cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From serg...@apache.org
Subject cxf git commit: Optional use of default JOSE algorithms by filters
Date Thu, 04 Dec 2014 17:15:29 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.0.x-fixes d6b11c3e6 -> 893c21759


Optional use of default JOSE algorithms by filters


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/893c2175
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/893c2175
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/893c2175

Branch: refs/heads/3.0.x-fixes
Commit: 893c217594426661cc10ef1418e31a8bb18266c7
Parents: d6b11c3
Author: Sergey Beryozkin <sberyozkin@talend.com>
Authored: Thu Dec 4 17:13:56 2014 +0000
Committer: Sergey Beryozkin <sberyozkin@talend.com>
Committed: Thu Dec 4 17:14:59 2014 +0000

----------------------------------------------------------------------
 .../security/jose/jaxrs/KeyManagementUtils.java | 81 +++++++++++++++-----
 .../cxf/rs/security/jose/jwe/JweUtils.java      | 38 +++++----
 .../cxf/rs/security/jose/jwk/JwkUtils.java      | 47 ++----------
 .../cxf/rs/security/jose/jws/JwsUtils.java      | 19 +++--
 .../jaxrs/security/jwt/JAXRSJweJwsTest.java     |  1 +
 .../cxf/systest/jaxrs/security/jwt/server.xml   |  1 +
 .../jaxrs/security/public.jwk.properties        |  3 -
 7 files changed, 105 insertions(+), 85 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/893c2175/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/KeyManagementUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/KeyManagementUtils.java
b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/KeyManagementUtils.java
index cc69b84..6e256ed 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/KeyManagementUtils.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/KeyManagementUtils.java
@@ -30,10 +30,12 @@ import java.util.List;
 import java.util.Properties;
 
 import org.apache.cxf.Bus;
+import org.apache.cxf.common.util.PropertyUtils;
 import org.apache.cxf.common.util.crypto.CryptoUtils;
 import org.apache.cxf.jaxrs.utils.ResourceUtils;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.message.MessageUtils;
+import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
 import org.apache.cxf.security.SecurityContext;
 
 
@@ -51,6 +53,7 @@ public final class KeyManagementUtils {
     public static final String RSSEC_KEY_PSWD_PROVIDER = "rs.security.key.password.provider";
     public static final String RSSEC_SIG_KEY_PSWD_PROVIDER = "rs.security.signature.key.password.provider";
     public static final String RSSEC_DECRYPT_KEY_PSWD_PROVIDER = "rs.security.decryption.key.password.provider";
+    public static final String RSSEC_DEFAULT_ALGORITHMS = "rs.security.default.algorithms";
     
     private KeyManagementUtils() {
     }
@@ -81,41 +84,74 @@ public final class KeyManagementUtils {
         }
         return propLoc;
     }
-    public static PrivateKey loadPrivateKey(Properties props, Bus bus, PrivateKeyPasswordProvider
provider) {
-        KeyStore keyStore = loadKeyStore(props, bus);
-        return loadPrivateKey(keyStore, props, bus, provider);
-    }
-    public static PrivateKey loadPrivateKey(KeyStore keyStore, 
+    private static PrivateKey loadPrivateKey(KeyStore keyStore, 
+                                            Message m,
                                             Properties props, 
                                             Bus bus, 
-                                            PrivateKeyPasswordProvider provider) {
+                                            PrivateKeyPasswordProvider provider,
+                                            String keyOper) {
         
         String keyPswd = props.getProperty(RSSEC_KEY_PSWD);
-        String alias = props.getProperty(RSSEC_KEY_STORE_ALIAS);
+        String alias = getKeyId(m, props, RSSEC_KEY_STORE_ALIAS, keyOper);
         char[] keyPswdChars = provider != null ? provider.getPassword(props) 
             : keyPswd != null ? keyPswd.toCharArray() : null;    
         return CryptoUtils.loadPrivateKey(keyStore, keyPswdChars, alias);
     }
     
-    public static PrivateKey loadPrivateKey(Message m, String keyStoreLocProp, String passwordProviderProp)
{
-        return loadPrivateKey(m, keyStoreLocProp, null, passwordProviderProp);
+    public static PrivateKey loadPrivateKey(Message m, String keyStoreLocProp, String keyOper)
{
+        return loadPrivateKey(m, keyStoreLocProp, null, keyOper);
     }
     public static PrivateKey loadPrivateKey(Message m, String keyStoreLocPropPreferred,
-                                            String keyStoreLocPropDefault, String passwordProviderProp)
{
+                                            String keyStoreLocPropDefault, String keyOper)
{
         String keyStoreLoc = getMessageProperty(m, keyStoreLocPropPreferred, keyStoreLocPropDefault);
         Bus bus = m.getExchange().getBus();
         try {
             Properties props = ResourceUtils.loadProperties(keyStoreLoc, bus);
-            return KeyManagementUtils.loadPrivateKey(m, props, passwordProviderProp);
+            return loadPrivateKey(m, props, keyOper);
         } catch (Exception ex) {
             throw new SecurityException(ex);
         }
     }
-    public static PrivateKey loadPrivateKey(Message m, Properties props, String passwordProviderProp)
{
-        Bus bus = m.getExchange().getBus();
-        KeyStore keyStore = KeyManagementUtils.loadPersistKeyStore(m, props);
+    
+    public static String getKeyId(Message m, Properties props, String preferredPropertyName,
String keyOper) {
+        String kid = null;
+        String altPropertyName = null;
+        if (keyOper != null) {
+            if (keyOper.equals(JsonWebKey.KEY_OPER_ENCRYPT) || keyOper.equals(JsonWebKey.KEY_OPER_DECRYPT))
{
+                altPropertyName = preferredPropertyName + ".jwe";
+            } else if (keyOper.equals(JsonWebKey.KEY_OPER_SIGN) || keyOper.equals(JsonWebKey.KEY_OPER_VERIFY))
{
+                altPropertyName = preferredPropertyName + ".jws";
+            }
+            String direction = m.getExchange().getOutMessage() == m ? ".out" : ".in";
+            kid = (String)MessageUtils.getContextualProperty(m, preferredPropertyName, altPropertyName
+ direction);
+        }
+        
+        if (kid == null) {
+            kid = props.getProperty(preferredPropertyName);
+        }
+        if (kid == null && altPropertyName != null) {
+            kid = props.getProperty(altPropertyName);
+        }
+        return kid;
+    }
+    public static PrivateKeyPasswordProvider loadPasswordProvider(Message m, Properties props,
String keyOper) {
         PrivateKeyPasswordProvider cb = 
-            (PrivateKeyPasswordProvider)m.getContextualProperty(passwordProviderProp);
+            (PrivateKeyPasswordProvider)m.getContextualProperty(RSSEC_KEY_PSWD_PROVIDER);
+        if (cb == null && keyOper != null) {
+            String propName = keyOper.equals(JsonWebKey.KEY_OPER_SIGN) ? RSSEC_SIG_KEY_PSWD_PROVIDER
+                : keyOper.equals(JsonWebKey.KEY_OPER_DECRYPT) 
+                ? RSSEC_DECRYPT_KEY_PSWD_PROVIDER : null;
+            if (propName != null) {
+                cb = (PrivateKeyPasswordProvider)m.getContextualProperty(propName);
+            }
+        }
+        return cb;
+    }
+    
+    public static PrivateKey loadPrivateKey(Message m, Properties props, String keyOper)
{
+        Bus bus = m.getExchange().getBus();
+        KeyStore keyStore = loadPersistKeyStore(m, props);
+        PrivateKeyPasswordProvider cb = loadPasswordProvider(m, props, keyOper);
         if (cb != null && m.getExchange().getInMessage() != null) {
             SecurityContext sc = m.getExchange().getInMessage().get(SecurityContext.class);
             if (sc != null) {
@@ -125,13 +161,13 @@ public final class KeyManagementUtils {
                 }
             }
         }
-        return KeyManagementUtils.loadPrivateKey(keyStore, props, bus, cb);
+        return loadPrivateKey(keyStore, m, props, bus, cb, keyOper);
     }
     public static KeyStore loadPersistKeyStore(Message m, Properties props) {
-        KeyStore keyStore = (KeyStore)m.getExchange().get(props.get(KeyManagementUtils.RSSEC_KEY_STORE_FILE));
+        KeyStore keyStore = (KeyStore)m.getExchange().get(props.get(RSSEC_KEY_STORE_FILE));
         if (keyStore == null) {
-            keyStore = KeyManagementUtils.loadKeyStore(props, m.getExchange().getBus());
-            m.getExchange().put((String)props.get(KeyManagementUtils.RSSEC_KEY_STORE_FILE),
keyStore);
+            keyStore = loadKeyStore(props, m.getExchange().getBus());
+            m.getExchange().put((String)props.get(RSSEC_KEY_STORE_FILE), keyStore);
         }
         return keyStore;
     }
@@ -174,4 +210,11 @@ public final class KeyManagementUtils {
             return null;
         }
     }
+    public static String getKeyAlgorithm(Message m, Properties props, String propName, String
defaultAlg) {
+        String algo = props.getProperty(propName);
+        if (algo == null && PropertyUtils.isTrue(m.getContextualProperty(RSSEC_DEFAULT_ALGORITHMS)))
{
+            algo = defaultAlg;
+        }
+        return algo;
+    }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/893c2175/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
index 06859f3..956e143 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
@@ -231,30 +231,28 @@ public final class JweUtils {
     }
     public static JweEncryptionProvider loadEncryptionProvider(String propLoc, Message m)
{
         KeyEncryptionAlgorithm keyEncryptionProvider = null;
-        String keyEncryptionAlgo = null;
         Properties props = null;
         try {
             props = ResourceUtils.loadProperties(propLoc, m.getExchange().getBus());
         } catch (Exception ex) {
             throw new SecurityException(ex);
         }
-        
-        String contentEncryptionAlgo = props.getProperty(JSON_WEB_ENCRYPTION_CEK_ALGO_PROP);
+        String keyEncryptionAlgo = getKeyEncryptionAlgo(m, props, null);
+        String contentEncryptionAlgo = getContentEncryptionAlgo(m, props, null);
         ContentEncryptionAlgorithm ctEncryptionProvider = null;
         if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(KeyManagementUtils.RSSEC_KEY_STORE_TYPE)))
{
             JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, JsonWebKey.KEY_OPER_ENCRYPT);
-            keyEncryptionAlgo = getKeyEncryptionAlgo(props, jwk.getAlgorithm());
+            keyEncryptionAlgo = getKeyEncryptionAlgo(m, props, jwk.getAlgorithm());
             if ("direct".equals(keyEncryptionAlgo)) {
-                contentEncryptionAlgo = getContentEncryptionAlgo(props, jwk.getAlgorithm());
+                contentEncryptionAlgo = getContentEncryptionAlgo(m, props, jwk.getAlgorithm());
                 ctEncryptionProvider = getContentEncryptionAlgorithm(jwk, contentEncryptionAlgo);
             } else {
                 keyEncryptionProvider = getKeyEncryptionAlgorithm(jwk, keyEncryptionAlgo);
             }
-            
         } else {
             keyEncryptionProvider = getRSAKeyEncryptionAlgorithm(
                 (RSAPublicKey)KeyManagementUtils.loadPublicKey(m, props), 
-                getKeyEncryptionAlgo(props, keyEncryptionAlgo));
+                keyEncryptionAlgo);
         }
         return createJweEncryptionProvider(keyEncryptionProvider, 
                                     ctEncryptionProvider, 
@@ -283,14 +281,14 @@ public final class JweUtils {
         } catch (Exception ex) {
             throw new SecurityException(ex);
         }    
-        String contentEncryptionAlgo = props.getProperty(JSON_WEB_ENCRYPTION_CEK_ALGO_PROP);
+        String contentEncryptionAlgo = getContentEncryptionAlgo(m, props, null);
         SecretKey ctDecryptionKey = null;
-        String keyEncryptionAlgo = getKeyEncryptionAlgo(props, null);
+        String keyEncryptionAlgo = getKeyEncryptionAlgo(m, props, null);
         if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(KeyManagementUtils.RSSEC_KEY_STORE_TYPE)))
{
             JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, JsonWebKey.KEY_OPER_DECRYPT);
-            keyEncryptionAlgo = getKeyEncryptionAlgo(props, jwk.getAlgorithm());
+            keyEncryptionAlgo = getKeyEncryptionAlgo(m, props, jwk.getAlgorithm());
             if ("direct".equals(keyEncryptionAlgo)) {
-                contentEncryptionAlgo = getContentEncryptionAlgo(props, contentEncryptionAlgo);
+                contentEncryptionAlgo = getContentEncryptionAlgo(m, props, contentEncryptionAlgo);
                 ctDecryptionKey = getContentDecryptionSecretKey(jwk, contentEncryptionAlgo);
             } else {
                 keyDecryptionProvider = getKeyDecryptionAlgorithm(jwk, keyEncryptionAlgo);
@@ -298,7 +296,7 @@ public final class JweUtils {
         } else {
             keyDecryptionProvider = getRSAKeyDecryptionAlgorithm(
                 (RSAPrivateKey)KeyManagementUtils.loadPrivateKey(
-                    m, props, KeyManagementUtils.RSSEC_DECRYPT_KEY_PSWD_PROVIDER), keyEncryptionAlgo);
+                    m, props, JsonWebKey.KEY_OPER_DECRYPT), keyEncryptionAlgo);
         }
         return createJweDecryptionProvider(keyDecryptionProvider, ctDecryptionKey, contentEncryptionAlgo);
     }
@@ -424,11 +422,19 @@ public final class JweUtils {
             return getDirectKeyJweDecryption(ctDecryptionKey, contentDecryptionAlgo);
         }
     }
-    private static String getKeyEncryptionAlgo(Properties props, String algo) {
-        return algo == null ? props.getProperty(JSON_WEB_ENCRYPTION_KEY_ALGO_PROP) : algo;
+    private static String getKeyEncryptionAlgo(Message m, Properties props, String algo)
{
+        if (algo == null) {
+            return KeyManagementUtils.getKeyAlgorithm(m, props, 
+                JSON_WEB_ENCRYPTION_KEY_ALGO_PROP, JoseConstants.RSA_OAEP_ALGO);
+        }
+        return algo;
     }
-    private static String getContentEncryptionAlgo(Properties props, String algo) {
-        return algo == null ? props.getProperty(JSON_WEB_ENCRYPTION_CEK_ALGO_PROP) : algo;
+    private static String getContentEncryptionAlgo(Message m, Properties props, String algo)
{
+        if (algo == null) {
+            return KeyManagementUtils.getKeyAlgorithm(m, props, 
+                JSON_WEB_ENCRYPTION_CEK_ALGO_PROP, JoseConstants.A128GCM_ALGO);
+        }
+        return algo;
     }
     private static String encrypt(KeyEncryptionAlgorithm keyEncryptionProvider, 
                                   String contentAlgo, byte[] content, String ct) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/893c2175/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java
b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java
index 817bdcd..cbdaa99 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java
@@ -41,7 +41,6 @@ import org.apache.cxf.common.util.crypto.CryptoUtils;
 import org.apache.cxf.helpers.IOUtils;
 import org.apache.cxf.jaxrs.utils.ResourceUtils;
 import org.apache.cxf.message.Message;
-import org.apache.cxf.message.MessageUtils;
 import org.apache.cxf.rs.security.jose.JoseConstants;
 import org.apache.cxf.rs.security.jose.JoseUtils;
 import org.apache.cxf.rs.security.jose.jaxrs.KeyManagementUtils;
@@ -256,9 +255,10 @@ public final class JwkUtils {
     }
 
     public static JsonWebKey loadJsonWebKey(Message m, Properties props, String keyOper,
JwkReaderWriter reader) {
-        PrivateKeyPasswordProvider cb = loadPasswordProvider(m, props, keyOper);
+        PrivateKeyPasswordProvider cb = KeyManagementUtils.loadPasswordProvider(m, props,
keyOper);
         JsonWebKeys jwkSet = loadJwkSet(m, props, cb, reader);
-        String kid = getKeyId(m, props, KeyManagementUtils.RSSEC_KEY_STORE_ALIAS, keyOper);
+        String kid = 
+            KeyManagementUtils.getKeyId(m, props, KeyManagementUtils.RSSEC_KEY_STORE_ALIAS,
keyOper);
         if (kid != null) {
             return jwkSet.getKey(kid);
         } else if (keyOper != null) {
@@ -275,13 +275,13 @@ public final class JwkUtils {
 
     public static List<JsonWebKey> loadJsonWebKeys(Message m, Properties props, String
keyOper, 
                                                    JwkReaderWriter reader) {
-        PrivateKeyPasswordProvider cb = loadPasswordProvider(m, props, keyOper);
+        PrivateKeyPasswordProvider cb = KeyManagementUtils.loadPasswordProvider(m, props,
keyOper);
         JsonWebKeys jwkSet = loadJwkSet(m, props, cb, reader);
-        String kid = getKeyId(m, props, KeyManagementUtils.RSSEC_KEY_STORE_ALIAS, keyOper);
+        String kid = KeyManagementUtils.getKeyId(m, props, KeyManagementUtils.RSSEC_KEY_STORE_ALIAS,
keyOper);
         if (kid != null) {
             return Collections.singletonList(jwkSet.getKey(kid));
         }
-        String kids = getKeyId(m, props, KeyManagementUtils.RSSEC_KEY_STORE_ALIASES, keyOper);
+        String kids = KeyManagementUtils.getKeyId(m, props, KeyManagementUtils.RSSEC_KEY_STORE_ALIASES,
keyOper);
         if (kids != null) {
             String[] values = kids.split(",");
             List<JsonWebKey> keys = new ArrayList<JsonWebKey>(values.length);
@@ -386,40 +386,7 @@ public final class JwkUtils {
         return jwk;
     }
     
-    private static String getKeyId(Message m, Properties props, String preferredPropertyName,
String keyOper) {
-        String kid = null;
-        String altPropertyName = null;
-        if (keyOper != null) {
-            if (keyOper.equals(JsonWebKey.KEY_OPER_ENCRYPT) || keyOper.equals(JsonWebKey.KEY_OPER_DECRYPT))
{
-                altPropertyName = preferredPropertyName + ".jwe";
-            } else if (keyOper.equals(JsonWebKey.KEY_OPER_SIGN) || keyOper.equals(JsonWebKey.KEY_OPER_VERIFY))
{
-                altPropertyName = preferredPropertyName + ".jws";
-            }
-            String direction = m.getExchange().getOutMessage() == m ? ".out" : ".in";
-            kid = (String)MessageUtils.getContextualProperty(m, altPropertyName, altPropertyName
+ direction);
-        }
-        
-        if (kid == null) {
-            kid = props.getProperty(preferredPropertyName);
-        }
-        if (kid == null && altPropertyName != null) {
-            kid = props.getProperty(altPropertyName);
-        }
-        return kid;
-    }
-    private static PrivateKeyPasswordProvider loadPasswordProvider(Message m, Properties
props, String keyOper) {
-        PrivateKeyPasswordProvider cb = 
-            (PrivateKeyPasswordProvider)m.getContextualProperty(KeyManagementUtils.RSSEC_KEY_PSWD_PROVIDER);
-        if (cb == null && keyOper != null) {
-            String propName = keyOper.equals(JsonWebKey.KEY_OPER_SIGN) ? KeyManagementUtils.RSSEC_SIG_KEY_PSWD_PROVIDER
-                : keyOper.equals(JsonWebKey.KEY_OPER_DECRYPT) 
-                ? KeyManagementUtils.RSSEC_DECRYPT_KEY_PSWD_PROVIDER : null;
-            if (propName != null) {
-                cb = (PrivateKeyPasswordProvider)m.getContextualProperty(propName);
-            }
-        }
-        return cb;
-    }
+    
     private static JweEncryptionProvider createDefaultEncryption(char[] password) {
         KeyEncryptionAlgorithm keyEncryption = 
             new PbesHmacAesWrapKeyEncryptionAlgorithm(password, Algorithm.PBES2_HS256_A128KW.getJwtName());

http://git-wip-us.apache.org/repos/asf/cxf/blob/893c2175/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
index e9d228a..66be06c 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
@@ -32,6 +32,7 @@ import org.apache.cxf.jaxrs.utils.JAXRSUtils;
 import org.apache.cxf.jaxrs.utils.ResourceUtils;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.message.MessageUtils;
+import org.apache.cxf.rs.security.jose.JoseConstants;
 import org.apache.cxf.rs.security.jose.JoseHeaders;
 import org.apache.cxf.rs.security.jose.JoseUtils;
 import org.apache.cxf.rs.security.jose.jaxrs.KeyManagementUtils;
@@ -219,13 +220,13 @@ public final class JwsUtils {
         if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(KeyManagementUtils.RSSEC_KEY_STORE_TYPE)))
{
             JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, JsonWebKey.KEY_OPER_SIGN);
             if (jwk != null) {
-                rsaSignatureAlgo = getSignatureAlgo(props, jwk.getAlgorithm());
+                rsaSignatureAlgo = getSignatureAlgo(m, props, jwk.getAlgorithm());
                 theSigProvider = JwsUtils.getSignatureProvider(jwk, rsaSignatureAlgo);
             }
         } else {
-            rsaSignatureAlgo = getSignatureAlgo(props, null);
+            rsaSignatureAlgo = getSignatureAlgo(m, props, null);
             RSAPrivateKey pk = (RSAPrivateKey)KeyManagementUtils.loadPrivateKey(m, props,

-                KeyManagementUtils.RSSEC_SIG_KEY_PSWD_PROVIDER);
+                JsonWebKey.KEY_OPER_SIGN);
             theSigProvider = getRSAKeySignatureProvider(pk, rsaSignatureAlgo);
         }
         if (theSigProvider == null && !ignoreNullProvider) {
@@ -240,12 +241,12 @@ public final class JwsUtils {
         if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(KeyManagementUtils.RSSEC_KEY_STORE_TYPE)))
{
             JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, JsonWebKey.KEY_OPER_VERIFY);
             if (jwk != null) {
-                rsaSignatureAlgo = getSignatureAlgo(props, jwk.getAlgorithm());
+                rsaSignatureAlgo = getSignatureAlgo(m, props, jwk.getAlgorithm());
                 theVerifier = JwsUtils.getSignatureVerifier(jwk, rsaSignatureAlgo);
             }
             
         } else {
-            rsaSignatureAlgo = getSignatureAlgo(props, null);
+            rsaSignatureAlgo = getSignatureAlgo(m, props, null);
             theVerifier = getRSAKeySignatureVerifier(
                               (RSAPublicKey)KeyManagementUtils.loadPublicKey(m, props), rsaSignatureAlgo);
         }
@@ -261,8 +262,12 @@ public final class JwsUtils {
             throw new SecurityException(ex);
         }
     }
-    private static String getSignatureAlgo(Properties props, String algo) {
-        return algo == null ? props.getProperty(JSON_WEB_SIGNATURE_ALGO_PROP) : algo;
+    private static String getSignatureAlgo(Message m, Properties props, String algo) {
+        if (algo == null) {
+            return KeyManagementUtils.getKeyAlgorithm(m, props, 
+                                               JSON_WEB_SIGNATURE_ALGO_PROP, JoseConstants.RS_SHA_256_ALGO);
+        }
+        return algo;
     }
     private static JwsCompactConsumer verify(JwsSignatureVerifier v, String content) {
         JwsCompactConsumer jws = new JwsCompactConsumer(content);

http://git-wip-us.apache.org/repos/asf/cxf/blob/893c2175/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/JAXRSJweJwsTest.java
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/JAXRSJweJwsTest.java
b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/JAXRSJweJwsTest.java
index 08ea2cc..6520caa 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/JAXRSJweJwsTest.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/JAXRSJweJwsTest.java
@@ -217,6 +217,7 @@ public class JAXRSJweJwsTest extends AbstractBusClientServerTestBase {
         
         WebClient.getConfig(bs).getRequestContext().put("rs.security.keystore.alias.jwe.out",
"AliceCert");
         WebClient.getConfig(bs).getRequestContext().put("rs.security.keystore.alias.jws.in",
"AliceCert");
+        WebClient.getConfig(bs).getRequestContext().put("rs.security.default.algorithms",
"true");
         String text = bs.echoText("book");
         assertEquals("book", text);
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/893c2175/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/server.xml
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/server.xml
b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/server.xml
index 87e8bf9..a7c9323 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/server.xml
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/server.xml
@@ -118,6 +118,7 @@ under the License.
             <entry key="rs.security.keystore.alias.jws.in" value="BobCert"/>
             <entry key="rs.security.signature.key.password.provider" value-ref="keyPasswordProvider"/>
             <entry key="rs.security.decryption.key.password.provider" value-ref="keyPasswordProvider"/>
+            <entry key="rs.security.default.algorithms" value="true"/>
         </jaxrs:properties>
     </jaxrs:server>
     <bean id="jackson" class="com.fasterxml.jackson.jaxrs.json.JacksonJsonProvider"/>

http://git-wip-us.apache.org/repos/asf/cxf/blob/893c2175/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/public.jwk.properties
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/public.jwk.properties
b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/public.jwk.properties
index 6cb973e..a5f89b7 100644
--- a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/public.jwk.properties
+++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/public.jwk.properties
@@ -18,6 +18,3 @@
 #
 rs.security.keystore.type=jwk
 rs.security.keystore.file=org/apache/cxf/systest/jaxrs/security/certs/jwkPublicSet.txt
-rs.security.jwe.content.encryption.algorithm=A128GCM
-rs.security.jwe.key.encryption.algorithm=RSA-OAEP
-rs.security.jws.content.signature.algorithm=RS256


Mime
View raw message