cxf-commits mailing list archives

From build...@apache.org
Subject svn commit: r988468 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-jose.html
Date Tue, 17 May 2016 16:47:31 GMT
Author: buildbot
Date: Tue May 17 16:47:31 2016
New Revision: 988468

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/jax-rs-jose.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-jose.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-jose.html (original)
+++ websites/production/cxf/content/docs/jax-rs-jose.html Tue May 17 16:47:31 2016
@@ -34,6 +34,7 @@
 <script src='/resources/highlighter/scripts/shCore.js'></script>
 <script src='/resources/highlighter/scripts/shBrushJava.js'></script>
 <script src='/resources/highlighter/scripts/shBrushXml.js'></script>
+<script src='/resources/highlighter/scripts/shBrushJScript.js'></script>
 <script>
   SyntaxHighlighter.defaults['toolbar'] = false;
   SyntaxHighlighter.all();
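Review bot: the new `<script src='/resources/highlighter/scripts/shBrushJScript.js'>` is what the `brush: js` JWK blocks added later in this commit depend on, and it is correctly placed ahead of the `SyntaxHighlighter.all()` call; keep that ordering if the script list is ever reorganised, otherwise those blocks silently fall back to unhighlighted `<pre>` text. The include is a same-origin relative path like the existing shCore/shBrushJava/shBrushXml entries, so no new third-party script origin is introduced by this page update.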
@@ -117,12 +118,12 @@ Apache CXF -- JAX-RS JOSE
          <td height="100%">
            <!-- Content -->
            <div class="wiki-content">
-<div id="ConfluenceContent"><p>&#160;</p><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1463492823881 {padding: 0px;}
-div.rbtoc1463492823881 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1463492823881 li {margin-left: 0px;padding-left: 0px;}
+<div id="ConfluenceContent"><p>&#160;</p><p>&#160;</p><p><style
type="text/css">/*<![CDATA[*/
+div.rbtoc1463503618227 {padding: 0px;}
+div.rbtoc1463503618227 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1463503618227 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1463492823881">
+/*]]>*/</style></p><div class="toc-macro rbtoc1463503618227">
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSJOSE-Introduction">Introduction</a></li><li><a
shape="rect" href="#JAX-RSJOSE-MavenDependencies">Maven Dependencies</a></li><li><a
shape="rect" href="#JAX-RSJOSE-JOSEOverview">JOSE Overview</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSJOSE-JWAAlgorithms">JWA
Algorithms</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWKKeys">JWK
Keys</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSSignature">JWS
Signature</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWEEncryption">JWE
Encryption</a></li><li><a shape="rect" href="#JAX-RSJOSE-JSONWebTokens">JSON
Web Tokens</a></li></ul>
 </li><li><a shape="rect" href="#JAX-RSJOSE-LinkingJWTauthenticationstoJWSorJWEcontent">Linking
JWT authentications to JWS or JWE content</a></li><li><a shape="rect"
href="#JAX-RSJOSE-JOSEJAX-RSFilters">JOSE JAX-RS Filters</a>
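Review bot: the extra `<p>&#160;</p>` inserted at the top of the content div (the line starting `+<div id="ConfluenceContent"><p>&#160;</p><p>&#160;</p>`) is empty-paragraph padding from the Confluence export and only adds a blank gap above the table of contents; it would be better removed on the wiki side than carried into every production regeneration. The `rbtoc1463492823881` to `rbtoc1463503618227` rename is a per-export generated class name; it is applied consistently to the three style rules and the `toc-macro` div, so it is harmless churn, but it will keep producing noise diffs on every buildbot run.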
@@ -144,7 +145,25 @@ div.rbtoc1463492823881 li {margin-left:
   &lt;version&gt;3.1.7&lt;/version&gt;
 &lt;/dependency&gt;
 </pre>
-</div></div><pre>&#160;</pre><h1 id="JAX-RSJOSE-JOSEOverview">JOSE
Overview</h1><p>JOSE consists of the following key parts:</p><ul><li><a
shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518" rel="nofollow">JWA</a>
- JSON Web Algorithms where all supported signature and encryption algorithms are listed</li><li><a
shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7517" rel="nofollow">JWK</a>
- JSON Web Keys - introduces a JSON format for describing the public and private keys used
by JWA algorithms</li><li><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515"
rel="nofollow">JWS</a> - JSON Web Signature - describes how the data can be signed
or validated and introduces compact and JSON JWS formats for representing the signed data</li><li><a
shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7516" rel="nofollow">JWE</a>
- JSON Web Encryption - describes how the data can be encrypted or decryp
 ted and introduces compact and JSON JWE formats for representing the encrypted data&#160;&#160;</li></ul><p>Additionally,
<a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7519" rel="nofollow">JWT</a>
(JSON Web Token), while technically not part of JOSE, is often used as an input material to
JWS and JWE processors, especially in OAuth2 flows (example: OAuth2 access tokens can be represented
internally as JWT, OpenIdConnect IdToken and UserInfo are effectively JWTs). <a shape="rect"
class="external-link" href="https://tools.ietf.org/html/rfc7519" rel="nofollow">JWT</a>
describes how a set of claims in a JSON format can be either JWS-signed or JWE-enctypted.&#160;</p><h2
id="JAX-RSJOSE-JWAAlgorithms">JWA Algorithms</h2><p>All JOSE signature and
encryption algorithms are grouped and described in <a shape="rect" class="external-link"
href="https://tools.ietf.org/html/rfc7518" rel="nofollow">JSON Web Algorithms</a>
(JWA) specification.</p><p>The algorithms are sp
 lit into 3 categories: signature algorithms (MAC, RS, ES), algorithms for supporting the
encryption of content encryption keys (RSA-OAEP, Aes Key Wrap, etc),</p><p>and
algorithms for encrypting the actual content (AES GCM, etc).</p><p>All encryption
algorithms produce authentication tags which provide the protection against manipulating the
already encrypted content.</p><p>Please refer to this specification to get all
the information needed (with the follow up links to the corresponding RFC when applicable)
about a particular signature or encryption</p><p>algorithm: the properties, recommended
key sizes, other security considerations related to all of or some specific algorithms.</p><p>CXF
offers the utility support for working with JWA algorithms in <a shape="rect" class="external-link"
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwa;h=c2b9c5466de8f4b3ad1ea9270c1bc00f07fce862;hb=HEAD">this
packag
 e</a>.</p><h2 id="JAX-RSJOSE-JWKKeys">JWK Keys</h2><p>&#160;</p><p><a
shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7517" rel="nofollow">JSON
Web Key</a> (JWK) is a JSON document describing the cryptographic key properties. JWKs
are very flexible and light-weight (in most cases) and one can expect JWKs becoming one of
the major mechanisms for representing and storing cryptographic keys. What is important is
that one does not have to use a JWK in order to sign or encrypt the document, working directly
with Java JCA secret and asymmetric key representations is sufficient but JWK is a first class
citizen in JOSE with all of JOSE examples using JWK representations.</p><p>Here
is</p><p>CXF offers a utility support for reading and writing JWK keys and key
sets and for working with the encrypted inlined and standalone JWK stores in <a shape="rect"
class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/ja
 va/org/apache/cxf/rs/security/jose/jwk;h=0d47d676fbb333db265f12f57f25c3d8240872ba;hb=HEAD">this
package</a>. Support for the pluggable strategies for loading JWKs is on the map.</p><h2
id="JAX-RSJOSE-JWSSignature">JWS Signature</h2><p><a shape="rect" class="external-link"
href="https://tools.ietf.org/html/rfc7515" rel="nofollow">JSON Web Signature</a>
(JWS) document describes how a document content can be signed. For example, <a shape="rect"
class="external-link" href="https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-41#appendix-A.1"
rel="nofollow">Appendix A1</a> shows how the content can be signed with a MAC key.</p><p>Here
is one of the ways you can do it in CXF, where a Json Web Token (JWT, see one of the next
sections) is signed by a MAC key:<br clear="none">&#160;</p><div class="code
panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width:
1px;"><b>CXF JWS HMac</b></div><div class="codeContent panelContent
pdl">
+</div></div><pre>&#160;</pre><h1 id="JAX-RSJOSE-JOSEOverview">JOSE
Overview</h1><p>JOSE consists of the following key parts:</p><ul><li><a
shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518" rel="nofollow">JWA</a>
- JSON Web Algorithms where all supported signature and encryption algorithms are listed</li><li><a
shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7517" rel="nofollow">JWK</a>
- JSON Web Keys - introduces a JSON format for describing the public and private keys used
by JWA algorithms</li><li><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515"
rel="nofollow">JWS</a> - JSON Web Signature - describes how the data can be signed
or validated and introduces compact and JSON JWS formats for representing the signed data</li><li><a
shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7516" rel="nofollow">JWE</a>
- JSON Web Encryption - describes how the data can be encrypted or decryp
 ted and introduces compact and JSON JWE formats for representing the encrypted data&#160;&#160;</li></ul><p>Additionally,
<a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7519" rel="nofollow">JWT</a>
(JSON Web Token), while technically being not part of JOSE, is often used as an input material
to JWS and JWE processors, especially in OAuth2 flows (example: OAuth2 access tokens can be
represented internally as JWT, OpenIdConnect IdToken and UserInfo are effectively JWTs). <a
shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7519" rel="nofollow">JWT</a>
describes how a set of claims in a JSON format can be either JWS-signed or JWE-enctypted.&#160;</p><h2
id="JAX-RSJOSE-JWAAlgorithms">JWA Algorithms</h2><p>All JOSE signature and
encryption algorithms are grouped and described in <a shape="rect" class="external-link"
href="https://tools.ietf.org/html/rfc7518" rel="nofollow">JSON Web Algorithms</a>
(JWA) specification.</p><p>The algorithms 
 are split into 3 categories: signature algorithms (HMAC, RSA, Elliptic Curve), algorithms
for supporting the encryption of content encryption keys (RSA-OAEP, AES Key Wrap, etc), and
algorithms for encrypting the actual content (AES GCM, etc).</p><p>All JWS and
JWE algorithms process the meta-data (the algorithm properties) and the actual data thus also
ensuring the algorithm properties are integrity-protected, additionally JWE algorithms produce
authentication tags which ensure the already encrypted content won't be manipulated.</p><p>Please
refer to <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518"
rel="nofollow">the specification</a> to get all the information needed (with the
follow up links to the corresponding RFC when applicable) about a particular signature or
encryption algorithm: the properties, recommended key sizes, other security considerations
related to all of or some specific algorithms. CXF JOSE code already enforces a number of
the rec
 ommended constraints.</p><p>CXF offers the utility support for working with JWA
algorithms in <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwa;h=c2b9c5466de8f4b3ad1ea9270c1bc00f07fce862;hb=HEAD">this
package</a>. Typically one would supply an algorithm property in a type-safe way either
to JWS or JWE processor, for example,&#160; SignatureAlgorithm.HS256 (HMAC signature)
for JWS,&#160;KeyAlgorithm.A256KW (key encryption wrap) plus ContentAlgorithm.A256GCM
for JWE.</p><h2 id="JAX-RSJOSE-JWKKeys">JWK Keys</h2><p><a shape="rect"
class="external-link" href="https://tools.ietf.org/html/rfc7517" rel="nofollow">JSON Web
Key</a> (JWK) is a JSON document describing the cryptographic key properties. JWKs are
very flexible and one can expect JWKs becoming one of the major mechanisms for representing
and storing cryptographic keys. While one does not have to use a JWK in o
 rder to sign or encrypt the document and rely on Java JCA secret and asymmetric key representations
instead, JWK is a preferred representation of JWS/JWE keys.</p><p>For example:</p><div
class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader
pdl" style="border-bottom-width: 1px;"><b>Jwk Signature Key</b></div><div
class="codeContent panelContent pdl">
+<pre class="brush: js; gutter: false; theme: Default" style="font-size:12px;">{
+   "kty":"oct",
+   "k":"AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow",
+   "kid":"Secret HMAC key"
+}</pre>
+</div></div><p>or</p><div class="code panel pdl" style="border-width:
1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>Public
Jwk Key</b></div><div class="codeContent panelContent pdl">
+<pre class="brush: js; gutter: false; theme: Default" style="font-size:12px;">{
+  "kty":"RSA",
+  "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx
+     4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMs
+     tn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2
+     QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbI
+     SD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqb
+     w0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
+  "e":"AQAB",
+  "alg":"RS256",
+  "kid":"Public RSA Key"}</pre>
+</div></div><p>&#160;</p><p>A collection of JWK keys is
called a JWK Key Set.</p><p>CXF offers a utility support for reading and writing
JWK keys and key sets and for working with the encrypted inlined and standalone JWK stores
in <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk;h=0d47d676fbb333db265f12f57f25c3d8240872ba;hb=HEAD">this
package</a>. For example, <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.inlinejwk.properties#L18"
rel="nofollow">here is how</a> an encrypted inlined JWK key is stored. Similarly,
<a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.inlineset.properties#L18"
rel="nofollo
 w">here is how</a> a collection of keys is inlined. In other cases users can refer
to a <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jws.ec.private.properties"
rel="nofollow">file containing the set of keys</a>.</p><p>Support for
the pluggable strategies for loading JWKs is on the map.</p><h2 id="JAX-RSJOSE-JWSSignature">JWS
Signature</h2><p><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515"
rel="nofollow">JSON Web Signature</a> (JWS) document describes how a document content
can be signed. For example, <a shape="rect" class="external-link" href="https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-41#appendix-A.1"
rel="nofollow">Appendix A1</a> shows how the content can be signed with a MAC key.</p><p>Here
is one of the ways you can do it in CXF, where a Json Web Token (JWT, see one of the next
sections) is signed by a MAC ke
 y:<br clear="none">&#160;</p><div class="code panel pdl" style="border-width:
1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>CXF
JWS HMac</b></div><div class="codeContent panelContent pdl">
 <pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">//
sign
 JoseHeaders headers = new JoseHeaders();
 headers.setAlgorithm(SignatureAlgorithm.HS256.getJwaName());
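Review bot: the new "Jwk Signature Key" block inlines a plaintext symmetric secret (`"kty":"oct"`, `"k":"AyM1Sy..."`, `"kid":"Secret HMAC key"`) with no statement that it is an illustrative value; since the very next paragraph points readers at the encrypted inlined and standalone JWK stores CXF supports, the example should say that this bare form is for demonstration only and that production HMAC secrets belong in one of those encrypted stores rather than in a properties file or page. Related: the RSA example carries `"alg":"RS256"` while the oct key carries no `alg`, which is permitted but inconsistent for two side-by-side examples. Two smaller items in the rewritten text: the typo in `JWS-signed or JWE-enctypted` survives from the old version (should be `JWE-encrypted`), and the JWS paragraph still links `draft-ietf-jose-json-web-signature-41#appendix-A.1` while every other reference on the page was moved to the published RFC (RFC 7515 for JWS), so that link should be updated to the RFC appendix as well. Finally, "CXF JOSE code already enforces a number of the recommended constraints" is too vague to be useful to someone assessing the library; either name the constraints enforced (minimum key sizes, rejected algorithms, and so on) or drop the sentence.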


