cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From build...@apache.org
Subject svn commit: r969998 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-jose.html docs/security-configuration.html
Date Fri, 23 Oct 2015 16:47:43 GMT
Author: buildbot
Date: Fri Oct 23 16:47:42 2015
New Revision: 969998

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/jax-rs-jose.html
    websites/production/cxf/content/docs/security-configuration.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-jose.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-jose.html (original)
+++ websites/production/cxf/content/docs/jax-rs-jose.html Fri Oct 23 16:47:42 2015
@@ -118,16 +118,16 @@ Apache CXF -- JAX-RS JOSE
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><p>&#160;</p><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1445608018472 {padding: 0px;}
-div.rbtoc1445608018472 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1445608018472 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1445618817588 {padding: 0px;}
+div.rbtoc1445618817588 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1445618817588 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1445608018472">
+/*]]>*/</style></p><div class="toc-macro rbtoc1445618817588">
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSJOSE-Introduction">Introduction</a></li><li><a shape="rect" href="#JAX-RSJOSE-MavenDependencies">Maven Dependencies</a></li><li><a shape="rect" href="#JAX-RSJOSE-JOSEOverview">JOSE Overview</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWAAlgorithms">JWA Algorithms</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWKKeys">JWK Keys</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSSignature">JWS Signature</a></li><li><a shape="rect" href="#JAX-RSJOSE-JSONEncryption">JSON Encryption</a></li><li><a shape="rect" href="#JAX-RSJOSE-JSONWebTokens">JSON Web Tokens</a></li><li><a shape="rect" href="#JAX-RSJOSE-LinkingJWTauthenticationstoJWSorJWEcontent">Linking JWT authentications to JWS or JWE content</a></li><li><a shape="rect" href="#JAX-RSJOSE-JOSEJAX-RSFilters">JOSE JAX-RS Filters</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSJOSE-JWE">JWE</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWS">JWS</a></li></ul>
 </li><li><a shape="rect" href="#JAX-RSJOSE-Configuration">Configuration</a>
-<ul class="toc-indentation"><ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSJOSE-Configurationthatappliestobothencryptionandsignature">Configuration that applies to both encryption and signature</a></li></ul><li><a shape="rect" href="#JAX-RSJOSE-EncryptingJWKstores">Encrypting JWK stores</a></li></ul>
-</li><li><a shape="rect" href="#JAX-RSJOSE-OAuth2andJose">OAuth2 and Jose</a></li><li><a shape="rect" href="#JAX-RSJOSE-OIDCandJose">OIDC and Jose</a></li><li><a shape="rect" href="#JAX-RSJOSE-FutureWork">Future Work</a></li><li><a shape="rect" href="#JAX-RSJOSE-Third-PartyAlternatives">Third-Party Alternatives</a></li></ul>
+<ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSJOSE-Configurationthatappliestobothencryptionandsignature">Configuration that applies to both encryption and signature</a></li><li><a shape="rect" href="#JAX-RSJOSE-Configurationthatappliestosignatureonly">Configuration that applies to signature only</a></li></ul>
+</li><li><a shape="rect" href="#JAX-RSJOSE-EncryptingJWKstores">Encrypting JWK stores</a></li><li><a shape="rect" href="#JAX-RSJOSE-OAuth2andJose">OAuth2 and Jose</a></li><li><a shape="rect" href="#JAX-RSJOSE-OIDCandJose">OIDC and Jose</a></li><li><a shape="rect" href="#JAX-RSJOSE-FutureWork">Future Work</a></li><li><a shape="rect" href="#JAX-RSJOSE-Third-PartyAlternatives">Third-Party Alternatives</a></li></ul>
 </div><h1 id="JAX-RSJOSE-Introduction">Introduction</h1><p>CXF 3.0.x implements <a shape="rect" class="external-link" href="https://datatracker.ietf.org/wg/jose/documents/" rel="nofollow">JOSE</a>.</p><h1 id="JAX-RSJOSE-MavenDependencies">Maven Dependencies</h1><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">&lt;dependency&gt;
   &lt;groupId&gt;org.apache.cxf&lt;/groupId&gt;
@@ -176,7 +176,7 @@ AesWrapKeyDecryptionAlgorithm keyDecrypt
 JweDecryptionProvider decryption = new AesCbcHmacJweDecryption(keyDecryption);
 String decryptedText = decryption.decrypt(jweContent).getContentText();
 assertEquals(specPlainText, decryptedText);</pre>
-</div></div><p>&#160;</p><p>CXF ships JWE related classes in <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe;h=71e0e29025252080838168458b3d2e0179a7a0bd;hb=HEAD">this package</a> and offers a support for all of JWA encryption algorithms.</p><p><a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionProvider.java;h=615212b1622abb1c0a8b06a3b5498d8b6199d0cc;hb=HEAD">JweEncryptionProvider</a> supports encrypting the content, <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionProvider.java;h=1f4861a2d78df5514ff74c40330c1a5f5933f47d;hb=HEAD">JweDecryptionProvider</a> - decrypting the content. Encryptors and
  Decryptors for all of JWE algorithms are shipped.</p><p>JweCompactConsumer and JweCompactProducer offer a utility support for creating and validating JWE compact serialization and accept keys in a variety of formats</p><p>(as JWKs, JCA representations, created out of band and wrapped in either JweEncryptionProvider or JweDecryptionProvider).</p><p>JweJwtCompactConsumer and JweJwtCompactProducer are JweCompactConsumer and JweCompactProducer specializations that offer a utility support for encrypting Json Web Tokens in a compact format.</p><p>JweJsonConsumer and JweJsonProducer support JWE JSON (full) serialization.</p><p>JweOutputStream is a specialized output stream that can be used in conjunction with JWE JAX-RS filters (see one of the next sections)</p><p>to support the best effort at streaming the content while encrypting it.&#160; These classes will use <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src
 /main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionOutput.java;h=918ef5a085c3dc51025e2e9cbba37388f37eb49e;hb=HEAD">JweEncryptionOutput</a>&#160; optionally returned from JweEncryptionProvider</p><p>instead of working with the consumer utility classes which deal with the encryption process completely in memory.</p><p>&#160;</p><p>Many more examples will be added here.</p><h1 id="JAX-RSJOSE-JSONWebTokens">JSON Web Tokens</h1><p>&#160;</p><p><a shape="rect" class="external-link" href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32" rel="nofollow">JSON Web Token</a> (JWT) is a collection of claims in JSON format. It offers a standard JSON container for representing various properties or claims.</p><p>JWT can be signed and or encrypted, i.e, serve as a JOSE signature or encryption input like any other data structure.</p><p>&#160;</p><p>JWT has been primarily used in OAuth2 applications to represent self-contained access tokens but can also be used in other contex
 ts.</p><p>CXF offers an initial JWT support in <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt;h=ab5e633cd9d81374288c46c7d283df49931cc0d8;hb=HEAD">this package</a>.</p><h1 id="JAX-RSJOSE-LinkingJWTauthenticationstoJWSorJWEcontent">Linking JWT authentications to JWS or JWE content</h1><p>Add more...</p><h1 id="JAX-RSJOSE-JOSEJAX-RSFilters">JOSE JAX-RS Filters</h1><h2 id="JAX-RSJOSE-JWE">JWE</h2><h2 id="JAX-RSJOSE-JWS">JWS</h2><h1 id="JAX-RSJOSE-Configuration">Configuration</h1><h4 id="JAX-RSJOSE-Configurationthatappliestobothencryptionandsignature">Configuration that applies to both encryption and signature</h4><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>rs.security.keystore.type</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The keystore type. Suitable values are "jks" or "j
 wk".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore.password</td><td colspan="1" rowspan="1" class="confluenceTd">The password required to access the keystore.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore.alias</td><td colspan="1" rowspan="1" class="confluenceTd">&#160;The keystore alias corresponding to the key to use. You can append one of the following to this tag to get the alias for more specific operations:<br clear="none">&#160;&#160;&#160;&#160; - jwe.out<br clear="none">&#160;&#160;&#160;&#160; - jwe.in<br clear="none">&#160;&#160;&#160;&#160; - jws.out<br clear="none">&#160;&#160;&#160;&#160; - jws.in</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore.aliases</td><td colspan="1" rowspan="1" class="confluenceTd">The keystore aliases corresponding to the keys to use, when using the JSON serialization form. You can append one of the following to this tag to get the al
 ias for more specific operations:<br clear="none">&#160;&#160;&#160;&#160; - jws.out<br clear="none">&#160;&#160;&#160;&#160; - jws.in</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore.file</td><td colspan="1" rowspan="1" class="confluenceTd">The path to the keystore file.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.key.password</td><td colspan="1" rowspan="1" class="confluenceTd">The password required to access the private key (in the keystore).</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.key.password.provider</td><td colspan="1" rowspan="1" class="confluenceTd">A reference to a PrivateKeyPasswordProvider instance used to retrieve passwords to access keys.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.include.public.key</td><td colspan="1" rowspan="1" class="confluenceTd">Include the JWK public key (for signature or encryption) in the "jwk" header.</td></tr><tr><
 td colspan="1" rowspan="1" class="confluenceTd">rs.security.include.cert</td><td colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate (for signature or encryption) in the "x5c" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.include.key.id</td><td colspan="1" rowspan="1" class="confluenceTd">Include the JWK key id (for signature or encryption) in the "kid" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.include.cert.sha1</td><td colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate SHA-1 digest (for signature or encryption) in the "x5t" header.</td></tr></tbody></table></div><h2 id="JAX-RSJOSE-EncryptingJWKstores">Encrypting JWK stores</h2><p>JAX-RS filters can read the keys from encrypted JWK stores. The stores are encrypted inline or in separate storages (files). By default the filters expect that the stores has been encrypted using</p><p>a password based <a shape="rect" 
 class="external-link" href="https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#section-4.8" rel="nofollow">PBES2 algorithm</a>. The filters will check a registered <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/PrivateKeyPasswordProvider.java;h=bfcde495a9f9fd0f11a2394c758be1d85beb5c60;hb=HEAD">password provider</a>.</p><h1 id="JAX-RSJOSE-OAuth2andJose">OAuth2 and Jose</h1><p>CXF OAuth2 module depends on its JOSE module. This will be used to support OAuth2 POP tokens. Authorization code JOSE requests can already be processed. Utility support for validating JWT-based access tokens is provided.</p><p>Add more...</p><h1 id="JAX-RSJOSE-OIDCandJose">OIDC and Jose</h1><p>OIDC heavily depends on JOSE. CXF OIDC module utilizes a JOSE module to support OIDC RP and IDP code. Add more...</p><h1 id="JAX-RSJOSE-FutureWork">Future Work</h1><p>OAuth2, WebCr
 ypto, OIDC, etc</p><h1 id="JAX-RSJOSE-Third-PartyAlternatives">Third-Party Alternatives</h1><p><a shape="rect" class="external-link" href="https://bitbucket.org/b_c/jose4j/wiki/Home" rel="nofollow">Jose4J</a> is a top project from Brian Campbell.&#160; CXF users are encouraged to experiment with Jose4J (or indeed with other 3rd party implementations) if they prefer.</p><p>TODO: describe how Jose4J can be integrated with CXF filters if preferred.</p><p>&#160;</p></div>
+</div></div><p>&#160;</p><p>CXF ships JWE related classes in <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe;h=71e0e29025252080838168458b3d2e0179a7a0bd;hb=HEAD">this package</a> and offers a support for all of JWA encryption algorithms.</p><p><a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionProvider.java;h=615212b1622abb1c0a8b06a3b5498d8b6199d0cc;hb=HEAD">JweEncryptionProvider</a> supports encrypting the content, <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionProvider.java;h=1f4861a2d78df5514ff74c40330c1a5f5933f47d;hb=HEAD">JweDecryptionProvider</a> - decrypting the content. Encryptors and
  Decryptors for all of JWE algorithms are shipped.</p><p>JweCompactConsumer and JweCompactProducer offer a utility support for creating and validating JWE compact serialization and accept keys in a variety of formats</p><p>(as JWKs, JCA representations, created out of band and wrapped in either JweEncryptionProvider or JweDecryptionProvider).</p><p>JweJwtCompactConsumer and JweJwtCompactProducer are JweCompactConsumer and JweCompactProducer specializations that offer a utility support for encrypting Json Web Tokens in a compact format.</p><p>JweJsonConsumer and JweJsonProducer support JWE JSON (full) serialization.</p><p>JweOutputStream is a specialized output stream that can be used in conjunction with JWE JAX-RS filters (see one of the next sections)</p><p>to support the best effort at streaming the content while encrypting it.&#160; These classes will use <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src
 /main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionOutput.java;h=918ef5a085c3dc51025e2e9cbba37388f37eb49e;hb=HEAD">JweEncryptionOutput</a>&#160; optionally returned from JweEncryptionProvider</p><p>instead of working with the consumer utility classes which deal with the encryption process completely in memory.</p><p>&#160;</p><p>Many more examples will be added here.</p><h1 id="JAX-RSJOSE-JSONWebTokens">JSON Web Tokens</h1><p>&#160;</p><p><a shape="rect" class="external-link" href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32" rel="nofollow">JSON Web Token</a> (JWT) is a collection of claims in JSON format. It offers a standard JSON container for representing various properties or claims.</p><p>JWT can be signed and or encrypted, i.e, serve as a JOSE signature or encryption input like any other data structure.</p><p>&#160;</p><p>JWT has been primarily used in OAuth2 applications to represent self-contained access tokens but can also be used in other contex
 ts.</p><p>CXF offers an initial JWT support in <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt;h=ab5e633cd9d81374288c46c7d283df49931cc0d8;hb=HEAD">this package</a>.</p><h1 id="JAX-RSJOSE-LinkingJWTauthenticationstoJWSorJWEcontent">Linking JWT authentications to JWS or JWE content</h1><p>Add more...</p><h1 id="JAX-RSJOSE-JOSEJAX-RSFilters">JOSE JAX-RS Filters</h1><h2 id="JAX-RSJOSE-JWE">JWE</h2><h2 id="JAX-RSJOSE-JWS">JWS</h2><h1 id="JAX-RSJOSE-Configuration">Configuration</h1><h4 id="JAX-RSJOSE-Configurationthatappliestobothencryptionandsignature">Configuration that applies to both encryption and signature</h4><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>rs.security.keystore.type</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The keystore type. Suitable values are "jks" or "j
 wk".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore.password</td><td colspan="1" rowspan="1" class="confluenceTd">The password required to access the keystore.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore.alias</td><td colspan="1" rowspan="1" class="confluenceTd">&#160;The keystore alias corresponding to the key to use. You can append one of the following to this tag to get the alias for more specific operations:<br clear="none">&#160;&#160;&#160;&#160; - jwe.out<br clear="none">&#160;&#160;&#160;&#160; - jwe.in<br clear="none">&#160;&#160;&#160;&#160; - jws.out<br clear="none">&#160;&#160;&#160;&#160; - jws.in</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore.aliases</td><td colspan="1" rowspan="1" class="confluenceTd">The keystore aliases corresponding to the keys to use, when using the JSON serialization form. You can append one of the following to this tag to get the al
 ias for more specific operations:<br clear="none">&#160;&#160;&#160;&#160; - jws.out<br clear="none">&#160;&#160;&#160;&#160; - jws.in</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore.file</td><td colspan="1" rowspan="1" class="confluenceTd">The path to the keystore file.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.key.password</td><td colspan="1" rowspan="1" class="confluenceTd">The password required to access the private key (in the keystore).</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.key.password.provider</td><td colspan="1" rowspan="1" class="confluenceTd">A reference to a PrivateKeyPasswordProvider instance used to retrieve passwords to access keys.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.include.public.key</td><td colspan="1" rowspan="1" class="confluenceTd">Include the JWK public key (for signature or encryption) in the "jwk" header.</td></tr><tr><
 td colspan="1" rowspan="1" class="confluenceTd">rs.security.include.cert</td><td colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate (for signature or encryption) in the "x5c" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.include.key.id</td><td colspan="1" rowspan="1" class="confluenceTd">Include the JWK key id (for signature or encryption) in the "kid" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.include.cert.sha1</td><td colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate SHA-1 digest (for signature or encryption) in the "x5t" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.accept.public.key</td><td colspan="1" rowspan="1" class="confluenceTd"><p>Whether to allow using a JWK received in the header for signature validation. The default is "false".</p></td></tr></tbody></table></div><h4 id="JAX-RSJOSE-Configurationthatappliestosigna
 tureonly">Configuration that applies to signature only</h4><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>rs.security.signature.key.password.provider</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>A reference to a PrivateKeyPasswordProvider instance used to retrieve passwords to access keys for signature. If this is not specified it falls back to use the RSSEC_KEY_PSWD_PROVIDER.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.algorithm</td><td colspan="1" rowspan="1" class="confluenceTd">The signature algorithm to use. The default algorithm if not specified is 'RS256'.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.out.properties</td><td colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file for compact signature creation. If not specified then it falls back to RSSEC_SIGNATURE_PROPS.</p></td></tr><tr><
 td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.in.properties</td><td colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file for compact signature verification. If not specified then it falls back to RSSEC_SIGNATURE_PROPS.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.properties</td><td colspan="1" rowspan="1" class="confluenceTd">The signature properties file for compact signature creation/verification.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.out.list.properties</td><td colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file for JSON Serialization signature creation. If not specified then it falls back to RSSEC_SIGNATURE_LIST_PROPS.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.in.list.properties</td><td colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file for JSON 
 Serialization signature verification. If not specified then it falls back to RSSEC_SIGNATURE_LIST_PROPS.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.list.properties</td><td colspan="1" rowspan="1" class="confluenceTd">The signature properties file for JSON Serialization signature creation/verification.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.include.public.key</td><td colspan="1" rowspan="1" class="confluenceTd">Include the JWK public key for signature in the "jwk" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.include.cert</td><td colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate for signature in the "x5c" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.include.key.id</td><td colspan="1" rowspan="1" class="confluenceTd">Include the JWK key id for signature in the "kid" header.</td></
 tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.include.cert.sha1</td><td colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate SHA-1 digest for signature in the "x5t" header.</td></tr></tbody></table></div><h1 id="JAX-RSJOSE-EncryptingJWKstores">Encrypting JWK stores</h1><p>JAX-RS filters can read the keys from encrypted JWK stores. The stores are encrypted inline or in separate storages (files). By default the filters expect that the stores has been encrypted using</p><p>a password based <a shape="rect" class="external-link" href="https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#section-4.8" rel="nofollow">PBES2 algorithm</a>. The filters will check a registered <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/PrivateKeyPasswordProvider.java;h=bfcde495a9f9fd0f11a2394c758be1d85beb5c60;hb=HE
 AD">password provider</a>.</p><h1 id="JAX-RSJOSE-OAuth2andJose">OAuth2 and Jose</h1><p>CXF OAuth2 module depends on its JOSE module. This will be used to support OAuth2 POP tokens. Authorization code JOSE requests can already be processed. Utility support for validating JWT-based access tokens is provided.</p><p>Add more...</p><h1 id="JAX-RSJOSE-OIDCandJose">OIDC and Jose</h1><p>OIDC heavily depends on JOSE. CXF OIDC module utilizes a JOSE module to support OIDC RP and IDP code. Add more...</p><h1 id="JAX-RSJOSE-FutureWork">Future Work</h1><p>OAuth2, WebCrypto, OIDC, etc</p><h1 id="JAX-RSJOSE-Third-PartyAlternatives">Third-Party Alternatives</h1><p><a shape="rect" class="external-link" href="https://bitbucket.org/b_c/jose4j/wiki/Home" rel="nofollow">Jose4J</a> is a top project from Brian Campbell.&#160; CXF users are encouraged to experiment with Jose4J (or indeed with other 3rd party implementations) if they prefer.</p><p>TODO: describe how Jose4J can be integrated with CXF filters
  if preferred.</p><p>&#160;</p></div>
            </div>
            <!-- Content -->
          </td>

Modified: websites/production/cxf/content/docs/security-configuration.html
==============================================================================
--- websites/production/cxf/content/docs/security-configuration.html (original)
+++ websites/production/cxf/content/docs/security-configuration.html Fri Oct 23 16:47:42 2015
@@ -107,7 +107,7 @@ Apache CXF -- Security Configuration
          <td height="100%">
            <!-- Content -->
            <div class="wiki-content">
-<div id="ConfluenceContent"><h2 id="SecurityConfiguration-Backgroundtocommonsecurityconfiguration">Background to common security configuration</h2><p>From Apache CXF 3.1.0, the <a shape="rect" href="ws-securitypolicy.html">WS-SecurityPolicy</a> and the <a shape="rect" href="jax-rs-xml-security.html">XML Security</a> (JAX-RS) components in CXF share a common set of configuration tags. Previously, the configuration tags were all defined in the SecurityConstants class in the cxf-rt-ws-security module. The JAX-RS XML Security component then referenced these configuration tags directly, which meant that the XML Security component had to have a dependency on a SOAP module, which was not ideal.</p><h2 id="SecurityConfiguration-NewconfigurationtagsinApacheCXF3.1.0">New configuration tags in Apache CXF 3.1.0</h2><p>From Apache CXF 3.1.0, the cxf-rt-security module is now shared between both the WS-Security and JAX-RS XML Security modules, and contains a SecurityConstants class that defines s
 ecurity constants used by both stacks. These configuration tags are exactly the same as a set of previous configuration tags found in the WS-Security SecurityConstants class in previous releases, except that the prefix is now "security" (was "ws-security"). Here are the new set of configuration tags:</p><h4 id="SecurityConfiguration-Userproperties">User properties</h4><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>security.username</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The user's name. It is used differently by each of the Security functions, see <a shape="rect" href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#USERNAME">here</a> for more information.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>security.password</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The user's password when "security.callback-handler" i
 s not defined. It is currently only used for the case of adding a password to a UsernameToken.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>security.signature.username</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The user's name for signature. It is used as the alias name in the keystore to get the user's cert and private key for signature. See <a shape="rect" href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#SIGNATURE_USERNAME">here</a> for more information.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>security.encryption.username</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The user's name for encryption. It is used as the alias name in the keystore to get the user's public key for encryption. See <a shape="rect" href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#ENCRYPT_USERNAME">here</a> for more information.</p></td><
 /tr></tbody></table></div><h4 id="SecurityConfiguration-CallbackClassandCryptoproperties">Callback Class and Crypto properties</h4><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>security.callback-handler</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The CallbackHandler <a shape="rect" href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#CALLBACK_HANDLER">implementation</a> class used to obtain passwords.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>security.saml-callback-handler</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The SAML CallbackHandler <a shape="rect" href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#SAML_CALLBACK_HANDLER">implementation</a> class used to construct SAML Assertions.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>security.signature
 .properties</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The Crypto property <a shape="rect" href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#SIGNATURE_PROPERTIES">configuration</a> to use for signature, if "security.signature.crypto" is not set instead.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>security.encryption.properties</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The Crypto property <a shape="rect" href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#ENCRYPT_PROPERTIES">configuration</a> to use for encryption, if "security.encryption.crypto" is not set instead.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>security.signature.crypto</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>A Crypto <a shape="rect" class="external-link" href="http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/components/cryp
 to/Crypto.html">object</a> to be used for signature. If this is not defined then "security.signature.properties" is used instead.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>security.encryption.crypto</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>A Crypto <a shape="rect" class="external-link" href="http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/components/crypto/Crypto.html">object</a> to be used for encryption. If this is not defined then "security.encryption.properties" is used instead.</p></td></tr></tbody></table></div><p><strong>Note:</strong> for Symmetric bindings that specify a protection token, the security-encryption properties are used.</p><h4 id="SecurityConfiguration-BooleanSecurityconfigurationtags,e.g.thevalueshouldbe&quot;true&quot;or&quot;false&quot;.">Boolean Security configuration tags, e.g. the value should be "true" or "false".</h4><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" 
 rowspan="1" class="confluenceTd"><p>constant</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>default</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>definition</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>security.enableRevocation</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>false</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Whether to enable Certificate Revocation List (CRL) checking or not when verifying trust in a certificate.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">security.enable.unsigned-saml-assertion.principal</td><td colspan="1" rowspan="1" class="confluenceTd">false</td><td colspan="1" rowspan="1" class="confluenceTd">Whether to allow unsigned saml assertions as SecurityContext Principals. The default is false.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">security.validate.saml.subject.conf</td><td colspan="1" rowspan="1" class="confluenceTd">true</td><t
 d colspan="1" rowspan="1" class="confluenceTd">Whether to validate the SubjectConfirmation requirements of a received SAML Token.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">security.sc.jaas-subject</td><td colspan="1" rowspan="1" class="confluenceTd">true</td><td colspan="1" rowspan="1" class="confluenceTd">Set this to "false" if security context must not be created from JAAS Subject.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">security.validate.audience-restriction</td><td colspan="1" rowspan="1" class="confluenceTd">(varies)</td><td colspan="1" rowspan="1" class="confluenceTd"><p>If this is set to "true", then IF the SAML Token contains Audience Restriction URIs, one of them must match either the request URL or the Service QName. The default is "true" for CXF 3.0.x, and "false" for 2.7.x.</p></td></tr></tbody></table></div><h4 id="SecurityConfiguration-Non-booleanSecurityConfigurationparameters">Non-boolean Security Configuration parameters</h4
 ><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>security.saml-role-attributename</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The attribute URI of the SAML AttributeStatement where the role information is stored. The default is "<a shape="rect" class="external-link" href="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" rel="nofollow">http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</a>".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>security.subject.cert.constraints</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>A comma separated String of regular expressions which will be applied to the subject DN of the certificate used for signature validation, after trust verification of the certificate chain associated with the certificate. These constraints are not used when the certificate is contained in the keystore (direct trust).</p></td></tr></tb
 ody></table></div><h4 id="SecurityConfiguration-STSClientConfigurationtags">STS Client Configuration tags</h4><p><strong>Note: </strong>From CXF 3.1.3 onwards. Prior to CXF 3.1.3 these tags had a "ws-" prefix. The older tags will still work for backwards compatibility reasons.</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>security.sts.client</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>A reference to the STSClient class used to communicate with the STS.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>security.sts.applies-to</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The "AppliesTo" address to send to the STS. The default is the endpoint address of the service provider.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>security.sts.token.usecert</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>If true, writes out an X509Certific
 ate structure in UseKey/KeyInfo. If false (the default), writes out a KeyValue structure instead.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>security.sts.token.do.cancel</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Whether to cancel a token when using SecureConversation after successful invocation. The default is "false".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">security.issue.after.failed.renew</td><td colspan="1" rowspan="1" class="confluenceTd"><p>Whether to fall back to calling "issue" after failing to renew an expired token. The default is "true".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>security.cache.issued.token.in.endpoint</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Set this to "false" to not cache a SecurityToken per proxy object in the IssuedTokenInterceptorProvider. This should be done if a token is being retrieved from an STS in an intermediary. The default valu
 e is "true".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>security.sts.disable-wsmex-call-using-epr-address</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Whether to avoid STS client trying send WS-MetadataExchange call using STS EPR WSA address when the endpoint contract contains no WS-MetadataExchange info. The default value is "false".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>security.sts.token.crypto</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>A Crypto object to be used for the STS. See <a shape="rect" href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#STS_TOKEN_CRYPTO">here</a> for more information.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>security.sts.token.properties</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The Crypto property configuration to use for the STS. See <a shape="rect" href="http://cxf.apache.org/j
 avadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#STS_TOKEN_PROPERTIES">here</a> for more information.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>security.sts.token.username</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The alias name in the keystore to get the user's public key to send to the STS for the PublicKey KeyType case.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>security.sts.token.act-as</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The token to be sent to the STS in an "ActAs" field. See <a shape="rect" href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#STS_TOKEN_ACT_AS">here</a> for more information.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>security.sts.token.on-behalf-of</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The token to be sent to the STS in an "OnBehalfOf" field. See <a shape="rect" hre
 f="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#STS_TOKEN_ON_BEHALF_OF">here</a> for more information.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">security.issue.after.failed.renew</td><td colspan="1" rowspan="1" class="confluenceTd">Whether to call "Issue" if a token "Renew" fails. Some STSs do not support the renew binding. Defaults to "true".</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">security.sts.token.imminent-expiry-value</td><td colspan="1" rowspan="1" class="confluenceTd">The value in seconds within which a token is considered to be expired by the client, i.e. it is considered to be expired if it will expire in a time less than the value specified by this tag. The default value is "10" for CXF 3.0.2+, and "0" for CXF 2.7.13+.</td></tr></tbody></table></div><h2 id="SecurityConfiguration-Backwardscompatibility">Backwards compatibility</h2><p>Users of Apache CXF prior to 3.1.0 do not need to make
  any adjustment to their code or spring files. The older "ws-" prefix associated with the configuration tags above will continue to be accepted.</p></div>
+<div id="ConfluenceContent"><h2 id="SecurityConfiguration-Backgroundtocommonsecurityconfiguration">Background to common security configuration</h2><p>From Apache CXF 3.1.0, the <a shape="rect" href="ws-securitypolicy.html">WS-SecurityPolicy</a> and the <a shape="rect" href="jax-rs-xml-security.html">XML Security</a> (JAX-RS) components in CXF share a common set of configuration tags. Previously, the configuration tags were all defined in the SecurityConstants class in the cxf-rt-ws-security module. The JAX-RS XML Security component then referenced these configuration tags directly, which meant that the XML Security component had to have a dependency on a SOAP module, which was not ideal.</p><h2 id="SecurityConfiguration-NewconfigurationtagsinApacheCXF3.1.0">New configuration tags in Apache CXF 3.1.0</h2><p>From Apache CXF 3.1.0, the cxf-rt-security module is now shared between both the WS-Security and JAX-RS XML Security modules, and contains a SecurityConstants class that defines s
 ecurity constants used by both stacks. These configuration tags are exactly the same as a set of previous configuration tags found in the WS-Security SecurityConstants class in previous releases, except that the prefix is now "security" (was "ws-security"). Here are the new set of configuration tags:</p><h4 id="SecurityConfiguration-Userproperties">User properties</h4><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>security.username</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The user's name. It is used differently by each of the Security functions, see <a shape="rect" href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#USERNAME">here</a> for more information.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>security.password</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The user's password when "security.callback-handler" i
 s not defined. It is currently only used for the case of adding a password to a UsernameToken.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>security.signature.username</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The user's name for signature. It is used as the alias name in the keystore to get the user's cert and private key for signature. See <a shape="rect" href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#SIGNATURE_USERNAME">here</a> for more information.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>security.encryption.username</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The user's name for encryption. It is used as the alias name in the keystore to get the user's public key for encryption. See <a shape="rect" href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#ENCRYPT_USERNAME">here</a> for more information.</p></td><
 /tr></tbody></table></div><h4 id="SecurityConfiguration-CallbackClassandCryptoproperties">Callback Class and Crypto properties</h4><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>security.callback-handler</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The CallbackHandler <a shape="rect" href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#CALLBACK_HANDLER">implementation</a> class used to obtain passwords.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>security.saml-callback-handler</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The SAML CallbackHandler <a shape="rect" href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#SAML_CALLBACK_HANDLER">implementation</a> class used to construct SAML Assertions.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>security.signature
 .properties</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The Crypto property <a shape="rect" href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#SIGNATURE_PROPERTIES">configuration</a> to use for signature, if "security.signature.crypto" is not set instead.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>security.encryption.properties</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The Crypto property <a shape="rect" href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#ENCRYPT_PROPERTIES">configuration</a> to use for encryption, if "security.encryption.crypto" is not set instead.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>security.signature.crypto</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>A Crypto <a shape="rect" class="external-link" href="http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/components/cryp
 to/Crypto.html">object</a> to be used for signature. If this is not defined then "security.signature.properties" is used instead.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>security.encryption.crypto</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>A Crypto <a shape="rect" class="external-link" href="http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/components/crypto/Crypto.html">object</a> to be used for encryption. If this is not defined then "security.encryption.properties" is used instead.</p></td></tr></tbody></table></div><p><strong>Note:</strong> for Symmetric bindings that specify a protection token, the security-encryption properties are used.</p><h4 id="SecurityConfiguration-BooleanSecurityconfigurationtags,e.g.thevalueshouldbe&quot;true&quot;or&quot;false&quot;.">Boolean Security configuration tags, e.g. the value should be "true" or "false".</h4><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" 
 rowspan="1" class="confluenceTd"><p>constant</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>default</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>definition</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>security.enableRevocation</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>false</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Whether to enable Certificate Revocation List (CRL) checking or not when verifying trust in a certificate.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">security.enable.unsigned-saml-assertion.principal</td><td colspan="1" rowspan="1" class="confluenceTd">false</td><td colspan="1" rowspan="1" class="confluenceTd">Whether to allow unsigned saml assertions as SecurityContext Principals. The default is false.<p>Note that "unsigned" refers to an internal signature. Even if the token is signed by an external signature (as per the "sender-vouches" requirement), this boole
 an must still be configured if you want to use the token to set up the security context.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">security.validate.saml.subject.conf</td><td colspan="1" rowspan="1" class="confluenceTd">true</td><td colspan="1" rowspan="1" class="confluenceTd">Whether to validate the SubjectConfirmation requirements of a received SAML Token.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">security.sc.jaas-subject</td><td colspan="1" rowspan="1" class="confluenceTd">true</td><td colspan="1" rowspan="1" class="confluenceTd">Set this to "false" if security context must not be created from JAAS Subject.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">security.validate.audience-restriction</td><td colspan="1" rowspan="1" class="confluenceTd">(varies)</td><td colspan="1" rowspan="1" class="confluenceTd"><p>If this is set to "true", then IF the SAML Token contains Audience Restriction URIs, one of them must match either t
 he request URL or the Service QName. The default is "true" for CXF 3.0.x, and "false" for 2.7.x.</p></td></tr></tbody></table></div><h4 id="SecurityConfiguration-Non-booleanSecurityConfigurationparameters">Non-boolean Security Configuration parameters</h4><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>security.saml-role-attributename</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The attribute URI of the SAML AttributeStatement where the role information is stored. The default is "<a shape="rect" class="external-link" href="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" rel="nofollow">http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</a>".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>security.subject.cert.constraints</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>A comma separated String of regular expressions which will be applied to the sub
 ject DN of the certificate used for signature validation, after trust verification of the certificate chain associated with the certificate. These constraints are not used when the certificate is contained in the keystore (direct trust).</p></td></tr></tbody></table></div><h4 id="SecurityConfiguration-STSClientConfigurationtags">STS Client Configuration tags</h4><p><strong>Note: </strong>From CXF 3.1.3 onwards. Prior to CXF 3.1.3 these tags had a "ws-" prefix. The older tags will still work for backwards compatibility reasons.</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>security.sts.client</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>A reference to the STSClient class used to communicate with the STS.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>security.sts.applies-to</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The "AppliesTo" address to send to the ST
 S. The default is the endpoint address of the service provider.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>security.sts.token.usecert</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>If true, writes out an X509Certificate structure in UseKey/KeyInfo. If false (the default), writes out a KeyValue structure instead.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>security.sts.token.do.cancel</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Whether to cancel a token when using SecureConversation after successful invocation. The default is "false".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">security.issue.after.failed.renew</td><td colspan="1" rowspan="1" class="confluenceTd"><p>Whether to fall back to calling "issue" after failing to renew an expired token. The default is "true".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>security.cache.issued.token.in.endpoint</p></td>
 <td colspan="1" rowspan="1" class="confluenceTd"><p>Set this to "false" to not cache a SecurityToken per proxy object in the IssuedTokenInterceptorProvider. This should be done if a token is being retrieved from an STS in an intermediary. The default value is "true".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>security.sts.disable-wsmex-call-using-epr-address</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Whether to avoid STS client trying send WS-MetadataExchange call using STS EPR WSA address when the endpoint contract contains no WS-MetadataExchange info. The default value is "false".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>security.sts.token.crypto</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>A Crypto object to be used for the STS. See <a shape="rect" href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#STS_TOKEN_CRYPTO">here</a> for more information.</p></td
 ></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>security.sts.token.properties</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The Crypto property configuration to use for the STS. See <a shape="rect" href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#STS_TOKEN_PROPERTIES">here</a> for more information.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>security.sts.token.username</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The alias name in the keystore to get the user's public key to send to the STS for the PublicKey KeyType case.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>security.sts.token.act-as</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The token to be sent to the STS in an "ActAs" field. See <a shape="rect" href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#STS_TOKEN_ACT_AS">here</a> for more 
 information.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>security.sts.token.on-behalf-of</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The token to be sent to the STS in an "OnBehalfOf" field. See <a shape="rect" href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#STS_TOKEN_ON_BEHALF_OF">here</a> for more information.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">security.issue.after.failed.renew</td><td colspan="1" rowspan="1" class="confluenceTd">Whether to call "Issue" if a token "Renew" fails. Some STSs do not support the renew binding. Defaults to "true".</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">security.sts.token.imminent-expiry-value</td><td colspan="1" rowspan="1" class="confluenceTd">The value in seconds within which a token is considered to be expired by the client, i.e. it is considered to be expired if it will expire in a time less than the value speci
 fied by this tag. The default value is "10" for CXF 3.0.2+, and "0" for CXF 2.7.13+.</td></tr></tbody></table></div><h2 id="SecurityConfiguration-Backwardscompatibility">Backwards compatibility</h2><p>Users of Apache CXF prior to 3.1.0 do not need to make any adjustment to their code or spring files. The older "ws-" prefix associated with the configuration tags above will continue to be accepted.</p></div>
            </div>
            <!-- Content -->
          </td>



Mime
View raw message