Author: buildbot
Date: Mon Oct 26 15:47:38 2015
New Revision: 970284
Log:
Production update by buildbot for cxf
Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/jax-rs-jose.html
Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.
Modified: websites/production/cxf/content/docs/jax-rs-jose.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-jose.html (original)
+++ websites/production/cxf/content/docs/jax-rs-jose.html Mon Oct 26 15:47:38
2015
@@ -118,15 +118,15 @@ Apache CXF -- JAX-RS JOSE
<!-- Content -->
<div class="wiki-content">
<div id="ConfluenceContent"><p> </p><p><style
type="text/css">/*<![CDATA[*/
-div.rbtoc1445870818075 {padding: 0px;}
-div.rbtoc1445870818075 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1445870818075 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1445874425776 {padding: 0px;}
+div.rbtoc1445874425776 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1445874425776 li {margin-left: 0px;padding-left: 0px;}
-/*]]>*/</style></p><div class="toc-macro rbtoc1445870818075">
+/*]]>*/</style></p><div class="toc-macro rbtoc1445874425776">
<ul class="toc-indentation"><li><a shape="rect"
href="#JAX-RSJOSE-Introduction">Introduction</a></li><li><a shape="rect"
href="#JAX-RSJOSE-MavenDependencies">Maven Dependencies</a></li><li><a
shape="rect" href="#JAX-RSJOSE-JOSEOverview">JOSE Overview</a></li><li><a
shape="rect" href="#JAX-RSJOSE-JWAAlgorithms">JWA Algorithms</a></li><li><a
shape="rect" href="#JAX-RSJOSE-JWKKeys">JWK Keys</a></li><li><a shape="rect"
href="#JAX-RSJOSE-JWSSignature">JWS Signature</a></li><li><a shape="rect"
href="#JAX-RSJOSE-JSONEncryption">JSON Encryption</a></li><li><a shape="rect"
href="#JAX-RSJOSE-JSONWebTokens">JSON Web Tokens</a></li><li><a shape="rect"
href="#JAX-RSJOSE-LinkingJWTauthenticationstoJWSorJWEcontent">Linking JWT
authentications to JWS or JWE content</a></li><li><a shape="rect"
href="#JAX-RSJOSE-JOSEJAX-RSFilters">JOSE JAX-RS Filters</a>
<ul class="toc-indentation"><li><a shape="rect"
href="#JAX-RSJOSE-JWE">JWE</a></li><li><a shape="rect"
href="#JAX-RSJOSE-JWS">JWS</a></li></ul>
</li><li><a shape="rect" href="#JAX-RSJOSE-Configuration">Configuration</a>
-<ul class="toc-indentation"><li><a shape="rect"
href="#JAX-RSJOSE-Configurationthatappliestobothencryptionandsignature">Configuration
that applies to both encryption and signature</a></li><li><a shape="rect"
href="#JAX-RSJOSE-Configurationthatappliestosignatureonly">Configuration that
applies to signature only</a></li></ul>
+<ul class="toc-indentation"><li><a shape="rect"
href="#JAX-RSJOSE-Configurationthatappliestobothencryptionandsignature">Configuration
that applies to both encryption and signature</a></li><li><a shape="rect"
href="#JAX-RSJOSE-Configurationthatappliestosignatureonly">Configuration that
applies to signature only</a></li><li><a shape="rect"
href="#JAX-RSJOSE-Configurationthatappliestoencryptiononly">Configuration that
applies to encryption only</a></li><li><a shape="rect"
href="#JAX-RSJOSE-ConfigurationthatappliestoJWTtokensonly">Configuration that
applies to JWT tokens only</a></li></ul>
</li><li><a shape="rect" href="#JAX-RSJOSE-EncryptingJWKstores">Encrypting JWK
stores</a></li><li><a shape="rect" href="#JAX-RSJOSE-OAuth2andJose">OAuth2 and
Jose</a></li><li><a shape="rect" href="#JAX-RSJOSE-OIDCandJose">OIDC and
Jose</a></li><li><a shape="rect" href="#JAX-RSJOSE-FutureWork">Future
Work</a></li><li><a shape="rect"
href="#JAX-RSJOSE-Third-PartyAlternatives">Third-Party
Alternatives</a></li></ul>
</div><h1 id="JAX-RSJOSE-Introduction">Introduction</h1><p>CXF 3.0.x
implements <a shape="rect" class="external-link"
href="https://datatracker.ietf.org/wg/jose/documents/";
rel="nofollow">JOSE</a>.</p><h1 id="JAX-RSJOSE-MavenDependencies">Maven
Dependencies</h1><div class="code panel pdl" style="border-width: 1px;"><div
class="codeContent panelContent pdl">
<pre class="brush: xml; gutter: false; theme: Default"
style="font-size:12px;"><dependency>
@@ -176,7 +176,7 @@ AesWrapKeyDecryptionAlgorithm keyDecrypt
JweDecryptionProvider decryption = new AesCbcHmacJweDecryption(keyDecryption);
String decryptedText = decryption.decrypt(jweContent).getContentText();
assertEquals(specPlainText, decryptedText);</pre>
-</div></div><p> </p><p>CXF ships JWE related classes in <a shape="rect"
class="external-link"
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe;h=71e0e29025252080838168458b3d2e0179a7a0bd;hb=HEAD";>this
package</a> and offers a support for all of JWA encryption
algorithms.</p><p><a shape="rect" class="external-link"
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionProvider.java;h=615212b1622abb1c0a8b06a3b5498d8b6199d0cc;hb=HEAD";>JweEncryptionProvider</a>
supports encrypting the content, <a shape="rect" class="external-link"
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionProvider.java;h=1f4861a2d78df5514ff74c40330c1a5f5933f47d;hb=HEAD";>JweDecryptionProvider</a>
- decrypting the content. Encryptors and
Decryptors for all of JWE algorithms are shipped.</p><p>JweCompactConsumer
and JweCompactProducer offer a utility support for creating and validating JWE
compact serialization and accept keys in a variety of formats</p><p>(as JWKs,
JCA representations, created out of band and wrapped in either
JweEncryptionProvider or JweDecryptionProvider).</p><p>JweJwtCompactConsumer
and JweJwtCompactProducer are JweCompactConsumer and JweCompactProducer
specializations that offer a utility support for encrypting Json Web Tokens in
a compact format.</p><p>JweJsonConsumer and JweJsonProducer support JWE JSON
(full) serialization.</p><p>JweOutputStream is a specialized output stream that
can be used in conjunction with JWE JAX-RS filters (see one of the next
sections)</p><p>to support the best effort at streaming the content while
encrypting it.  These classes will use <a shape="rect"
class="external-link"
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src
/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionOutput.java;h=918ef5a085c3dc51025e2e9cbba37388f37eb49e;hb=HEAD">JweEncryptionOutput</a> 
optionally returned from JweEncryptionProvider</p><p>instead of working with
the consumer utility classes which deal with the encryption process completely
in memory.</p><p> </p><p>Many more examples will be added here.</p><h1
id="JAX-RSJOSE-JSONWebTokens">JSON Web Tokens</h1><p> </p><p><a
shape="rect" class="external-link"
href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32";
rel="nofollow">JSON Web Token</a> (JWT) is a collection of claims in JSON
format. It offers a standard JSON container for representing various properties
or claims.</p><p>JWT can be signed and or encrypted, i.e, serve as a JOSE
signature or encryption input like any other data
structure.</p><p> </p><p>JWT has been primarily used in OAuth2
applications to represent self-contained access tokens but can also be used in
other contex
ts.</p><p>CXF offers an initial JWT support in <a shape="rect"
class="external-link"
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt;h=ab5e633cd9d81374288c46c7d283df49931cc0d8;hb=HEAD";>this
package</a>.</p><h1
id="JAX-RSJOSE-LinkingJWTauthenticationstoJWSorJWEcontent">Linking JWT
authentications to JWS or JWE content</h1><p>Add more...</p><h1
id="JAX-RSJOSE-JOSEJAX-RSFilters">JOSE JAX-RS Filters</h1><h2
id="JAX-RSJOSE-JWE">JWE</h2><h2 id="JAX-RSJOSE-JWS">JWS</h2><h1
id="JAX-RSJOSE-Configuration">Configuration</h1><h4
id="JAX-RSJOSE-Configurationthatappliestobothencryptionandsignature">Configuration
that applies to both encryption and signature</h4><div
class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1"
rowspan="1" class="confluenceTd"><p>rs.security.keystore.type</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The keystore type. Suitable
values are "jks" or "j
wk".</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">rs.security.keystore.password</td><td colspan="1"
rowspan="1" class="confluenceTd">The password required to access the
keystore.</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">rs.security.keystore.alias</td><td colspan="1" rowspan="1"
class="confluenceTd"> The keystore alias corresponding to the key to use.
You can append one of the following to this tag to get the alias for more
specific operations:<br clear="none">     - jwe.out<br
clear="none">     - jwe.in<br
clear="none">     - jws.out<br
clear="none">     - jws.in</td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd">rs.security.keystore.aliases</td><td
colspan="1" rowspan="1" class="confluenceTd">The keystore aliases corresponding
to the keys to use, when using the JSON serialization form. You can append one
of the following to this tag to get the al
ias for more specific operations:<br clear="none">     -
jws.out<br clear="none">     - jws.in</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore.file</td><td
colspan="1" rowspan="1" class="confluenceTd">The path to the keystore
file.</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">rs.security.key.password</td><td colspan="1" rowspan="1"
class="confluenceTd">The password required to access the private key (in the
keystore).</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">rs.security.key.password.provider</td><td colspan="1"
rowspan="1" class="confluenceTd">A reference to a PrivateKeyPasswordProvider
instance used to retrieve passwords to access keys.</td></tr><tr><td
colspan="1" rowspan="1"
class="confluenceTd">rs.security.include.public.key</td><td colspan="1"
rowspan="1" class="confluenceTd">Include the JWK public key (for signature or
encryption) in the "jwk" header.</td></tr><tr><
td colspan="1" rowspan="1"
class="confluenceTd">rs.security.include.cert</td><td colspan="1" rowspan="1"
class="confluenceTd">Include the X.509 certificate (for signature or
encryption) in the "x5c" header.</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">rs.security.include.key.id</td><td colspan="1" rowspan="1"
class="confluenceTd">Include the JWK key id (for signature or encryption) in
the "kid" header.</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">rs.security.include.cert.sha1</td><td colspan="1"
rowspan="1" class="confluenceTd">Include the X.509 certificate SHA-1 digest
(for signature or encryption) in the "x5t" header.</td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd">rs.security.accept.public.key</td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Whether to allow using a JWK
received in the header for signature validation. The default is
"false".</p></td></tr></tbody></table></div><h4
id="JAX-RSJOSE-Configurationthatappliestosigna
tureonly">Configuration that applies to signature only</h4><div
class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1"
rowspan="1"
class="confluenceTd"><p>rs.security.signature.key.password.provider</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>A reference to a
PrivateKeyPasswordProvider instance used to retrieve passwords to access keys
for signature. If this is not specified it falls back to use
"rs.security.key.password.provider".</p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd">rs.security.signature.algorithm</td><td
colspan="1" rowspan="1" class="confluenceTd">The signature algorithm to use.
The default algorithm if not specified is 'RS256'.</td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd">rs.security.signature.out.properties</td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file
for compact signature creation. If not specified then it falls back to
"rs.security.signature.properties
".</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">rs.security.signature.in.properties</td><td colspan="1"
rowspan="1" class="confluenceTd"><p>The signature properties file for compact
signature verification. If not specified then it falls back to
"rs.security.signature.properties".</p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd">rs.security.signature.properties</td><td
colspan="1" rowspan="1" class="confluenceTd">The signature properties file for
compact signature creation/verification.</td></tr><tr><td colspan="1"
rowspan="1"
class="confluenceTd">rs.security.signature.out.list.properties</td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file
for JSON Serialization signature creation. If not specified then it falls back
to "rs.security.signature.list.properties".</p></td></tr><tr><td colspan="1"
rowspan="1"
class="confluenceTd">rs.security.signature.in.list.properties</td><td
colspan="1" rowspan="1" class="confluenc
eTd"><p>The signature properties file for JSON Serialization signature
verification. If not specified then it falls back to
"rs.security.signature.list.properties".</p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd">rs.security.signature.list.properties</td><td
colspan="1" rowspan="1" class="confluenceTd">The signature properties file for
JSON Serialization signature creation/verification.</td></tr><tr><td
colspan="1" rowspan="1"
class="confluenceTd">rs.security.signature.include.public.key</td><td
colspan="1" rowspan="1" class="confluenceTd">Include the JWK public key for
signature in the "jwk" header. If not specified then it falls back to
"rs.security.include.public.key".</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">rs.security.signature.include.cert</td><td colspan="1"
rowspan="1" class="confluenceTd">Include the X.509 certificate for signature in
the "x5c" header. If not specified then it falls back to
"rs.security.include.cert".</td></tr><tr><td
colspan="1" rowspan="1"
class="confluenceTd">rs.security.signature.include.key.id</td><td colspan="1"
rowspan="1" class="confluenceTd">Include the JWK key id for signature in the
"kid" header. If not specified then it falls back to
"rs.security.include.key.id".</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">rs.security.signature.include.cert.sha1</td><td
colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate
SHA-1 digest for signature in the "x5t" header. If not specified then it falls
back to "rs.security.include.cert.sha1"/</td></tr></tbody></table></div><h1
id="JAX-RSJOSE-EncryptingJWKstores">Encrypting JWK stores</h1><p>JAX-RS filters
can read the keys from encrypted JWK stores. The stores are encrypted inline or
in separate storages (files). By default the filters expect that the stores has
been encrypted using</p><p>a password based <a shape="rect"
class="external-link"
href="https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40
#section-4.8" rel="nofollow">PBES2 algorithm</a>. The filters will check a
registered <a shape="rect" class="external-link"
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/PrivateKeyPasswordProvider.java;h=bfcde495a9f9fd0f11a2394c758be1d85beb5c60;hb=HEAD";>password
provider</a>.</p><h1 id="JAX-RSJOSE-OAuth2andJose">OAuth2 and Jose</h1><p>CXF
OAuth2 module depends on its JOSE module. This will be used to support OAuth2
POP tokens. Authorization code JOSE requests can already be processed. Utility
support for validating JWT-based access tokens is provided.</p><p>Add
more...</p><h1 id="JAX-RSJOSE-OIDCandJose">OIDC and Jose</h1><p>OIDC heavily
depends on JOSE. CXF OIDC module utilizes a JOSE module to support OIDC RP and
IDP code. Add more...</p><h1 id="JAX-RSJOSE-FutureWork">Future
Work</h1><p>OAuth2, WebCrypto, OIDC, etc</p><h1
id="JAX-RSJOSE-Third-PartyAlternatives">Third-Party Alternatives</h1><p
><a shape="rect" class="external-link"
>href="https://bitbucket.org/b_c/jose4j/wiki/Home"; rel="nofollow">Jose4J</a>
>is a top project from Brian Campbell.  CXF users are encouraged to
>experiment with Jose4J (or indeed with other 3rd party implementations) if
>they prefer.</p><p>TODO: describe how Jose4J can be integrated with CXF
>filters if preferred.</p><p> </p></div>
+</div></div><p> </p><p>CXF ships JWE related classes in <a shape="rect"
class="external-link"
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe;h=71e0e29025252080838168458b3d2e0179a7a0bd;hb=HEAD";>this
package</a> and offers a support for all of JWA encryption
algorithms.</p><p><a shape="rect" class="external-link"
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionProvider.java;h=615212b1622abb1c0a8b06a3b5498d8b6199d0cc;hb=HEAD";>JweEncryptionProvider</a>
supports encrypting the content, <a shape="rect" class="external-link"
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionProvider.java;h=1f4861a2d78df5514ff74c40330c1a5f5933f47d;hb=HEAD";>JweDecryptionProvider</a>
- decrypting the content. Encryptors and
Decryptors for all of JWE algorithms are shipped.</p><p>JweCompactConsumer
and JweCompactProducer offer a utility support for creating and validating JWE
compact serialization and accept keys in a variety of formats</p><p>(as JWKs,
JCA representations, created out of band and wrapped in either
JweEncryptionProvider or JweDecryptionProvider).</p><p>JweJwtCompactConsumer
and JweJwtCompactProducer are JweCompactConsumer and JweCompactProducer
specializations that offer a utility support for encrypting Json Web Tokens in
a compact format.</p><p>JweJsonConsumer and JweJsonProducer support JWE JSON
(full) serialization.</p><p>JweOutputStream is a specialized output stream that
can be used in conjunction with JWE JAX-RS filters (see one of the next
sections)</p><p>to support the best effort at streaming the content while
encrypting it.  These classes will use <a shape="rect"
class="external-link"
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src
/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionOutput.java;h=918ef5a085c3dc51025e2e9cbba37388f37eb49e;hb=HEAD">JweEncryptionOutput</a> 
optionally returned from JweEncryptionProvider</p><p>instead of working with
the consumer utility classes which deal with the encryption process completely
in memory.</p><p> </p><p>Many more examples will be added here.</p><h1
id="JAX-RSJOSE-JSONWebTokens">JSON Web Tokens</h1><p> </p><p><a
shape="rect" class="external-link"
href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32";
rel="nofollow">JSON Web Token</a> (JWT) is a collection of claims in JSON
format. It offers a standard JSON container for representing various properties
or claims.</p><p>JWT can be signed and or encrypted, i.e, serve as a JOSE
signature or encryption input like any other data
structure.</p><p> </p><p>JWT has been primarily used in OAuth2
applications to represent self-contained access tokens but can also be used in
other contex
ts.</p><p>CXF offers an initial JWT support in <a shape="rect"
class="external-link"
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt;h=ab5e633cd9d81374288c46c7d283df49931cc0d8;hb=HEAD";>this
package</a>.</p><h1
id="JAX-RSJOSE-LinkingJWTauthenticationstoJWSorJWEcontent">Linking JWT
authentications to JWS or JWE content</h1><p>Add more...</p><h1
id="JAX-RSJOSE-JOSEJAX-RSFilters">JOSE JAX-RS Filters</h1><h2
id="JAX-RSJOSE-JWE">JWE</h2><h2 id="JAX-RSJOSE-JWS">JWS</h2><h1
id="JAX-RSJOSE-Configuration">Configuration</h1><h4
id="JAX-RSJOSE-Configurationthatappliestobothencryptionandsignature">Configuration
that applies to both encryption and signature</h4><div
class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1"
rowspan="1" class="confluenceTd"><p>rs.security.keystore.type</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The keystore type. Suitable
values are "jks" or "j
wk".</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">rs.security.keystore.password</td><td colspan="1"
rowspan="1" class="confluenceTd">The password required to access the
keystore.</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">rs.security.keystore.alias</td><td colspan="1" rowspan="1"
class="confluenceTd"> The keystore alias corresponding to the key to use.
You can append one of the following to this tag to get the alias for more
specific operations:<br clear="none">     - jwe.out<br
clear="none">     - jwe.in<br
clear="none">     - jws.out<br
clear="none">     - jws.in</td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd">rs.security.keystore.aliases</td><td
colspan="1" rowspan="1" class="confluenceTd">The keystore aliases corresponding
to the keys to use, when using the JSON serialization form. You can append one
of the following to this tag to get the al
ias for more specific operations:<br clear="none">     -
jws.out<br clear="none">     - jws.in</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore.file</td><td
colspan="1" rowspan="1" class="confluenceTd">The path to the keystore
file.</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">rs.security.key.password</td><td colspan="1" rowspan="1"
class="confluenceTd">The password required to access the private key (in the
keystore).</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">rs.security.key.password.provider</td><td colspan="1"
rowspan="1" class="confluenceTd">A reference to a PrivateKeyPasswordProvider
instance used to retrieve passwords to access keys.</td></tr><tr><td
colspan="1" rowspan="1"
class="confluenceTd">rs.security.accept.public.key</td><td colspan="1"
rowspan="1" class="confluenceTd"><p>Whether to allow using a JWK received in
the header for signature validation. The default
is "false".</p></td></tr></tbody></table></div><h4
id="JAX-RSJOSE-Configurationthatappliestosignatureonly">Configuration that
applies to signature only</h4><div class="table-wrap"><table
class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>rs.security.signature.key.password.provider</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>A reference to a
PrivateKeyPasswordProvider instance used to retrieve passwords to access keys
for signature. If this is not specified it falls back to use
"rs.security.key.password.provider".</p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd">rs.security.signature.algorithm</td><td
colspan="1" rowspan="1" class="confluenceTd">The signature algorithm to use.
The default algorithm if not specified is 'RS256'.</td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd">rs.security.signature.out.properties</td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file
for com
pact signature creation. If not specified then it falls back to
"rs.security.signature.properties".</p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd">rs.security.signature.in.properties</td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file
for compact signature verification. If not specified then it falls back to
"rs.security.signature.properties".</p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd">rs.security.signature.properties</td><td
colspan="1" rowspan="1" class="confluenceTd">The signature properties file for
compact signature creation/verification.</td></tr><tr><td colspan="1"
rowspan="1"
class="confluenceTd">rs.security.signature.out.list.properties</td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file
for JSON Serialization signature creation. If not specified then it falls back
to "rs.security.signature.list.properties".</p></td></tr><tr><td colspan="1"
rowspan="1" class="conflu
enceTd">rs.security.signature.in.list.properties</td><td colspan="1"
rowspan="1" class="confluenceTd"><p>The signature properties file for JSON
Serialization signature verification. If not specified then it falls back to
"rs.security.signature.list.properties".</p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd">rs.security.signature.list.properties</td><td
colspan="1" rowspan="1" class="confluenceTd">The signature properties file for
JSON Serialization signature creation/verification.</td></tr><tr><td
colspan="1" rowspan="1"
class="confluenceTd">rs.security.signature.include.public.key</td><td
colspan="1" rowspan="1" class="confluenceTd">Include the JWK public key for
signature in the "jwk" header.</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">rs.security.signature.include.cert</td><td colspan="1"
rowspan="1" class="confluenceTd">Include the X.509 certificate for signature in
the "x5c" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceT
d">rs.security.signature.include.key.id</td><td colspan="1" rowspan="1"
class="confluenceTd">Include the JWK key id for signature in the "kid"
header.</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">rs.security.signature.include.cert.sha1</td><td
colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate
SHA-1 digest for signature in the "x5t"
header.</td></tr></tbody></table></div><h4
id="JAX-RSJOSE-Configurationthatappliestoencryptiononly">Configuration that
applies to encryption only</h4><div class="table-wrap"><table
class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>rs.security.decryption.key.password.provider</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>A reference to a
PrivateKeyPasswordProvider instance used to retrieve passwords to access keys
for decryption. If this is not specified it falls back to use
"rs.security.key.password.provider".</p></td></tr><tr><td colspan="1"
rowspan="1" class="co
nfluenceTd">rs.security.encryption.content.algorithm</td><td colspan="1"
rowspan="1" class="confluenceTd">The encryption content algorithm to use. The
default algorithm if not specified is 'A128GCM'.</td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd">rs.security.encryption.key.algorithm</td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The encryption key algorithm to
use. The default algorithm if not specified is 'RSA-OAEP' if the key is an RSA
key, and 'A128GCMKW' if it is an octet sequence.</p></td></tr><tr><td
colspan="1" rowspan="1"
class="confluenceTd">rs.security.encryption.zip.algorithm</td><td colspan="1"
rowspan="1" class="confluenceTd">The encryption zip algorithm to
use.</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">rs.security.encryption.out.properties</td><td colspan="1"
rowspan="1" class="confluenceTd"><p>The signature properties file for
encryption creation. If not specified then it falls back to
"rs.security.encryption.properties".</p
></td></tr><tr><td colspan="1" rowspan="1"
>class="confluenceTd">rs.security.encryption.in.properties</td><td colspan="1"
>rowspan="1" class="confluenceTd"><p>The signature properties file for
>decryption. If not specified then it falls back to
>"rs.security.encryption.properties".</p></td></tr><tr><td colspan="1"
>rowspan="1" class="confluenceTd">rs.security.encryption.properties</td><td
>colspan="1" rowspan="1" class="confluenceTd">The signature properties file
>for encryption/decryption.</td></tr><tr><td colspan="1" rowspan="1"
>class="confluenceTd">rs.security.encryption.include.public.key</td><td
>colspan="1" rowspan="1" class="confluenceTd">Include the JWK public key
>for encryption in the "jwk" header.</td></tr><tr><td colspan="1"
>rowspan="1" class="confluenceTd">rs.security.encryption.include.cert</td><td
>colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate
>for encryption in the "x5c" header.</td></tr><tr><td colspan="1"
>rowspan="1" class="confluenceTd"
>rs.security.encryption.include.key.id</td><td colspan="1" rowspan="1"
>class="confluenceTd">Include the JWK key id for encryption in the "kid"
>header.</td></tr><tr><td colspan="1" rowspan="1"
>class="confluenceTd">rs.security.encryption.include.cert.sha1</td><td
>colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate
>SHA-1 digest for encryption in the "x5t"
>header.</td></tr></tbody></table></div><h4
>id="JAX-RSJOSE-ConfigurationthatappliestoJWTtokensonly">Configuration that
>applies to JWT tokens only</h4><div class="table-wrap"><table
>class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1"
>class="confluenceTd"><p>rs.security.enable.unsigned-jwt.principal</p></td><td
>colspan="1" rowspan="1" class="confluenceTd"><p>Whether to allow unsigned JWT
>tokens as SecurityContext Principals. The default is
>false.</p></td></tr></tbody></table></div><h1
>id="JAX-RSJOSE-EncryptingJWKstores">Encrypting JWK stores</h1><p>JAX-RS
>filters can read the keys from encrypte
d JWK stores. The stores are encrypted inline or in separate storages (files).
By default the filters expect that the stores has been encrypted using</p><p>a
password based <a shape="rect" class="external-link"
href="https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#section-4.8";
rel="nofollow">PBES2 algorithm</a>. The filters will check a registered <a
shape="rect" class="external-link"
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/PrivateKeyPasswordProvider.java;h=bfcde495a9f9fd0f11a2394c758be1d85beb5c60;hb=HEAD";>password
provider</a>.</p><h1 id="JAX-RSJOSE-OAuth2andJose">OAuth2 and Jose</h1><p>CXF
OAuth2 module depends on its JOSE module. This will be used to support OAuth2
POP tokens. Authorization code JOSE requests can already be processed. Utility
support for validating JWT-based access tokens is provided.</p><p>Add
more...</p><h1 id="JAX-RSJOSE-OIDCandJose">OIDC and Jos
e</h1><p>OIDC heavily depends on JOSE. CXF OIDC module utilizes a JOSE module
to support OIDC RP and IDP code. Add more...</p><h1
id="JAX-RSJOSE-FutureWork">Future Work</h1><p>OAuth2, WebCrypto, OIDC,
etc</p><h1 id="JAX-RSJOSE-Third-PartyAlternatives">Third-Party
Alternatives</h1><p><a shape="rect" class="external-link"
href="https://bitbucket.org/b_c/jose4j/wiki/Home"; rel="nofollow">Jose4J</a> is
a top project from Brian Campbell.  CXF users are encouraged to experiment
with Jose4J (or indeed with other 3rd party implementations) if they
prefer.</p><p>TODO: describe how Jose4J can be integrated with CXF filters if
preferred.</p><p> </p></div>
</div>
<!-- Content -->
</td>
