cxf-commits mailing list archives

From build...@apache.org
Subject svn commit: r971583 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-jose.html
Date Fri, 06 Nov 2015 17:47:42 GMT
Author: buildbot
Date: Fri Nov  6 17:47:42 2015
New Revision: 971583

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/jax-rs-jose.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-jose.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-jose.html (original)
+++ websites/production/cxf/content/docs/jax-rs-jose.html Fri Nov  6 17:47:42 2015
@@ -118,11 +118,11 @@ Apache CXF -- JAX-RS JOSE
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><p>&#160;</p><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1445874425776 {padding: 0px;}
-div.rbtoc1445874425776 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1445874425776 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1446832020257 {padding: 0px;}
+div.rbtoc1446832020257 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1446832020257 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1445874425776">
+/*]]>*/</style></p><div class="toc-macro rbtoc1446832020257">
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSJOSE-Introduction">Introduction</a></li><li><a
shape="rect" href="#JAX-RSJOSE-MavenDependencies">Maven Dependencies</a></li><li><a
shape="rect" href="#JAX-RSJOSE-JOSEOverview">JOSE Overview</a></li><li><a
shape="rect" href="#JAX-RSJOSE-JWAAlgorithms">JWA Algorithms</a></li><li><a
shape="rect" href="#JAX-RSJOSE-JWKKeys">JWK Keys</a></li><li><a shape="rect"
href="#JAX-RSJOSE-JWSSignature">JWS Signature</a></li><li><a shape="rect"
href="#JAX-RSJOSE-JSONEncryption">JSON Encryption</a></li><li><a shape="rect"
href="#JAX-RSJOSE-JSONWebTokens">JSON Web Tokens</a></li><li><a shape="rect"
href="#JAX-RSJOSE-LinkingJWTauthenticationstoJWSorJWEcontent">Linking JWT authentications
to JWS or JWE content</a></li><li><a shape="rect" href="#JAX-RSJOSE-JOSEJAX-RSFilters">JOSE
JAX-RS Filters</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSJOSE-JWE">JWE</a></li><li><a
shape="rect" href="#JAX-RSJOSE-JWS">JWS</a></li></ul>
 </li><li><a shape="rect" href="#JAX-RSJOSE-Configuration">Configuration</a>
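Review bot: the only change in this hunk is the regenerated `rbtoc1445874425776` → `rbtoc1446832020257` class name in the inline `<style>` and the `toc-macro` div; Confluence mints this timestamp-suffixed id on every export, so each publish produces a diff here even when the TOC itself is unchanged. Nothing to fix in the content, but reviewers can treat this hunk as noise and focus on the second one.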
@@ -176,7 +176,7 @@ AesWrapKeyDecryptionAlgorithm keyDecrypt
 JweDecryptionProvider decryption = new AesCbcHmacJweDecryption(keyDecryption);
 String decryptedText = decryption.decrypt(jweContent).getContentText();
 assertEquals(specPlainText, decryptedText);</pre>
-</div></div><p>&#160;</p><p>CXF ships JWE related classes
in <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe;h=71e0e29025252080838168458b3d2e0179a7a0bd;hb=HEAD">this
package</a> and offers a support for all of JWA encryption algorithms.</p><p><a
shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionProvider.java;h=615212b1622abb1c0a8b06a3b5498d8b6199d0cc;hb=HEAD">JweEncryptionProvider</a>
supports encrypting the content, <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionProvider.java;h=1f4861a2d78df5514ff74c40330c1a5f5933f47d;hb=HEAD">JweDecryptionProvider</a>
- decrypting the content. Encryptors and
  Decryptors for all of JWE algorithms are shipped.</p><p>JweCompactConsumer and
JweCompactProducer offer a utility support for creating and validating JWE compact serialization
and accept keys in a variety of formats</p><p>(as JWKs, JCA representations, created
out of band and wrapped in either JweEncryptionProvider or JweDecryptionProvider).</p><p>JweJwtCompactConsumer
and JweJwtCompactProducer are JweCompactConsumer and JweCompactProducer specializations that
offer a utility support for encrypting Json Web Tokens in a compact format.</p><p>JweJsonConsumer
and JweJsonProducer support JWE JSON (full) serialization.</p><p>JweOutputStream
is a specialized output stream that can be used in conjunction with JWE JAX-RS filters (see
one of the next sections)</p><p>to support the best effort at streaming the content
while encrypting it.&#160; These classes will use <a shape="rect" class="external-link"
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src
 /main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionOutput.java;h=918ef5a085c3dc51025e2e9cbba37388f37eb49e;hb=HEAD">JweEncryptionOutput</a>&#160;
optionally returned from JweEncryptionProvider</p><p>instead of working with the
consumer utility classes which deal with the encryption process completely in memory.</p><p>&#160;</p><p>Many
more examples will be added here.</p><h1 id="JAX-RSJOSE-JSONWebTokens">JSON Web
Tokens</h1><p>&#160;</p><p><a shape="rect" class="external-link"
href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32" rel="nofollow">JSON
Web Token</a> (JWT) is a collection of claims in JSON format. It offers a standard JSON
container for representing various properties or claims.</p><p>JWT can be signed
and or encrypted, i.e, serve as a JOSE signature or encryption input like any other data structure.</p><p>&#160;</p><p>JWT
has been primarily used in OAuth2 applications to represent self-contained access tokens but
can also be used in other contex
 ts.</p><p>CXF offers an initial JWT support in <a shape="rect" class="external-link"
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt;h=ab5e633cd9d81374288c46c7d283df49931cc0d8;hb=HEAD">this
package</a>.</p><h1 id="JAX-RSJOSE-LinkingJWTauthenticationstoJWSorJWEcontent">Linking
JWT authentications to JWS or JWE content</h1><p>Add more...</p><h1 id="JAX-RSJOSE-JOSEJAX-RSFilters">JOSE
JAX-RS Filters</h1><h2 id="JAX-RSJOSE-JWE">JWE</h2><h2 id="JAX-RSJOSE-JWS">JWS</h2><h1
id="JAX-RSJOSE-Configuration">Configuration</h1><h4 id="JAX-RSJOSE-Configurationthatappliestobothencryptionandsignature">Configuration
that applies to both encryption and signature</h4><div class="table-wrap"><table
class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>rs.security.keystore.type</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The keystore type. Suitable values
are "jks" or "j
 wk".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore.password</td><td
colspan="1" rowspan="1" class="confluenceTd">The password required to access the keystore.</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore.alias</td><td
colspan="1" rowspan="1" class="confluenceTd">&#160;The keystore alias corresponding
to the key to use. You can append one of the following to this tag to get the alias for more
specific operations:<br clear="none">&#160;&#160;&#160;&#160; - jwe.out<br
clear="none">&#160;&#160;&#160;&#160; - jwe.in<br clear="none">&#160;&#160;&#160;&#160;
- jws.out<br clear="none">&#160;&#160;&#160;&#160; - jws.in</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore.aliases</td><td
colspan="1" rowspan="1" class="confluenceTd">The keystore aliases corresponding to the
keys to use, when using the JSON serialization form. You can append one of the following to
this tag to get the al
 ias for more specific operations:<br clear="none">&#160;&#160;&#160;&#160;
- jws.out<br clear="none">&#160;&#160;&#160;&#160; - jws.in</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore.file</td><td
colspan="1" rowspan="1" class="confluenceTd">The path to the keystore file.</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.key.password</td><td
colspan="1" rowspan="1" class="confluenceTd">The password required to access the private
key (in the keystore).</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.key.password.provider</td><td
colspan="1" rowspan="1" class="confluenceTd">A reference to a PrivateKeyPasswordProvider
instance used to retrieve passwords to access keys.</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.accept.public.key</td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Whether to allow using a JWK received
in the header for signature validation. The default 
 is "false".</p></td></tr></tbody></table></div><h4
id="JAX-RSJOSE-Configurationthatappliestosignatureonly">Configuration that applies to signature
only</h4><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>rs.security.signature.key.password.provider</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>A reference to a PrivateKeyPasswordProvider
instance used to retrieve passwords to access keys for signature. If this is not specified
it falls back to use "rs.security.key.password.provider".</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.algorithm</td><td
colspan="1" rowspan="1" class="confluenceTd">The signature algorithm to use. The default
algorithm if not specified is 'RS256'.</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">rs.security.signature.out.properties</td><td colspan="1"
rowspan="1" class="confluenceTd"><p>The signature properties file for com
 pact signature creation. If not specified then it falls back to "rs.security.signature.properties".</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.in.properties</td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file for
compact signature verification. If not specified then it falls back to "rs.security.signature.properties".</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.properties</td><td
colspan="1" rowspan="1" class="confluenceTd">The signature properties file for compact
signature creation/verification.</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">rs.security.signature.out.list.properties</td><td colspan="1"
rowspan="1" class="confluenceTd"><p>The signature properties file for JSON Serialization
signature creation. If not specified then it falls back to "rs.security.signature.list.properties".</p></td></tr><tr><td
colspan="1" rowspan="1" class="conflu
 enceTd">rs.security.signature.in.list.properties</td><td colspan="1" rowspan="1"
class="confluenceTd"><p>The signature properties file for JSON Serialization signature
verification. If not specified then it falls back to "rs.security.signature.list.properties".</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.list.properties</td><td
colspan="1" rowspan="1" class="confluenceTd">The signature properties file for JSON Serialization
signature creation/verification.</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">rs.security.signature.include.public.key</td><td colspan="1"
rowspan="1" class="confluenceTd">Include the JWK public key for signature in the "jwk"
header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.include.cert</td><td
colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate for signature
in the "x5c" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceT
 d">rs.security.signature.include.key.id</td><td colspan="1" rowspan="1" class="confluenceTd">Include
the JWK key id for signature in the "kid" header.</td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd">rs.security.signature.include.cert.sha1</td><td
colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate SHA-1 digest
for signature in the "x5t" header.</td></tr></tbody></table></div><h4
id="JAX-RSJOSE-Configurationthatappliestoencryptiononly">Configuration that applies to
encryption only</h4><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>rs.security.decryption.key.password.provider</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>A reference to a PrivateKeyPasswordProvider
instance used to retrieve passwords to access keys for decryption. If this is not specified
it falls back to use "rs.security.key.password.provider".</p></td></tr><tr><td
colspan="1" rowspan="1" class="co
 nfluenceTd">rs.security.encryption.content.algorithm</td><td colspan="1" rowspan="1"
class="confluenceTd">The encryption content algorithm to use. The default algorithm if
not specified is 'A128GCM'.</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">rs.security.encryption.key.algorithm</td><td colspan="1"
rowspan="1" class="confluenceTd"><p>The encryption key algorithm to use. The default
algorithm if not specified is 'RSA-OAEP' if the key is an RSA key, and 'A128GCMKW' if it is
an octet sequence.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">rs.security.encryption.zip.algorithm</td><td colspan="1"
rowspan="1" class="confluenceTd">The encryption zip algorithm to use.</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.out.properties</td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file for
encryption creation. If not specified then it falls back to "rs.security.encryption.properties".</p
 ></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.in.properties</td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file for
decryption. If not specified then it falls back to "rs.security.encryption.properties".</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.properties</td><td
colspan="1" rowspan="1" class="confluenceTd">The signature properties file for encryption/decryption.</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.include.public.key</td><td
colspan="1" rowspan="1" class="confluenceTd">Include the JWK public key for&#160;encryption
in the "jwk" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.include.cert</td><td
colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate for&#160;encryption
in the "x5c" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"
 >rs.security.encryption.include.key.id</td><td colspan="1" rowspan="1" class="confluenceTd">Include
the JWK key id for&#160;encryption in the "kid" header.</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.include.cert.sha1</td><td
colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate SHA-1 digest
for&#160;encryption in the "x5t" header.</td></tr></tbody></table></div><h4
id="JAX-RSJOSE-ConfigurationthatappliestoJWTtokensonly">Configuration that applies to JWT
tokens only</h4><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>rs.security.enable.unsigned-jwt.principal</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Whether to allow unsigned JWT tokens
as SecurityContext Principals. The default is false.</p></td></tr></tbody></table></div><h1
id="JAX-RSJOSE-EncryptingJWKstores">Encrypting JWK stores</h1><p>JAX-RS filters
can read the keys from encrypte
 d JWK stores. The stores are encrypted inline or in separate storages (files). By default
the filters expect that the stores has been encrypted using</p><p>a password based
<a shape="rect" class="external-link" href="https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#section-4.8"
rel="nofollow">PBES2 algorithm</a>. The filters will check a registered <a shape="rect"
class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/PrivateKeyPasswordProvider.java;h=bfcde495a9f9fd0f11a2394c758be1d85beb5c60;hb=HEAD">password
provider</a>.</p><h1 id="JAX-RSJOSE-OAuth2andJose">OAuth2 and Jose</h1><p>CXF
OAuth2 module depends on its JOSE module. This will be used to support OAuth2 POP tokens.
Authorization code JOSE requests can already be processed. Utility support for validating
JWT-based access tokens is provided.</p><p>Add more...</p><h1 id="JAX-RSJOSE-OIDCandJose">OIDC
and Jos
 e</h1><p>OIDC heavily depends on JOSE. CXF OIDC module utilizes a JOSE module
to support OIDC RP and IDP code. Add more...</p><h1 id="JAX-RSJOSE-FutureWork">Future
Work</h1><p>OAuth2, WebCrypto, OIDC, etc</p><h1 id="JAX-RSJOSE-Third-PartyAlternatives">Third-Party
Alternatives</h1><p><a shape="rect" class="external-link" href="https://bitbucket.org/b_c/jose4j/wiki/Home"
rel="nofollow">Jose4J</a> is a top project from Brian Campbell.&#160; CXF users
are encouraged to experiment with Jose4J (or indeed with other 3rd party implementations)
if they prefer.</p><p>TODO: describe how Jose4J can be integrated with CXF filters
if preferred.</p><p>&#160;</p></div>
+</div></div><p>&#160;</p><p>CXF ships JWE related classes
in <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe;h=71e0e29025252080838168458b3d2e0179a7a0bd;hb=HEAD">this
package</a> and offers a support for all of JWA encryption algorithms.</p><p><a
shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionProvider.java;h=615212b1622abb1c0a8b06a3b5498d8b6199d0cc;hb=HEAD">JweEncryptionProvider</a>
supports encrypting the content, <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionProvider.java;h=1f4861a2d78df5514ff74c40330c1a5f5933f47d;hb=HEAD">JweDecryptionProvider</a>
- decrypting the content. Encryptors and
  Decryptors for all of JWE algorithms are shipped.</p><p>JweCompactConsumer and
JweCompactProducer offer a utility support for creating and validating JWE compact serialization
and accept keys in a variety of formats</p><p>(as JWKs, JCA representations, created
out of band and wrapped in either JweEncryptionProvider or JweDecryptionProvider).</p><p>JweJwtCompactConsumer
and JweJwtCompactProducer are JweCompactConsumer and JweCompactProducer specializations that
offer a utility support for encrypting Json Web Tokens in a compact format.</p><p>JweJsonConsumer
and JweJsonProducer support JWE JSON (full) serialization.</p><p>JweOutputStream
is a specialized output stream that can be used in conjunction with JWE JAX-RS filters (see
one of the next sections)</p><p>to support the best effort at streaming the content
while encrypting it.&#160; These classes will use <a shape="rect" class="external-link"
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src
 /main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionOutput.java;h=918ef5a085c3dc51025e2e9cbba37388f37eb49e;hb=HEAD">JweEncryptionOutput</a>&#160;
optionally returned from JweEncryptionProvider</p><p>instead of working with the
consumer utility classes which deal with the encryption process completely in memory.</p><p>&#160;</p><p>Many
more examples will be added here.</p><h1 id="JAX-RSJOSE-JSONWebTokens">JSON Web
Tokens</h1><p>&#160;</p><p><a shape="rect" class="external-link"
href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32" rel="nofollow">JSON
Web Token</a> (JWT) is a collection of claims in JSON format. It offers a standard JSON
container for representing various properties or claims.</p><p>JWT can be signed
and or encrypted, i.e, serve as a JOSE signature or encryption input like any other data structure.</p><p>&#160;</p><p>JWT
has been primarily used in OAuth2 applications to represent self-contained access tokens but
can also be used in other contex
 ts.</p><p>CXF offers an initial JWT support in <a shape="rect" class="external-link"
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt;h=ab5e633cd9d81374288c46c7d283df49931cc0d8;hb=HEAD">this
package</a>.</p><h1 id="JAX-RSJOSE-LinkingJWTauthenticationstoJWSorJWEcontent">Linking
JWT authentications to JWS or JWE content</h1><p>Add more...</p><h1 id="JAX-RSJOSE-JOSEJAX-RSFilters">JOSE
JAX-RS Filters</h1><h2 id="JAX-RSJOSE-JWE">JWE</h2><h2 id="JAX-RSJOSE-JWS">JWS</h2><h1
id="JAX-RSJOSE-Configuration">Configuration</h1><h4 id="JAX-RSJOSE-Configurationthatappliestobothencryptionandsignature">Configuration
that applies to both encryption and signature</h4><div class="table-wrap"><table
class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore</td><td
colspan="1" rowspan="1" class="confluenceTd">The Java KeyStore Object to use. This configuration
tag is used i
 f you want to pass the KeyStore Object through dynamically.</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>rs.security.keystore.type</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The keystore type. Suitable values
are "jks" or "jwk".</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">rs.security.keystore.password</td><td colspan="1" rowspan="1"
class="confluenceTd">The password required to access the keystore.</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore.alias</td><td
colspan="1" rowspan="1" class="confluenceTd">&#160;The keystore alias corresponding
to the key to use. You can append one of the following to this tag to get the alias for more
specific operations:<br clear="none">&#160;&#160;&#160;&#160; - jwe.out<br
clear="none">&#160;&#160;&#160;&#160; - jwe.in<br clear="none">&#160;&#160;&#160;&#160;
- jws.out<br clear="none">&#160;&#160;&#160;&#160; - jws.in</td></tr><tr><td
colspan="1" rowspan="1
 " class="confluenceTd">rs.security.keystore.aliases</td><td colspan="1" rowspan="1"
class="confluenceTd">The keystore aliases corresponding to the keys to use, when using
the JSON serialization form. You can append one of the following to this tag to get the alias
for more specific operations:<br clear="none">&#160;&#160;&#160;&#160;
- jws.out<br clear="none">&#160;&#160;&#160;&#160; - jws.in</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore.file</td><td
colspan="1" rowspan="1" class="confluenceTd">The path to the keystore file.</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.key.password</td><td
colspan="1" rowspan="1" class="confluenceTd">The password required to access the private
key (in the keystore).</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.key.password.provider</td><td
colspan="1" rowspan="1" class="confluenceTd">A reference to a PrivateKeyPasswordProvider
instance used to retrieve pas
 swords to access keys.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.accept.public.key</td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Whether to allow using a JWK received
in the header for signature validation. The default is "false".</p></td></tr></tbody></table></div><h4
id="JAX-RSJOSE-Configurationthatappliestosignatureonly">Configuration that applies to signature
only</h4><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>rs.security.signature.key.password.provider</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>A reference to a PrivateKeyPasswordProvider
instance used to retrieve passwords to access keys for signature. If this is not specified
it falls back to use "rs.security.key.password.provider".</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.algorithm</td><td
colspan="1" rowspan="1" class="confluenceTd">The signature 
 algorithm to use. The default algorithm if not specified is 'RS256'.</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.out.properties</td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file for
compact signature creation. If not specified then it falls back to "rs.security.signature.properties".</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.in.properties</td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file for
compact signature verification. If not specified then it falls back to "rs.security.signature.properties".</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.properties</td><td
colspan="1" rowspan="1" class="confluenceTd">The signature properties file for compact
signature creation/verification.</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">rs.security.signature.out.list.properties</td><t
 d colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file
for JSON Serialization signature creation. If not specified then it falls back to "rs.security.signature.list.properties".</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.in.list.properties</td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file for
JSON Serialization signature verification. If not specified then it falls back to "rs.security.signature.list.properties".</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.list.properties</td><td
colspan="1" rowspan="1" class="confluenceTd">The signature properties file for JSON Serialization
signature creation/verification.</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">rs.security.signature.include.public.key</td><td colspan="1"
rowspan="1" class="confluenceTd">Include the JWK public key for signature in the "jwk"
header.</td></tr><tr>
 <td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.include.cert</td><td
colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate for signature
in the "x5c" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.include.key.id</td><td
colspan="1" rowspan="1" class="confluenceTd">Include the JWK key id for signature in the
"kid" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.include.cert.sha1</td><td
colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate SHA-1 digest
for signature in the "x5t" header.</td></tr></tbody></table></div><h4
id="JAX-RSJOSE-Configurationthatappliestoencryptiononly">Configuration that applies to
encryption only</h4><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>rs.security.decryption.key.password.provider</p></td><td
colspan="1" rowspan="1" class="conf
 luenceTd"><p>A reference to a PrivateKeyPasswordProvider instance used to retrieve
passwords to access keys for decryption. If this is not specified it falls back to use "rs.security.key.password.provider".</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.content.algorithm</td><td
colspan="1" rowspan="1" class="confluenceTd">The encryption content algorithm to use. The
default algorithm if not specified is 'A128GCM'.</td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd">rs.security.encryption.key.algorithm</td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The encryption key algorithm to use.
The default algorithm if not specified is 'RSA-OAEP' if the key is an RSA key, and 'A128GCMKW'
if it is an octet sequence.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">rs.security.encryption.zip.algorithm</td><td colspan="1"
rowspan="1" class="confluenceTd">The encryption zip algorithm to use.</td></tr><tr><td
colspan="1"
  rowspan="1" class="confluenceTd">rs.security.encryption.out.properties</td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file for
encryption creation. If not specified then it falls back to "rs.security.encryption.properties".</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.in.properties</td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file for
decryption. If not specified then it falls back to "rs.security.encryption.properties".</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.properties</td><td
colspan="1" rowspan="1" class="confluenceTd">The signature properties file for encryption/decryption.</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.include.public.key</td><td
colspan="1" rowspan="1" class="confluenceTd">Include the JWK public key for&#160;encryption
in the "jwk" header.</td></tr><tr><td colsp
 an="1" rowspan="1" class="confluenceTd">rs.security.encryption.include.cert</td><td
colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate for&#160;encryption
in the "x5c" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.include.key.id</td><td
colspan="1" rowspan="1" class="confluenceTd">Include the JWK key id for&#160;encryption
in the "kid" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.include.cert.sha1</td><td
colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate SHA-1 digest
for&#160;encryption in the "x5t" header.</td></tr></tbody></table></div><h4
id="JAX-RSJOSE-ConfigurationthatappliestoJWTtokensonly">Configuration that applies to JWT
tokens only</h4><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>rs.security.enable.unsigned-jwt.principal</p></td><td
colspan="1" rowspan="1" cla
 ss="confluenceTd"><p>Whether to allow unsigned JWT tokens as SecurityContext Principals.
The default is false.</p></td></tr></tbody></table></div><h1
id="JAX-RSJOSE-EncryptingJWKstores">Encrypting JWK stores</h1><p>JAX-RS filters
can read the keys from encrypted JWK stores. The stores are encrypted inline or in separate
storages (files). By default the filters expect that the stores has been encrypted using</p><p>a
password based <a shape="rect" class="external-link" href="https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#section-4.8"
rel="nofollow">PBES2 algorithm</a>. The filters will check a registered <a shape="rect"
class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/PrivateKeyPasswordProvider.java;h=bfcde495a9f9fd0f11a2394c758be1d85beb5c60;hb=HEAD">password
provider</a>.</p><h1 id="JAX-RSJOSE-OAuth2andJose">OAuth2 and Jose</h1><p>CXF
OAuth2 module depends
  on its JOSE module. This will be used to support OAuth2 POP tokens. Authorization code JOSE
requests can already be processed. Utility support for validating JWT-based access tokens
is provided.</p><p>Add more...</p><h1 id="JAX-RSJOSE-OIDCandJose">OIDC
and Jose</h1><p>OIDC heavily depends on JOSE. CXF OIDC module utilizes a JOSE
module to support OIDC RP and IDP code. Add more...</p><h1 id="JAX-RSJOSE-FutureWork">Future
Work</h1><p>OAuth2, WebCrypto, OIDC, etc</p><h1 id="JAX-RSJOSE-Third-PartyAlternatives">Third-Party
Alternatives</h1><p><a shape="rect" class="external-link" href="https://bitbucket.org/b_c/jose4j/wiki/Home"
rel="nofollow">Jose4J</a> is a top project from Brian Campbell.&#160; CXF users
are encouraged to experiment with Jose4J (or indeed with other 3rd party implementations)
if they prefer.</p><p>TODO: describe how Jose4J can be integrated with CXF filters
if preferred.</p><p>&#160;</p></div>
            </div>
            <!-- Content -->
          </td>
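Review bot: the new `rs.security.keystore` row ("The Java KeyStore Object to use. This configuration tag is used if you want to pass the KeyStore Object through dynamically.") does not say how it interacts with the neighbouring `rs.security.keystore.file`, `rs.security.keystore.type` and `rs.security.keystore.password` entries; an operator setting both a file and a dynamic object cannot tell from this table which key material the filters will actually load, so the row should state the precedence (or that the file/type/password tags are ignored when an object is supplied) and whether `rs.security.keystore.alias` still applies to the passed-in object. The rest of the hunk is a re-wrap of unchanged text, but two existing defects are carried over unchanged and could be fixed in the same edit: in the "Configuration that applies to encryption only" table, `rs.security.encryption.out.properties`, `rs.security.encryption.in.properties` and `rs.security.encryption.properties` are all described as "The signature properties file for encryption ..." where "encryption properties file" is meant, and in "Encrypting JWK stores" the sentence "the filters expect that the stores has been encrypted using" should read "have been encrypted using", with the stray `</p><p>` split before "a password based" removed so the sentence is not broken across two paragraphs.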


