cxf-commits mailing list archives

From build...@apache.org
Subject svn commit: r969980 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-jose.html
Date Fri, 23 Oct 2015 13:47:37 GMT
Author: buildbot
Date: Fri Oct 23 13:47:37 2015
New Revision: 969980

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/jax-rs-jose.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-jose.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-jose.html (original)
+++ websites/production/cxf/content/docs/jax-rs-jose.html Fri Oct 23 13:47:37 2015
@@ -118,11 +118,11 @@ Apache CXF -- JAX-RS JOSE
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><p>&#160;</p><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1445525232766 {padding: 0px;}
-div.rbtoc1445525232766 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1445525232766 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1445608018472 {padding: 0px;}
+div.rbtoc1445608018472 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1445608018472 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1445525232766">
+/*]]>*/</style></p><div class="toc-macro rbtoc1445608018472">
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSJOSE-Introduction">Introduction</a></li><li><a
shape="rect" href="#JAX-RSJOSE-MavenDependencies">Maven Dependencies</a></li><li><a
shape="rect" href="#JAX-RSJOSE-JOSEOverview">JOSE Overview</a></li><li><a
shape="rect" href="#JAX-RSJOSE-JWAAlgorithms">JWA Algorithms</a></li><li><a
shape="rect" href="#JAX-RSJOSE-JWKKeys">JWK Keys</a></li><li><a shape="rect"
href="#JAX-RSJOSE-JWSSignature">JWS Signature</a></li><li><a shape="rect"
href="#JAX-RSJOSE-JSONEncryption">JSON Encryption</a></li><li><a shape="rect"
href="#JAX-RSJOSE-JSONWebTokens">JSON Web Tokens</a></li><li><a shape="rect"
href="#JAX-RSJOSE-LinkingJWTauthenticationstoJWSorJWEcontent">Linking JWT authentications
to JWS or JWE content</a></li><li><a shape="rect" href="#JAX-RSJOSE-JOSEJAX-RSFilters">JOSE
JAX-RS Filters</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSJOSE-JWE">JWE</a></li><li><a
shape="rect" href="#JAX-RSJOSE-JWS">JWS</a></li></ul>
 </li><li><a shape="rect" href="#JAX-RSJOSE-Configuration">Configuration</a>
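
Review bot: the generated class suffix on the three div.rbtoc CSS rules and the toc-macro div (rbtoc1445525232766 to rbtoc1445608018472) is the only thing that differs in this hunk, while the table-of-contents entries below it are unchanged context. If the export can emit a stable class name for the TOC macro, commits like this one would contain only real content changes, which makes a documentation change to a security page much easier to spot and review.
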
@@ -176,7 +176,7 @@ AesWrapKeyDecryptionAlgorithm keyDecrypt
 JweDecryptionProvider decryption = new AesCbcHmacJweDecryption(keyDecryption);
 String decryptedText = decryption.decrypt(jweContent).getContentText();
 assertEquals(specPlainText, decryptedText);</pre>
-</div></div><p>&#160;</p><p>CXF ships JWE related classes
in <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe;h=71e0e29025252080838168458b3d2e0179a7a0bd;hb=HEAD">this
package</a> and offers a support for all of JWA encryption algorithms.</p><p><a
shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionProvider.java;h=615212b1622abb1c0a8b06a3b5498d8b6199d0cc;hb=HEAD">JweEncryptionProvider</a>
supports encrypting the content, <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionProvider.java;h=1f4861a2d78df5514ff74c40330c1a5f5933f47d;hb=HEAD">JweDecryptionProvider</a>
- decrypting the content. Encryptors and
  Decryptors for all of JWE algorithms are shipped.</p><p>JweCompactConsumer and
JweCompactProducer offer a utility support for creating and validating JWE compact serialization
and accept keys in a variety of formats</p><p>(as JWKs, JCA representations, created
out of band and wrapped in either JweEncryptionProvider or JweDecryptionProvider).</p><p>JweJwtCompactConsumer
and JweJwtCompactProducer are JweCompactConsumer and JweCompactProducer specializations that
offer a utility support for encrypting Json Web Tokens in a compact format.</p><p>JweJsonConsumer
and JweJsonProducer support JWE JSON (full) serialization.</p><p>JweOutputStream
is a specialized output stream that can be used in conjunction with JWE JAX-RS filters (see
one of the next sections)</p><p>to support the best effort at streaming the content
while encrypting it.&#160; These classes will use <a shape="rect" class="external-link"
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src
 /main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionOutput.java;h=918ef5a085c3dc51025e2e9cbba37388f37eb49e;hb=HEAD">JweEncryptionOutput</a>&#160;
optionally returned from JweEncryptionProvider</p><p>instead of working with the
consumer utility classes which deal with the encryption process completely in memory.</p><p>&#160;</p><p>Many
more examples will be added here.</p><h1 id="JAX-RSJOSE-JSONWebTokens">JSON Web
Tokens</h1><p>&#160;</p><p><a shape="rect" class="external-link"
href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32" rel="nofollow">JSON
Web Token</a> (JWT) is a collection of claims in JSON format. It offers a standard JSON
container for representing various properties or claims.</p><p>JWT can be signed
and or encrypted, i.e, serve as a JOSE signature or encryption input like any other data structure.</p><p>&#160;</p><p>JWT
has been primarily used in OAuth2 applications to represent self-contained access tokens but
can also be used in other contex
 ts.</p><p>CXF offers an initial JWT support in <a shape="rect" class="external-link"
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt;h=ab5e633cd9d81374288c46c7d283df49931cc0d8;hb=HEAD">this
package</a>.</p><h1 id="JAX-RSJOSE-LinkingJWTauthenticationstoJWSorJWEcontent">Linking
JWT authentications to JWS or JWE content</h1><p>Add more...</p><h1 id="JAX-RSJOSE-JOSEJAX-RSFilters">JOSE
JAX-RS Filters</h1><h2 id="JAX-RSJOSE-JWE">JWE</h2><h2 id="JAX-RSJOSE-JWS">JWS</h2><h1
id="JAX-RSJOSE-Configuration">Configuration</h1><h4 id="JAX-RSJOSE-Configurationthatappliestobothencryptionandsignature">Configuration
that applies to both encryption and signature</h4><div class="table-wrap"><table
class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>rs.security.keystore.type</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The keystore type. Suitable values
are "jks" or "j
 wk".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore.password</td><td
colspan="1" rowspan="1" class="confluenceTd">The password required to access the keystore.</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.key.password</td><td
colspan="1" rowspan="1" class="confluenceTd">The password required to access the private
key (in the keystore).</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore.alias</td><td
colspan="1" rowspan="1" class="confluenceTd">&#160;The keystore alias corresponding
to the key to use. You can append one of the following to this tag to get the alias for more
specific operations:<br clear="none">&#160;&#160;&#160;&#160; - jwe.out<br
clear="none">&#160;&#160;&#160;&#160; - jwe.in<br clear="none">&#160;&#160;&#160;&#160;
- jws.out<br clear="none">&#160;&#160;&#160;&#160; - jws.in</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore.aliases</t
 d><td colspan="1" rowspan="1" class="confluenceTd">The keystore aliases corresponding
to the keys to use, when using the JSON serialization form. You can append one of the following
to this tag to get the alias for more specific operations:<br clear="none">&#160;&#160;&#160;&#160;
- jws.out<br clear="none">&#160;&#160;&#160;&#160; - jws.in</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore.file</td><td
colspan="1" rowspan="1" class="confluenceTd">The path to the keystore file.</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.key.password.provider</td><td
colspan="1" rowspan="1" class="confluenceTd">A reference to a PrivateKeyPasswordProvider
instance used to retrieve passwords to access keys.</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.include.public.key</td><td
colspan="1" rowspan="1" class="confluenceTd">Include the JWK public key (for signature
or encryption) in the "jwk" header.</td></tr><tr><
 td colspan="1" rowspan="1" class="confluenceTd">rs.security.include.cert</td><td
colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate (for signature
or encryption) in the "x5c" header.</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">rs.security.include.key.id</td><td colspan="1" rowspan="1"
class="confluenceTd">Include the JWK key id (for signature or encryption) in the "kid"
header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.include.cert.sha1</td><td
colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate SHA-1 digest
(for signature or encryption) in the "x5t" header.</td></tr></tbody></table></div><h2
id="JAX-RSJOSE-EncryptingJWKstores">Encrypting JWK stores</h2><p>JAX-RS filters
can read the keys from encrypted JWK stores. The stores are encrypted inline or in separate
storages (files). By default the filters expect that the stores has been encrypted using</p><p>a
password based <a shape="rect" 
 class="external-link" href="https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#section-4.8"
rel="nofollow">PBES2 algorithm</a>. The filters will check a registered <a shape="rect"
class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/PrivateKeyPasswordProvider.java;h=bfcde495a9f9fd0f11a2394c758be1d85beb5c60;hb=HEAD">password
provider</a>.</p><h1 id="JAX-RSJOSE-OAuth2andJose">OAuth2 and Jose</h1><p>CXF
OAuth2 module depends on its JOSE module. This will be used to support OAuth2 POP tokens.
Authorization code JOSE requests can already be processed. Utility support for validating
JWT-based access tokens is provided.</p><p>Add more...</p><h1 id="JAX-RSJOSE-OIDCandJose">OIDC
and Jose</h1><p>OIDC heavily depends on JOSE. CXF OIDC module utilizes a JOSE
module to support OIDC RP and IDP code. Add more...</p><h1 id="JAX-RSJOSE-FutureWork">Future
Work</h1><p>OAuth2, WebCr
 ypto, OIDC, etc</p><h1 id="JAX-RSJOSE-Third-PartyAlternatives">Third-Party Alternatives</h1><p><a
shape="rect" class="external-link" href="https://bitbucket.org/b_c/jose4j/wiki/Home" rel="nofollow">Jose4J</a>
is a top project from Brian Campbell.&#160; CXF users are encouraged to experiment with
Jose4J (or indeed with other 3rd party implementations) if they prefer.</p><p>TODO:
describe how Jose4J can be integrated with CXF filters if preferred.</p><p>&#160;</p></div>
+</div></div><p>&#160;</p><p>CXF ships JWE related classes
in <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe;h=71e0e29025252080838168458b3d2e0179a7a0bd;hb=HEAD">this
package</a> and offers a support for all of JWA encryption algorithms.</p><p><a
shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionProvider.java;h=615212b1622abb1c0a8b06a3b5498d8b6199d0cc;hb=HEAD">JweEncryptionProvider</a>
supports encrypting the content, <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionProvider.java;h=1f4861a2d78df5514ff74c40330c1a5f5933f47d;hb=HEAD">JweDecryptionProvider</a>
- decrypting the content. Encryptors and
  Decryptors for all of JWE algorithms are shipped.</p><p>JweCompactConsumer and
JweCompactProducer offer a utility support for creating and validating JWE compact serialization
and accept keys in a variety of formats</p><p>(as JWKs, JCA representations, created
out of band and wrapped in either JweEncryptionProvider or JweDecryptionProvider).</p><p>JweJwtCompactConsumer
and JweJwtCompactProducer are JweCompactConsumer and JweCompactProducer specializations that
offer a utility support for encrypting Json Web Tokens in a compact format.</p><p>JweJsonConsumer
and JweJsonProducer support JWE JSON (full) serialization.</p><p>JweOutputStream
is a specialized output stream that can be used in conjunction with JWE JAX-RS filters (see
one of the next sections)</p><p>to support the best effort at streaming the content
while encrypting it.&#160; These classes will use <a shape="rect" class="external-link"
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src
 /main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionOutput.java;h=918ef5a085c3dc51025e2e9cbba37388f37eb49e;hb=HEAD">JweEncryptionOutput</a>&#160;
optionally returned from JweEncryptionProvider</p><p>instead of working with the
consumer utility classes which deal with the encryption process completely in memory.</p><p>&#160;</p><p>Many
more examples will be added here.</p><h1 id="JAX-RSJOSE-JSONWebTokens">JSON Web
Tokens</h1><p>&#160;</p><p><a shape="rect" class="external-link"
href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32" rel="nofollow">JSON
Web Token</a> (JWT) is a collection of claims in JSON format. It offers a standard JSON
container for representing various properties or claims.</p><p>JWT can be signed
and or encrypted, i.e, serve as a JOSE signature or encryption input like any other data structure.</p><p>&#160;</p><p>JWT
has been primarily used in OAuth2 applications to represent self-contained access tokens but
can also be used in other contex
 ts.</p><p>CXF offers an initial JWT support in <a shape="rect" class="external-link"
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt;h=ab5e633cd9d81374288c46c7d283df49931cc0d8;hb=HEAD">this
package</a>.</p><h1 id="JAX-RSJOSE-LinkingJWTauthenticationstoJWSorJWEcontent">Linking
JWT authentications to JWS or JWE content</h1><p>Add more...</p><h1 id="JAX-RSJOSE-JOSEJAX-RSFilters">JOSE
JAX-RS Filters</h1><h2 id="JAX-RSJOSE-JWE">JWE</h2><h2 id="JAX-RSJOSE-JWS">JWS</h2><h1
id="JAX-RSJOSE-Configuration">Configuration</h1><h4 id="JAX-RSJOSE-Configurationthatappliestobothencryptionandsignature">Configuration
that applies to both encryption and signature</h4><div class="table-wrap"><table
class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>rs.security.keystore.type</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The keystore type. Suitable values
are "jks" or "j
 wk".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore.password</td><td
colspan="1" rowspan="1" class="confluenceTd">The password required to access the keystore.</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore.alias</td><td
colspan="1" rowspan="1" class="confluenceTd">&#160;The keystore alias corresponding
to the key to use. You can append one of the following to this tag to get the alias for more
specific operations:<br clear="none">&#160;&#160;&#160;&#160; - jwe.out<br
clear="none">&#160;&#160;&#160;&#160; - jwe.in<br clear="none">&#160;&#160;&#160;&#160;
- jws.out<br clear="none">&#160;&#160;&#160;&#160; - jws.in</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore.aliases</td><td
colspan="1" rowspan="1" class="confluenceTd">The keystore aliases corresponding to the
keys to use, when using the JSON serialization form. You can append one of the following to
this tag to get the al
 ias for more specific operations:<br clear="none">&#160;&#160;&#160;&#160;
- jws.out<br clear="none">&#160;&#160;&#160;&#160; - jws.in</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore.file</td><td
colspan="1" rowspan="1" class="confluenceTd">The path to the keystore file.</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.key.password</td><td
colspan="1" rowspan="1" class="confluenceTd">The password required to access the private
key (in the keystore).</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.key.password.provider</td><td
colspan="1" rowspan="1" class="confluenceTd">A reference to a PrivateKeyPasswordProvider
instance used to retrieve passwords to access keys.</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.include.public.key</td><td
colspan="1" rowspan="1" class="confluenceTd">Include the JWK public key (for signature
or encryption) in the "jwk" header.</td></tr><tr><
 td colspan="1" rowspan="1" class="confluenceTd">rs.security.include.cert</td><td
colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate (for signature
or encryption) in the "x5c" header.</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">rs.security.include.key.id</td><td colspan="1" rowspan="1"
class="confluenceTd">Include the JWK key id (for signature or encryption) in the "kid"
header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.include.cert.sha1</td><td
colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate SHA-1 digest
(for signature or encryption) in the "x5t" header.</td></tr></tbody></table></div><h2
id="JAX-RSJOSE-EncryptingJWKstores">Encrypting JWK stores</h2><p>JAX-RS filters
can read the keys from encrypted JWK stores. The stores are encrypted inline or in separate
storages (files). By default the filters expect that the stores has been encrypted using</p><p>a
password based <a shape="rect" 
 class="external-link" href="https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#section-4.8"
rel="nofollow">PBES2 algorithm</a>. The filters will check a registered <a shape="rect"
class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/PrivateKeyPasswordProvider.java;h=bfcde495a9f9fd0f11a2394c758be1d85beb5c60;hb=HEAD">password
provider</a>.</p><h1 id="JAX-RSJOSE-OAuth2andJose">OAuth2 and Jose</h1><p>CXF
OAuth2 module depends on its JOSE module. This will be used to support OAuth2 POP tokens.
Authorization code JOSE requests can already be processed. Utility support for validating
JWT-based access tokens is provided.</p><p>Add more...</p><h1 id="JAX-RSJOSE-OIDCandJose">OIDC
and Jose</h1><p>OIDC heavily depends on JOSE. CXF OIDC module utilizes a JOSE
module to support OIDC RP and IDP code. Add more...</p><h1 id="JAX-RSJOSE-FutureWork">Future
Work</h1><p>OAuth2, WebCr
 ypto, OIDC, etc</p><h1 id="JAX-RSJOSE-Third-PartyAlternatives">Third-Party Alternatives</h1><p><a
shape="rect" class="external-link" href="https://bitbucket.org/b_c/jose4j/wiki/Home" rel="nofollow">Jose4J</a>
is a top project from Brian Campbell.&#160; CXF users are encouraged to experiment with
Jose4J (or indeed with other 3rd party implementations) if they prefer.</p><p>TODO:
describe how Jose4J can be integrated with CXF filters if preferred.</p><p>&#160;</p></div>
            </div>
            <!-- Content -->
          </td>
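
Review bot: in the configuration table, the relocated rs.security.key.password row now sits directly above rs.security.key.password.provider, but neither description says how the two relate or which one applies when both are set. Since the row is being moved anyway, extend the rs.security.key.password description to say whether it is an alternative to the PrivateKeyPasswordProvider reference, and name that property in the "Encrypting JWK stores" paragraph, which only says the filters "will check a registered password provider". Two smaller points in the same added line: "the stores has been encrypted" should read "have been encrypted", and the row move is the only content change here, yet it appears as a rewrite of the whole page body because the generated HTML puts everything on one line, so the log message should state what changed.
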


