cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From build...@apache.org
Subject svn commit: r943700 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-jose.html
Date Fri, 13 Mar 2015 14:46:59 GMT
Author: buildbot
Date: Fri Mar 13 14:46:58 2015
New Revision: 943700

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/jax-rs-jose.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-jose.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-jose.html (original)
+++ websites/production/cxf/content/docs/jax-rs-jose.html Fri Mar 13 14:46:58 2015
@@ -32,6 +32,7 @@
 <link type="text/css" rel="stylesheet" href="/resources/highlighter/styles/shThemeCXF.css">
 
 <script src='/resources/highlighter/scripts/shCore.js'></script>
+<script src='/resources/highlighter/scripts/shBrushJava.js'></script>
 <script src='/resources/highlighter/scripts/shBrushXml.js'></script>
 <script>
   SyntaxHighlighter.defaults['toolbar'] = false;
@@ -117,22 +118,46 @@ Apache CXF -- JAX-RS JOSE
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><p>&#160;</p><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1426254394846 {padding: 0px;}
-div.rbtoc1426254394846 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1426254394846 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1426257993585 {padding: 0px;}
+div.rbtoc1426257993585 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1426257993585 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1426254394846">
+/*]]>*/</style></p><div class="toc-macro rbtoc1426257993585">
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSJOSE-Introduction">Introduction</a></li><li><a
shape="rect" href="#JAX-RSJOSE-MavenDependencies">Maven Dependencies</a></li><li><a
shape="rect" href="#JAX-RSJOSE-JOSEOverview">JOSE Overview</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSJOSE-JWAAlgorithms">JWA
Algorithms</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWKKeys">JWK
Keys</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSSignature">JWS
Signature</a></li><li><a shape="rect" href="#JAX-RSJOSE-JSONEncryption">JSON
Encryption</a></li><li><a shape="rect" href="#JAX-RSJOSE-JSONWebTokens">JSON
Web Tokens</a></li></ul>
-</li><li><a shape="rect" href="#JAX-RSJOSE-JAX-RSJoseFilters">JAX-RS Jose
Filters</a></li><li><a shape="rect" href="#JAX-RSJOSE-OAuth2andJose">OAuth2
and Jose</a></li><li><a shape="rect" href="#JAX-RSJOSE-Third-PartyAlternatives">Third-Party
Alternatives</a></li></ul>
+</li><li><a shape="rect" href="#JAX-RSJOSE-JOSEJAX-RSFilters">JOSE JAX-RS
Filters</a></li><li><a shape="rect" href="#JAX-RSJOSE-Configuration">Configuration</a></li><li><a
shape="rect" href="#JAX-RSJOSE-OAuth2andJose">OAuth2 and Jose</a></li><li><a
shape="rect" href="#JAX-RSJOSE-Third-PartyAlternatives">Third-Party Alternatives</a></li></ul>
 </div><h1 id="JAX-RSJOSE-Introduction">Introduction</h1><p>CXF 3.0.x
implements <a shape="rect" class="external-link" href="https://datatracker.ietf.org/wg/jose/documents/"
rel="nofollow">JOSE</a>.</p><h1 id="JAX-RSJOSE-MavenDependencies">Maven
Dependencies</h1><div class="code panel pdl" style="border-width: 1px;"><div
class="codeContent panelContent pdl">
 <script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[&lt;dependency&gt;
   &lt;groupId&gt;org.apache.cxf&lt;/groupId&gt;
   &lt;artifactId&gt;cxf-rt-rs-security-jose&lt;/artifactId&gt;
-  &lt;version&gt;3.1.0&lt;/version&gt;
+  &lt;version&gt;3.0.4&lt;/version&gt;
 &lt;/dependency&gt;
 ]]></script>
-</div></div><p>&#160;</p><h1 id="JAX-RSJOSE-JOSEOverview">JOSE
Overview</h1><p>JOSE is a set of high quality specifications that specify how
data payloads can be signed and/or encrypted with the cryptographic properties set in JSON-formatted
metadata (headers).</p><p>Note that not only JSON documents but also documents
in the arbitrary formats can be secured: text, binary data, even XML.</p><p>&#160;</p><p>JOSE
is a key piece of the advanced OAuth2 applications but is also perfect at securing the regular
HTTP web service communications.</p><p>&#160;</p><p>At the moment
two signature and encryption output formats are supported: compact and JSON.</p><p>&#160;</p><p>Compact
format is a concatenation of Base64URL-encoded JOSE headers (where the cryptographic signature
or encryption properties are set),</p><p>Base64URL-encoded payload (in the original
form if it is signed, otherwise - encrypted), plus Base64URL-encoded signature of the payload
or some of encryption process input or outpu
 t data</p><p>such as an initialization vector, authentication tag, etc.</p><p>&#160;</p><p>The
JSON (full) format is where all the information describing a signature or encryption process
is presented in a not-compact, regular JSON document, offering a non-optimized but easier
to understand format.</p><p>The signature process also supports the detached body
mode where the body to be signed is not included in the actual output - assuming that both
the consumer and producer know how to access the original payload in order to</p><p>validate
the signature.</p><p>&#160;</p><p>The following subsections will
have the examples with more details.</p><h2 id="JAX-RSJOSE-JWAAlgorithms">JWA
Algorithms</h2><p>All JOSE signature and encryption algorithms are grouped and
described in a <a shape="rect" class="external-link" href="https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40"
rel="nofollow">JSON Web Algorithms</a> (JWA) specification.</p><p>The
algorithms are split into 3 catego
 ries: signature algorithms (MAC, RSA, Elliptic Curve), algorithms for supporting the encryption
of content encryption keys (RSA-OAEP, Key Wrap, etc),</p><p>algorithms for encrypting
the actual content (AES GCM, etc).</p><p>All encryption algorithms produce authentication
tags which provides the protection against manipulating the already encrypted content.</p><p>Refer
to this specification to get all the information needed (with the follow up links to the corresponding
RFC when applicable) about a particular signature or encryption</p><p>algorithm:
the properties, recommended key sizes, other security considerations related to all of or
some specific algorithms.</p><h2 id="JAX-RSJOSE-JWKKeys">JWK Keys</h2><p>&#160;</p><p><a
shape="rect" class="external-link" href="https://tools.ietf.org/html/draft-ietf-jose-json-web-key-41"
rel="nofollow">Json Web Key</a> (JWK) is a JSON document describing the cryptographic
key properties. JWKs are very flexible and light-weight (in most cases) and
  one can expect JWKs becoming one of the major</p><p>mechanisms for representing
and storing cryptographic keys. What is important is that one does not have to use a JWK in
order to sign or encrypt the document, working directly with Java JCA secret and asymmetric
key</p><p>representations is sufficient but JWK is a first class citizen in JOSE
with all of JOSE examples using JWK representations.</p><h2 id="JAX-RSJOSE-JWSSignature">JWS
Signature</h2><p>&#160;</p><h2 id="JAX-RSJOSE-JSONEncryption">JSON
Encryption</h2><h2 id="JAX-RSJOSE-JSONWebTokens">JSON Web Tokens</h2><p>&#160;</p><h1
id="JAX-RSJOSE-JAX-RSJoseFilters">JAX-RS Jose Filters</h1><p>&#160;</p><h1
id="JAX-RSJOSE-OAuth2andJose">OAuth2 and Jose</h1><p>&#160;</p><h1
id="JAX-RSJOSE-Third-PartyAlternatives">Third-Party Alternatives</h1><p>Jose4J.
Etc.</p><p>&#160;</p></div>
+</div></div><p>&#160;</p><h1 id="JAX-RSJOSE-JOSEOverview">JOSE
Overview</h1><p>JOSE is a set of high quality specifications that specify how
data payloads can be signed and/or encrypted with the cryptographic properties set in JSON-formatted
metadata (headers).</p><p>Note that not only JSON documents but also documents
in the arbitrary formats can be secured: text, binary data, even XML.</p><p>&#160;</p><p>JOSE
is a key piece of the advanced OAuth2 applications but is also perfect at securing the regular
HTTP web service communications.</p><p>&#160;</p><p>At the moment
two signature and encryption output formats are supported: compact and JSON.</p><p>&#160;</p><p>Compact
format is a concatenation of Base64URL-encoded JOSE headers (where the cryptographic signature
or encryption properties are set),</p><p>Base64URL-encoded payload (in the original
form if it is signed, otherwise - encrypted), plus Base64URL-encoded signature of the payload
or some of encryption process input or outpu
 t data</p><p>such as an initialization vector, authentication tag, etc.</p><p>&#160;</p><p>The
JSON (full) format is where all the information describing a signature or encryption process
is presented in a not-compact, regular JSON document, offering a non-optimized but easier
to understand format.</p><p>The JSON format also supports multiple signatures
when signing the content or multiple content key encryptions when encrypting the content which
can be useful when multiple recipients are involved.</p><p>The signature process
also supports the detached body mode where the body to be signed is not included in the actual
output - assuming that both the consumer and producer know how to access the original payload
in order to</p><p>validate the signature.</p><p>&#160;</p><p>The
following subsections will have the examples with more details.</p><h2 id="JAX-RSJOSE-JWAAlgorithms">JWA
Algorithms</h2><p>All JOSE signature and encryption algorithms are grouped and
described in a <a shape="re
 ct" class="external-link" href="https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40"
rel="nofollow">JSON Web Algorithms</a> (JWA) specification.</p><p>The
algorithms are split into 3 categories: signature algorithms (MAC, RSA, Elliptic Curve), algorithms
for supporting the encryption of content encryption keys (RSA-OAEP, Key Wrap, etc),</p><p>algorithms
for encrypting the actual content (AES GCM, etc).</p><p>All encryption algorithms
produce authentication tags which provides the protection against manipulating the already
encrypted content.</p><p>Refer to this specification to get all the information
needed (with the follow up links to the corresponding RFC when applicable) about a particular
signature or encryption</p><p>algorithm: the properties, recommended key sizes,
other security considerations related to all of or some specific algorithms.</p><p>CXF
offers the initial utility support for working with JWA algorithms in <a shape="rect" class="external-link"
href
 ="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwa;h=c2b9c5466de8f4b3ad1ea9270c1bc00f07fce862;hb=HEAD">this
package</a>.</p><h2 id="JAX-RSJOSE-JWKKeys">JWK Keys</h2><p>&#160;</p><p><a
shape="rect" class="external-link" href="https://tools.ietf.org/html/draft-ietf-jose-json-web-key-41"
rel="nofollow">Json Web Key</a> (JWK) is a JSON document describing the cryptographic
key properties. JWKs are very flexible and light-weight (in most cases) and one can expect
JWKs becoming one of the major</p><p>mechanisms for representing and storing cryptographic
keys. What is important is that one does not have to use a JWK in order to sign or encrypt
the document, working directly with Java JCA secret and asymmetric key</p><p>representations
is sufficient but JWK is a first class citizen in JOSE with all of JOSE examples using JWK
representations.</p><p>CXF offers a utility support for reading and writing JWK
keys and
  key sets and for working with the encrypted inlined and standalone JWK stores in <a shape="rect"
class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk;h=0d47d676fbb333db265f12f57f25c3d8240872ba;hb=HEAD">this
package</a>.</p><h2 id="JAX-RSJOSE-JWSSignature">JWS Signature</h2><p><a
shape="rect" class="external-link" href="https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-41"
rel="nofollow">JSON Web Signature</a> (JWS) document describes how a document content
can be signed. For example, <a shape="rect" class="external-link" href="https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-41#appendix-A.1"
rel="nofollow">Appendix A1</a> shows how the content can be signed with a MAC key.</p><p>Here
is one of the ways you can do it in CXF, where a Json Web Token (JWT, see one of the next
sections) is signed by a MAC key:<br clear="none">&#160;</p><div class="code
panel
  pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width:
1px;"><b>CXF JWS HMac</b></div><div class="codeContent panelContent
pdl">
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[//
sign
+JoseHeaders headers = new JoseHeaders();
+headers.setAlgorithm(SignatureAlgorithm.HS256.getJwaName());
+
+JwtClaims claims = new JwtClaims();
+claims.setIssuer(&quot;joe&quot;);
+claims.setExpiryTime(1300819380L);
+claims.setClaim(&quot;http://example.com/is_root&quot;, Boolean.TRUE);
+JwtToken token = new JwtToken(headers, claims);
+
+JwsCompactProducer jws = new JwsJwtCompactProducer(token);
+
+jws.signWith(new HmacJwsSignatureProvider(ENCODED_MAC_KEY, SignatureAlgorithm.HS256));
+assertEquals(ENCODED_TOKEN_SIGNED_BY_MAC, jws.getSignedEncodedJws());
+
+// validate
+JwsJwtCompactConsumer jws = new JwsJwtCompactConsumer(ENCODED_TOKEN_SIGNED_BY_MAC);
+assertTrue(jws.verifySignatureWith(new HmacJwsSignatureVerifier(ENCODED_MAC_KEY,
+                                      SignatureAlgorithm.HS256)));
+JwtToken token = jws.getJwtToken();
+JoseHeaders headers = token.getHeaders();
+assertEquals(SignatureAlgorithm.HS256.getJwaName(), headers.getAlgorithm());
+validateClaims(token.getClaims());]]></script>
+</div></div><p>&#160;</p><p>CXF ships JWS related classes
in <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws;h=46610253c8a71916e1955019ea1b01215a7745e6;hb=HEAD">this
package</a>.</p><p><a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureProvider.java;h=9ca48cb2a3b534124f6bdb793a9b0dfa3b6890c5;hb=HEAD">JwsSignatureProvider</a>
supports signing the content, <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureVerifier.java;h=26f9597ddb216675cbb7ba24bcb1281c13001041;hb=HEAD">JwsSignatureVerifier</a>
- validating the signatures. Providers and verifiers supporting RSA, HMac and Elliptic Curve
signature al
 gorithms are shipped.</p><p>JwsCompactConsumer and JwsCompactProducer offer a
utility support for creating and validating JWS compact serialization and accept keys in a
variety of formats</p><p>(as JWKs, JCA representations, created out of band and
wrapped in either JwsSignatureProvider or JwsSignatureVerifier).</p><p>JwsJwtCompactConsumer
and JwsJwtCompactProducer are JwsCompactConsumer and JwsCompactProducer specializations that
offer a utility support for signing Json Web Tokens in a compact format.</p><p>JwsJsonConsumer
and JwsJsonProducer support JWS JSON (full) serialization.</p><p>JwsOutputStream
and&#160;JwsJsonOutputStream are specialized output streams that can be used in conjunction
with JWS JAX-RS filters (see one of the next sections)</p><p>to support the best
effort at streaming the content while signing it.&#160; These classes will use <a shape="rect"
class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/ja
 va/org/apache/cxf/rs/security/jose/jws/JwsSignature.java;h=778b5cb38fd6951bcc06a2a226a057ec3d07d4ef;hb=HEAD">JwsSignature</a>&#160;
optionally returned from JwsSignatureProvider</p><p>instead of working with the
consumer utility classes which deal with the signature process completely in memory.</p><p>&#160;</p><p>Many
more examples will be added here.</p><h2 id="JAX-RSJOSE-JSONEncryption">JSON Encryption</h2><p>&#160;</p><h2
id="JAX-RSJOSE-JSONWebTokens">JSON Web Tokens</h2><p>&#160;</p><h1
id="JAX-RSJOSE-JOSEJAX-RSFilters">JOSE JAX-RS Filters</h1><p>&#160;</p><h1
id="JAX-RSJOSE-Configuration">Configuration</h1><p>&#160;</p><p>&#160;</p><h1
id="JAX-RSJOSE-OAuth2andJose">OAuth2 and Jose</h1><p>&#160;</p><h1
id="JAX-RSJOSE-Third-PartyAlternatives">Third-Party Alternatives</h1><p>Jose4J.
Etc.</p><p>&#160;</p></div>
            </div>
            <!-- Content -->
          </td>



Mime
View raw message