cxf-commits mailing list archives

From build...@apache.org
Subject svn commit: r989314 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-jose.html
Date Fri, 27 May 2016 09:47:38 GMT
Author: buildbot
Date: Fri May 27 09:47:38 2016
New Revision: 989314

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/jax-rs-jose.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-jose.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-jose.html (original)
+++ websites/production/cxf/content/docs/jax-rs-jose.html Fri May 27 09:47:38 2016
@@ -119,11 +119,11 @@ Apache CXF -- JAX-RS JOSE
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><p>&#160;</p><p>&#160;</p><p><style
type="text/css">/*<![CDATA[*/
-div.rbtoc1464259621584 {padding: 0px;}
-div.rbtoc1464259621584 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1464259621584 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1464342422013 {padding: 0px;}
+div.rbtoc1464342422013 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1464342422013 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1464259621584">
+/*]]>*/</style></p><div class="toc-macro rbtoc1464342422013">
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSJOSE-Introduction">Introduction</a></li><li><a
shape="rect" href="#JAX-RSJOSE-MavenDependencies">Maven Dependencies</a></li><li><a
shape="rect" href="#JAX-RSJOSE-JavaandJCEPolicy">Java and JCE Policy&#160;</a></li><li><a
shape="rect" href="#JAX-RSJOSE-JOSEOverviewandImplementation">JOSE Overview and Implementation</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSJOSE-JWAAlgorithms">JWA
Algorithms</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWKKeys">JWK
Keys</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSSignature">JWS
Signature</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSJOSE-SignatureandVerificationProviders">Signature
and Verification Providers</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSCompact">JWS
Compact</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSJSON">JWS
JSON</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSwithDetachedContent">JWS
with Detached Content</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSwithUnencodedPayload">JWS
with Unencoded Payload</a></li></ul>
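Review bot: The rbtoc class suffix in the three CSS rules and on the toc-macro div looks export-generated (rbtoc1464259621584 becomes rbtoc1464342422013 here), and it is the only thing this hunk changes, so the diff carries no content change. Consider emitting a stable class name for the TOC macro, or normalising the suffix before commit, so that real documentation changes are not mixed with identifier churn.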
@@ -194,8 +194,8 @@ JsonWebKey key = keySet.getKey("Public R
 String thumbprint = JwkUtils.getThumbprint(key);
 assertEquals("NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs", thumbprint);
 KeyType keyType = key.getKeyType();
-assertEquals(KeyType.RSA, thumbprint);</pre>
-</div></div><pre>JsonWebKeys also supports the retrieval of keys by their
type (RSA, EC, Octet) and operation (ENCRYPT, SIGN, etc). <br clear="none">Once you
have JWK loaded it is typically submitted to JWS or JWE providers.</pre><h2 id="JAX-RSJOSE-JWSSignature">JWS
Signature</h2><p><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515"
rel="nofollow">JWS</a> (JSON Web Signature) document describes how a document content
can be signed. For example, <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515#appendix-A.1"
rel="nofollow">Appendix A1</a> shows how the content can be signed with an HMAC key</p><p>CXF
ships JWS related classes in <a shape="rect" class="external-link" href="https://github.com/apache/cxf/tree/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws"
rel="nofollow">this package</a> and offers a support for all of JWA <a shape="rect"
class="external-link" href="https://tools.ietf.o
 rg/html/rfc7518#section-3" rel="nofollow">signature algorithms</a>.</p><h3
id="JAX-RSJOSE-SignatureandVerificationProviders">Signature and Verification Providers</h3><p><a
shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureProvider.java"
rel="nofollow">JwsSignatureProvider</a> supports signing the content, <a shape="rect"
class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureVerifier.java"
rel="nofollow">JwsSignatureVerifier</a> - validating the signatures.</p><p>Note
the signature and verification capabilities are represented by 2 different interfaces - it
was done to keep the interfaces minimalistic and have the concerns separated which can be
appreciated most in the cases where the code only signs or only validates.</p><p>The
following table shows 
 the algorithms and the corresponding providers (<span class="pl-smi">org.apache.cxf.rs.security.jose.jws</span>
package):</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td
colspan="1" rowspan="1" class="confluenceTd"><strong>Algorithm</strong></td><td
colspan="1" rowspan="1" class="confluenceTd"><strong>JWS Header 'alg'</strong></td><td
colspan="1" rowspan="1" class="confluenceTd"><strong>JwsSignatureProvider</strong></td><td
colspan="1" rowspan="1" class="confluenceTd"><strong>JwsSignatureVerifier</strong></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3.2"
rel="nofollow">HMAC</a></td><td colspan="1" rowspan="1" class="confluenceTd">HS256,
HS384, HS512</td><td colspan="1" rowspan="1" class="confluenceTd"><p>HmacJwsSignatureProvider</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>HmacJwsSignatureVerifier</p></td></tr><tr><td
colspan="1" rowspan="1
 " class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3.3"
rel="nofollow">RSASSA-PKCS1-v1_5</a></td><td colspan="1" rowspan="1" class="confluenceTd">RS256,
RS384, RS512</td><td colspan="1" rowspan="1" class="confluenceTd">PrivateKeyJwsSignatureProvider</td><td
colspan="1" rowspan="1" class="confluenceTd">PublicKeyJwsSignatureVerifier</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3.4"
rel="nofollow">ECDSA</a></td><td colspan="1" rowspan="1" class="confluenceTd">ES256,
ES384, ES512</td><td colspan="1" rowspan="1" class="confluenceTd">EcDsaJwsSignatureProvider</td><td
colspan="1" rowspan="1" class="confluenceTd">EcDsaJwsSignatureVerifier</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3.5"
rel="nofollow">RSASSA-PSS</a></td><td 
 colspan="1" rowspan="1" class="confluenceTd">PS256, PS384, PS512</td><td colspan="1"
rowspan="1" class="confluenceTd">PrivateKeyJwsSignatureProvider</td><td colspan="1"
rowspan="1" class="confluenceTd">PublicKeyJwsSignatureVerifier</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3.6"
rel="nofollow">None</a></td><td colspan="1" rowspan="1" class="confluenceTd">none</td><td
colspan="1" rowspan="1" class="confluenceTd">NoneJwsSignatureProvider</td><td
colspan="1" rowspan="1" class="confluenceTd">NoneJwsSignatureVerifier</td></tr></tbody></table></div><p>Either
of these providers (except for None) can be initialized with the keys loaded from JWK or Java
JKS stores or from the in-memory representations.</p><p>RS256/384/512 algorithms
are likely to be used most often at the moment due to existing JKS stores being available
everywhere and a relatively easy way of making the public validati
 on keys available. 'None' algorithm might be useful when a JWS sequence is subsequently JWE-encrypted
or when a 2-way TLS (with client and server certificates) is used.</p><p>Once
you have decided which algorithm needs to be supported you can initialize an appropriate pair
of JwsSignatureProvider and JwsSignatureVerifier if both signing the data and the verification
are needed. If only the signing is needed - select JwsSignatureProvider, only the verification
- select JwsSignatureVerifier. The selected providers are submitted to JWS Compact or JWS
JSON producers or consumers.</p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java"
rel="nofollow">JwsUtils</a> utility class has a lot of helper methods to load JwsSignatureProvider
or JwsSignatureVerifier and to get JWS sequences created and validated.</p><h3 id="JAX-RSJOSE-JWSCompact">JWS
Compact</h3><p><
 a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515#section-3.3"
rel="nofollow">JWS Compact representation</a> is the most often used JWS sequence
format. It is the concatenation of Base64URL-encoded sequence of JWS headers (algorithm and
other properties),&#160; Base64URL-encoded sequence of the actual data being protected
and Base64URL-encoded sequence of the signature algorithm output bytes.</p><p><a
shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactProducer.java"
rel="nofollow">JwsCompactProducer</a> and <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactConsumer.java"
rel="nofollow">JwsCompactConsumer</a> offer a support for producing and consuming
compact JWS sequences, protecting the data in JSON or no
 n-JSON formats.</p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJwtCompactProducer.java"
rel="nofollow">JwsJwtCompactProducer</a> and <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJwtCompactConsumer.java"
rel="nofollow">JwsJwtCompactConsumer</a> are their simple extensions which help with
processing typed JWT Tokens.</p><p>&#160;For example, here is how an <a
shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515#appendix-A.1"
rel="nofollow">Appendix A1</a> example can be done in CXF:</p><p>&#160;</p><div
class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader
pdl" style="border-bottom-width: 1px;"><b>CXF JWS Compact HMac</b></div><div
class="codeContent panelContent pdl">
+assertEquals(KeyType.RSA, keyType);</pre>
+</div></div><p>JsonWebKeys also supports the retrieval of keys by their
type (RSA, EC, Octet) and operation (ENCRYPT, SIGN, etc). <br clear="none">Once you
have JWK loaded it is typically submitted to JWS or JWE providers.</p><h2 id="JAX-RSJOSE-JWSSignature">JWS
Signature</h2><p><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515"
rel="nofollow">JWS</a> (JSON Web Signature) document describes how a document content
can be signed. For example, <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515#appendix-A.1"
rel="nofollow">Appendix A1</a> shows how the content can be signed with an HMAC key</p><p>CXF
ships JWS related classes in <a shape="rect" class="external-link" href="https://github.com/apache/cxf/tree/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws"
rel="nofollow">this package</a> and offers a support for all of JWA <a shape="rect"
class="external-link" href="https://tools.ietf.org/h
 tml/rfc7518#section-3" rel="nofollow">signature algorithms</a>.</p><h3
id="JAX-RSJOSE-SignatureandVerificationProviders">Signature and Verification Providers</h3><p><a
shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureProvider.java"
rel="nofollow">JwsSignatureProvider</a> supports signing the content, <a shape="rect"
class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureVerifier.java"
rel="nofollow">JwsSignatureVerifier</a> - validating the signatures.</p><p>Note
the signature and verification capabilities are represented by 2 different interfaces - it
was done to keep the interfaces minimalistic and have the concerns separated which can be
appreciated most in the cases where the code only signs or only validates.</p><p>The
following table shows the 
 algorithms and the corresponding providers (<span class="pl-smi">org.apache.cxf.rs.security.jose.jws</span>
package):</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td
colspan="1" rowspan="1" class="confluenceTd"><strong>Algorithm</strong></td><td
colspan="1" rowspan="1" class="confluenceTd"><strong>JWS Header 'alg'</strong></td><td
colspan="1" rowspan="1" class="confluenceTd"><strong>JwsSignatureProvider</strong></td><td
colspan="1" rowspan="1" class="confluenceTd"><strong>JwsSignatureVerifier</strong></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3.2"
rel="nofollow">HMAC</a></td><td colspan="1" rowspan="1" class="confluenceTd">HS256,
HS384, HS512</td><td colspan="1" rowspan="1" class="confluenceTd"><p>HmacJwsSignatureProvider</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>HmacJwsSignatureVerifier</p></td></tr><tr><td
colspan="1" rowspan="1" cl
 ass="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3.3"
rel="nofollow">RSASSA-PKCS1-v1_5</a></td><td colspan="1" rowspan="1" class="confluenceTd">RS256,
RS384, RS512</td><td colspan="1" rowspan="1" class="confluenceTd">PrivateKeyJwsSignatureProvider</td><td
colspan="1" rowspan="1" class="confluenceTd">PublicKeyJwsSignatureVerifier</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3.4"
rel="nofollow">ECDSA</a></td><td colspan="1" rowspan="1" class="confluenceTd">ES256,
ES384, ES512</td><td colspan="1" rowspan="1" class="confluenceTd">EcDsaJwsSignatureProvider</td><td
colspan="1" rowspan="1" class="confluenceTd">EcDsaJwsSignatureVerifier</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3.5"
rel="nofollow">RSASSA-PSS</a></td><td cols
 pan="1" rowspan="1" class="confluenceTd">PS256, PS384, PS512</td><td colspan="1"
rowspan="1" class="confluenceTd">PrivateKeyJwsSignatureProvider</td><td colspan="1"
rowspan="1" class="confluenceTd">PublicKeyJwsSignatureVerifier</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3.6"
rel="nofollow">None</a></td><td colspan="1" rowspan="1" class="confluenceTd">none</td><td
colspan="1" rowspan="1" class="confluenceTd">NoneJwsSignatureProvider</td><td
colspan="1" rowspan="1" class="confluenceTd">NoneJwsSignatureVerifier</td></tr></tbody></table></div><p>Either
of these providers (except for None) can be initialized with the keys loaded from JWK or Java
JKS stores or from the in-memory representations.</p><p>RS256/384/512 algorithms
are likely to be used most often at the moment due to existing JKS stores being available
everywhere and a relatively easy way of making the public validation k
 eys available. 'None' algorithm might be useful when a JWS sequence is subsequently JWE-encrypted
or when a 2-way TLS (with client and server certificates) is used.</p><p>Once
you have decided which algorithm needs to be supported you can initialize an appropriate pair
of JwsSignatureProvider and JwsSignatureVerifier if both signing the data and the verification
are needed. If only the signing is needed - select JwsSignatureProvider, only the verification
- select JwsSignatureVerifier. The selected providers are submitted to JWS Compact or JWS
JSON producers or consumers.</p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java"
rel="nofollow">JwsUtils</a> utility class has a lot of helper methods to load JwsSignatureProvider
or JwsSignatureVerifier and to get JWS sequences created and validated.</p><h3 id="JAX-RSJOSE-JWSCompact">JWS
Compact</h3><p><a sh
 ape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515#section-3.3" rel="nofollow">JWS
Compact representation</a> is the most often used JWS sequence format. It is the concatenation
of Base64URL-encoded sequence of JWS headers (algorithm and other properties),&#160; Base64URL-encoded
sequence of the actual data being protected and Base64URL-encoded sequence of the signature
algorithm output bytes.</p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactProducer.java"
rel="nofollow">JwsCompactProducer</a> and <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactConsumer.java"
rel="nofollow">JwsCompactConsumer</a> offer a support for producing and consuming
compact JWS sequences, protecting the data in JSON or non-JS
 ON formats.</p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJwtCompactProducer.java"
rel="nofollow">JwsJwtCompactProducer</a> and <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJwtCompactConsumer.java"
rel="nofollow">JwsJwtCompactConsumer</a> are their simple extensions which help with
processing typed JWT Tokens.</p><p>&#160;For example, here is how an <a
shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515#appendix-A.1"
rel="nofollow">Appendix A1</a> example can be done in CXF:</p><p>&#160;</p><div
class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader
pdl" style="border-bottom-width: 1px;"><b>CXF JWS Compact HMac</b></div><div
class="codeContent panelContent pdl">
 <pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">JwtClaims
claims = new JwtClaims();
 claims.setIssuer("joe");
 claims.setExpiryTime(1300819380L);
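Review bot: In the added paragraph after the providers table, the sentence "'None' algorithm might be useful when a JWS sequence is subsequently JWE-encrypted or when a 2-way TLS (with client and server certificates) is used" presents alg 'none' as an option without stating that such a sequence has no integrity protection of its own, and the table lists NoneJwsSignatureVerifier alongside the real verifiers with no caveat. Suggest adding a sentence next to the None row saying that a consumer should accept 'none' only when that verifier has been selected deliberately and the outer JWE or TLS layer is confirmed to be in place. Separately, the assertEquals(KeyType.RSA, keyType) fix and the pre-to-p change appear to be the only real edits, yet the rest of the page shows as removed and re-added because the HTML sits on one line, which makes the hunk hard to review.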


