DirectKeyJweDecryptor.java       |  40 ----
 .../oauth2/jwe/DirectKeyJweEncryption.java      |  39 ++++
 .../oauth2/jwe/DirectKeyJweEncryptor.java       |  39 ----
 .../rs/security/oauth2/jwe/JweDecryption.java   |  24 +++
 .../rs/security/oauth2/jwe/JweDecryptor.java    |  24 ---
 .../rs/security/oauth2/jwe/JweEncryption.java   |  60 ++++++
 .../oauth2/jwe/JweEncryptionProvider.java       |  26 +++
 .../rs/security/oauth2/jwe/JweEncryptor.java    |  27 ---
 .../security/oauth2/jwe/RSAJweDecryption.java   |  40 ++++
 .../rs/security/oauth2/jwe/RSAJweDecryptor.java |  40 ----
 .../security/oauth2/jwe/RSAJweEncryption.java   |  62 +++++++
 .../rs/security/oauth2/jwe/RSAJweEncryptor.java |  62 -------
 .../oauth2/jwe/WrappedKeyJweDecryption.java     |  67 +++++++
 .../oauth2/jwe/WrappedKeyJweDecryptor.java      |  67 -------
 .../oauth2/jwe/WrappedKeyJweEncryption.java     |  77 ++++++++
 .../oauth2/jwe/WrappedKeyJweEncryptor.java      |  77 --------
 .../jws/AbstractJwsSignatureProvider.java       |  26 +--
 .../oauth2/jws/HmacJwsSignatureProvider.java    |  12 +-
 .../security/oauth2/jws/JwsCompactProducer.java |  12 +-
 .../rs/security/oauth2/jws/JwsOutputStream.java |   4 +-
 .../rs/security/oauth2/jws/JwsSignature.java    |  25 +++
 .../oauth2/jws/JwsSignatureProvider.java        |   6 +-
 .../oauth2/jws/JwsSignatureProviderWorker.java  |  25 ---
 .../jws/PrivateKeyJwsSignatureProvider.java     |  19 +-
 .../jwt/jaxrs/AbstractJweDecryptingFilter.java  |  20 +-
 .../oauth2/jwt/jaxrs/JweWriterInterceptor.java  |  50 ++++-
 .../oauth2/jwt/jaxrs/JwsWriterInterceptor.java  |  19 +-
 .../oauth2/jwe/JweCompactReaderWriterTest.java  |   8 +-
 33 files changed, 811 insertions(+), 757 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/50c57d9b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweDecryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweDecryption.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweDecryption.java
new file mode 100644
index 0000000..5837e66
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweDecryption.java
@@ -0,0 +1,89 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import java.security.spec.AlgorithmParameterSpec;
+
+import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
+
+public abstract class AbstractJweDecryption implements JweDecryption {
+    private JweCryptoProperties props;
+    protected AbstractJweDecryption(JweCryptoProperties props) {
+        this.props = props;
+    }
+    
+    protected abstract byte[] getContentEncryptionKey(JweCompactConsumer consumer);
+    
+    public JweDecryptionOutput decrypt(String content) {
+        JweCompactConsumer consumer = new JweCompactConsumer(content, props);
+        return doDecrypt(consumer);
+    }
+    
+    protected JweDecryptionOutput doDecrypt(JweCompactConsumer consumer) {
+        CeProvider ceProvider = new CeProvider(consumer);
+        byte[] bytes = consumer.getDecryptedContent(ceProvider);
+        return new JweDecryptionOutput(consumer.getJweHeaders(), bytes);
+    }
+    protected byte[] getEncryptedContentEncryptionKey(JweCompactConsumer consumer) {
+        return consumer.getEncryptedContentEncryptionKey();
+    }
+    protected AlgorithmParameterSpec getContentDecryptionCipherSpec(JweCompactConsumer consumer) {
+        return CryptoUtils.getContentEncryptionCipherSpec(getEncryptionAuthenticationTagLenBits(consumer), 
+                                                   getContentEncryptionCipherInitVector(consumer));
+    }
+    protected String getContentEncryptionAlgorithm(JweCompactConsumer consumer) {
+        return Algorithm.toJavaName(consumer.getJweHeaders().getContentEncryptionAlgorithm());
+    }
+    protected byte[] getContentEncryptionCipherAAD(JweCompactConsumer consumer) {
+        return consumer.getContentEncryptionCipherAAD();
+    }
+    protected byte[] getEncryptedContentWithAuthTag(JweCompactConsumer consumer) {
+        return consumer.getEncryptedContentWithAuthTag();
+    }
+    protected byte[] getContentEncryptionCipherInitVector(JweCompactConsumer consumer) { 
+        return consumer.getContentDecryptionCipherInitVector();
+    }
+    protected byte[] getEncryptionAuthenticationTag(JweCompactConsumer consumer) {
+        return consumer.getEncryptionAuthenticationTag();
+    }
+    protected int getEncryptionAuthenticationTagLenBits(JweCompactConsumer consumer) {
+        return getEncryptionAuthenticationTag(consumer).length * 8;
+    }
+    
+    protected class CeProvider implements ContentEncryptionProvider {
+
+        private JweCompactConsumer consumer;
+        public CeProvider(JweCompactConsumer consumer) {
+            this.consumer = consumer;
+        }
+        @Override
+        public byte[] getContentEncryptionKey(JweHeaders headers, byte[] encryptedKey) {
+            return AbstractJweDecryption.this.getContentEncryptionKey(consumer);
+        }
+
+        @Override
+        public AlgorithmParameterSpec getContentEncryptionCipherSpec(JweHeaders headers,
+                                                                     int authTagLength,
+                                                                     byte[] initVector) {
+            return getContentDecryptionCipherSpec(consumer);
+        }
+        
+    }
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/50c57d9b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweDecryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweDecryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweDecryptor.java
deleted file mode 100644
index 1279e7f..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweDecryptor.java
+++ /dev/null
@@ -1,89 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwe;
-
-import java.security.spec.AlgorithmParameterSpec;
-
-import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
-
-public abstract class AbstractJweDecryptor implements JweDecryptor {
-    private JweCryptoProperties props;
-    protected AbstractJweDecryptor(JweCryptoProperties props) {
-        this.props = props;
-    }
-    
-    protected abstract byte[] getContentEncryptionKey(JweCompactConsumer consumer);
-    
-    public JweDecryptionOutput decrypt(String content) {
-        JweCompactConsumer consumer = new JweCompactConsumer(content, props);
-        return doDecrypt(consumer);
-    }
-    
-    protected JweDecryptionOutput doDecrypt(JweCompactConsumer consumer) {
-        CeProvider ceProvider = new CeProvider(consumer);
-        byte[] bytes = consumer.getDecryptedContent(ceProvider);
-        return new JweDecryptionOutput(consumer.getJweHeaders(), bytes);
-    }
-    protected byte[] getEncryptedContentEncryptionKey(JweCompactConsumer consumer) {
-        return consumer.getEncryptedContentEncryptionKey();
-    }
-    protected AlgorithmParameterSpec getContentDecryptionCipherSpec(JweCompactConsumer consumer) {
-        return CryptoUtils.getContentEncryptionCipherSpec(getEncryptionAuthenticationTagLenBits(consumer), 
-                                                   getContentEncryptionCipherInitVector(consumer));
-    }
-    protected String getContentEncryptionAlgorithm(JweCompactConsumer consumer) {
-        return Algorithm.toJavaName(consumer.getJweHeaders().getContentEncryptionAlgorithm());
-    }
-    protected byte[] getContentEncryptionCipherAAD(JweCompactConsumer consumer) {
-        return consumer.getContentEncryptionCipherAAD();
-    }
-    protected byte[] getEncryptedContentWithAuthTag(JweCompactConsumer consumer) {
-        return consumer.getEncryptedContentWithAuthTag();
-    }
-    protected byte[] getContentEncryptionCipherInitVector(JweCompactConsumer consumer) { 
-        return consumer.getContentDecryptionCipherInitVector();
-    }
-    protected byte[] getEncryptionAuthenticationTag(JweCompactConsumer consumer) {
-        return consumer.getEncryptionAuthenticationTag();
-    }
-    protected int getEncryptionAuthenticationTagLenBits(JweCompactConsumer consumer) {
-        return getEncryptionAuthenticationTag(consumer).length * 8;
-    }
-    
-    protected class CeProvider implements ContentEncryptionProvider {
-
-        private JweCompactConsumer consumer;
-        public CeProvider(JweCompactConsumer consumer) {
-            this.consumer = consumer;
-        }
-        @Override
-        public byte[] getContentEncryptionKey(JweHeaders headers, byte[] encryptedKey) {
-            return AbstractJweDecryptor.this.getContentEncryptionKey(consumer);
-        }
-
-        @Override
-        public AlgorithmParameterSpec getContentEncryptionCipherSpec(JweHeaders headers,
-                                                                     int authTagLength,
-                                                                     byte[] initVector) {
-            return getContentDecryptionCipherSpec(consumer);
-        }
-        
-    }
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/50c57d9b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryption.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryption.java
new file mode 100644
index 0000000..871bfd8
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryption.java
@@ -0,0 +1,169 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import java.security.spec.AlgorithmParameterSpec;
+import java.util.concurrent.atomic.AtomicInteger;
+
+import javax.crypto.Cipher;
+import javax.crypto.SecretKey;
+
+import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
+import org.apache.cxf.rs.security.oauth2.jwt.JwtConstants;
+import org.apache.cxf.rs.security.oauth2.jwt.JwtHeadersWriter;
+import org.apache.cxf.rs.security.oauth2.jwt.JwtTokenReaderWriter;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties;
+
+public abstract class AbstractJweEncryption implements JweEncryptionProvider {
+    protected static final int DEFAULT_IV_SIZE = 96;
+    protected static final int DEFAULT_AUTH_TAG_LENGTH = 128;
+    private JweHeaders headers;
+    private JwtHeadersWriter writer = new JwtTokenReaderWriter();
+    private byte[] cek;
+    private byte[] iv;
+    private AtomicInteger providedIvUsageCount;
+    private int authTagLen = DEFAULT_AUTH_TAG_LENGTH;
+    
+    protected AbstractJweEncryption(SecretKey cek, byte[] iv) {
+        this(new JweHeaders(Algorithm.toJwtName(cek.getAlgorithm(),
+                                                cek.getEncoded().length * 8)),
+                                                cek.getEncoded(), iv);
+    }
+    protected AbstractJweEncryption(JweHeaders headers, byte[] cek, byte[] iv) {
+        this.headers = headers;
+        this.cek = cek;
+        this.iv = iv;
+        if (iv != null && iv.length > 0) {
+            providedIvUsageCount = new AtomicInteger();
+        }
+    }
+    protected AbstractJweEncryption(JweHeaders headers, byte[] cek, byte[] iv, int authTagLen) {
+        this(headers, cek, iv);
+        this.authTagLen = authTagLen;
+    }
+    protected AbstractJweEncryption(JweHeaders headers) {
+        this.headers = headers;
+    }
+    protected AbstractJweEncryption(JweHeaders headers, byte[] cek, byte[] iv, int authTagLen, 
+                                   JwtHeadersWriter writer) {
+        this(headers, cek, iv, authTagLen);
+        if (writer != null) {
+            this.writer = writer;
+        }
+    }
+    
+    protected AlgorithmParameterSpec getContentEncryptionCipherSpec(byte[] theIv) {
+        return CryptoUtils.getContentEncryptionCipherSpec(getAuthTagLen(), theIv);
+    }
+    
+    protected byte[] getContentEncryptionCipherInitVector() {
+        if (iv == null) {
+            return CryptoUtils.generateSecureRandomBytes(DEFAULT_IV_SIZE);
+        } else if (iv.length > 0 && providedIvUsageCount.addAndGet(1) > 1) {
+            throw new SecurityException();
+        } else {
+            return iv;
+        }
+    }
+    
+    protected byte[] getContentEncryptionKey() {
+        return cek;
+    }
+    
+    protected abstract byte[] getEncryptedContentEncryptionKey(byte[] theCek);
+    
+    protected String getContentEncryptionAlgoJwt() {
+        return headers.getContentEncryptionAlgorithm();
+    }
+    protected String getContentEncryptionAlgoJava() {
+        return Algorithm.toJavaName(getContentEncryptionAlgoJwt());
+    }
+    
+    protected int getAuthTagLen() {
+        return authTagLen;
+    }
+    protected JweHeaders getJweHeaders() {
+        return headers;
+    }
+    public String encrypt(byte[] content, String contentType) {
+        JweEncryptionInternal state = getInternalState(contentType);
+        
+        byte[] cipherText = CryptoUtils.encryptBytes(
+            content, 
+            state.secretKey,
+            state.keyProps);
+        
+        
+        JweCompactProducer producer = new JweCompactProducer(state.theHeaders, 
+                                             writer,                
+                                             state.jweContentEncryptionKey,
+                                             state.theIv,
+                                             cipherText,
+                                             getAuthTagLen());
+        return producer.getJweContent();
+    }
+    
+    @Override
+    public JweEncryption createJweEncryption(String contentType) {
+        JweEncryptionInternal state = getInternalState(contentType);
+        Cipher c = CryptoUtils.initCipher(state.secretKey, state.keyProps, 
+                                          Cipher.ENCRYPT_MODE);
+        return new JweEncryption(c, getAuthTagLen(), state.theHeaders, state.jweContentEncryptionKey, 
+                                state.theIv, state.keyProps.isCompressionSupported());
+    }
+    
+    private JweEncryptionInternal getInternalState(String contentType) {
+        JweHeaders theHeaders = headers;
+        if (contentType != null) {
+            theHeaders = new JweHeaders(theHeaders.asMap());
+            theHeaders.setContentType(contentType);
+        }
+        
+        byte[] theCek = getContentEncryptionKey();
+        String contentEncryptionAlgoJavaName = Algorithm.toJavaName(theHeaders.getContentEncryptionAlgorithm());
+        KeyProperties keyProps = new KeyProperties(contentEncryptionAlgoJavaName);
+        keyProps.setCompressionSupported(compressionRequired(theHeaders));
+        byte[] additionalEncryptionParam = theHeaders.toCipherAdditionalAuthData(writer);
+        keyProps.setAdditionalData(additionalEncryptionParam);
+        
+        byte[] theIv = getContentEncryptionCipherInitVector();
+        AlgorithmParameterSpec specParams = getContentEncryptionCipherSpec(theIv);
+        keyProps.setAlgoSpec(specParams);
+        byte[] jweContentEncryptionKey = getEncryptedContentEncryptionKey(theCek);
+        JweEncryptionInternal state = new JweEncryptionInternal();
+        state.theHeaders = theHeaders;
+        state.jweContentEncryptionKey = jweContentEncryptionKey;
+        state.keyProps = keyProps;
+        state.secretKey = CryptoUtils.createSecretKeySpec(theCek, 
+                                        contentEncryptionAlgoJavaName);
+        state.theIv = theIv;
+        return state;
+    }
+    private boolean compressionRequired(JweHeaders theHeaders) {
+        return JwtConstants.DEFLATE_ZIP_ALGORITHM.equals(theHeaders.getZipAlgorithm());
+    }
+    private static class JweEncryptionInternal {
+        JweHeaders theHeaders;
+        byte[] jweContentEncryptionKey;
+        byte[] theIv;
+        KeyProperties keyProps;
+        SecretKey secretKey;
+    }
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/50c57d9b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryptor.java
deleted file mode 100644
index 3d5231d..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryptor.java
+++ /dev/null
@@ -1,184 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwe;
-
-import java.io.IOException;
-import java.io.OutputStream;
-import java.security.spec.AlgorithmParameterSpec;
-import java.util.concurrent.atomic.AtomicInteger;
-import java.util.zip.DeflaterOutputStream;
-
-import javax.crypto.Cipher;
-import javax.crypto.SecretKey;
-
-import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
-import org.apache.cxf.rs.security.oauth2.jwt.JwtConstants;
-import org.apache.cxf.rs.security.oauth2.jwt.JwtHeadersWriter;
-import org.apache.cxf.rs.security.oauth2.jwt.JwtTokenReaderWriter;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties;
-
-public abstract class AbstractJweEncryptor implements JweEncryptor {
-    protected static final int DEFAULT_IV_SIZE = 96;
-    protected static final int DEFAULT_AUTH_TAG_LENGTH = 128;
-    private JweHeaders headers;
-    private JwtHeadersWriter writer = new JwtTokenReaderWriter();
-    private byte[] cek;
-    private byte[] iv;
-    private AtomicInteger providedIvUsageCount;
-    private int authTagLen = DEFAULT_AUTH_TAG_LENGTH;
-    
-    protected AbstractJweEncryptor(SecretKey cek, byte[] iv) {
-        this(new JweHeaders(Algorithm.toJwtName(cek.getAlgorithm(),
-                                                cek.getEncoded().length * 8)),
-                                                cek.getEncoded(), iv);
-    }
-    protected AbstractJweEncryptor(JweHeaders headers, byte[] cek, byte[] iv) {
-        this.headers = headers;
-        this.cek = cek;
-        this.iv = iv;
-        if (iv != null && iv.length > 0) {
-            providedIvUsageCount = new AtomicInteger();
-        }
-    }
-    protected AbstractJweEncryptor(JweHeaders headers, byte[] cek, byte[] iv, int authTagLen) {
-        this(headers, cek, iv);
-        this.authTagLen = authTagLen;
-    }
-    protected AbstractJweEncryptor(JweHeaders headers) {
-        this.headers = headers;
-    }
-    protected AbstractJweEncryptor(JweHeaders headers, byte[] cek, byte[] iv, int authTagLen, 
-                                   JwtHeadersWriter writer) {
-        this(headers, cek, iv, authTagLen);
-        if (writer != null) {
-            this.writer = writer;
-        }
-    }
-    
-    protected AlgorithmParameterSpec getContentEncryptionCipherSpec(byte[] theIv) {
-        return CryptoUtils.getContentEncryptionCipherSpec(getAuthTagLen(), theIv);
-    }
-    
-    protected byte[] getContentEncryptionCipherInitVector() {
-        if (iv == null) {
-            return CryptoUtils.generateSecureRandomBytes(DEFAULT_IV_SIZE);
-        } else if (iv.length > 0 && providedIvUsageCount.addAndGet(1) > 1) {
-            throw new SecurityException();
-        } else {
-            return iv;
-        }
-    }
-    
-    protected byte[] getContentEncryptionKey() {
-        return cek;
-    }
-    
-    protected abstract byte[] getEncryptedContentEncryptionKey(byte[] theCek);
-    
-    protected String getContentEncryptionAlgoJwt() {
-        return headers.getContentEncryptionAlgorithm();
-    }
-    protected String getContentEncryptionAlgoJava() {
-        return Algorithm.toJavaName(getContentEncryptionAlgoJwt());
-    }
-    
-    protected int getAuthTagLen() {
-        return authTagLen;
-    }
-    protected JweHeaders getJweHeaders() {
-        return headers;
-    }
-    public String encrypt(byte[] content, String contentType) {
-        JweEncryptorInternalState state = getInternalState(contentType);
-        
-        byte[] cipherText = CryptoUtils.encryptBytes(
-            content, 
-            state.secretKey,
-            state.keyProps);
-        
-        
-        JweCompactProducer producer = new JweCompactProducer(state.theHeaders, 
-                                             writer,                
-                                             state.jweContentEncryptionKey,
-                                             state.theIv,
-                                             cipherText,
-                                             getAuthTagLen());
-        return producer.getJweContent();
-    }
-    
-    @Override
-    public OutputStream createJweStream(OutputStream os, String contentType) {
-        JweEncryptorInternalState state = getInternalState(contentType);
-        Cipher c = CryptoUtils.initCipher(state.secretKey, state.keyProps, 
-                                          Cipher.ENCRYPT_MODE);
-        try {
-            JweCompactProducer.startJweContent(os,
-                                               state.theHeaders, 
-                                               writer, 
-                                               state.jweContentEncryptionKey, 
-                                               state.theIv);
-        } catch (IOException ex) {
-            throw new SecurityException(ex);
-        }
-        OutputStream jweStream = new JweOutputStream(os, c, getAuthTagLen());
-        if (state.keyProps.isCompressionSupported()) {
-            jweStream = new DeflaterOutputStream(jweStream);
-        }
-        return jweStream;
-    }
-    
-    private JweEncryptorInternalState getInternalState(String contentType) {
-        JweHeaders theHeaders = headers;
-        if (contentType != null) {
-            theHeaders = new JweHeaders(theHeaders.asMap());
-            theHeaders.setContentType(contentType);
-        }
-        
-        byte[] theCek = getContentEncryptionKey();
-        String contentEncryptionAlgoJavaName = Algorithm.toJavaName(theHeaders.getContentEncryptionAlgorithm());
-        KeyProperties keyProps = new KeyProperties(contentEncryptionAlgoJavaName);
-        keyProps.setCompressionSupported(compressionRequired(theHeaders));
-        byte[] additionalEncryptionParam = theHeaders.toCipherAdditionalAuthData(writer);
-        keyProps.setAdditionalData(additionalEncryptionParam);
-        
-        byte[] theIv = getContentEncryptionCipherInitVector();
-        AlgorithmParameterSpec specParams = getContentEncryptionCipherSpec(theIv);
-        keyProps.setAlgoSpec(specParams);
-        byte[] jweContentEncryptionKey = getEncryptedContentEncryptionKey(theCek);
-        JweEncryptorInternalState state = new JweEncryptorInternalState();
-        state.theHeaders = theHeaders;
-        state.jweContentEncryptionKey = jweContentEncryptionKey;
-        state.keyProps = keyProps;
-        state.secretKey = CryptoUtils.createSecretKeySpec(theCek, 
-                                        contentEncryptionAlgoJavaName);
-        state.theIv = theIv;
-        return state;
-    }
-    private boolean compressionRequired(JweHeaders theHeaders) {
-        return JwtConstants.DEFLATE_ZIP_ALGORITHM.equals(theHeaders.getZipAlgorithm());
-    }
-    private static class JweEncryptorInternalState {
-        JweHeaders theHeaders;
-        byte[] jweContentEncryptionKey;
-        byte[] theIv;
-        KeyProperties keyProps;
-        SecretKey secretKey;
-    }
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/50c57d9b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweDecryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweDecryption.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweDecryption.java
new file mode 100644
index 0000000..d7f3801
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweDecryption.java
@@ -0,0 +1,40 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import java.security.Key;
+
+public class DirectKeyJweDecryption extends AbstractJweDecryption {
+    private byte[] contentDecryptionKey;
+    public DirectKeyJweDecryption(Key contentDecryptionKey) {    
+        this(contentDecryptionKey, null);
+    }
+    public DirectKeyJweDecryption(Key contentDecryptionKey, JweCryptoProperties props) {    
+        super(props);
+        this.contentDecryptionKey = contentDecryptionKey.getEncoded();
+    }
+    @Override
+    protected byte[] getContentEncryptionKey(JweCompactConsumer consumer) {
+        byte[] encryptedCEK = getEncryptedContentEncryptionKey(consumer);
+        if (encryptedCEK != null && encryptedCEK.length > 0) {
+            throw new SecurityException();
+        }
+        return contentDecryptionKey;
+    }
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/50c57d9b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweDecryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweDecryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweDecryptor.java
deleted file mode 100644
index b733031..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweDecryptor.java
+++ /dev/null
@@ -1,40 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwe;
-
-import java.security.Key;
-
-public class DirectKeyJweDecryptor extends AbstractJweDecryptor {
-    private byte[] contentDecryptionKey;
-    public DirectKeyJweDecryptor(Key contentDecryptionKey) {    
-        this(contentDecryptionKey, null);
-    }
-    public DirectKeyJweDecryptor(Key contentDecryptionKey, JweCryptoProperties props) {    
-        super(props);
-        this.contentDecryptionKey = contentDecryptionKey.getEncoded();
-    }
-    @Override
-    protected byte[] getContentEncryptionKey(JweCompactConsumer consumer) {
-        byte[] encryptedCEK = getEncryptedContentEncryptionKey(consumer);
-        if (encryptedCEK != null && encryptedCEK.length > 0) {
-            throw new SecurityException();
-        }
-        return contentDecryptionKey;
-    }
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/50c57d9b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweEncryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweEncryption.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweEncryption.java
new file mode 100644
index 0000000..88caeec
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweEncryption.java
@@ -0,0 +1,39 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import javax.crypto.SecretKey;
+
+import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
+
+public class DirectKeyJweEncryption extends AbstractJweEncryption {
+    public DirectKeyJweEncryption(SecretKey cek, byte[] iv) {
+        this(new JweHeaders(Algorithm.toJwtName(cek.getAlgorithm(),
+                                                cek.getEncoded().length * 8)), cek.getEncoded(), iv);
+    }
+    public DirectKeyJweEncryption(JweHeaders headers, byte[] cek, byte[] iv) {
+        super(headers, cek, iv);
+    }
+    public DirectKeyJweEncryption(JweHeaders headers, byte[] cek, byte[] iv, int authTagLen) {
+        super(headers, cek, iv, authTagLen);
+    }
+    protected byte[] getEncryptedContentEncryptionKey(byte[] theCek) {
+        return new byte[0];
+    }
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/50c57d9b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweEncryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweEncryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweEncryptor.java
deleted file mode 100644
index 7f1b59d..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweEncryptor.java
+++ /dev/null
@@ -1,39 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwe;
-
-import javax.crypto.SecretKey;
-
-import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
-
-public class DirectKeyJweEncryptor extends AbstractJweEncryptor {
-    public DirectKeyJweEncryptor(SecretKey cek, byte[] iv) {
-        this(new JweHeaders(Algorithm.toJwtName(cek.getAlgorithm(),
-                                                cek.getEncoded().length * 8)), cek.getEncoded(), iv);
-    }
-    public DirectKeyJweEncryptor(JweHeaders headers, byte[] cek, byte[] iv) {
-        super(headers, cek, iv);
-    }
-    public DirectKeyJweEncryptor(JweHeaders headers, byte[] cek, byte[] iv, int authTagLen) {
-        super(headers, cek, iv, authTagLen);
-    }
-    protected byte[] getEncryptedContentEncryptionKey(byte[] theCek) {
-        return new byte[0];
-    }
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/50c57d9b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweDecryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweDecryption.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweDecryption.java
new file mode 100644
index 0000000..814c0a7
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweDecryption.java
@@ -0,0 +1,24 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+
+public interface JweDecryption {
+    JweDecryptionOutput decrypt(String jweContent);
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/50c57d9b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweDecryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweDecryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweDecryptor.java
deleted file mode 100644
index e1e2f4d..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweDecryptor.java
+++ /dev/null
@@ -1,24 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwe;
-
-
-public interface JweDecryptor {
-    JweDecryptionOutput decrypt(String jweContent);
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/50c57d9b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweEncryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweEncryption.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweEncryption.java
new file mode 100644
index 0000000..66ce657
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweEncryption.java
@@ -0,0 +1,60 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import javax.crypto.Cipher;
+
+public class JweEncryption {
+    private Cipher cipher;
+    private int authTagLen;
+    private JweHeaders headers;
+    private byte[] contentEncryptionKey;
+    private byte[] iv;
+    private boolean compressionSupported;
+    
+    public JweEncryption(Cipher cipher, int authTagLen, JweHeaders headers, 
+                        byte[] contentEncryptionKey, 
+                        byte[] iv, boolean compressionSupported) {
+        this.cipher = cipher;
+        this.authTagLen = authTagLen;
+        this.headers = headers;
+        this.contentEncryptionKey = contentEncryptionKey;
+        this.iv = iv;
+        this.compressionSupported = compressionSupported;
+    }
+    public Cipher getCipher() {
+        return cipher;
+    }
+    public JweHeaders getHeaders() {
+        return headers;
+    }
+    public byte[] getContentEncryptionKey() {
+        return contentEncryptionKey;
+    }
+    public byte[] getIv() {
+        return iv;
+    }
+    public boolean isCompressionSupported() {
+        return compressionSupported;
+    }
+    public int getAuthTagLen() {
+        return authTagLen;
+    }
+    
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/50c57d9b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweEncryptionProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweEncryptionProvider.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweEncryptionProvider.java
new file mode 100644
index 0000000..71bd02e
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweEncryptionProvider.java
@@ -0,0 +1,26 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+
+
+public interface JweEncryptionProvider {
+    String encrypt(byte[] jweContent, String contentType);
+    JweEncryption createJweEncryption(String contentType);
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/50c57d9b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweEncryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweEncryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweEncryptor.java
deleted file mode 100644
index c304dbf..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweEncryptor.java
+++ /dev/null
@@ -1,27 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwe;
-
-import java.io.OutputStream;
-
-
-public interface JweEncryptor {
-    String encrypt(byte[] jweContent, String contentType);
-    OutputStream createJweStream(OutputStream os, String contentType);
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/50c57d9b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweDecryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweDecryption.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweDecryption.java
new file mode 100644
index 0000000..15b46ce
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweDecryption.java
@@ -0,0 +1,40 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import java.security.interfaces.RSAPrivateKey;
+
+
+public class RSAJweDecryption extends WrappedKeyJweDecryption {
+    
+    public RSAJweDecryption(RSAPrivateKey privateKey) {    
+        this(privateKey, true);
+    }
+    public RSAJweDecryption(RSAPrivateKey privateKey, boolean unwrap) {    
+        this(privateKey, unwrap, null);
+    }
+    public RSAJweDecryption(RSAPrivateKey privateKey, boolean unwrap,
+                           JweCryptoProperties props) {    
+        super(privateKey, unwrap, props);
+    }
+    
+    protected int getKeyCipherBlockSize() {
+        return ((RSAPrivateKey)getCekDecryptionKey()).getModulus().toByteArray().length;
+    }
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/50c57d9b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweDecryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweDecryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweDecryptor.java
deleted file mode 100644
index 0bba471..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweDecryptor.java
+++ /dev/null
@@ -1,40 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwe;
-
-import java.security.interfaces.RSAPrivateKey;
-
-
-public class RSAJweDecryptor extends WrappedKeyJweDecryptor {
-    
-    public RSAJweDecryptor(RSAPrivateKey privateKey) {    
-        this(privateKey, true);
-    }
-    public RSAJweDecryptor(RSAPrivateKey privateKey, boolean unwrap) {    
-        this(privateKey, unwrap, null);
-    }
-    public RSAJweDecryptor(RSAPrivateKey privateKey, boolean unwrap,
-                           JweCryptoProperties props) {    
-        super(privateKey, unwrap, props);
-    }
-    
-    protected int getKeyCipherBlockSize() {
-        return ((RSAPrivateKey)getCekDecryptionKey()).getModulus().toByteArray().length;
-    }
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/50c57d9b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweEncryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweEncryption.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweEncryption.java
new file mode 100644
index 0000000..b45c800
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweEncryption.java
@@ -0,0 +1,62 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import java.security.interfaces.RSAPublicKey;
+
+import javax.crypto.SecretKey;
+
+import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
+import org.apache.cxf.rs.security.oauth2.jwt.JwtHeadersWriter;
+
+public class RSAJweEncryption extends WrappedKeyJweEncryption {
+    public RSAJweEncryption(RSAPublicKey publicKey, String contentEncryptionAlgo) {
+        super(new JweHeaders(Algorithm.RSA_OAEP.getJwtName(),
+                             contentEncryptionAlgo), publicKey);
+    }
+    public RSAJweEncryption(RSAPublicKey publicKey, JweHeaders headers, byte[] cek, byte[] iv) {
+        this(publicKey, headers, cek, iv, DEFAULT_AUTH_TAG_LENGTH, true);
+    }
+    public RSAJweEncryption(RSAPublicKey publicKey, SecretKey secretKey, String secretKeyJwtAlgorithm,
+                           byte[] iv) {
+        this(publicKey, 
+             new JweHeaders(Algorithm.RSA_OAEP.getJwtName(), secretKeyJwtAlgorithm),
+             secretKey != null ? secretKey.getEncoded() : null, iv, DEFAULT_AUTH_TAG_LENGTH, true);
+    }
+    public RSAJweEncryption(RSAPublicKey publicKey, SecretKey secretKey, byte[] iv) {
+        this(publicKey, secretKey, 
+             Algorithm.toJwtName(secretKey.getAlgorithm(),
+                                 secretKey.getEncoded().length * 8), iv);
+    }
+    
+    public RSAJweEncryption(RSAPublicKey publicKey, JweHeaders headers, byte[] cek, byte[] iv, 
+                           int authTagLen, boolean wrap) {
+        this(publicKey, headers, cek, iv, authTagLen, wrap, null);
+    }
+    
+    public RSAJweEncryption(RSAPublicKey publicKey, JweHeaders headers, byte[] cek, byte[] iv, 
+                              JwtHeadersWriter writer) {
+        this(publicKey, headers, cek, iv, DEFAULT_AUTH_TAG_LENGTH, true, null);
+    }
+    public RSAJweEncryption(RSAPublicKey publicKey, JweHeaders headers, byte[] cek, byte[] iv, 
+                              int authTagLen, boolean wrap, JwtHeadersWriter writer) {
+        super(headers, publicKey, cek, iv, authTagLen, wrap, writer);
+    }
+    
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/50c57d9b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweEncryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweEncryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweEncryptor.java
deleted file mode 100644
index e0974f1..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweEncryptor.java
+++ /dev/null
@@ -1,62 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwe;
-
-import java.security.interfaces.RSAPublicKey;
-
-import javax.crypto.SecretKey;
-
-import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
-import org.apache.cxf.rs.security.oauth2.jwt.JwtHeadersWriter;
-
-public class RSAJweEncryptor extends WrappedKeyJweEncryptor {
-    public RSAJweEncryptor(RSAPublicKey publicKey, String contentEncryptionAlgo) {
-        super(new JweHeaders(Algorithm.RSA_OAEP.getJwtName(),
-                             contentEncryptionAlgo), publicKey);
-    }
-    public RSAJweEncryptor(RSAPublicKey publicKey, JweHeaders headers, byte[] cek, byte[] iv) {
-        this(publicKey, headers, cek, iv, DEFAULT_AUTH_TAG_LENGTH, true);
-    }
-    public RSAJweEncryptor(RSAPublicKey publicKey, SecretKey secretKey, String secretKeyJwtAlgorithm,
-                           byte[] iv) {
-        this(publicKey, 
-             new JweHeaders(Algorithm.RSA_OAEP.getJwtName(), secretKeyJwtAlgorithm),
-             secretKey != null ? secretKey.getEncoded() : null, iv, DEFAULT_AUTH_TAG_LENGTH, true);
-    }
-    public RSAJweEncryptor(RSAPublicKey publicKey, SecretKey secretKey, byte[] iv) {
-        this(publicKey, secretKey, 
-             Algorithm.toJwtName(secretKey.getAlgorithm(),
-                                 secretKey.getEncoded().length * 8), iv);
-    }
-    
-    public RSAJweEncryptor(RSAPublicKey publicKey, JweHeaders headers, byte[] cek, byte[] iv, 
-                           int authTagLen, boolean wrap) {
-        this(publicKey, headers, cek, iv, authTagLen, wrap, null);
-    }
-    
-    public RSAJweEncryptor(RSAPublicKey publicKey, JweHeaders headers, byte[] cek, byte[] iv, 
-                              JwtHeadersWriter writer) {
-        this(publicKey, headers, cek, iv, DEFAULT_AUTH_TAG_LENGTH, true, null);
-    }
-    public RSAJweEncryptor(RSAPublicKey publicKey, JweHeaders headers, byte[] cek, byte[] iv, 
-                              int authTagLen, boolean wrap, JwtHeadersWriter writer) {
-        super(headers, publicKey, cek, iv, authTagLen, wrap, writer);
-    }
-    
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/50c57d9b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryption.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryption.java
new file mode 100644
index 0000000..62a69eb
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryption.java
@@ -0,0 +1,67 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import java.security.Key;
+
+import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties;
+
+public class WrappedKeyJweDecryption extends AbstractJweDecryption {
+    private Key cekDecryptionKey;
+    private boolean unwrap;
+    public WrappedKeyJweDecryption(Key cekDecryptionKey) {    
+        this(cekDecryptionKey, true);
+    }
+    public WrappedKeyJweDecryption(Key cekDecryptionKey, boolean unwrap) {    
+        this(cekDecryptionKey, unwrap, null);
+    }
+    public WrappedKeyJweDecryption(Key cekDecryptionKey, JweCryptoProperties props) {
+        this(cekDecryptionKey, true, props);
+    }
+    public WrappedKeyJweDecryption(Key cekDecryptionKey, boolean unwrap,
+                                  JweCryptoProperties props) {    
+        super(props);
+        this.cekDecryptionKey = cekDecryptionKey;
+        this.unwrap = unwrap;
+    }
+    protected byte[] getContentEncryptionKey(JweCompactConsumer consumer) {
+        KeyProperties keyProps = new KeyProperties(getKeyEncryptionAlgorithm(consumer));
+        if (!unwrap) {
+            keyProps.setBlockSize(getKeyCipherBlockSize());
+            return CryptoUtils.decryptBytes(getEncryptedContentEncryptionKey(consumer), 
+                                            getCekDecryptionKey(), keyProps);
+        } else {
+            return CryptoUtils.unwrapSecretKey(getEncryptedContentEncryptionKey(consumer), 
+                                               getContentEncryptionAlgorithm(consumer), 
+                                               getCekDecryptionKey(), 
+                                               keyProps).getEncoded();
+        }
+    }
+    protected Key getCekDecryptionKey() {
+        return cekDecryptionKey;
+    }
+    protected int getKeyCipherBlockSize() {
+        return -1;
+    }
+    protected String getKeyEncryptionAlgorithm(JweCompactConsumer consumer) {
+        return Algorithm.toJavaName(consumer.getJweHeaders().getKeyEncryptionAlgorithm());
+    }
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/50c57d9b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryptor.java
deleted file mode 100644
index 6688670..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryptor.java
+++ /dev/null
@@ -1,67 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwe;
-
-import java.security.Key;
-
-import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties;
-
-public class WrappedKeyJweDecryptor extends AbstractJweDecryptor {
-    private Key cekDecryptionKey;
-    private boolean unwrap;
-    public WrappedKeyJweDecryptor(Key cekDecryptionKey) {    
-        this(cekDecryptionKey, true);
-    }
-    public WrappedKeyJweDecryptor(Key cekDecryptionKey, boolean unwrap) {    
-        this(cekDecryptionKey, unwrap, null);
-    }
-    public WrappedKeyJweDecryptor(Key cekDecryptionKey, JweCryptoProperties props) {
-        this(cekDecryptionKey, true, props);
-    }
-    public WrappedKeyJweDecryptor(Key cekDecryptionKey, boolean unwrap,
-                                  JweCryptoProperties props) {    
-        super(props);
-        this.cekDecryptionKey = cekDecryptionKey;
-        this.unwrap = unwrap;
-    }
-    protected byte[] getContentEncryptionKey(JweCompactConsumer consumer) {
-        KeyProperties keyProps = new KeyProperties(getKeyEncryptionAlgorithm(consumer));
-        if (!unwrap) {
-            keyProps.setBlockSize(getKeyCipherBlockSize());
-            return CryptoUtils.decryptBytes(getEncryptedContentEncryptionKey(consumer), 
-                                            getCekDecryptionKey(), keyProps);
-        } else {
-            return CryptoUtils.unwrapSecretKey(getEncryptedContentEncryptionKey(consumer), 
-                                               getContentEncryptionAlgorithm(consumer), 
-                                               getCekDecryptionKey(), 
-                                               keyProps).getEncoded();
-        }
-    }
-    protected Key getCekDecryptionKey() {
-        return cekDecryptionKey;
-    }
-    protected int getKeyCipherBlockSize() {
-        return -1;
-    }
-    protected String getKeyEncryptionAlgorithm(JweCompactConsumer consumer) {
-        return Algorithm.toJavaName(consumer.getJweHeaders().getKeyEncryptionAlgorithm());
-    }
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/50c57d9b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweEncryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweEncryption.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweEncryption.java
new file mode 100644
index 0000000..9b37515
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweEncryption.java
@@ -0,0 +1,77 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import java.security.Key;
+import java.util.concurrent.atomic.AtomicInteger;
+
+import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
+import org.apache.cxf.rs.security.oauth2.jwt.JwtHeadersWriter;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties;
+
+public class WrappedKeyJweEncryption extends AbstractJweEncryption {
+    private Key cekEncryptionKey;
+    private boolean wrap;
+    private AtomicInteger providedCekUsageCount;
+    public WrappedKeyJweEncryption(JweHeaders headers, Key cekEncryptionKey) {
+        this(headers, cekEncryptionKey, null, null);
+    }
+    public WrappedKeyJweEncryption(JweHeaders headers, Key cekEncryptionKey, byte[] cek, byte[] iv) {
+        this(headers, cekEncryptionKey, cek, iv, DEFAULT_AUTH_TAG_LENGTH, true);
+    }
+    public WrappedKeyJweEncryption(JweHeaders headers, Key cekEncryptionKey, byte[] cek, byte[] iv, 
+                                   int authTagLen, boolean wrap) {
+        this(headers, cekEncryptionKey, cek, iv, authTagLen, wrap, null);
+    }
+    
+    public WrappedKeyJweEncryption(JweHeaders headers, Key cekEncryptionKey, byte[] cek, byte[] iv, int authTagLen, 
+                                   boolean wrap, JwtHeadersWriter writer) {
+        super(headers, cek, iv, authTagLen, writer);
+        this.cekEncryptionKey = cekEncryptionKey;
+        this.wrap = wrap;
+        if (cek != null) {
+            providedCekUsageCount = new AtomicInteger();
+        }
+    }
+    protected byte[] getContentEncryptionKey() {
+        byte[] theCek = super.getContentEncryptionKey();
+        if (theCek == null) {
+            String algoJava = getContentEncryptionAlgoJava();
+            String algoJwt = getContentEncryptionAlgoJwt();
+            theCek = CryptoUtils.getSecretKey(Algorithm.stripAlgoProperties(algoJava), 
+                Algorithm.valueOf(algoJwt).getKeySizeBits()).getEncoded();
+        } else if (providedCekUsageCount.addAndGet(1) > 1) {
+            throw new SecurityException();
+        }
+        return theCek;
+    }
+    protected byte[] getEncryptedContentEncryptionKey(byte[] theCek) {
+        KeyProperties secretKeyProperties = new KeyProperties(getContentEncryptionKeyEncryptionAlgo());
+        if (!wrap) {
+            return CryptoUtils.encryptBytes(theCek, cekEncryptionKey, secretKeyProperties);
+        } else {
+            return CryptoUtils.wrapSecretKey(theCek, getContentEncryptionAlgoJava(), cekEncryptionKey, 
+                                             secretKeyProperties.getKeyAlgo());
+        }
+    }
+    protected String getContentEncryptionKeyEncryptionAlgo() {
+        return Algorithm.toJavaName(getJweHeaders().getKeyEncryptionAlgorithm());
+    }
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/50c57d9b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweEncryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweEncryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweEncryptor.java
deleted file mode 100644
index 998be77..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweEncryptor.java
+++ /dev/null
@@ -1,77 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwe;
-
-import java.security.Key;
-import java.util.concurrent.atomic.AtomicInteger;
-
-import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
-import org.apache.cxf.rs.security.oauth2.jwt.JwtHeadersWriter;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties;
-
-public class WrappedKeyJweEncryptor extends AbstractJweEncryptor {
-    private Key cekEncryptionKey;
-    private boolean wrap;
-    private AtomicInteger providedCekUsageCount;
-    public WrappedKeyJweEncryptor(JweHeaders headers, Key cekEncryptionKey) {
-        this(headers, cekEncryptionKey, null, null);
-    }
-    public WrappedKeyJweEncryptor(JweHeaders headers, Key cekEncryptionKey, byte[] cek, byte[] iv) {
-        this(headers, cekEncryptionKey, cek, iv, DEFAULT_AUTH_TAG_LENGTH, true);
-    }
-    public WrappedKeyJweEncryptor(JweHeaders headers, Key cekEncryptionKey, byte[] cek, byte[] iv, 
-                                   int authTagLen, boolean wrap) {
-        this(headers, cekEncryptionKey, cek, iv, authTagLen, wrap, null);
-    }
-    
-    public WrappedKeyJweEncryptor(JweHeaders headers, Key cekEncryptionKey, byte[] cek, byte[] iv, int authTagLen, 
-                                   boolean wrap, JwtHeadersWriter writer) {
-        super(headers, cek, iv, authTagLen, writer);
-        this.cekEncryptionKey = cekEncryptionKey;
-        this.wrap = wrap;
-        if (cek != null) {
-            providedCekUsageCount = new AtomicInteger();
-        }
-    }
-    protected byte[] getContentEncryptionKey() {
-        byte[] theCek = super.getContentEncryptionKey();
-        if (theCek == null) {
-            String algoJava = getContentEncryptionAlgoJava();
-            String algoJwt = getContentEncryptionAlgoJwt();
-            theCek = CryptoUtils.getSecretKey(Algorithm.stripAlgoProperties(algoJava), 
-                Algorithm.valueOf(algoJwt).getKeySizeBits()).getEncoded();
-        } else if (providedCekUsageCount.addAndGet(1) > 1) {
-            throw new SecurityException();
-        }
-        return theCek;
-    }
-    protected byte[] getEncryptedContentEncryptionKey(byte[] theCek) {
-        KeyProperties secretKeyProperties = new KeyProperties(getContentEncryptionKeyEncryptionAlgo());
-        if (!wrap) {
-            return CryptoUtils.encryptBytes(theCek, cekEncryptionKey, secretKeyProperties);
-        } else {
-            return CryptoUtils.wrapSecretKey(theCek, getContentEncryptionAlgoJava(), cekEncryptionKey, 
-                                             secretKeyProperties.getKeyAlgo());
-        }
-    }
-    protected String getContentEncryptionKeyEncryptionAlgo() {
-        return Algorithm.toJavaName(getJweHeaders().getKeyEncryptionAlgorithm());
-    }
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/50c57d9b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/AbstractJwsSignatureProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/AbstractJwsSignatureProvider.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/AbstractJwsSignatureProvider.java
index b78c63b..1e0ceee 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/AbstractJwsSignatureProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/AbstractJwsSignatureProvider.java
@@ -18,12 +18,9 @@
  */
 package org.apache.cxf.rs.security.oauth2.jws;
 
-import java.io.OutputStream;
 import java.util.Set;
 
 import org.apache.cxf.rs.security.oauth2.jwt.JwtHeaders;
-import org.apache.cxf.rs.security.oauth2.jwt.JwtTokenReaderWriter;
-import org.apache.cxf.rs.security.oauth2.utils.Base64UrlUtility;
 
 public abstract class AbstractJwsSignatureProvider implements JwsSignatureProvider {
     private Set<String> supportedAlgorithms;
@@ -32,8 +29,8 @@ public abstract class AbstractJwsSignatureProvider implements JwsSignatureProvid
     protected AbstractJwsSignatureProvider(Set<String> supportedAlgorithms) {
         this.supportedAlgorithms = supportedAlgorithms;
     }
-    @Override
-    public JwtHeaders prepareHeaders(JwtHeaders headers) {
+    
+    protected JwtHeaders prepareHeaders(JwtHeaders headers) {
         if (headers == null) {
             headers = new JwtHeaders();
         }
@@ -47,24 +44,11 @@ public abstract class AbstractJwsSignatureProvider implements JwsSignatureProvid
     }
     
     @Override
-    public JwsOutputStream createJwsStream(OutputStream os, String contentType) {
-        JwtHeaders headers = prepareHeaders(null);
-        if (contentType != null) {
-            headers.setContentType(contentType);
-        }
-        JwsSignatureProviderWorker worker = createJwsSignatureWorker(headers);
-        JwsOutputStream jwsStream = new JwsOutputStream(os, worker);
-        try {
-            byte[] headerBytes = new JwtTokenReaderWriter().headersToJson(headers).getBytes("UTF-8");
-            Base64UrlUtility.encodeAndStream(headerBytes, 0, headerBytes.length, jwsStream);
-            jwsStream.write(new byte[]{'.'});
-        } catch (Exception ex) {
-            throw new SecurityException(ex);
-        }
-        return jwsStream;
+    public JwsSignature createJwsSignature(JwtHeaders headers) {
+        return doCreateJwsSignature(prepareHeaders(headers));
     }
     
-    protected abstract JwsSignatureProviderWorker createJwsSignatureWorker(JwtHeaders headers);
+    protected abstract JwsSignature doCreateJwsSignature(JwtHeaders headers);
     
     public void setDefaultJwtAlgorithm(String algo) {
         this.defaultJwtAlgorithm = algo;

http://git-wip-us.apache.org/repos/asf/cxf/blob/50c57d9b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/HmacJwsSignatureProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/HmacJwsSignatureProvider.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/HmacJwsSignatureProvider.java
index aa387fb..a71da3b 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/HmacJwsSignatureProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/HmacJwsSignatureProvider.java
@@ -56,13 +56,6 @@ public class HmacJwsSignatureProvider extends AbstractJwsSignatureProvider imple
         }
     }
     
-    
-    @Override
-    public byte[] sign(JwtHeaders headers, String unsignedText) {
-        headers = prepareHeaders(headers);
-        return computeMac(headers, unsignedText);
-    }
-    
     @Override
     public boolean verify(JwtHeaders headers, String unsignedText, byte[] signature) {
         byte[] expected = computeMac(headers, unsignedText);
@@ -75,11 +68,10 @@ public class HmacJwsSignatureProvider extends AbstractJwsSignatureProvider imple
                                      hmacSpec,
                                      text);
     }
-    @Override
-    protected JwsSignatureProviderWorker createJwsSignatureWorker(JwtHeaders headers) {
+    protected JwsSignature doCreateJwsSignature(JwtHeaders headers) {
         final Mac mac = HmacUtils.getInitializedMac(key, Algorithm.toJavaName(headers.getAlgorithm()),
                                                     hmacSpec);
-        return new JwsSignatureProviderWorker() {
+        return new JwsSignature() {
 
             @Override
             public void update(byte[] src, int off, int len) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/50c57d9b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsCompactProducer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsCompactProducer.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsCompactProducer.java
index 0e0b1f7..55259d9 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsCompactProducer.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsCompactProducer.java
@@ -71,9 +71,15 @@ public class JwsCompactProducer {
     }
     
     public String signWith(JwsSignatureProvider signer) { 
-        signer.prepareHeaders(getHeaders());
-        signWith(signer.sign(getHeaders(), getUnsignedEncodedJws()));
-        return getSignedEncodedJws();
+        JwsSignature worker = signer.createJwsSignature(getHeaders());
+        try {
+            byte[] bytes = getUnsignedEncodedJws().getBytes("UTF-8");
+            worker.update(bytes, 0, bytes.length);
+            signWith(worker.sign());
+            return getSignedEncodedJws();
+        } catch (Exception ex) {
+            throw new SecurityException();
+        }
     }
     
     public String signWith(String signatureText) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/50c57d9b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsOutputStream.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsOutputStream.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsOutputStream.java
index 26268d1..00d7c55 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsOutputStream.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsOutputStream.java
@@ -27,8 +27,8 @@ import org.apache.cxf.rs.security.oauth2.utils.Base64UrlUtility;
 
 public class JwsOutputStream extends FilterOutputStream {
     private boolean flushed;
-    private JwsSignatureProviderWorker signature;
-    public JwsOutputStream(OutputStream out, JwsSignatureProviderWorker signature) {
+    private JwsSignature signature;
+    public JwsOutputStream(OutputStream out, JwsSignature signature) {
         super(out);
         this.signature = signature;
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/50c57d9b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsSignature.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsSignature.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsSignature.java
new file mode 100644
index 0000000..2d1581d
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsSignature.java
@@ -0,0 +1,25 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jws;
+
+
+public interface JwsSignature {
+    void update(byte[] src, int off, int len);
+    byte[] sign();
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/50c57d9b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsSignatureProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsSignatureProvider.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsSignatureProvider.java
index 4f97f91..1b25f48 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsSignatureProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsSignatureProvider.java
@@ -18,12 +18,8 @@
  */
 package org.apache.cxf.rs.security.oauth2.jws;
 
-import java.io.OutputStream;
-
 import org.apache.cxf.rs.security.oauth2.jwt.JwtHeaders;
 
 public interface JwsSignatureProvider {
-    JwtHeaders prepareHeaders(JwtHeaders headers);
-    byte[] sign(JwtHeaders headers, String unsignedText);
-    JwsOutputStream createJwsStream(OutputStream os, String contentType);
+    JwsSignature createJwsSignature(JwtHeaders headers);
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/50c57d9b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsSignatureProviderWorker.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsSignatureProviderWorker.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsSignatureProviderWorker.java
deleted file mode 100644
index ca768d5..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsSignatureProviderWorker.java
+++ /dev/null
@@ -1,25 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jws;
-
-
-public interface JwsSignatureProviderWorker {
-    void update(byte[] src, int off, int len);
-    byte[] sign();
-}


Mime
View raw message