From cohei...@apache.org
Subject [10/20] cxf git commit: Splitting current jose module into jose-core + jose-jaxrs
Date Tue, 13 Oct 2015 10:42:10 GMT
http://git-wip-us.apache.org/repos/asf/cxf/blob/5e40ea35/rt/rs/security/jose/jose-jaxrs/pom.xml
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/jose-jaxrs/pom.xml b/rt/rs/security/jose/jose-jaxrs/pom.xml
new file mode 100644
index 0000000..b935370
--- /dev/null
+++ b/rt/rs/security/jose/jose-jaxrs/pom.xml
@@ -0,0 +1,61 @@
+<?xml version="1.0"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements. See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership. The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License. You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied. See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <artifactId>cxf-rt-rs-security-jose-jaxrs</artifactId>
+    <packaging>bundle</packaging>
+    <name>Apache CXF Runtime JOSE JAX-RS</name>
+    <description>Apache CXF Runtime JOSE JAX-RS</description>
+    <url>http://cxf.apache.org</url>
+    <parent>
+        <groupId>org.apache.cxf</groupId>
+        <artifactId>cxf-parent</artifactId>
+        <version>3.1.4-SNAPSHOT</version>
+        <relativePath>../../../../../parent/pom.xml</relativePath>
+    </parent>
+    <dependencies>
+        <dependency>
+            <groupId>org.apache.cxf</groupId>
+            <artifactId>cxf-core</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.cxf</groupId>
+            <artifactId>cxf-rt-security</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.cxf</groupId>
+            <artifactId>cxf-rt-frontend-jaxrs</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.cxf</groupId>
+            <artifactId>cxf-rt-rs-security-jose-core</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+        <!--test dependencies-->
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+</project>

http://git-wip-us.apache.org/repos/asf/cxf/blob/5e40ea35/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJweDecryptingFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJweDecryptingFilter.java b/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJweDecryptingFilter.java
new file mode 100644
index 0000000..0d7d915
--- /dev/null
+++ b/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJweDecryptingFilter.java
@@ -0,0 +1,62 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.jaxrs;
+
+import java.io.IOException;
+import java.io.InputStream;
+
+import org.apache.cxf.helpers.IOUtils;
+import org.apache.cxf.rs.security.jose.jwe.JweCompactConsumer;
+import org.apache.cxf.rs.security.jose.jwe.JweDecryptionOutput;
+import org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider;
+import org.apache.cxf.rs.security.jose.jwe.JweHeaders;
+import org.apache.cxf.rs.security.jose.jwe.JweUtils;
+
+public class AbstractJweDecryptingFilter {
+    private JweDecryptionProvider decryption;
+    private String defaultMediaType;
+    protected JweDecryptionOutput decrypt(InputStream is) throws IOException {
+        JweCompactConsumer jwe = new JweCompactConsumer(new String(IOUtils.readBytesFromStream(is), "UTF-8"));
+        JweDecryptionProvider theDecryptor = getInitializedDecryptionProvider(jwe.getJweHeaders());
+        JweDecryptionOutput out = new JweDecryptionOutput(jwe.getJweHeaders(), jwe.getDecryptedContent(theDecryptor));
+        validateHeaders(out.getHeaders());
+        return out;
+    }
+
+    protected void validateHeaders(JweHeaders headers) {
+        // complete
+    }
+    public void setDecryptionProvider(JweDecryptionProvider decryptor) {
+        this.decryption = decryptor;
+    }
+    protected JweDecryptionProvider getInitializedDecryptionProvider(JweHeaders headers) {
+        if (decryption != null) {
+            return decryption;    
+        } 
+        return JweUtils.loadDecryptionProvider(headers, true);
+    }
+    public String getDefaultMediaType() {
+        return defaultMediaType;
+    }
+
+    public void setDefaultMediaType(String defaultMediaType) {
+        this.defaultMediaType = defaultMediaType;
+    }
+
+}
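Review bot: `validateHeaders` is an empty hook (its body is only `// complete`), and `decrypt` calls it only after `jwe.getDecryptedContent(theDecryptor)` has run, so a subclass check cannot stop a message from being decrypted. If the hook is meant to gate decryption, call `validateHeaders(jwe.getJweHeaders());` before `getInitializedDecryptionProvider`. Either way, give it a Javadoc saying what subclasses should check and that failure is signalled by throwing. `decrypt` also buffers the whole entity through `IOUtils.readBytesFromStream(is)` with no size bound visible in this file; if a limit is enforced upstream, a comment naming it would help.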

http://git-wip-us.apache.org/repos/asf/cxf/blob/5e40ea35/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsJsonReaderProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsJsonReaderProvider.java b/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsJsonReaderProvider.java
new file mode 100644
index 0000000..094991e
--- /dev/null
+++ b/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsJsonReaderProvider.java
@@ -0,0 +1,91 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.jaxrs;
+
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.logging.Logger;
+
+import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.helpers.CastUtils;
+import org.apache.cxf.jaxrs.utils.JAXRSUtils;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.message.MessageUtils;
+import org.apache.cxf.rs.security.jose.jws.JwsException;
+import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
+import org.apache.cxf.rs.security.jose.jws.JwsUtils;
+
+public class AbstractJwsJsonReaderProvider {
+    protected static final Logger LOG = LogUtils.getL7dLogger(AbstractJwsJsonReaderProvider.class);
+    private static final String RSSEC_SIGNATURE_IN_LIST_PROPS = "rs.security.signature.in.list.properties";
+    private static final String RSSEC_SIGNATURE_LIST_PROPS = "rs.security.signature.list.properties";
+    
+    private List<JwsSignatureVerifier> sigVerifiers;
+    private String defaultMediaType;
+    private boolean strictVerification;
+    
+    public void setSignatureVerifier(JwsSignatureVerifier signatureVerifier) {
+        setSignatureVerifiers(Collections.singletonList(signatureVerifier));
+    }
+    public void setSignatureVerifiers(List<JwsSignatureVerifier> signatureVerifiers) {
+        this.sigVerifiers = signatureVerifiers;
+    }
+
+    protected List<JwsSignatureVerifier> getInitializedSigVerifiers() {
+        if (sigVerifiers != null) {
+            return sigVerifiers;    
+        }
+        Message m = JAXRSUtils.getCurrentMessage();
+        Object propLocsProp = 
+            MessageUtils.getContextualProperty(m, RSSEC_SIGNATURE_IN_LIST_PROPS, RSSEC_SIGNATURE_LIST_PROPS);
+        if (propLocsProp == null) {
+            LOG.warning("JWS JSON init properties resource is not identified");
+            throw new JwsException(JwsException.Error.NO_INIT_PROPERTIES);
+        }
+        List<String> propLocs = null;
+        if (propLocsProp instanceof String) { 
+            String[] props = ((String)propLocsProp).split(",");
+            propLocs = Arrays.asList(props);
+        } else {
+            propLocs = CastUtils.cast((List<?>)propLocsProp);
+        }
+        List<JwsSignatureVerifier> theSigVerifiers = new LinkedList<JwsSignatureVerifier>();
+        for (String propLoc : propLocs) {
+            theSigVerifiers.addAll(JwsUtils.loadSignatureVerifiers(propLoc, m));
+        }
+        return theSigVerifiers;
+    }
+
+    public String getDefaultMediaType() {
+        return defaultMediaType;
+    }
+
+    public void setDefaultMediaType(String defaultMediaType) {
+        this.defaultMediaType = defaultMediaType;
+    }
+    public boolean isStrictVerification() {
+        return strictVerification;
+    }
+    public void setStrictVerification(boolean strictVerification) {
+        this.strictVerification = strictVerification;
+    }
+    
+}
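Review bot: `setSignatureVerifier(null)` stores `Collections.singletonList(null)`, a non-null list holding one null element. The `sigVerifiers != null` guard in `getInitializedSigVerifiers` then passes, and callers get a null verifier instead of the property-based fallback. Writing the setter as `setSignatureVerifiers(signatureVerifier == null ? null : Collections.singletonList(signatureVerifier));` keeps the two setters consistent. `setSignatureProvider` in AbstractJwsJsonWriterProvider has the same shape.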

http://git-wip-us.apache.org/repos/asf/cxf/blob/5e40ea35/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsJsonWriterProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsJsonWriterProvider.java b/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsJsonWriterProvider.java
new file mode 100644
index 0000000..d5068e2
--- /dev/null
+++ b/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsJsonWriterProvider.java
@@ -0,0 +1,86 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.jaxrs;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.OutputStream;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.logging.Logger;
+
+import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.common.util.StringUtils;
+import org.apache.cxf.helpers.CastUtils;
+import org.apache.cxf.helpers.IOUtils;
+import org.apache.cxf.jaxrs.utils.JAXRSUtils;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.message.MessageUtils;
+import org.apache.cxf.rs.security.jose.jws.JwsException;
+import org.apache.cxf.rs.security.jose.jws.JwsJsonProducer;
+import org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider;
+import org.apache.cxf.rs.security.jose.jws.JwsUtils;
+
+public class AbstractJwsJsonWriterProvider {
+    protected static final Logger LOG = LogUtils.getL7dLogger(AbstractJwsJsonWriterProvider.class);
+    private static final String RSSEC_SIGNATURE_OUT_LIST_PROPS = "rs.security.signature.out.list.properties";
+    private static final String RSSEC_SIGNATURE_LIST_PROPS = "rs.security.signature.list.properties";
+    
+    private List<JwsSignatureProvider> sigProviders;
+    
+    public void setSignatureProvider(JwsSignatureProvider signatureProvider) {
+        setSignatureProviders(Collections.singletonList(signatureProvider));
+    }
+    public void setSignatureProviders(List<JwsSignatureProvider> signatureProviders) {
+        this.sigProviders = signatureProviders;
+    }
+    
+    protected List<JwsSignatureProvider> getInitializedSigProviders() {
+        if (sigProviders != null) {
+            return sigProviders;    
+        } 
+        Message m = JAXRSUtils.getCurrentMessage();
+        Object propLocsProp = 
+            MessageUtils.getContextualProperty(m, RSSEC_SIGNATURE_OUT_LIST_PROPS, RSSEC_SIGNATURE_LIST_PROPS);
+        if (propLocsProp == null) {
+            LOG.warning("JWS JSON init properties resource is not identified");
+            throw new JwsException(JwsException.Error.NO_INIT_PROPERTIES);
+        }
+        List<String> propLocs = null;
+        if (propLocsProp instanceof String) {
+            String[] props = ((String)propLocsProp).split(",");
+            propLocs = Arrays.asList(props);
+        } else {
+            propLocs = CastUtils.cast((List<?>)propLocsProp);
+        }
+        List<JwsSignatureProvider> theSigProviders = new LinkedList<JwsSignatureProvider>();
+        for (String propLoc : propLocs) {
+            theSigProviders.addAll(JwsUtils.loadSignatureProviders(propLoc, m));
+        }
+        return theSigProviders;
+    }
+    protected void writeJws(JwsJsonProducer p, OutputStream os) 
+        throws IOException {
+        byte[] bytes = StringUtils.toBytesUTF8(p.getJwsJsonSignedDocument());
+        IOUtils.copy(new ByteArrayInputStream(bytes), os);
+    }
+    
+}
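Review bot: In `getInitializedSigProviders` the comma-separated property is split with `split(",")` and the pieces are passed on untrimmed, so a value written with a space after the comma yields a location that starts with a space. Whether `JwsUtils.loadSignatureProviders` tolerates that is not visible here. Passing `propLoc.trim()` to the load call would make the configuration less brittle. The near-identical resolution code in `AbstractJwsJsonReaderProvider.getInitializedSigVerifiers` would benefit from the same change, and the two copies could share one helper.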

http://git-wip-us.apache.org/repos/asf/cxf/blob/5e40ea35/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsReaderProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsReaderProvider.java b/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsReaderProvider.java
new file mode 100644
index 0000000..0e8b0d0
--- /dev/null
+++ b/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsReaderProvider.java
@@ -0,0 +1,48 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.jaxrs;
+
+import org.apache.cxf.rs.security.jose.jws.JwsHeaders;
+import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
+import org.apache.cxf.rs.security.jose.jws.JwsUtils;
+
+public class AbstractJwsReaderProvider {
+    private JwsSignatureVerifier sigVerifier;
+    private String defaultMediaType;
+    
+    public void setSignatureVerifier(JwsSignatureVerifier signatureVerifier) {
+        this.sigVerifier = signatureVerifier;
+    }
+
+    protected JwsSignatureVerifier getInitializedSigVerifier(JwsHeaders headers) {
+        if (sigVerifier != null) {
+            return sigVerifier;    
+        } 
+        return JwsUtils.loadSignatureVerifier(headers, true);
+    }
+
+    public String getDefaultMediaType() {
+        return defaultMediaType;
+    }
+
+    public void setDefaultMediaType(String defaultMediaType) {
+        this.defaultMediaType = defaultMediaType;
+    }
+    
+}
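Review bot: `getInitializedSigVerifier` has no Javadoc, and the fallback `JwsUtils.loadSignatureVerifier(headers, true)` passes a bare `true` whose meaning cannot be read from this file. Since `headers` presumably come from the JWS that is about to be verified, the documentation should say which header values, if any, influence the choice of verifier and what the flag controls, for example `// headers are taken from the not-yet-verified token; second argument: <meaning of flag>`. The same undocumented flag appears in `AbstractJweDecryptingFilter.getInitializedDecryptionProvider` and `AbstractJwsWriterProvider.getInitializedSigProvider`.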

http://git-wip-us.apache.org/repos/asf/cxf/blob/5e40ea35/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsWriterProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsWriterProvider.java b/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsWriterProvider.java
new file mode 100644
index 0000000..33ec0b0
--- /dev/null
+++ b/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsWriterProvider.java
@@ -0,0 +1,58 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.jaxrs;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.OutputStream;
+
+import org.apache.cxf.common.util.StringUtils;
+import org.apache.cxf.helpers.IOUtils;
+import org.apache.cxf.rs.security.jose.JoseHeaders;
+import org.apache.cxf.rs.security.jose.JoseUtils;
+import org.apache.cxf.rs.security.jose.jws.JwsCompactProducer;
+import org.apache.cxf.rs.security.jose.jws.JwsHeaders;
+import org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider;
+import org.apache.cxf.rs.security.jose.jws.JwsUtils;
+
+public class AbstractJwsWriterProvider {
+    private JwsSignatureProvider sigProvider;
+    
+    public void setSignatureProvider(JwsSignatureProvider signatureProvider) {
+        this.sigProvider = signatureProvider;
+    }
+    
+    protected JwsSignatureProvider getInitializedSigProvider(JwsHeaders headers) {
+        setRequestContextProperty(headers);
+        if (sigProvider != null) {
+            return sigProvider;    
+        } 
+        return JwsUtils.loadSignatureProvider(headers, true); 
+    }
+    protected void setRequestContextProperty(JoseHeaders headers) {    
+        JoseUtils.setJoseContextProperty(headers);
+    }
+    protected void writeJws(JwsCompactProducer p, JwsSignatureProvider theSigProvider, OutputStream os) 
+        throws IOException {
+        p.signWith(theSigProvider);
+        byte[] bytes = StringUtils.toBytesUTF8(p.getSignedEncodedJws());
+        IOUtils.copy(new ByteArrayInputStream(bytes), os);
+    }
+    
+}
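Review bot: `getInitializedSigProvider` calls `setRequestContextProperty(headers)` before it looks at `sigProvider`, so a method named like a getter has a side effect on every call, including when an explicitly configured provider is returned. A Javadoc line such as `Publishes the headers through JoseUtils.setJoseContextProperty, then returns the configured provider or loads one from the headers.` would make that visible to subclasses that override either method.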

http://git-wip-us.apache.org/repos/asf/cxf/blob/5e40ea35/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JsonWebKeysProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JsonWebKeysProvider.java b/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JsonWebKeysProvider.java
new file mode 100644
index 0000000..a877925
--- /dev/null
+++ b/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JsonWebKeysProvider.java
@@ -0,0 +1,48 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.jaxrs;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.lang.annotation.Annotation;
+import java.lang.reflect.Type;
+
+import javax.ws.rs.WebApplicationException;
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.MultivaluedMap;
+import javax.ws.rs.ext.MessageBodyReader;
+
+import org.apache.cxf.rs.security.jose.jwk.JsonWebKeys;
+import org.apache.cxf.rs.security.jose.jwk.JwkUtils;
+
+public class JsonWebKeysProvider implements MessageBodyReader<JsonWebKeys> {
+    
+    @Override
+    public boolean isReadable(Class<?> cls, Type type, Annotation[] anns, MediaType mt) {
+        return cls == JsonWebKeys.class;
+    }
+
+    @Override
+    public JsonWebKeys readFrom(Class<JsonWebKeys> cls, Type t, Annotation[] anns, MediaType mt,
+                             MultivaluedMap<String, String> headers, InputStream is) throws IOException,
+        WebApplicationException {
+        return JwkUtils.readJwkSet(is);
+    }
+    
+}
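Review bot: `isReadable` ignores `mt`, so this reader claims `JsonWebKeys` for any content type and hands the stream straight to `JwkUtils.readJwkSet`. If only JSON key sets are intended, restrict it with `@Consumes` on the class or a media-type check inside `isReadable`; which media types to accept is a project decision not visible here. The class has no Javadoc, so how it is meant to be registered and which peers are expected to supply key sets should be stated there.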

http://git-wip-us.apache.org/repos/asf/cxf/blob/5e40ea35/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweClientResponseFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweClientResponseFilter.java b/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweClientResponseFilter.java
new file mode 100644
index 0000000..d04d4c2
--- /dev/null
+++ b/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweClientResponseFilter.java
@@ -0,0 +1,46 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.jaxrs;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+
+import javax.annotation.Priority;
+import javax.ws.rs.client.ClientRequestContext;
+import javax.ws.rs.client.ClientResponseContext;
+import javax.ws.rs.client.ClientResponseFilter;
+
+import org.apache.cxf.rs.security.jose.JoseUtils;
+import org.apache.cxf.rs.security.jose.jwe.JweDecryptionOutput;
+
+@Priority(Priorities.JWE_CLIENT_READ_PRIORITY)
+public class JweClientResponseFilter extends AbstractJweDecryptingFilter implements ClientResponseFilter {
+    @Override
+    public void filter(ClientRequestContext req, ClientResponseContext res) throws IOException {
+        JweDecryptionOutput out = decrypt(res.getEntityStream());
+        byte[] bytes = out.getContent();
+        res.setEntityStream(new ByteArrayInputStream(bytes));
+        res.getHeaders().putSingle("Content-Length", Integer.toString(bytes.length));
+        String ct = JoseUtils.checkContentType(out.getHeaders().getContentType(), getDefaultMediaType());
+        if (ct != null) {
+            res.getHeaders().putSingle("Content-Type", ct);
+        }
+    }
+
+}
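Review bot: `filter` decrypts unconditionally, so a response without an entity (for example a 204) still reaches `decrypt(res.getEntityStream())` with nothing to read. What `IOUtils.readBytesFromStream` and `JweCompactConsumer` do with a null or empty stream is not visible here, but it is unlikely to be a clean result. An early `if (!res.hasEntity()) { return; }` at the top of `filter` would cover that case without relaxing the check for responses that do carry a body.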

http://git-wip-us.apache.org/repos/asf/cxf/blob/5e40ea35/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweContainerRequestFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweContainerRequestFilter.java b/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweContainerRequestFilter.java
new file mode 100644
index 0000000..a362f76
--- /dev/null
+++ b/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweContainerRequestFilter.java
@@ -0,0 +1,50 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.jaxrs;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+
+import javax.annotation.Priority;
+import javax.ws.rs.HttpMethod;
+import javax.ws.rs.container.ContainerRequestContext;
+import javax.ws.rs.container.ContainerRequestFilter;
+import javax.ws.rs.container.PreMatching;
+
+import org.apache.cxf.rs.security.jose.JoseUtils;
+import org.apache.cxf.rs.security.jose.jwe.JweDecryptionOutput;
+
+@PreMatching
+@Priority(Priorities.JWE_SERVER_READ_PRIORITY)
+public class JweContainerRequestFilter extends AbstractJweDecryptingFilter implements ContainerRequestFilter {
+    @Override
+    public void filter(ContainerRequestContext context) throws IOException {
+        if (HttpMethod.GET.equals(context.getMethod())) {
+            return;
+        }
+        JweDecryptionOutput out = decrypt(context.getEntityStream());
+        byte[] bytes = out.getContent();
+        context.setEntityStream(new ByteArrayInputStream(bytes));
+        context.getHeaders().putSingle("Content-Length", Integer.toString(bytes.length));
+        String ct = JoseUtils.checkContentType(out.getHeaders().getContentType(), getDefaultMediaType());
+        if (ct != null) {
+            context.getHeaders().putSingle("Content-Type", ct);
+        }
+    }
+}
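Review bot: The early return keys on the method name rather than on the presence of a body. `HttpMethod.GET.equals(context.getMethod())` lets a GET that does carry an entity through undecrypted, while bodyless DELETE, HEAD or OPTIONS requests still go to `decrypt`. Testing `context.hasEntity()` instead of, or in addition to, the method would match the apparent intent more closely; if skipping GET is deliberate, a comment saying why would help. Because the filter is `@PreMatching`, the choice applies to every request the filter is registered for.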

http://git-wip-us.apache.org/repos/asf/cxf/blob/5e40ea35/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java b/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java
new file mode 100644
index 0000000..108a15f
--- /dev/null
+++ b/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java
@@ -0,0 +1,133 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.jaxrs;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.OutputStream;
+import java.util.logging.Logger;
+import java.util.zip.DeflaterOutputStream;
+
+import javax.annotation.Priority;
+import javax.ws.rs.WebApplicationException;
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.ext.WriterInterceptor;
+import javax.ws.rs.ext.WriterInterceptorContext;
+
+import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.common.util.StringUtils;
+import org.apache.cxf.helpers.IOUtils;
+import org.apache.cxf.io.CachedOutputStream;
+import org.apache.cxf.jaxrs.utils.JAXRSUtils;
+import org.apache.cxf.rs.security.jose.JoseConstants;
+import org.apache.cxf.rs.security.jose.jwe.JweCompactProducer;
+import org.apache.cxf.rs.security.jose.jwe.JweEncryptionInput;
+import org.apache.cxf.rs.security.jose.jwe.JweEncryptionOutput;
+import org.apache.cxf.rs.security.jose.jwe.JweEncryptionProvider;
+import org.apache.cxf.rs.security.jose.jwe.JweException;
+import org.apache.cxf.rs.security.jose.jwe.JweHeaders;
+import org.apache.cxf.rs.security.jose.jwe.JweOutputStream;
+import org.apache.cxf.rs.security.jose.jwe.JweUtils;
+
+@Priority(Priorities.JWE_WRITE_PRIORITY)
+public class JweWriterInterceptor implements WriterInterceptor {
+    protected static final Logger LOG = LogUtils.getL7dLogger(JweWriterInterceptor.class);
+    private JweEncryptionProvider encryptionProvider;
+    private boolean contentTypeRequired = true;
+    private boolean useJweOutputStream;
+    @Override
+    public void aroundWriteTo(WriterInterceptorContext ctx) throws IOException, WebApplicationException {
+        if (ctx.getEntity() == null) {
+            ctx.proceed();
+            return;
+        }
+        OutputStream actualOs = ctx.getOutputStream();
+        JweHeaders jweHeaders = new JweHeaders();
+        JweEncryptionProvider theEncryptionProvider = getInitializedEncryptionProvider(jweHeaders);
+        
+        String ctString = null;
+        MediaType contentMediaType = ctx.getMediaType();
+        if (contentTypeRequired && contentMediaType != null) {
+            if ("application".equals(contentMediaType.getType())) {
+                ctString = contentMediaType.getSubtype();
+            } else {
+                ctString = JAXRSUtils.mediaTypeToString(contentMediaType);
+            }
+        }
+        if (ctString != null) {
+            jweHeaders.setContentType(ctString);
+        }
+        
+        if (useJweOutputStream) {
+            JweEncryptionOutput encryption = 
+                theEncryptionProvider.getEncryptionOutput(new JweEncryptionInput(jweHeaders));
+            try {
+                JweCompactProducer.startJweContent(actualOs,
+                                                   encryption.getHeaders(), 
+                                                   encryption.getContentEncryptionKey(), 
+                                                   encryption.getIv());
+            } catch (IOException ex) {
+                LOG.warning("JWE encryption error");
+                throw new JweException(JweException.Error.CONTENT_ENCRYPTION_FAILURE, ex);
+            }
+            OutputStream wrappedStream = null;
+            JweOutputStream jweOutputStream = new JweOutputStream(actualOs, encryption.getCipher(), 
+                                                         encryption.getAuthTagProducer());
+            wrappedStream = jweOutputStream;
+            if (encryption.isCompressionSupported()) {
+                wrappedStream = new DeflaterOutputStream(jweOutputStream);
+            }
+            
+            ctx.setOutputStream(wrappedStream);
+            ctx.proceed();
+            setJoseMediaType(ctx);
+            jweOutputStream.finalFlush();
+        } else {
+            CachedOutputStream cos = new CachedOutputStream(); 
+            ctx.setOutputStream(cos);
+            ctx.proceed();
+            String jweContent = theEncryptionProvider.encrypt(cos.getBytes(), jweHeaders);
+            setJoseMediaType(ctx);
+            IOUtils.copy(new ByteArrayInputStream(StringUtils.toBytesUTF8(jweContent)), 
+                         actualOs);
+            actualOs.flush();
+        }
+    }
+    
+    private void setJoseMediaType(WriterInterceptorContext ctx) {
+        MediaType joseMediaType = JAXRSUtils.toMediaType(JoseConstants.MEDIA_TYPE_JOSE);
+        ctx.setMediaType(joseMediaType);
+    }
+    
+    protected JweEncryptionProvider getInitializedEncryptionProvider(JweHeaders headers) {
+        if (encryptionProvider != null) {
+            return encryptionProvider;    
+        } 
+        return JweUtils.loadEncryptionProvider(headers, true);
+    }
+    
+    public void setUseJweOutputStream(boolean useJweOutputStream) {
+        this.useJweOutputStream = useJweOutputStream;
+    }
+
+    public void setEncryptionProvider(JweEncryptionProvider encryptionProvider) {
+        this.encryptionProvider = encryptionProvider;
+    }
+    
+}
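Review bot: In the streaming branch of aroundWriteTo, the `DeflaterOutputStream` created when `encryption.isCompressionSupported()` is true is never finished before `jweOutputStream.finalFlush()` runs, so unless the entity writer closes the stream itself, the tail of the compressed data can still be inside the deflater when the JWE is finalized. Keep the wrapper in its own local and call `deflaterStream.finish();` right after `ctx.proceed()`. In the same branch `setJoseMediaType(ctx)` runs only after `startJweContent` and `ctx.proceed()` have written to `actualOs`, which may be too late to change the Content-Type header; JwsJsonWriterInterceptor sets the media type before `ctx.proceed()`, while JwsWriterInterceptor has the same late call. In the buffered branch `cos` is never closed; if CachedOutputStream holds anything beyond heap memory (not visible here), wrap its use in `try { … } finally { cos.close(); }`, here and in the buffered branches of the two JWS writer interceptors.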

http://git-wip-us.apache.org/repos/asf/cxf/blob/5e40ea35/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsClientResponseFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsClientResponseFilter.java b/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsClientResponseFilter.java
new file mode 100644
index 0000000..8b811ec
--- /dev/null
+++ b/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsClientResponseFilter.java
@@ -0,0 +1,53 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.jaxrs;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+
+import javax.annotation.Priority;
+import javax.ws.rs.client.ClientRequestContext;
+import javax.ws.rs.client.ClientResponseContext;
+import javax.ws.rs.client.ClientResponseFilter;
+
+import org.apache.cxf.helpers.IOUtils;
+import org.apache.cxf.rs.security.jose.JoseUtils;
+import org.apache.cxf.rs.security.jose.jws.JwsCompactConsumer;
+import org.apache.cxf.rs.security.jose.jws.JwsException;
+import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
+
+@Priority(Priorities.JWS_CLIENT_READ_PRIORITY)
+public class JwsClientResponseFilter extends AbstractJwsReaderProvider implements ClientResponseFilter {
+    @Override
+    public void filter(ClientRequestContext req, ClientResponseContext res) throws IOException {
+        JwsCompactConsumer p = new JwsCompactConsumer(IOUtils.readStringFromStream(res.getEntityStream()));
+        JwsSignatureVerifier theSigVerifier = getInitializedSigVerifier(p.getJwsHeaders());
+        if (!p.verifySignatureWith(theSigVerifier)) {
+            throw new JwsException(JwsException.Error.INVALID_SIGNATURE);
+        }
+        byte[] bytes = p.getDecodedJwsPayloadBytes();
+        res.setEntityStream(new ByteArrayInputStream(bytes));
+        res.getHeaders().putSingle("Content-Length", Integer.toString(bytes.length));
+        String ct = JoseUtils.checkContentType(p.getJwsHeaders().getContentType(), getDefaultMediaType());
+        if (ct != null) {
+            res.getHeaders().putSingle("Content-Type", ct);
+        }
+    }
+
+}
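Review bot: `getInitializedSigVerifier(p.getJwsHeaders())` in filter selects the verifier from headers that have not been authenticated yet, and nothing in this class says whether the algorithm named in those headers can influence what is accepted. The verifier is built in AbstractJwsReaderProvider, outside this hunk, so the algorithm may already be pinned by configuration; a comment would make the contract explicit, e.g. `// headers are untrusted until verifySignatureWith() succeeds; the accepted algorithm must come from configuration, not from the token`. JwsContainerRequestFilter makes the same call and would benefit from the same comment.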

http://git-wip-us.apache.org/repos/asf/cxf/blob/5e40ea35/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java b/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java
new file mode 100644
index 0000000..8a3a069
--- /dev/null
+++ b/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java
@@ -0,0 +1,61 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.jaxrs;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+
+import javax.annotation.Priority;
+import javax.ws.rs.HttpMethod;
+import javax.ws.rs.container.ContainerRequestContext;
+import javax.ws.rs.container.ContainerRequestFilter;
+import javax.ws.rs.container.PreMatching;
+
+import org.apache.cxf.helpers.IOUtils;
+import org.apache.cxf.jaxrs.utils.JAXRSUtils;
+import org.apache.cxf.rs.security.jose.JoseUtils;
+import org.apache.cxf.rs.security.jose.jws.JwsCompactConsumer;
+import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
+
+@PreMatching
+@Priority(Priorities.JWS_SERVER_READ_PRIORITY)
+public class JwsContainerRequestFilter extends AbstractJwsReaderProvider implements ContainerRequestFilter {
+    @Override
+    public void filter(ContainerRequestContext context) throws IOException {
+        if (HttpMethod.GET.equals(context.getMethod())) {
+            return;
+        }
+        JwsCompactConsumer p = new JwsCompactConsumer(IOUtils.readStringFromStream(context.getEntityStream()));
+        JwsSignatureVerifier theSigVerifier = getInitializedSigVerifier(p.getJwsHeaders());
+        if (!p.verifySignatureWith(theSigVerifier)) {
+            context.abortWith(JAXRSUtils.toResponse(400));
+            return;
+        }
+        JoseUtils.validateRequestContextProperty(p.getJwsHeaders());
+        byte[] bytes = p.getDecodedJwsPayloadBytes();
+        context.setEntityStream(new ByteArrayInputStream(bytes));
+        context.getHeaders().putSingle("Content-Length", Integer.toString(bytes.length));
+        
+        String ct = JoseUtils.checkContentType(p.getJwsHeaders().getContentType(), getDefaultMediaType());
+        if (ct != null) {
+            context.getHeaders().putSingle("Content-Type", ct);
+        }
+    }
+    
+}
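Review bot: The early `return` for `HttpMethod.GET` at the top of filter lets every GET request through without a signature check, and the class carries no comment telling deployers that it does not authenticate GET. Other methods that normally have no body (HEAD, DELETE, OPTIONS) are not exempted and go straight to `IOUtils.readStringFromStream`, so they are treated differently from GET for no stated reason. I would add a class Javadoc line such as `GET requests are passed through unverified; protect those resources by other means.` and decide explicitly what happens to other body-less requests, for example `if (!context.hasEntity()) { context.abortWith(JAXRSUtils.toResponse(400)); return; }`. The same pattern appears in JwsJsonContainerRequestFilter and JweContainerRequestFilter.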

http://git-wip-us.apache.org/repos/asf/cxf/blob/5e40ea35/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonClientResponseFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonClientResponseFilter.java b/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonClientResponseFilter.java
new file mode 100644
index 0000000..728c19d
--- /dev/null
+++ b/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonClientResponseFilter.java
@@ -0,0 +1,59 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.jaxrs;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.util.List;
+
+import javax.annotation.Priority;
+import javax.ws.rs.client.ClientRequestContext;
+import javax.ws.rs.client.ClientResponseContext;
+import javax.ws.rs.client.ClientResponseFilter;
+
+import org.apache.cxf.helpers.IOUtils;
+import org.apache.cxf.rs.security.jose.JoseUtils;
+import org.apache.cxf.rs.security.jose.jws.JwsException;
+import org.apache.cxf.rs.security.jose.jws.JwsJsonConsumer;
+import org.apache.cxf.rs.security.jose.jws.JwsJsonSignatureEntry;
+import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
+
+@Priority(Priorities.JWS_CLIENT_READ_PRIORITY)
+public class JwsJsonClientResponseFilter extends AbstractJwsJsonReaderProvider implements ClientResponseFilter {
+    @Override
+    public void filter(ClientRequestContext req, ClientResponseContext res) throws IOException {
+        List<JwsSignatureVerifier> theSigVerifiers = getInitializedSigVerifiers();
+        JwsJsonConsumer p = new JwsJsonConsumer(IOUtils.readStringFromStream(res.getEntityStream()));
+        if (isStrictVerification() && p.getSignatureEntries().size() != theSigVerifiers.size()
+            || !p.verifySignatureWith(theSigVerifiers)) {
+            throw new JwsException(JwsException.Error.INVALID_SIGNATURE);
+        }
+        byte[] bytes = p.getDecodedJwsPayloadBytes();
+        res.setEntityStream(new ByteArrayInputStream(bytes));
+        res.getHeaders().putSingle("Content-Length", Integer.toString(bytes.length));
+        
+        // the list is guaranteed to be non-empty
+        JwsJsonSignatureEntry sigEntry = p.getSignatureEntries().get(0);
+        String ct = JoseUtils.checkContentType(sigEntry.getUnionHeader().getContentType(), getDefaultMediaType());
+        if (ct != null) {
+            res.getHeaders().putSingle("Content-Type", ct);
+        }
+    }
+
+}
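Review bot: The Content-Type restored at the end of filter is always read from `p.getSignatureEntries().get(0).getUnionHeader()`, the first signature entry, whether or not that entry is one a configured verifier actually checked. If the union header includes the entry's unprotected header (the name suggests so, but it is not visible here), that value is not covered by any signature yet decides how the verified payload is parsed. I would take the content type from the protected header of a verified entry, or at least replace the comment `the list is guaranteed to be non-empty`, which nothing in this hunk enforces when strict verification is off, with one stating these assumptions. Writing the condition as `(isStrictVerification() && …) || !p.verifySignatureWith(theSigVerifiers)` would also make the intended precedence obvious. JwsJsonContainerRequestFilter contains the same code.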

http://git-wip-us.apache.org/repos/asf/cxf/blob/5e40ea35/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java b/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java
new file mode 100644
index 0000000..7512536
--- /dev/null
+++ b/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java
@@ -0,0 +1,65 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.jaxrs;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.util.List;
+
+import javax.annotation.Priority;
+import javax.ws.rs.HttpMethod;
+import javax.ws.rs.container.ContainerRequestContext;
+import javax.ws.rs.container.ContainerRequestFilter;
+import javax.ws.rs.container.PreMatching;
+
+import org.apache.cxf.helpers.IOUtils;
+import org.apache.cxf.jaxrs.utils.JAXRSUtils;
+import org.apache.cxf.rs.security.jose.JoseUtils;
+import org.apache.cxf.rs.security.jose.jws.JwsJsonConsumer;
+import org.apache.cxf.rs.security.jose.jws.JwsJsonSignatureEntry;
+import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
+
+@PreMatching
+@Priority(Priorities.JWS_SERVER_READ_PRIORITY)
+public class JwsJsonContainerRequestFilter extends AbstractJwsJsonReaderProvider implements ContainerRequestFilter {
+    @Override
+    public void filter(ContainerRequestContext context) throws IOException {
+        if (HttpMethod.GET.equals(context.getMethod())) {
+            return;
+        }
+        List<JwsSignatureVerifier> theSigVerifiers = getInitializedSigVerifiers();
+        JwsJsonConsumer p = new JwsJsonConsumer(IOUtils.readStringFromStream(context.getEntityStream()));
+        
+        if (isStrictVerification() && p.getSignatureEntries().size() != theSigVerifiers.size() 
+            || !p.verifySignatureWith(theSigVerifiers)) {
+            context.abortWith(JAXRSUtils.toResponse(400));
+            return;
+        }
+        byte[] bytes = p.getDecodedJwsPayloadBytes();
+        context.setEntityStream(new ByteArrayInputStream(bytes));
+        context.getHeaders().putSingle("Content-Length", Integer.toString(bytes.length));
+        
+        // the list is guaranteed to be non-empty
+        JwsJsonSignatureEntry sigEntry = p.getSignatureEntries().get(0);
+        String ct = JoseUtils.checkContentType(sigEntry.getUnionHeader().getContentType(), getDefaultMediaType());
+        if (ct != null) {
+            context.getHeaders().putSingle("Content-Type", ct);
+        }
+    }
+}
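Review bot: After a successful verification this filter never calls `JoseUtils.validateRequestContextProperty`, which the compact-serialization JwsContainerRequestFilter invokes right after its signature check. What that helper enforces is not visible in this diff, but if it ties the token to the current request, the JSON serialization path skips that check without saying so. If the omission is not deliberate, add the call once `sigEntry` is available, e.g. `JoseUtils.validateRequestContextProperty(sigEntry.getUnionHeader());` (assuming the header type is accepted there), or leave a comment explaining why it does not apply to JWS JSON.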

http://git-wip-us.apache.org/repos/asf/cxf/blob/5e40ea35/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonWriterInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonWriterInterceptor.java b/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonWriterInterceptor.java
new file mode 100644
index 0000000..89b611d
--- /dev/null
+++ b/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonWriterInterceptor.java
@@ -0,0 +1,138 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.jaxrs;
+
+import java.io.IOException;
+import java.io.OutputStream;
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.annotation.Priority;
+import javax.ws.rs.WebApplicationException;
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.ext.WriterInterceptor;
+import javax.ws.rs.ext.WriterInterceptorContext;
+
+import org.apache.cxf.common.util.Base64UrlOutputStream;
+import org.apache.cxf.common.util.Base64UrlUtility;
+import org.apache.cxf.common.util.StringUtils;
+import org.apache.cxf.io.CachedOutputStream;
+import org.apache.cxf.jaxrs.provider.json.JsonMapObjectReaderWriter;
+import org.apache.cxf.jaxrs.utils.JAXRSUtils;
+import org.apache.cxf.rs.security.jose.JoseConstants;
+import org.apache.cxf.rs.security.jose.JoseHeaders;
+import org.apache.cxf.rs.security.jose.jws.JwsHeaders;
+import org.apache.cxf.rs.security.jose.jws.JwsJsonOutputStream;
+import org.apache.cxf.rs.security.jose.jws.JwsJsonProducer;
+import org.apache.cxf.rs.security.jose.jws.JwsSignature;
+import org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider;
+
+@Priority(Priorities.JWS_WRITE_PRIORITY)
+public class JwsJsonWriterInterceptor extends AbstractJwsJsonWriterProvider implements WriterInterceptor {
+    private JsonMapObjectReaderWriter writer = new JsonMapObjectReaderWriter();
+    private boolean contentTypeRequired = true;
+    private boolean useJwsOutputStream;
+    private boolean encodePayload = true;
+    @Override
+    public void aroundWriteTo(WriterInterceptorContext ctx) throws IOException, WebApplicationException {
+        if (ctx.getEntity() == null) {
+            ctx.proceed();
+            return;
+        }
+        List<JwsSignatureProvider> sigProviders = getInitializedSigProviders();
+        OutputStream actualOs = ctx.getOutputStream();
+        if (useJwsOutputStream) {
+            List<String> protectedHeaders = new ArrayList<String>(sigProviders.size());
+            List<JwsSignature> signatures = new ArrayList<JwsSignature>(sigProviders.size());
+            for (JwsSignatureProvider signer : sigProviders) {
+                JwsHeaders protectedHeader = prepareProtectedHeader(ctx, signer);
+                String encoded = Base64UrlUtility.encode(writer.toJson(protectedHeader));
+                protectedHeaders.add(encoded);
+                JwsSignature signature = signer.createJwsSignature(protectedHeader);
+                byte[] start = StringUtils.toBytesUTF8(encoded + ".");
+                signature.update(start, 0, start.length);
+                signatures.add(signature);
+            }    
+            ctx.setMediaType(JAXRSUtils.toMediaType(JoseConstants.MEDIA_TYPE_JOSE_JSON));
+            actualOs.write(StringUtils.toBytesUTF8("{\"payload\":\""));
+            JwsJsonOutputStream jwsStream = new JwsJsonOutputStream(actualOs, protectedHeaders, signatures);
+            
+            Base64UrlOutputStream base64Stream = null;
+            if (encodePayload) {
+                base64Stream = new Base64UrlOutputStream(jwsStream);
+                ctx.setOutputStream(base64Stream);
+            } else {
+                ctx.setOutputStream(jwsStream);
+            }
+            ctx.proceed();
+            if (encodePayload) {
+                base64Stream.flush();
+            }
+            jwsStream.flush();
+        } else {
+            CachedOutputStream cos = new CachedOutputStream(); 
+            ctx.setOutputStream(cos);
+            ctx.proceed();
+            JwsJsonProducer p = new JwsJsonProducer(new String(cos.getBytes(), "UTF-8"));
+            for (JwsSignatureProvider signer : sigProviders) {
+                JwsHeaders protectedHeader = prepareProtectedHeader(ctx, signer);
+                p.signWith(signer, protectedHeader, null);    
+            }
+            ctx.setMediaType(JAXRSUtils.toMediaType(JoseConstants.MEDIA_TYPE_JOSE_JSON));
+            writeJws(p, actualOs);
+        }
+        
+    }
+    
+    private JwsHeaders prepareProtectedHeader(WriterInterceptorContext ctx, 
+                                              JwsSignatureProvider signer) {
+        JwsHeaders headers = new JwsHeaders();
+        headers.setSignatureAlgorithm(signer.getAlgorithm());
+        setContentTypeIfNeeded(headers, ctx);
+        if (!encodePayload) {
+            headers.setPayloadEncodingStatus(false);
+        }
+        return headers;
+    }
+    
+    public void setContentTypeRequired(boolean contentTypeRequired) {
+        this.contentTypeRequired = contentTypeRequired;
+    }
+    public void setUseJwsJsonOutputStream(boolean useJwsJsonOutputStream) {
+        this.useJwsOutputStream = useJwsJsonOutputStream;
+    }
+    private void setContentTypeIfNeeded(JoseHeaders headers, WriterInterceptorContext ctx) {    
+        if (contentTypeRequired) {
+            MediaType mt = ctx.getMediaType();
+            if (mt != null 
+                && !JAXRSUtils.mediaTypeToString(mt).equals(JoseConstants.MEDIA_TYPE_JOSE_JSON)) {
+                if ("application".equals(mt.getType())) {
+                    headers.setContentType(mt.getSubtype());
+                } else {
+                    headers.setContentType(JAXRSUtils.mediaTypeToString(mt));
+                }
+            }
+        }
+    }
+
+    public void setEncodePayload(boolean encodePayload) {
+        this.encodePayload = encodePayload;
+    }
+    
+}
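Review bot: When `encodePayload` is false, the streaming branch of aroundWriteTo writes `{"payload":"` to `actualOs` and then hands `jwsStream` directly to the entity writer, so the payload bytes land inside a JSON string with no escaping visible in this hunk. Unless JwsJsonOutputStream escapes quotes, backslashes and control characters itself, an entity containing a `"` yields a malformed or ambiguous JWS JSON document. I would document on `setEncodePayload` that unencoded mode requires a payload that is already safe inside a JSON string, e.g. `/** If false, the payload is written as-is and must not need JSON escaping. */`, or route that case through an escaping stream. In the buffered branch `new String(cos.getBytes(), "UTF-8")` decodes the entity as text, which can alter an entity that is not valid UTF-8 before it is signed; JwsWriterInterceptor does the same.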

http://git-wip-us.apache.org/repos/asf/cxf/blob/5e40ea35/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsWriterInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsWriterInterceptor.java b/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsWriterInterceptor.java
new file mode 100644
index 0000000..5deaceb
--- /dev/null
+++ b/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsWriterInterceptor.java
@@ -0,0 +1,107 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.jaxrs;
+
+import java.io.IOException;
+import java.io.OutputStream;
+
+import javax.annotation.Priority;
+import javax.ws.rs.WebApplicationException;
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.ext.WriterInterceptor;
+import javax.ws.rs.ext.WriterInterceptorContext;
+
+import org.apache.cxf.common.util.Base64UrlOutputStream;
+import org.apache.cxf.common.util.Base64UrlUtility;
+import org.apache.cxf.common.util.StringUtils;
+import org.apache.cxf.io.CachedOutputStream;
+import org.apache.cxf.jaxrs.provider.json.JsonMapObjectReaderWriter;
+import org.apache.cxf.jaxrs.utils.JAXRSUtils;
+import org.apache.cxf.rs.security.jose.JoseConstants;
+import org.apache.cxf.rs.security.jose.JoseHeaders;
+import org.apache.cxf.rs.security.jose.jws.JwsCompactProducer;
+import org.apache.cxf.rs.security.jose.jws.JwsHeaders;
+import org.apache.cxf.rs.security.jose.jws.JwsOutputStream;
+import org.apache.cxf.rs.security.jose.jws.JwsSignature;
+import org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider;
+
+@Priority(Priorities.JWS_WRITE_PRIORITY)
+public class JwsWriterInterceptor extends AbstractJwsWriterProvider implements WriterInterceptor {
+    private boolean contentTypeRequired = true;
+    private boolean useJwsOutputStream;
+    private JsonMapObjectReaderWriter writer = new JsonMapObjectReaderWriter();
+    @Override
+    public void aroundWriteTo(WriterInterceptorContext ctx) throws IOException, WebApplicationException {
+        if (ctx.getEntity() == null) {
+            ctx.proceed();
+            return;
+        }
+        JwsHeaders headers = new JwsHeaders();
+        JwsSignatureProvider sigProvider = getInitializedSigProvider(headers);
+        setContentTypeIfNeeded(headers, ctx);
+        OutputStream actualOs = ctx.getOutputStream();
+        if (useJwsOutputStream) {
+            JwsSignature jwsSignature = sigProvider.createJwsSignature(headers);
+            JwsOutputStream jwsStream = new JwsOutputStream(actualOs, jwsSignature);
+            byte[] headerBytes = StringUtils.toBytesUTF8(writer.toJson(headers));
+            Base64UrlUtility.encodeAndStream(headerBytes, 0, headerBytes.length, jwsStream);
+            jwsStream.write(new byte[]{'.'});
+                        
+            Base64UrlOutputStream base64Stream = new Base64UrlOutputStream(jwsStream);
+            ctx.setOutputStream(base64Stream);
+            ctx.proceed();
+            setJoseMediaType(ctx);
+            base64Stream.flush();
+            jwsStream.flush();
+        } else {
+            CachedOutputStream cos = new CachedOutputStream(); 
+            ctx.setOutputStream(cos);
+            ctx.proceed();
+            JwsCompactProducer p = new JwsCompactProducer(headers, new String(cos.getBytes(), "UTF-8"));
+            setJoseMediaType(ctx);
+            writeJws(p, sigProvider, actualOs);
+        }
+    }
+    
+    public void setContentTypeRequired(boolean contentTypeRequired) {
+        this.contentTypeRequired = contentTypeRequired;
+    }
+    
+    public void setUseJwsOutputStream(boolean useJwsOutputStream) {
+        this.useJwsOutputStream = useJwsOutputStream;
+    }
+    private void setContentTypeIfNeeded(JoseHeaders headers, WriterInterceptorContext ctx) {    
+        if (contentTypeRequired) {
+            MediaType mt = ctx.getMediaType();
+            if (mt != null 
+                && !JAXRSUtils.mediaTypeToString(mt).equals(JoseConstants.MEDIA_TYPE_JOSE)) {
+                if ("application".equals(mt.getType())) {
+                    headers.setContentType(mt.getSubtype());
+                } else {
+                    headers.setContentType(JAXRSUtils.mediaTypeToString(mt));
+                }
+            }
+        }
+    }
+    
+    private void setJoseMediaType(WriterInterceptorContext ctx) {
+        MediaType joseMediaType = JAXRSUtils.toMediaType(JoseConstants.MEDIA_TYPE_JOSE);
+        ctx.setMediaType(joseMediaType);
+    }
+}
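Review bot: `setUseJwsOutputStream` and `setContentTypeRequired` have no Javadoc, although the modes they select behave quite differently in aroundWriteTo. With the flag set, the headers and payload are streamed through `JwsOutputStream` and `Base64UrlOutputStream`; without it the whole entity is buffered in a `CachedOutputStream` and converted to a String before `writeJws` is called. I would state that on the setter, e.g. `/** If true, stream the payload through JwsOutputStream; otherwise buffer the whole entity before signing. Default: false. */`, and note on `setContentTypeRequired` that it controls whether the entity media type is copied into the JWS content type header.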

http://git-wip-us.apache.org/repos/asf/cxf/blob/5e40ea35/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationClientFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationClientFilter.java b/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationClientFilter.java
new file mode 100644
index 0000000..8f87119
--- /dev/null
+++ b/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationClientFilter.java
@@ -0,0 +1,84 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.jaxrs;
+
+import java.io.IOException;
+
+import javax.annotation.Priority;
+import javax.ws.rs.Priorities;
+import javax.ws.rs.client.ClientRequestContext;
+import javax.ws.rs.client.ClientRequestFilter;
+import javax.ws.rs.core.HttpHeaders;
+
+import org.apache.cxf.common.util.Base64UrlUtility;
+import org.apache.cxf.configuration.security.AuthorizationPolicy;
+import org.apache.cxf.endpoint.Endpoint;
+import org.apache.cxf.jaxrs.utils.JAXRSUtils;
+import org.apache.cxf.rs.security.jose.JoseException;
+import org.apache.cxf.rs.security.jose.JoseUtils;
+import org.apache.cxf.rs.security.jose.jwe.JweHeaders;
+import org.apache.cxf.rs.security.jose.jwt.AbstractJoseJwtProducer;
+import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
+import org.apache.cxf.rs.security.jose.jwt.JwtConstants;
+import org.apache.cxf.rs.security.jose.jwt.JwtToken;
+import org.apache.cxf.rt.security.crypto.CryptoUtils;
+
+@Priority(Priorities.AUTHENTICATION)
+public class JwtAuthenticationClientFilter extends AbstractJoseJwtProducer 
+    implements ClientRequestFilter {
+
+    private static final String DEFAULT_AUTH_SCHEME = "JWT";
+    private String authScheme = DEFAULT_AUTH_SCHEME;
+    @Override
+    public void filter(ClientRequestContext requestContext) throws IOException {
+        JwtToken jwt = getJwtToken(requestContext);
+        if (jwt == null && super.isJweRequired()) {
+            AuthorizationPolicy ap = JAXRSUtils.getCurrentMessage().getExchange()
+                .get(Endpoint.class).getEndpointInfo().getExtensor(AuthorizationPolicy.class);
+            if (ap != null && ap.getUserName() != null) {
+                JwtClaims claims = new JwtClaims();
+                claims.setSubject(ap.getUserName());
+                claims.setClaim("password", ap.getPassword());
+                claims.setIssuedAt(System.currentTimeMillis() / 1000);
+                jwt = new JwtToken(new JweHeaders(), claims);
+            }
+        }
+        if (jwt == null) {
+            throw new JoseException("JWT token is not available");
+        }
+        JoseUtils.setJoseMessageContextProperty(jwt.getHeaders(),
+                                                getContextPropertyValue());
+        String data = super.processJwt(jwt);
+        requestContext.getHeaders().putSingle(HttpHeaders.AUTHORIZATION, 
+                                              authScheme + " " + data);
+    }
+    protected JwtToken getJwtToken(ClientRequestContext requestContext) {
+        return (JwtToken)requestContext.getProperty(JwtConstants.JWT_TOKEN);
+    }
+    protected String getContextPropertyValue() {
+        return Base64UrlUtility.encode(CryptoUtils.generateSecureRandomBytes(16));
+    }
+    
+    public void setAuthScheme(String authScheme) {
+        this.authScheme = authScheme;
+    }
+    
+    
+    
+}
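Review bot: The fallback branch of `filter` puts the endpoint's clear-text password into the token with `claims.setClaim("password", ap.getPassword())`, and only the `super.isJweRequired()` guard a few lines above keeps it confidential. That invariant deserves a comment on the branch, for example `// password claim is only ever emitted inside a JWE; do not relax the isJweRequired() guard`. The token built here carries `iat` but no expiry, so its lifetime is bounded only by whatever TTL the receiving side enforces; setting an expiry claim next to `setIssuedAt` would limit reuse of a captured header. `ap.getPassword()` is also not null-checked, unlike `ap.getUserName()`.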

http://git-wip-us.apache.org/repos/asf/cxf/blob/5e40ea35/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java b/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
new file mode 100644
index 0000000..1cc56c46
--- /dev/null
+++ b/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
@@ -0,0 +1,113 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.jaxrs;
+
+import java.io.IOException;
+import java.util.logging.Logger;
+
+import javax.annotation.Priority;
+import javax.ws.rs.Priorities;
+import javax.ws.rs.container.ContainerRequestContext;
+import javax.ws.rs.container.ContainerRequestFilter;
+import javax.ws.rs.container.PreMatching;
+import javax.ws.rs.core.HttpHeaders;
+
+import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.jaxrs.utils.JAXRSUtils;
+import org.apache.cxf.rs.security.jose.JoseException;
+import org.apache.cxf.rs.security.jose.JoseUtils;
+import org.apache.cxf.rs.security.jose.jwt.AbstractJoseJwtConsumer;
+import org.apache.cxf.rs.security.jose.jwt.JwtToken;
+import org.apache.cxf.rs.security.jose.jwt.JwtUtils;
+import org.apache.cxf.security.SecurityContext;
+
+@PreMatching
+@Priority(Priorities.AUTHENTICATION)
+public class JwtAuthenticationFilter extends AbstractJoseJwtConsumer implements ContainerRequestFilter {
+    protected static final Logger LOG = LogUtils.getL7dLogger(JwtAuthenticationFilter.class);
+    
+    private static final String DEFAULT_AUTH_SCHEME = "JWT";
+    private String expectedAuthScheme = DEFAULT_AUTH_SCHEME;
+    private int clockOffset;
+    private int ttl;
+    private String roleClaim;
+    
+    @Override
+    public void filter(ContainerRequestContext requestContext) throws IOException {
+        String auth = requestContext.getHeaderString(HttpHeaders.AUTHORIZATION);
+        String[] parts = auth == null ? null : auth.split(" ");
+        if (parts == null || !expectedAuthScheme.equals(parts[0]) || parts.length != 2) {
+            throw new JoseException(expectedAuthScheme + " scheme is expected");
+        }
+        JwtToken token = super.getJwtToken(parts[1]);
+        JoseUtils.setMessageContextProperty(token.getHeaders());
+        
+        SecurityContext securityContext = configureSecurityContext(token);
+        if (securityContext != null) {
+            JAXRSUtils.getCurrentMessage().put(SecurityContext.class, securityContext);
+        }
+
+    }
+    
+    protected SecurityContext configureSecurityContext(JwtToken jwt) {
+        return new JwtTokenSecurityContext(jwt, roleClaim);
+    }
+
+    
+    public void setExpectedAuthScheme(String expectedAuthScheme) {
+        this.expectedAuthScheme = expectedAuthScheme;
+    }
+    
+    @Override
+    protected void validateToken(JwtToken jwt) {
+        // If we have no issued time then we need to have an expiry
+        boolean expiredRequired = jwt.getClaims().getIssuedAt() == null;
+        JwtUtils.validateJwtExpiry(jwt.getClaims(), clockOffset, expiredRequired);
+        
+        JwtUtils.validateJwtNotBefore(jwt.getClaims(), clockOffset, false);
+        
+        // If we have no expiry then we must have an issued at
+        boolean issuedAtRequired = jwt.getClaims().getExpiryTime() == null;
+        JwtUtils.validateJwtIssuedAt(jwt.getClaims(), ttl, clockOffset, issuedAtRequired);
+    }
+
+    public int getClockOffset() {
+        return clockOffset;
+    }
+
+    public void setClockOffset(int clockOffset) {
+        this.clockOffset = clockOffset;
+    }
+
+    public int getTtl() {
+        return ttl;
+    }
+
+    public void setTtl(int ttl) {
+        this.ttl = ttl;
+    }
+    
+    public String getRoleClaim() {
+        return roleClaim;
+    }
+
+    public void setRoleClaim(String roleClaim) {
+        this.roleClaim = roleClaim;
+    }
+}
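Review bot: In `filter`, the condition reads `parts[0]` before it checks `parts.length`, so an `Authorization` value that splits to an empty array raises `ArrayIndexOutOfBoundsException` instead of the intended `JoseException`. A value made only of spaces does this if the container passes it through untrimmed, because `String.split` drops trailing empty strings. Reordering closes it: `if (parts == null || parts.length != 2 || !expectedAuthScheme.equals(parts[0])) {`. Separately, `ttl` and `clockOffset` default to 0, and what `JwtUtils.validateJwtIssuedAt` does with a zero TTL is not visible here, so a comment on those fields stating the unit and the meaning of 0 would help whoever configures the filter.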

http://git-wip-us.apache.org/repos/asf/cxf/blob/5e40ea35/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtTokenSecurityContext.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtTokenSecurityContext.java b/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtTokenSecurityContext.java
new file mode 100644
index 0000000..427ad73
--- /dev/null
+++ b/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtTokenSecurityContext.java
@@ -0,0 +1,81 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.jaxrs;
+
+import java.security.Principal;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Set;
+
+import javax.security.auth.Subject;
+
+import org.apache.cxf.common.security.SimpleGroup;
+import org.apache.cxf.common.security.SimplePrincipal;
+import org.apache.cxf.rs.security.jose.jwt.JwtToken;
+import org.apache.cxf.security.LoginSecurityContext;
+
+public class JwtTokenSecurityContext implements LoginSecurityContext {
+    private final JwtToken token;
+    private final Principal principal;
+    private final Set<Principal> roles;
+    
+    public JwtTokenSecurityContext(JwtToken jwt, String roleClaim) {
+        principal = new SimplePrincipal(jwt.getClaims().getSubject());
+        this.token = jwt;
+        if (roleClaim != null && jwt.getClaims().containsProperty(roleClaim)) {
+            roles = new HashSet<Principal>();
+            String role = jwt.getClaims().getStringProperty(roleClaim).trim();
+            for (String r : role.split(",")) {
+                roles.add(new SimpleGroup(r));
+            }
+        } else {
+            roles = Collections.emptySet();
+        }
+    }
+    
+    public JwtToken getToken() {
+        return token;
+    }
+
+    @Override
+    public Subject getSubject() {
+        return null;
+    }
+
+    @Override
+    public Set<Principal> getUserRoles() {
+        return Collections.unmodifiableSet(roles);
+    }
+
+    @Override
+    public Principal getUserPrincipal() {
+        return principal;
+    }
+
+    @Override
+    public boolean isUserInRole(String role) {
+        for (Principal principalRole : roles) {
+            if (principalRole != principal && principalRole.getName().equals(role)) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+}
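Review bot: The constructor trims the whole role string but not the individual entries, so a claim such as `admin, user` yields a group named ` user` that `isUserInRole("user")` never matches. `roles.add(new SimpleGroup(r.trim()));`, skipping empty entries, would fix it. The result of `getStringProperty(roleClaim)` is also dereferenced without a null check. How that method treats a claim that is present but not a string (roles are often sent as a JSON array) is not visible in this hunk, so the constructor may fail with an unchecked exception rather than produce an empty role set.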

http://git-wip-us.apache.org/repos/asf/cxf/blob/5e40ea35/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/Priorities.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/Priorities.java b/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/Priorities.java
new file mode 100644
index 0000000..877ff0c
--- /dev/null
+++ b/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/Priorities.java
@@ -0,0 +1,34 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.jaxrs;
+
+public final class Priorities {
+    public static final int JWE_SERVER_READ_PRIORITY = 1001;
+    public static final int JWS_SERVER_READ_PRIORITY = 1002;
+    
+    public static final int JWE_WRITE_PRIORITY = 1001;
+    public static final int JWS_WRITE_PRIORITY = 1002;
+    
+    public static final int JWE_CLIENT_READ_PRIORITY = 1002;
+    public static final int JWS_CLIENT_READ_PRIORITY = 1001;
+    
+    private Priorities() {
+        
+    }
+}
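Review bot: This class shares its simple name with `javax.ws.rs.Priorities`, which the two authentication filters in the same package import for `@Priority(Priorities.AUTHENTICATION)`. A file in this package that omits that import resolves `Priorities` to this class instead, which is easy to misread in review. The constants also lack any comment on why the client read values are inverted relative to the server ones (`JWS_CLIENT_READ_PRIORITY = 1001` against `JWE_CLIENT_READ_PRIORITY = 1002`). The order in which signature verification and decryption run is security-relevant, so a class comment stating the intended nesting for each direction would make a wrong value noticeable.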

http://git-wip-us.apache.org/repos/asf/cxf/blob/5e40ea35/rt/rs/security/jose/pom.xml
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/pom.xml b/rt/rs/security/jose/pom.xml
index 63e23c4..c94129c 100644
--- a/rt/rs/security/jose/pom.xml
+++ b/rt/rs/security/jose/pom.xml
@@ -7,9 +7,9 @@
   to you under the Apache License, Version 2.0 (the
   "License"); you may not use this file except in compliance
   with the License. You may obtain a copy of the License at
-
+ 
   http://www.apache.org/licenses/LICENSE-2.0
-
+ 
   Unless required by applicable law or agreed to in writing,
   software distributed under the License is distributed on an
   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
@@ -20,49 +20,23 @@
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
     <modelVersion>4.0.0</modelVersion>
     <artifactId>cxf-rt-rs-security-jose</artifactId>
-    <packaging>bundle</packaging>
-    <name>Apache CXF Runtime JOSE</name>
-    <description>Apache CXF Runtime JOSE</description>
+    <packaging>pom</packaging>
+    <name>Apache CXF JOSE Security</name>
+    <description>Apache CXF JOSE Security</description>
     <url>http://cxf.apache.org</url>
     <parent>
         <groupId>org.apache.cxf</groupId>
+<<<<<<< HEAD
         <artifactId>cxf-parent</artifactId>
         <version>3.0.7-SNAPSHOT</version>
         <relativePath>../../../../parent/pom.xml</relativePath>
+=======
+        <artifactId>cxf-rt-rs-security</artifactId>
+        <version>3.1.4-SNAPSHOT</version>
+>>>>>>> 66a8177... Splitting current jose module into jose-core + jose-jaxrs
     </parent>
-    <dependencies>
-        <dependency>
-            <groupId>org.apache.cxf</groupId>
-            <artifactId>cxf-core</artifactId>
-            <version>${project.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>org.apache.cxf</groupId>
-            <artifactId>cxf-rt-security</artifactId>
-            <version>${project.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>org.apache.cxf</groupId>
-            <artifactId>cxf-rt-frontend-jaxrs</artifactId>
-            <version>${project.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>org.apache.cxf</groupId>
-            <artifactId>cxf-rt-rs-extension-providers</artifactId>
-            <version>${project.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>org.bouncycastle</groupId>
-            <artifactId>bcprov-ext-jdk15on</artifactId>
-            <version>${cxf.bcprov.version}</version>
-            <scope>provided</scope>
-            <optional>true</optional> 
-        </dependency>
-        <!--test dependencies-->
-        <dependency>
-            <groupId>junit</groupId>
-            <artifactId>junit</artifactId>
-            <scope>test</scope>
-        </dependency>
-    </dependencies>
+    <modules>
+        <module>jose-core</module>
+        <module>jose-jaxrs</module>
+    </modules>
 </project>
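Review bot: The second hunk commits unresolved merge-conflict markers inside `<parent>` (`<<<<<<< HEAD`, `=======`, `>>>>>>> 66a8177...`), so this POM is not well-formed XML and the module cannot build. Exactly one `<artifactId>`/`<version>` pair should remain. Which one is right depends on the target branch: the HEAD side names `cxf-parent` at `3.0.7-SNAPSHOT`, the incoming side `cxf-rt-rs-security` at `3.1.4-SNAPSHOT`. The `<relativePath>` line has to match whichever parent is kept. A pre-merge check that rejects conflict markers would catch this before it reaches the branch.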

http://git-wip-us.apache.org/repos/asf/cxf/blob/5e40ea35/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/AbstractJoseConsumer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/AbstractJoseConsumer.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/AbstractJoseConsumer.java
deleted file mode 100644
index 98886ce..0000000
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/AbstractJoseConsumer.java
+++ /dev/null
@@ -1,51 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose;
-
-import org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider;
-import org.apache.cxf.rs.security.jose.jwe.JweUtils;
-import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
-import org.apache.cxf.rs.security.jose.jws.JwsUtils;
-
-public abstract class AbstractJoseConsumer {
-    private JweDecryptionProvider jweDecryptor;
-    private JwsSignatureVerifier jwsVerifier;
-    
-    public void setJweDecryptor(JweDecryptionProvider jweDecryptor) {
-        this.jweDecryptor = jweDecryptor;
-    }
-
-    public void setJwsVerifier(JwsSignatureVerifier theJwsVerifier) {
-        this.jwsVerifier = theJwsVerifier;
-    }
-
-    protected JweDecryptionProvider getInitializedDecryptionProvider() {
-        if (jweDecryptor != null) {
-            return jweDecryptor;    
-        } 
-        return JweUtils.loadDecryptionProvider(false);
-    }
-    protected JwsSignatureVerifier getInitializedSignatureVerifier() {
-        if (jwsVerifier != null) {
-            return jwsVerifier;    
-        } 
-        return JwsUtils.loadSignatureVerifier(false);
-    }
-
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/5e40ea35/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/AbstractJoseProducer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/AbstractJoseProducer.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/AbstractJoseProducer.java
deleted file mode 100644
index f506943..0000000
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/AbstractJoseProducer.java
+++ /dev/null
@@ -1,51 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose;
-
-import org.apache.cxf.rs.security.jose.jwe.JweEncryptionProvider;
-import org.apache.cxf.rs.security.jose.jwe.JweUtils;
-import org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider;
-import org.apache.cxf.rs.security.jose.jws.JwsUtils;
-
-public abstract class AbstractJoseProducer {
-    private JwsSignatureProvider sigProvider;
-    private JweEncryptionProvider encryptionProvider;
-    
-    protected JwsSignatureProvider getInitializedSignatureProvider() {
-        if (sigProvider != null) {
-            return sigProvider;    
-        } 
-        
-        return JwsUtils.loadSignatureProvider(false);
-    }
-    protected JweEncryptionProvider getInitializedEncryptionProvider() {
-        if (encryptionProvider != null) {
-            return encryptionProvider;    
-        }
-        return JweUtils.loadEncryptionProvider(false);
-    }
-
-    public void setEncryptionProvider(JweEncryptionProvider encryptionProvider) {
-        this.encryptionProvider = encryptionProvider;
-    }
-
-    public void setSignatureProvider(JwsSignatureProvider signatureProvider) {
-        this.sigProvider = signatureProvider;
-    }
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/5e40ea35/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/JoseConstants.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/JoseConstants.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/JoseConstants.java
deleted file mode 100644
index 0c04791..0000000
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/JoseConstants.java
+++ /dev/null
@@ -1,54 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rs.security.jose;
-
-public final class JoseConstants {
-    public static final String HEADER_TYPE = "typ";
-    public static final String HEADER_ALGORITHM = "alg";
-    public static final String HEADER_CONTENT_TYPE = "cty";
-    public static final String HEADER_CRITICAL = "crit";
-    
-    public static final String HEADER_KEY_ID = "kid";
-    public static final String HEADER_X509_URL = "x5u";
-    public static final String HEADER_X509_CHAIN = "x5c";
-    public static final String HEADER_X509_THUMBPRINT = "x5t";
-    public static final String HEADER_X509_THUMBPRINT_SHA256 = "x5t#S256";
-    public static final String HEADER_JSON_WEB_KEY = "jwk";
-    public static final String HEADER_JSON_WEB_KEY_SET = "jku";
-    
-    public static final String JWE_HEADER_KEY_ENC_ALGORITHM = HEADER_ALGORITHM;
-    public static final String JWE_HEADER_CONTENT_ENC_ALGORITHM = "enc";
-    public static final String JWE_HEADER_ZIP_ALGORITHM = "zip";
-    public static final String JWE_DEFLATE_ZIP_ALGORITHM = "DEF";
-    
-    public static final String JWS_HEADER_B64_STATUS_HEADER = "b64";
-    
-    public static final String TYPE_JWT = "JWT";
-    public static final String TYPE_JOSE = "JOSE";
-    public static final String TYPE_JOSE_JSON = "JOSE+JSON";
-    public static final String MEDIA_TYPE_JOSE = "application/jose";
-    public static final String MEDIA_TYPE_JOSE_JSON = "application/jose+json";
-    
-    public static final String JOSE_CONTEXT_PROPERTY = "org.apache.cxf.jose.context";
-    
-    private JoseConstants() {
-        
-    }
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/5e40ea35/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/JoseException.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/JoseException.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/JoseException.java
deleted file mode 100644
index a71a098..0000000
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/JoseException.java
+++ /dev/null
@@ -1,33 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose;
-
-public class JoseException extends RuntimeException {
-
-    private static final long serialVersionUID = 4118589816228511524L;
-    public JoseException() {
-
-    }
-    public JoseException(String error) {
-        super(error);
-    }
-    public JoseException(Throwable cause) {
-        super(cause);
-    }
-}

