cxf-commits mailing list archives

From build...@apache.org
Subject svn commit: r1014655 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-jose.html
Date Wed, 28 Jun 2017 13:47:32 GMT
Author: buildbot
Date: Wed Jun 28 13:47:32 2017
New Revision: 1014655

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/jax-rs-jose.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-jose.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-jose.html (original)
+++ websites/production/cxf/content/docs/jax-rs-jose.html Wed Jun 28 13:47:32 2017
@@ -119,11 +119,11 @@ Apache CXF -- JAX-RS JOSE
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><p>&#160;</p><p>&#160;</p><p><style
type="text/css">/*<![CDATA[*/
-div.rbtoc1497631622116 {padding: 0px;}
-div.rbtoc1497631622116 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1497631622116 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1498657619217 {padding: 0px;}
+div.rbtoc1498657619217 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1498657619217 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1497631622116">
+/*]]>*/</style></p><div class="toc-macro rbtoc1498657619217">
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSJOSE-Introduction">Introduction</a></li><li><a
shape="rect" href="#JAX-RSJOSE-MavenDependencies">Maven Dependencies</a></li><li><a
shape="rect" href="#JAX-RSJOSE-JavaandJCEPolicy">Java and JCE Policy&#160;</a></li><li><a
shape="rect" href="#JAX-RSJOSE-JOSEOverviewandImplementation">JOSE Overview and Implementation</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSJOSE-JWAAlgorithms">JWA
Algorithms</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWKKeys">JWK
Keys</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSSignature">JWS
Signature</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSJOSE-SignatureandVerificationProviders">Signature
and Verification Providers</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSCompact">JWS
Compact</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSJSON">JWS
JSON</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSwithDetachedContent">JWS
with Detached Content</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSwithUnencodedPayload">JWS
with Unencoded Payload</a></li></ul>
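Review bot: the only change in this hunk is the regenerated Confluence TOC class suffix (rbtoc1497631622116 to rbtoc1498657619217) in the three CSS rules and the matching div class; it is publish-time churn with no visible effect and nothing in the TOC entries themselves changed, so this part of the commit carries no content to review beyond confirming the style rules and the div still reference the same suffix, which they do.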
@@ -850,7 +850,7 @@ JweDecryptionProvider jweIn = JweUtils.l
 </div></div><p>The providers may be initialized from a single properties
file or each of them may have specific properties allocated to it.</p><p>Sometimes
it can be useful to load the properties only and check the signature or encryption algorithm
and load a JWS or JWE provider directly as shown in JWS and JWE sections above.</p><div
class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader
pdl" style="border-bottom-width: 1px;"><b>Loading JWS and JWE properties</b></div><div
class="codeContent panelContent pdl">
 <pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">Properties
jwsProps = JweUtils.loadEncryptionProperties("jws.properties", true);
 Properties jweProps = JweUtils.loadEncryptionProperties("jwe.properties", true);</pre>
-</div></div><p>After loading the properties one can check various property
values (signature algorithm, etc) and use it to create a required provider.</p><p>The
above code needs to be executed in the context of the current request (in server or client
in/out interceptors or server service code) as it expects the current CXF Message be available
in order to deduce where to load the configuration properties from. However&#160;<a
shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java"
rel="nofollow">JwsUtils</a> and&#160;<a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java"
rel="nofollow">JweUtils</a> provide a number of utility methods for loading the providers
without loading the properties first which can be used when setting up the c
 lient code or when no properties are available in the current request context.</p><p>&#160;</p><p>When
the code needs to load the configuration properties it first looks for the property 'container'
file which contains the specific properties instructing which keys and algorithms need to
be used. Singature or encryption properties for in/out operations can be provided. &#160;</p><h2
id="JAX-RSJOSE-ConfigurationPropertyContainers">Configuration Property Containers</h2><h3
id="JAX-RSJOSE-Signature">Signature</h3><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.out.properties</td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file for
Compact or JSON signature creation. If not specified then it falls back to "rs.security.signature.properties".</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.in.properties</td><td
colspan="1" rowspa
 n="1" class="confluenceTd"><p>The signature properties file for Compact or JSON
signature verification. If not specified then it falls back to "rs.security.signature.properties".</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.properties</td><td
colspan="1" rowspan="1" class="confluenceTd">The signature properties file for Compact
or JSON signature creation/verification.</td></tr></tbody></table></div><h3
id="JAX-RSJOSE-Encryption">Encryption</h3><div class="table-wrap"><table
class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.out.properties</td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The encryption properties file for
Compact or JSON encryption creation. If not specified then it falls back to "rs.security.encryption.properties".</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.in.properties</td><td
colspan="1" rowspan="1" class="conflue
 nceTd"><p>The encryption properties file for Compact or JSON decryption. If not
specified then it falls back to "rs.security.encryption.properties".</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.properties</td><td
colspan="1" rowspan="1" class="confluenceTd">The encryption properties file for encryption/decryption.</td></tr></tbody></table></div><p>Note
that these property containers can be used for creating/processing JWS and JWE Compact and
JSON sequences. If it is either JWS JSON or JWE JSON and you wish to have more than one signature
or encryption be created then let the property value be a commas separated list of locations,
with each location pointing to a unique signature or encryption operation property file.</p><p>Once
the properties are loaded the runtime proceeds with initializing JWS/JWE providers accordingly.
The following section lists the properties, some oif them being common and some - unique to
the signature/verification 
 and encryption/decryption processes.</p><p>Note that one can override some of
the properties, for example, 'rs.security.store' can be set as a dynamic request property
pointing to a preloaded Java KeyStore object.</p><h2 id="JAX-RSJOSE-Configurationthatappliestobothencryptionandsignature">Configuration
that applies to both encryption and signature</h2><div class="table-wrap"><table
class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore</td><td
colspan="1" rowspan="1" class="confluenceTd">The Java KeyStore Object to use. This configuration
tag is used if you want to pass the KeyStore Object through dynamically.</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>rs.security.keystore.type</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The keystore type. Suitable values
are "jks" or "jwk".</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">rs.security.keystore.password</td><td colspan="1" rowspan
 ="1" class="confluenceTd">The password required to access the keystore.</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore.alias</td><td
colspan="1" rowspan="1" class="confluenceTd">&#160;The keystore alias corresponding
to the key to use. You can append one of the following to this tag to get the alias for more
specific operations:<br clear="none">&#160;&#160;&#160;&#160; - jwe.out<br
clear="none">&#160;&#160;&#160;&#160; - jwe.in<br clear="none">&#160;&#160;&#160;&#160;
- jws.out<br clear="none">&#160;&#160;&#160;&#160; - jws.in</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore.aliases</td><td
colspan="1" rowspan="1" class="confluenceTd">The keystore aliases corresponding to the
keys to use, when using the JSON serialization form. You can append one of the following to
this tag to get the alias for more specific operations:<br clear="none">&#160;&#160;&#160;&#160;
- jws.out<br clear="none">&#160;&#160;&#160;&#160; - 
 jws.in</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore.file</td><td
colspan="1" rowspan="1" class="confluenceTd">The path to the keystore file.</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.key.password</td><td
colspan="1" rowspan="1" class="confluenceTd">The password required to access the private
key (in the keystore).</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.key.password.provider</td><td
colspan="1" rowspan="1" class="confluenceTd">A reference to a PrivateKeyPasswordProvider
instance used to retrieve passwords to access keys.</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.accept.public.key</td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Whether to allow using a JWK received
in the header for signature validation. The default is "false".</p></td></tr></tbody></table></div><h2
id="JAX-RSJOSE-Configurationthatappliestosignatureonly">Configuration that ap
 plies to signature only</h2><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>rs.security.signature.key.password.provider</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>A reference to a PrivateKeyPasswordProvider
instance used to retrieve passwords to access keys for signature. If this is not specified
it falls back to use "rs.security.key.password.provider".</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.algorithm</td><td
colspan="1" rowspan="1" class="confluenceTd">The signature algorithm to use. The default
algorithm if not specified is 'RS256'.</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">rs.security.signature.include.public.key</td><td colspan="1"
rowspan="1" class="confluenceTd">Include the JWK public key for signature in the "jwk"
header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.include.cert</td><
 td colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate for signature
in the "x5c" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.include.key.id</td><td
colspan="1" rowspan="1" class="confluenceTd">Include the JWK key id for signature in the
"kid" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.include.cert.sha1</td><td
colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate SHA-1 digest
for signature in the "x5t" header.</td></tr></tbody></table></div><h2
id="JAX-RSJOSE-Configurationthatappliestoencryptiononly">Configuration that applies to
encryption only</h2><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>rs.security.decryption.key.password.provider</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>A reference to a PrivateKeyPasswordProvider
instance used to retrieve passwo
 rds to access keys for decryption. If this is not specified it falls back to use "rs.security.key.password.provider".</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.content.algorithm</td><td
colspan="1" rowspan="1" class="confluenceTd">The encryption content algorithm to use. The
default algorithm if not specified is 'A128GCM'.</td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd">rs.security.encryption.key.algorithm</td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The encryption key algorithm to use.
The default algorithm if not specified is 'RSA-OAEP' if the key is an RSA key, and 'A128GCMKW'
if it is an octet sequence.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">rs.security.encryption.zip.algorithm</td><td colspan="1"
rowspan="1" class="confluenceTd">The encryption zip algorithm to use.</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.include.public.key</td><td
colsp
 an="1" rowspan="1" class="confluenceTd">Include the JWK public key for&#160;encryption
in the "jwk" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.include.cert</td><td
colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate for&#160;encryption
in the "x5c" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.include.key.id</td><td
colspan="1" rowspan="1" class="confluenceTd">Include the JWK key id for&#160;encryption
in the "kid" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.include.cert.sha1</td><td
colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate SHA-1 digest
for&#160;encryption in the "x5t" header.</td></tr></tbody></table></div><h2
id="JAX-RSJOSE-ConfigurationthatappliestoJWTtokensonly">Configuration that applies to JWT
tokens only</h2><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td
  colspan="1" rowspan="1" class="confluenceTd"><p>rs.security.enable.unsigned-jwt.principal</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Whether to allow unsigned JWT tokens
as SecurityContext Principals. The default is false.</p></td></tr></tbody></table></div><h1
id="JAX-RSJOSE-Interoperability">Interoperability</h1><p>&#160;</p><p><a
shape="rect" class="external-link" href="https://datatracker.ietf.org/wg/jose/documents/"
rel="nofollow">JOSE</a> is already widely supported in OAuth2 and OIDC applications.
Besides that CXF JOSE client or server will interoperate with a 3rd party client/server able
to produce or consume JWS/JWE sequences.&#160; For example, see a <a shape="rect" class="external-link"
href="https://www.w3.org/TR/WebCryptoAPI/#jose" rel="nofollow">WebCrypto API use case</a>
and&#160; <a shape="rect" class="external-link" href="https://mobilepki.org/WCPPSignatureDemo/home"
rel="nofollow">the demo</a> which demonstrates how a JWS sequence produced by a br
 owser-hosted script can be validated by a server application capable of processing JWS, with
the demo browser client being tested against a CXF JWS server too.&#160;</p><p>&#160;</p><h1
id="JAX-RSJOSE-Third-PartyLibraries">Third-Party Libraries</h1><p><a shape="rect"
class="external-link" href="https://bitbucket.org/b_c/jose4j/wiki/Home" rel="nofollow">Jose4J</a></p><p><a
shape="rect" class="external-link" href="http://connect2id.com/products/nimbus-jose-jwt" rel="nofollow">Nimbus
JOSE</a></p><p>&#160;</p></div>
+</div></div><p>After loading the properties one can check various property
values (signature algorithm, etc) and use it to create a required provider.</p><p>The
above code needs to be executed in the context of the current request (in server or client
in/out interceptors or server service code) as it expects the current CXF Message be available
in order to deduce where to load the configuration properties from. However&#160;<a
shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java"
rel="nofollow">JwsUtils</a> and&#160;<a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java"
rel="nofollow">JweUtils</a> provide a number of utility methods for loading the providers
without loading the properties first which can be used when setting up the c
 lient code or when no properties are available in the current request context.</p><p>&#160;</p><p>When
the code needs to load the configuration properties it first looks for the property 'container'
file which contains the specific properties instructing which keys and algorithms need to
be used. Singature or encryption properties for in/out operations can be provided. &#160;</p><h2
id="JAX-RSJOSE-ConfigurationPropertyContainers">Configuration Property Containers</h2><h3
id="JAX-RSJOSE-Signature">Signature</h3><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.out.properties</td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file for
Compact or JSON signature creation. If not specified then it falls back to "rs.security.signature.properties".</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.in.properties</td><td
colspan="1" rowspa
 n="1" class="confluenceTd"><p>The signature properties file for Compact or JSON
signature verification. If not specified then it falls back to "rs.security.signature.properties".</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.properties</td><td
colspan="1" rowspan="1" class="confluenceTd">The signature properties file for Compact
or JSON signature creation/verification.</td></tr></tbody></table></div><h3
id="JAX-RSJOSE-Encryption">Encryption</h3><div class="table-wrap"><table
class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.out.properties</td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The encryption properties file for
Compact or JSON encryption creation. If not specified then it falls back to "rs.security.encryption.properties".</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.in.properties</td><td
colspan="1" rowspan="1" class="conflue
 nceTd"><p>The encryption properties file for Compact or JSON decryption. If not
specified then it falls back to "rs.security.encryption.properties".</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.properties</td><td
colspan="1" rowspan="1" class="confluenceTd">The encryption properties file for encryption/decryption.</td></tr></tbody></table></div><p>Note
that these property containers can be used for creating/processing JWS and JWE Compact and
JSON sequences. If it is either JWS JSON or JWE JSON and you wish to have more than one signature
or encryption be created then let the property value be a commas separated list of locations,
with each location pointing to a unique signature or encryption operation property file.</p><p>Once
the properties are loaded the runtime proceeds with initializing JWS/JWE providers accordingly.
The following section lists the properties, some oif them being common and some - unique to
the signature/verification 
 and encryption/decryption processes.</p><p>Note that one can override some of
the properties, for example, 'rs.security.store' can be set as a dynamic request property
pointing to a preloaded Java KeyStore object.</p><h2 id="JAX-RSJOSE-Configurationthatappliestobothencryptionandsignature">Configuration
that applies to both encryption and signature</h2><div class="table-wrap"><table
class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore</td><td
colspan="1" rowspan="1" class="confluenceTd">The Java KeyStore Object to use. This configuration
tag is used if you want to pass the KeyStore Object through dynamically.</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>rs.security.keystore.type</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The keystore type. Suitable values
are "jks" or "jwk".</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">rs.security.keystore.password</td><td colspan="1" rowspan
 ="1" class="confluenceTd">The password required to access the keystore.</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore.alias</td><td
colspan="1" rowspan="1" class="confluenceTd">&#160;The keystore alias corresponding
to the key to use. You can append one of the following to this tag to get the alias for more
specific operations:<br clear="none">&#160;&#160;&#160;&#160; - jwe.out<br
clear="none">&#160;&#160;&#160;&#160; - jwe.in<br clear="none">&#160;&#160;&#160;&#160;
- jws.out<br clear="none">&#160;&#160;&#160;&#160; - jws.in</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore.aliases</td><td
colspan="1" rowspan="1" class="confluenceTd">The keystore aliases corresponding to the
keys to use, when using the JSON serialization form. You can append one of the following to
this tag to get the alias for more specific operations:<br clear="none">&#160;&#160;&#160;&#160;
- jws.out<br clear="none">&#160;&#160;&#160;&#160; - 
 jws.in</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore.file</td><td
colspan="1" rowspan="1" class="confluenceTd">The path to the keystore file.</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.key.password</td><td
colspan="1" rowspan="1" class="confluenceTd">The password required to access the private
key (in the keystore).</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.key.password.provider</td><td
colspan="1" rowspan="1" class="confluenceTd">A reference to a PrivateKeyPasswordProvider
instance used to retrieve passwords to access keys.</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.accept.public.key</td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Whether to allow using a JWK received
in the header for signature validation. The default is "false".</p></td></tr></tbody></table></div><h2
id="JAX-RSJOSE-Configurationthatappliestosignatureonly">Configuration that ap
 plies to signature only</h2><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>rs.security.signature.key.password.provider</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>A reference to a PrivateKeyPasswordProvider
instance used to retrieve passwords to access keys for signature. If this is not specified
it falls back to use "rs.security.key.password.provider".</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.algorithm</td><td
colspan="1" rowspan="1" class="confluenceTd">The signature algorithm to use. The default
algorithm if not specified is 'RS256'.</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">rs.security.signature.include.public.key</td><td colspan="1"
rowspan="1" class="confluenceTd">Include the JWK public key for signature in the "jwk"
header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.include.cert</td><
 td colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate for signature
in the "x5c" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.include.key.id</td><td
colspan="1" rowspan="1" class="confluenceTd">Include the JWK key id for signature in the
"kid" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.include.cert.sha1</td><td
colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate SHA-1 digest
for signature in the "x5t" header.</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">rs.security.signature.include.cert.sha256</td><td colspan="1"
rowspan="1" class="confluenceTd">Include the X.509 certificate SHA-256 digest for signature
in the "x5t#S256" header.</td></tr></tbody></table></div><h2
id="JAX-RSJOSE-Configurationthatappliestoencryptiononly">Configuration that applies to
encryption only</h2><div class="table-wrap"><table class="confluenceTable"><t
 body><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>rs.security.decryption.key.password.provider</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>A reference to a PrivateKeyPasswordProvider
instance used to retrieve passwords to access keys for decryption. If this is not specified
it falls back to use "rs.security.key.password.provider".</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.content.algorithm</td><td
colspan="1" rowspan="1" class="confluenceTd">The encryption content algorithm to use. The
default algorithm if not specified is 'A128GCM'.</td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd">rs.security.encryption.key.algorithm</td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The encryption key algorithm to use.
The default algorithm if not specified is 'RSA-OAEP' if the key is an RSA key, 'ECDH-ES-A128KW'&#160;
if the key is an EC key and 'A128GCMKW' if it is an octet sequence.</p></td></tr><tr><td

 colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.zip.algorithm</td><td
colspan="1" rowspan="1" class="confluenceTd">The encryption zip algorithm to use.</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.include.public.key</td><td
colspan="1" rowspan="1" class="confluenceTd">Include the JWK public key for&#160;encryption
in the "jwk" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.include.cert</td><td
colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate for&#160;encryption
in the "x5c" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.include.key.id</td><td
colspan="1" rowspan="1" class="confluenceTd">Include the JWK key id for&#160;encryption
in the "kid" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.include.cert.sha1</td><td
colspan="1" rowspan="1" class="confluenceTd">Inclu
 de the X.509 certificate SHA-1 digest for&#160;encryption in the "x5t" header.</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.include.cert.sha256</td><td
colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate SHA-256 digest
for&#160;encryption in the "x5t#S256" header.</td></tr></tbody></table></div><h2
id="JAX-RSJOSE-ConfigurationthatappliestoJWTtokensonly">Configuration that applies to JWT
tokens only</h2><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>rs.security.enable.unsigned-jwt.principal</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Whether to allow unsigned JWT tokens
as SecurityContext Principals. The default is false.</p></td></tr></tbody></table></div><h1
id="JAX-RSJOSE-Interoperability">Interoperability</h1><p>&#160;</p><p><a
shape="rect" class="external-link" href="https://datatracker.ietf.org/wg/jose/documents/"
rel="nofollow">J
 OSE</a> is already widely supported in OAuth2 and OIDC applications. Besides that CXF
JOSE client or server will interoperate with a 3rd party client/server able to produce or
consume JWS/JWE sequences.&#160; For example, see a <a shape="rect" class="external-link"
href="https://www.w3.org/TR/WebCryptoAPI/#jose" rel="nofollow">WebCrypto API use case</a>
and&#160; <a shape="rect" class="external-link" href="https://mobilepki.org/WCPPSignatureDemo/home"
rel="nofollow">the demo</a> which demonstrates how a JWS sequence produced by a browser-hosted
script can be validated by a server application capable of processing JWS, with the demo browser
client being tested against a CXF JWS server too.&#160;</p><p>&#160;</p><h1
id="JAX-RSJOSE-Third-PartyLibraries">Third-Party Libraries</h1><p><a shape="rect"
class="external-link" href="https://bitbucket.org/b_c/jose4j/wiki/Home" rel="nofollow">Jose4J</a></p><p><a
shape="rect" class="external-link" href="http://connect2id.com/products/nimbus-jose-
 jwt" rel="nofollow">Nimbus JOSE</a></p><p>&#160;</p></div>
            </div>
            <!-- Content -->
          </td>
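Review bot: the added line carries over three defects from the removed one that the regeneration was a chance to fix: the typo "Singature" in the paragraph before the "Configuration Property Containers" heading, "some oif them" in the paragraph after the encryption table, and the override example that names 'rs.security.store', which matches no property in the tables (the table entry for a dynamically supplied KeyStore object is rs.security.keystore, so that is presumably the intended name). The substantive additions look right and consistent with each other: the new rs.security.signature.include.cert.sha256 and rs.security.encryption.include.cert.sha256 rows both map to the "x5t#S256" header, mirroring the existing SHA-1 "x5t" rows, and the rs.security.encryption.key.algorithm default now lists 'ECDH-ES-A128KW' for EC keys alongside 'RSA-OAEP' and 'A128GCMKW'. One point in the unchanged context just above the change: the snippet labelled "Loading JWS and JWE properties" loads jwsProps via JweUtils.loadEncryptionProperties("jws.properties", true), which reads as a copy-paste slip; the JWS properties are presumably meant to come from the corresponding JwsUtils signature-properties loader, and that line is worth correcting in the source page so the next buildbot publish picks it up.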


