cxf-commits mailing list archives

From build...@apache.org
Subject svn commit: r943707 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-jose.html
Date Fri, 13 Mar 2015 15:46:51 GMT
Author: buildbot
Date: Fri Mar 13 15:46:50 2015
New Revision: 943707

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/jax-rs-jose.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-jose.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-jose.html (original)
+++ websites/production/cxf/content/docs/jax-rs-jose.html Fri Mar 13 15:46:50 2015
@@ -118,14 +118,16 @@ Apache CXF -- JAX-RS JOSE
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><p>&#160;</p><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1426257993585 {padding: 0px;}
-div.rbtoc1426257993585 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1426257993585 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1426261585363 {padding: 0px;}
+div.rbtoc1426261585363 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1426261585363 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1426257993585">
-<ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSJOSE-Introduction">Introduction</a></li><li><a
shape="rect" href="#JAX-RSJOSE-MavenDependencies">Maven Dependencies</a></li><li><a
shape="rect" href="#JAX-RSJOSE-JOSEOverview">JOSE Overview</a>
-<ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSJOSE-JWAAlgorithms">JWA
Algorithms</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWKKeys">JWK
Keys</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSSignature">JWS
Signature</a></li><li><a shape="rect" href="#JAX-RSJOSE-JSONEncryption">JSON
Encryption</a></li><li><a shape="rect" href="#JAX-RSJOSE-JSONWebTokens">JSON
Web Tokens</a></li></ul>
-</li><li><a shape="rect" href="#JAX-RSJOSE-JOSEJAX-RSFilters">JOSE JAX-RS
Filters</a></li><li><a shape="rect" href="#JAX-RSJOSE-Configuration">Configuration</a></li><li><a
shape="rect" href="#JAX-RSJOSE-OAuth2andJose">OAuth2 and Jose</a></li><li><a
shape="rect" href="#JAX-RSJOSE-Third-PartyAlternatives">Third-Party Alternatives</a></li></ul>
+/*]]>*/</style></p><div class="toc-macro rbtoc1426261585363">
+<ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSJOSE-Introduction">Introduction</a></li><li><a
shape="rect" href="#JAX-RSJOSE-MavenDependencies">Maven Dependencies</a></li><li><a
shape="rect" href="#JAX-RSJOSE-JOSEOverview">JOSE Overview</a></li><li><a
shape="rect" href="#JAX-RSJOSE-JWAAlgorithms">JWA Algorithms</a></li><li><a
shape="rect" href="#JAX-RSJOSE-JWKKeys">JWK Keys</a></li><li><a shape="rect"
href="#JAX-RSJOSE-JWSSignature">JWS Signature</a></li><li><a shape="rect"
href="#JAX-RSJOSE-JSONEncryption">JSON Encryption</a></li><li><a shape="rect"
href="#JAX-RSJOSE-JSONWebTokens">JSON Web Tokens</a></li><li><a shape="rect"
href="#JAX-RSJOSE-LinkingJWTauthenticationstoJWSorJWEcontent">Linking JWT authentications
to JWS or JWE content</a></li><li><a shape="rect" href="#JAX-RSJOSE-JOSEJAX-RSFilters">JOSE
JAX-RS Filters</a>
+<ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSJOSE-JWE">JWE</a></li><li><a
shape="rect" href="#JAX-RSJOSE-JWS">JWS</a></li></ul>
+</li><li><a shape="rect" href="#JAX-RSJOSE-Configuration">Configuration</a>
+<ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSJOSE-EncryptingJWKstores">Encrypting
JWK stores</a></li></ul>
+</li><li><a shape="rect" href="#JAX-RSJOSE-OAuth2andJose">OAuth2 and Jose</a></li><li><a
shape="rect" href="#JAX-RSJOSE-OIDCandJose">OIDC and Jose</a></li><li><a
shape="rect" href="#JAX-RSJOSE-FutureWork">Future Work</a></li><li><a
shape="rect" href="#JAX-RSJOSE-Third-PartyAlternatives">Third-Party Alternatives</a></li></ul>
 </div><h1 id="JAX-RSJOSE-Introduction">Introduction</h1><p>CXF 3.0.x
implements <a shape="rect" class="external-link" href="https://datatracker.ietf.org/wg/jose/documents/"
rel="nofollow">JOSE</a>.</p><h1 id="JAX-RSJOSE-MavenDependencies">Maven
Dependencies</h1><div class="code panel pdl" style="border-width: 1px;"><div
class="codeContent panelContent pdl">
 <script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[&lt;dependency&gt;
   &lt;groupId&gt;org.apache.cxf&lt;/groupId&gt;
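Review bot: The new TOC entry "JSON Encryption" (href="#JAX-RSJOSE-JSONEncryption") breaks the naming pattern of its siblings "JWA Algorithms", "JWK Keys" and "JWS Signature" and drops "Web" from the specification name. Renaming the heading to "JWE Encryption" would line it up with the "JWE" entry added under "JOSE JAX-RS Filters". These entries also move from children of "JOSE Overview" to top-level siblings, so wording elsewhere on the page that calls them subsections should be updated in the same edit.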
@@ -133,7 +135,7 @@ div.rbtoc1426257993585 li {margin-left:
   &lt;version&gt;3.0.4&lt;/version&gt;
 &lt;/dependency&gt;
 ]]></script>
-</div></div><p>&#160;</p><h1 id="JAX-RSJOSE-JOSEOverview">JOSE
Overview</h1><p>JOSE is a set of high quality specifications that specify how
data payloads can be signed and/or encrypted with the cryptographic properties set in JSON-formatted
metadata (headers).</p><p>Note that not only JSON documents but also documents
in the arbitrary formats can be secured: text, binary data, even XML.</p><p>&#160;</p><p>JOSE
is a key piece of the advanced OAuth2 applications but is also perfect at securing the regular
HTTP web service communications.</p><p>&#160;</p><p>At the moment
two signature and encryption output formats are supported: compact and JSON.</p><p>&#160;</p><p>Compact
format is a concatenation of Base64URL-encoded JOSE headers (where the cryptographic signature
or encryption properties are set),</p><p>Base64URL-encoded payload (in the original
form if it is signed, otherwise - encrypted), plus Base64URL-encoded signature of the payload
or some of encryption process input or outpu
 t data</p><p>such as an initialization vector, authentication tag, etc.</p><p>&#160;</p><p>The
JSON (full) format is where all the information describing a signature or encryption process
is presented in a not-compact, regular JSON document, offering a non-optimized but easier
to understand format.</p><p>The JSON format also supports multiple signatures
when signing the content or multiple content key encryptions when encrypting the content which
can be useful when multiple recipients are involved.</p><p>The signature process
also supports the detached body mode where the body to be signed is not included in the actual
output - assuming that both the consumer and producer know how to access the original payload
in order to</p><p>validate the signature.</p><p>&#160;</p><p>The
following subsections will have the examples with more details.</p><h2 id="JAX-RSJOSE-JWAAlgorithms">JWA
Algorithms</h2><p>All JOSE signature and encryption algorithms are grouped and
described in a <a shape="re
 ct" class="external-link" href="https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40"
rel="nofollow">JSON Web Algorithms</a> (JWA) specification.</p><p>The
algorithms are split into 3 categories: signature algorithms (MAC, RSA, Elliptic Curve), algorithms
for supporting the encryption of content encryption keys (RSA-OAEP, Key Wrap, etc),</p><p>algorithms
for encrypting the actual content (AES GCM, etc).</p><p>All encryption algorithms
produce authentication tags which provides the protection against manipulating the already
encrypted content.</p><p>Refer to this specification to get all the information
needed (with the follow up links to the corresponding RFC when applicable) about a particular
signature or encryption</p><p>algorithm: the properties, recommended key sizes,
other security considerations related to all of or some specific algorithms.</p><p>CXF
offers the initial utility support for working with JWA algorithms in <a shape="rect" class="external-link"
href
 ="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwa;h=c2b9c5466de8f4b3ad1ea9270c1bc00f07fce862;hb=HEAD">this
package</a>.</p><h2 id="JAX-RSJOSE-JWKKeys">JWK Keys</h2><p>&#160;</p><p><a
shape="rect" class="external-link" href="https://tools.ietf.org/html/draft-ietf-jose-json-web-key-41"
rel="nofollow">Json Web Key</a> (JWK) is a JSON document describing the cryptographic
key properties. JWKs are very flexible and light-weight (in most cases) and one can expect
JWKs becoming one of the major</p><p>mechanisms for representing and storing cryptographic
keys. What is important is that one does not have to use a JWK in order to sign or encrypt
the document, working directly with Java JCA secret and asymmetric key</p><p>representations
is sufficient but JWK is a first class citizen in JOSE with all of JOSE examples using JWK
representations.</p><p>CXF offers a utility support for reading and writing JWK
keys and
  key sets and for working with the encrypted inlined and standalone JWK stores in <a shape="rect"
class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk;h=0d47d676fbb333db265f12f57f25c3d8240872ba;hb=HEAD">this
package</a>.</p><h2 id="JAX-RSJOSE-JWSSignature">JWS Signature</h2><p><a
shape="rect" class="external-link" href="https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-41"
rel="nofollow">JSON Web Signature</a> (JWS) document describes how a document content
can be signed. For example, <a shape="rect" class="external-link" href="https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-41#appendix-A.1"
rel="nofollow">Appendix A1</a> shows how the content can be signed with a MAC key.</p><p>Here
is one of the ways you can do it in CXF, where a Json Web Token (JWT, see one of the next
sections) is signed by a MAC key:<br clear="none">&#160;</p><div class="code
panel
  pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width:
1px;"><b>CXF JWS HMac</b></div><div class="codeContent panelContent
pdl">
+</div></div><p>&#160;</p><h1 id="JAX-RSJOSE-JOSEOverview">JOSE
Overview</h1><p>JOSE is a set of high quality specifications that specify how
data payloads can be signed and/or encrypted with the cryptographic properties set in JSON-formatted
metadata (headers).</p><p>Note that not only JSON documents but also documents
in the arbitrary formats can be secured: text, binary data, even XML.</p><p>&#160;</p><p>JOSE
is a key piece of the advanced OAuth2 applications but is also perfect at securing the regular
HTTP web service communications.</p><p>&#160;</p><p>At the moment
two signature and encryption output formats are supported: compact and JSON.</p><p>&#160;</p><p>Compact
format is a concatenation of Base64URL-encoded JOSE headers (where the cryptographic signature
or encryption properties are set),</p><p>Base64URL-encoded payload (in the original
form if it is signed, otherwise - encrypted), plus Base64URL-encoded signature of the payload
or some of encryption process input or outpu
 t data</p><p>such as an initialization vector, authentication tag, etc.</p><p>&#160;</p><p>The
JSON (full) format is where all the information describing a signature or encryption process
is presented in a not-compact, regular JSON document, offering a non-optimized but easier
to understand format.</p><p>The JSON format also supports multiple signatures
when signing the content or multiple content key encryptions when encrypting the content which
can be useful when multiple recipients are involved.</p><p>The signature process
also supports the detached body mode where the body to be signed is not included in the actual
output - assuming that both the consumer and producer know how to access the original payload
in order to</p><p>validate the signature.</p><p>&#160;</p><p>The
following subsections will have the examples with more details.</p><h1 id="JAX-RSJOSE-JWAAlgorithms">JWA
Algorithms</h1><p>All JOSE signature and encryption algorithms are grouped and
described in a <a shape="re
 ct" class="external-link" href="https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40"
rel="nofollow">JSON Web Algorithms</a> (JWA) specification.</p><p>The
algorithms are split into 3 categories: signature algorithms (MAC, RSA, Elliptic Curve), algorithms
for supporting the encryption of content encryption keys (RSA-OAEP, Key Wrap, etc),</p><p>algorithms
for encrypting the actual content (AES GCM, etc).</p><p>All encryption algorithms
produce authentication tags which provides the protection against manipulating the already
encrypted content.</p><p>Refer to this specification to get all the information
needed (with the follow up links to the corresponding RFC when applicable) about a particular
signature or encryption</p><p>algorithm: the properties, recommended key sizes,
other security considerations related to all of or some specific algorithms.</p><p>CXF
offers the initial utility support for working with JWA algorithms in <a shape="rect" class="external-link"
href
 ="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwa;h=c2b9c5466de8f4b3ad1ea9270c1bc00f07fce862;hb=HEAD">this
package</a>.</p><h1 id="JAX-RSJOSE-JWKKeys">JWK Keys</h1><p>&#160;</p><p><a
shape="rect" class="external-link" href="https://tools.ietf.org/html/draft-ietf-jose-json-web-key-41"
rel="nofollow">Json Web Key</a> (JWK) is a JSON document describing the cryptographic
key properties. JWKs are very flexible and light-weight (in most cases) and one can expect
JWKs becoming one of the major</p><p>mechanisms for representing and storing cryptographic
keys. What is important is that one does not have to use a JWK in order to sign or encrypt
the document, working directly with Java JCA secret and asymmetric key</p><p>representations
is sufficient but JWK is a first class citizen in JOSE with all of JOSE examples using JWK
representations.</p><p>CXF offers a utility support for reading and writing JWK
keys and
  key sets and for working with the encrypted inlined and standalone JWK stores in <a shape="rect"
class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk;h=0d47d676fbb333db265f12f57f25c3d8240872ba;hb=HEAD">this
package</a>.</p><p>Note that JWK keys can be set as JWS or JWE header properties,
example, in order to provide a recipient with the representation of a public key used to create
a signature.</p><h1 id="JAX-RSJOSE-JWSSignature">JWS Signature</h1><p><a
shape="rect" class="external-link" href="https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-41"
rel="nofollow">JSON Web Signature</a> (JWS) document describes how a document content
can be signed. For example, <a shape="rect" class="external-link" href="https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-41#appendix-A.1"
rel="nofollow">Appendix A1</a> shows how the content can be signed with a MAC key.</p><p
 >Here is one of the ways you can do it in CXF, where a Json Web Token (JWT, see one of
the next sections) is signed by a MAC key:<br clear="none">&#160;</p><div
class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader
pdl" style="border-bottom-width: 1px;"><b>CXF JWS HMac</b></div><div
class="codeContent panelContent pdl">
 <script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[//
sign
 JoseHeaders headers = new JoseHeaders();
 headers.setAlgorithm(SignatureAlgorithm.HS256.getJwaName());
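Review bot: The sentence added at the end of the JWK Keys section, "Note that JWK keys can be set as JWS or JWE header properties ... to provide a recipient with the representation of a public key used to create a signature", should also say how the recipient decides to trust that key. A key delivered in the header of the message it is meant to authenticate proves nothing on its own, so the page should state that the header key must be matched against a key set the recipient already trusts before it is used for verification. The same sentence is missing a word ("example," should read "for example,"). Separately, the Overview still says "The following subsections will have the examples" although this hunk promotes JWA Algorithms, JWK Keys and JWS Signature from h2 to h1.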
@@ -157,7 +159,24 @@ JwtToken token = jws.getJwtToken();
 JoseHeaders headers = token.getHeaders();
 assertEquals(SignatureAlgorithm.HS256.getJwaName(), headers.getAlgorithm());
 validateClaims(token.getClaims());]]></script>
-</div></div><p>&#160;</p><p>CXF ships JWS related classes
in <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws;h=46610253c8a71916e1955019ea1b01215a7745e6;hb=HEAD">this
package</a>.</p><p><a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureProvider.java;h=9ca48cb2a3b534124f6bdb793a9b0dfa3b6890c5;hb=HEAD">JwsSignatureProvider</a>
supports signing the content, <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureVerifier.java;h=26f9597ddb216675cbb7ba24bcb1281c13001041;hb=HEAD">JwsSignatureVerifier</a>
- validating the signatures. Providers and verifiers supporting RSA, HMac and Elliptic Curve
signature al
 gorithms are shipped.</p><p>JwsCompactConsumer and JwsCompactProducer offer a
utility support for creating and validating JWS compact serialization and accept keys in a
variety of formats</p><p>(as JWKs, JCA representations, created out of band and
wrapped in either JwsSignatureProvider or JwsSignatureVerifier).</p><p>JwsJwtCompactConsumer
and JwsJwtCompactProducer are JwsCompactConsumer and JwsCompactProducer specializations that
offer a utility support for signing Json Web Tokens in a compact format.</p><p>JwsJsonConsumer
and JwsJsonProducer support JWS JSON (full) serialization.</p><p>JwsOutputStream
and&#160;JwsJsonOutputStream are specialized output streams that can be used in conjunction
with JWS JAX-RS filters (see one of the next sections)</p><p>to support the best
effort at streaming the content while signing it.&#160; These classes will use <a shape="rect"
class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/ja
 va/org/apache/cxf/rs/security/jose/jws/JwsSignature.java;h=778b5cb38fd6951bcc06a2a226a057ec3d07d4ef;hb=HEAD">JwsSignature</a>&#160;
optionally returned from JwsSignatureProvider</p><p>instead of working with the
consumer utility classes which deal with the signature process completely in memory.</p><p>&#160;</p><p>Many
more examples will be added here.</p><h2 id="JAX-RSJOSE-JSONEncryption">JSON Encryption</h2><p>&#160;</p><h2
id="JAX-RSJOSE-JSONWebTokens">JSON Web Tokens</h2><p>&#160;</p><h1
id="JAX-RSJOSE-JOSEJAX-RSFilters">JOSE JAX-RS Filters</h1><p>&#160;</p><h1
id="JAX-RSJOSE-Configuration">Configuration</h1><p>&#160;</p><p>&#160;</p><h1
id="JAX-RSJOSE-OAuth2andJose">OAuth2 and Jose</h1><p>&#160;</p><h1
id="JAX-RSJOSE-Third-PartyAlternatives">Third-Party Alternatives</h1><p>Jose4J.
Etc.</p><p>&#160;</p></div>
+</div></div><p>&#160;</p><p>CXF ships JWS related classes
in <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws;h=46610253c8a71916e1955019ea1b01215a7745e6;hb=HEAD">this
package</a> and offers a support for all of JWA signature algorithms.</p><p><a
shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureProvider.java;h=9ca48cb2a3b534124f6bdb793a9b0dfa3b6890c5;hb=HEAD">JwsSignatureProvider</a>
supports signing the content, <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureVerifier.java;h=26f9597ddb216675cbb7ba24bcb1281c13001041;hb=HEAD">JwsSignatureVerifier</a>
- validating the signatures. Providers and verif
 iers supporting RSA, HMac and Elliptic Curve signature algorithms are shipped.</p><p>JwsCompactConsumer
and JwsCompactProducer offer a utility support for creating and validating JWS compact serialization
and accept keys in a variety of formats</p><p>(as JWKs, JCA representations, created
out of band and wrapped in either JwsSignatureProvider or JwsSignatureVerifier).</p><p>JwsJwtCompactConsumer
and JwsJwtCompactProducer are JwsCompactConsumer and JwsCompactProducer specializations that
offer a utility support for signing Json Web Tokens in a compact format.</p><p>JwsJsonConsumer
and JwsJsonProducer support JWS JSON (full) serialization.</p><p>JwsOutputStream
and&#160;JwsJsonOutputStream are specialized output streams that can be used in conjunction
with JWS JAX-RS filters (see one of the next sections)</p><p>to support the best
effort at streaming the content while signing it.&#160; These classes will use <a shape="rect"
class="external-link" href="https://git-wip-us.apache.org/rep
 os/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignature.java;h=778b5cb38fd6951bcc06a2a226a057ec3d07d4ef;hb=HEAD">JwsSignature</a>&#160;
optionally returned from JwsSignatureProvider</p><p>instead of working with the
consumer utility classes which deal with the signature process completely in memory.</p><p>&#160;</p><p>Many
more examples will be added here.</p><h1 id="JAX-RSJOSE-JSONEncryption">JSON Encryption</h1><p><a
shape="rect" class="external-link" href="https://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-40"
rel="nofollow">JSON Web Signature</a> (JWE) document describes how a document content,
and, when applicable, a content encryption key, can be encrypted. For example, <a shape="rect"
class="external-link" href="https://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-40#appendix-A.1"
rel="nofollow">Appendix A1</a> shows how the content can be encrypted</p><p>with
a secret key using Aes Gcm with the actu
 al content encryption key encrypted/wrapped using RSA-OAEP.</p><p>Here is the
example for doing Aes Cbc HMac and Aes Key Wrap in CXF:</p><div class="code panel
pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width:
1px;"><b>CXF Jwe AesWrapAesCbcHMac</b></div><div class="codeContent
panelContent pdl">
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[final
String specPlainText = &quot;Live long and prosper.&quot;;
+        
+byte[] cekEncryptionKey = Base64UrlUtility.decode(KEY_ENCRYPTION_KEY_A3);
+        
+AesWrapKeyEncryptionAlgorithm keyEncryption = new AesWrapKeyEncryptionAlgorithm(cekEncryptionKey,
KeyAlgorithm.A128KW);
+JweEncryptionProvider encryption = new AesCbcHmacJweEncryption(ContentAlgorithm.A128CBC_HS256,
+                                                               CONTENT_ENCRYPTION_KEY_A3,

+                                                               INIT_VECTOR_A3,
+                                                               keyEncryption);
+String jweContent = encryption.encrypt(specPlainText.getBytes(&quot;UTF-8&quot;),
null);
+assertEquals(JWE_OUTPUT_A3, jweContent);
+        
+AesWrapKeyDecryptionAlgorithm keyDecryption = new AesWrapKeyDecryptionAlgorithm(cekEncryptionKey);
+JweDecryptionProvider decryption = new AesCbcHmacJweDecryption(keyDecryption);
+String decryptedText = decryption.decrypt(jweContent).getContentText();
+assertEquals(specPlainText, decryptedText);]]></script>
+</div></div><p>&#160;</p><p>CXF ships JWE related classes
in <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe;h=71e0e29025252080838168458b3d2e0179a7a0bd;hb=HEAD">this
package</a> and offers a support for all of JWA encryption algorithms.</p><p><a
shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionProvider.java;h=615212b1622abb1c0a8b06a3b5498d8b6199d0cc;hb=HEAD">JweEncryptionProvider</a>
supports encrypting the content, <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionProvider.java;h=1f4861a2d78df5514ff74c40330c1a5f5933f47d;hb=HEAD">JweDecryptionProvider</a>
- decrypting the content. Encryptors and
  Decryptors for all of JWE algorithms are shipped.</p><p>JweCompactConsumer and
JweCompactProducer offer a utility support for creating and validating JWE compact serialization
and accept keys in a variety of formats</p><p>(as JWKs, JCA representations, created
out of band and wrapped in either JweEncryptionProvider or JweDecryptionProvider).</p><p>JweJwtCompactConsumer
and JweJwtCompactProducer are JweCompactConsumer and JweCompactProducer specializations that
offer a utility support for encrypting Json Web Tokens in a compact format.</p><p>JweJsonConsumer
and JweJsonProducer support JWE JSON (full) serialization.</p><p>JweOutputStream
is a specialized output stream that can be used in conjunction with JWE JAX-RS filters (see
one of the next sections)</p><p>to support the best effort at streaming the content
while encrypting it.&#160; These classes will use <a shape="rect" class="external-link"
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src
 /main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionOutput.java;h=918ef5a085c3dc51025e2e9cbba37388f37eb49e;hb=HEAD">JweEncryptionOutput</a>&#160;
optionally returned from JweEncryptionProvider</p><p>instead of working with the
consumer utility classes which deal with the encryption process completely in memory.</p><p>&#160;</p><p>Many
more examples will be added here.</p><h1 id="JAX-RSJOSE-JSONWebTokens">JSON Web
Tokens</h1><p>&#160;</p><p><a shape="rect" class="external-link"
href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32" rel="nofollow">JSON
Web Token</a> (JWT) is a collection of claims in JSON format. It offers a standard JSON
container for representing various properties or claims.</p><p>JWT can be signed
and or encrypted, i.e, serve as a JOSE signature or encryption input like any other data structure.</p><p>&#160;</p><p>JWT
has been primarily used in OAuth2 applications to represent self-contained access tokens but
can also be used in other contex
 ts.</p><p>CXF offers an initial JWT support in <a shape="rect" class="external-link"
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt;h=ab5e633cd9d81374288c46c7d283df49931cc0d8;hb=HEAD">this
package</a>.</p><h1 id="JAX-RSJOSE-LinkingJWTauthenticationstoJWSorJWEcontent">Linking
JWT authentications to JWS or JWE content</h1><p>Add more...</p><h1 id="JAX-RSJOSE-JOSEJAX-RSFilters">JOSE
JAX-RS Filters</h1><h2 id="JAX-RSJOSE-JWE">JWE</h2><h2 id="JAX-RSJOSE-JWS">JWS</h2><h1
id="JAX-RSJOSE-Configuration">Configuration</h1><p>A variety of signature and
encryption key properties is supported. Add more...</p><h2 id="JAX-RSJOSE-EncryptingJWKstores">Encrypting
JWK stores</h2><p>JAX-RS filters can read the keys from encrypted JWK stores.
The stores are encrypted inline or in separate storages (files). By default the filters expect
that the stores has been encrypted using</p><p>a password based <a shape="rect"
cl
 ass="external-link" href="https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#section-4.8"
rel="nofollow">PBES2 algorithm</a>. The filters will check a registered <a shape="rect"
class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/PrivateKeyPasswordProvider.java;h=bfcde495a9f9fd0f11a2394c758be1d85beb5c60;hb=HEAD">password
provider</a>.</p><h1 id="JAX-RSJOSE-OAuth2andJose">OAuth2 and Jose</h1><p>CXF
OAuth2 module depends on its JOSE module. This will be used to support OAuth2 POP tokens.
Authorization code JOSE requests can already be processed. Utility support for validating
JWT-based access tokens is provided.</p><p>Add more...</p><h1 id="JAX-RSJOSE-OIDCandJose">OIDC
and Jose</h1><p>OIDC heavily depends on JOSE. CXF OIDC module utilizes a JOSE
module to support OIDC RP and IDP code. Add more...</p><h1 id="JAX-RSJOSE-FutureWork">Future
Work</h1><p>OAuth2, WebCryp
 to, OIDC, etc</p><h1 id="JAX-RSJOSE-Third-PartyAlternatives">Third-Party Alternatives</h1><p><a
shape="rect" class="external-link" href="https://bitbucket.org/b_c/jose4j/wiki/Home" rel="nofollow">Jose4J</a>
is a top project from Brian Campbell.&#160; CXF users are encouraged to experiment with
Jose4J (or indeed with other 3rd party implementations) if they prefer.</p><p>TODO:
describe how Jose4J can be integrated with CXF filters if preferred.</p><p>&#160;</p></div>
            </div>
            <!-- Content -->
          </td>
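Review bot: The "CXF Jwe AesWrapAesCbcHMac" sample passes the fixed constants CONTENT_ENCRYPTION_KEY_A3 and INIT_VECTOR_A3 to AesCbcHmacJweEncryption so that the result equals JWE_OUTPUT_A3, and nothing in the surrounding text says this is only for reproducing a known test vector. Readers copy documentation samples, so add a sentence stating that application code must use a freshly generated content encryption key and initialization vector for every message, and preferably show that form next to the test-vector form. In the same section the link to draft-ietf-jose-json-web-encryption-40 is labelled "JSON Web Signature" and should read "JSON Web Encryption". The prose cites Appendix A1 (AES GCM with RSA-OAEP) while the sample uses the A3 constants, so the sample's appendix should be named as well. Under "Encrypting JWK stores", "the stores has been encrypted" needs "have", and the text should say what the filters do when no password provider is registered.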


