Author: buildbot
Date: Mon Oct 26 15:47:38 2015
New Revision: 970284

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/jax-rs-jose.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-jose.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-jose.html (original)
+++ websites/production/cxf/content/docs/jax-rs-jose.html Mon Oct 26 15:47:38 
2015
@@ -118,15 +118,15 @@ Apache CXF -- JAX-RS JOSE
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><p>&#160;</p><p><style 
type="text/css">/*<![CDATA[*/
-div.rbtoc1445870818075 {padding: 0px;}
-div.rbtoc1445870818075 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1445870818075 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1445874425776 {padding: 0px;}
+div.rbtoc1445874425776 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1445874425776 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1445870818075">
+/*]]>*/</style></p><div class="toc-macro rbtoc1445874425776">
 <ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSJOSE-Introduction">Introduction</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-MavenDependencies">Maven Dependencies</a></li><li><a 
shape="rect" href="#JAX-RSJOSE-JOSEOverview">JOSE Overview</a></li><li><a 
shape="rect" href="#JAX-RSJOSE-JWAAlgorithms">JWA Algorithms</a></li><li><a 
shape="rect" href="#JAX-RSJOSE-JWKKeys">JWK Keys</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-JWSSignature">JWS Signature</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-JSONEncryption">JSON Encryption</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-JSONWebTokens">JSON Web Tokens</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-LinkingJWTauthenticationstoJWSorJWEcontent">Linking JWT 
authentications to JWS or JWE content</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-JOSEJAX-RSFilters">JOSE JAX-RS Filters</a>
 <ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSJOSE-JWE">JWE</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-JWS">JWS</a></li></ul>
 </li><li><a shape="rect" href="#JAX-RSJOSE-Configuration">Configuration</a>
-<ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSJOSE-Configurationthatappliestobothencryptionandsignature">Configuration
 that applies to both encryption and signature</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-Configurationthatappliestosignatureonly">Configuration that 
applies to signature only</a></li></ul>
+<ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSJOSE-Configurationthatappliestobothencryptionandsignature">Configuration
 that applies to both encryption and signature</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-Configurationthatappliestosignatureonly">Configuration that 
applies to signature only</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-Configurationthatappliestoencryptiononly">Configuration that 
applies to encryption only</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-ConfigurationthatappliestoJWTtokensonly">Configuration that 
applies to JWT tokens only</a></li></ul>
 </li><li><a shape="rect" href="#JAX-RSJOSE-EncryptingJWKstores">Encrypting JWK 
stores</a></li><li><a shape="rect" href="#JAX-RSJOSE-OAuth2andJose">OAuth2 and 
Jose</a></li><li><a shape="rect" href="#JAX-RSJOSE-OIDCandJose">OIDC and 
Jose</a></li><li><a shape="rect" href="#JAX-RSJOSE-FutureWork">Future 
Work</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-Third-PartyAlternatives">Third-Party 
Alternatives</a></li></ul>
 </div><h1 id="JAX-RSJOSE-Introduction">Introduction</h1><p>CXF 3.0.x 
implements <a shape="rect" class="external-link" 
href="https://datatracker.ietf.org/wg/jose/documents/"; 
rel="nofollow">JOSE</a>.</p><h1 id="JAX-RSJOSE-MavenDependencies">Maven 
Dependencies</h1><div class="code panel pdl" style="border-width: 1px;"><div 
class="codeContent panelContent pdl">
 <pre class="brush: xml; gutter: false; theme: Default" 
style="font-size:12px;">&lt;dependency&gt;
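Review bot: the "rbtoc1445870818075" to "rbtoc1445874425776" rename in the three CSS rules and on the "toc-macro" div is generated-id churn with no content change, so these four lines will reappear in every publish diff and bury the real edit. The only substantive change in this hunk is the two new TOC entries under Configuration ("Configuration that applies to encryption only" and "Configuration that applies to JWT tokens only"). If the export can emit a stable class name for the TOC macro, the diff would shrink to that one line.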
@@ -176,7 +176,7 @@ AesWrapKeyDecryptionAlgorithm keyDecrypt
 JweDecryptionProvider decryption = new AesCbcHmacJweDecryption(keyDecryption);
 String decryptedText = decryption.decrypt(jweContent).getContentText();
 assertEquals(specPlainText, decryptedText);</pre>
-</div></div><p>&#160;</p><p>CXF ships JWE related classes in <a shape="rect" 
class="external-link" 
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe;h=71e0e29025252080838168458b3d2e0179a7a0bd;hb=HEAD";>this
 package</a> and offers a support for all of JWA encryption 
algorithms.</p><p><a shape="rect" class="external-link" 
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionProvider.java;h=615212b1622abb1c0a8b06a3b5498d8b6199d0cc;hb=HEAD";>JweEncryptionProvider</a>
 supports encrypting the content, <a shape="rect" class="external-link" 
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionProvider.java;h=1f4861a2d78df5514ff74c40330c1a5f5933f47d;hb=HEAD";>JweDecryptionProvider</a>
 - decrypting the content. Encryptors and
  Decryptors for all of JWE algorithms are shipped.</p><p>JweCompactConsumer 
and JweCompactProducer offer a utility support for creating and validating JWE 
compact serialization and accept keys in a variety of formats</p><p>(as JWKs, 
JCA representations, created out of band and wrapped in either 
JweEncryptionProvider or JweDecryptionProvider).</p><p>JweJwtCompactConsumer 
and JweJwtCompactProducer are JweCompactConsumer and JweCompactProducer 
specializations that offer a utility support for encrypting Json Web Tokens in 
a compact format.</p><p>JweJsonConsumer and JweJsonProducer support JWE JSON 
(full) serialization.</p><p>JweOutputStream is a specialized output stream that 
can be used in conjunction with JWE JAX-RS filters (see one of the next 
sections)</p><p>to support the best effort at streaming the content while 
encrypting it.&#160; These classes will use <a shape="rect" 
class="external-link" 
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src
 
/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionOutput.java;h=918ef5a085c3dc51025e2e9cbba37388f37eb49e;hb=HEAD">JweEncryptionOutput</a>&#160;
 optionally returned from JweEncryptionProvider</p><p>instead of working with 
the consumer utility classes which deal with the encryption process completely 
in memory.</p><p>&#160;</p><p>Many more examples will be added here.</p><h1 
id="JAX-RSJOSE-JSONWebTokens">JSON Web Tokens</h1><p>&#160;</p><p><a 
shape="rect" class="external-link" 
href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32"; 
rel="nofollow">JSON Web Token</a> (JWT) is a collection of claims in JSON 
format. It offers a standard JSON container for representing various properties 
or claims.</p><p>JWT can be signed and or encrypted, i.e, serve as a JOSE 
signature or encryption input like any other data 
structure.</p><p>&#160;</p><p>JWT has been primarily used in OAuth2 
applications to represent self-contained access tokens but can also be used in 
other contex
 ts.</p><p>CXF offers an initial JWT support in <a shape="rect" 
class="external-link" 
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt;h=ab5e633cd9d81374288c46c7d283df49931cc0d8;hb=HEAD";>this
 package</a>.</p><h1 
id="JAX-RSJOSE-LinkingJWTauthenticationstoJWSorJWEcontent">Linking JWT 
authentications to JWS or JWE content</h1><p>Add more...</p><h1 
id="JAX-RSJOSE-JOSEJAX-RSFilters">JOSE JAX-RS Filters</h1><h2 
id="JAX-RSJOSE-JWE">JWE</h2><h2 id="JAX-RSJOSE-JWS">JWS</h2><h1 
id="JAX-RSJOSE-Configuration">Configuration</h1><h4 
id="JAX-RSJOSE-Configurationthatappliestobothencryptionandsignature">Configuration
 that applies to both encryption and signature</h4><div 
class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><p>rs.security.keystore.type</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>The keystore type. Suitable 
values are "jks" or "j
 wk".</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.keystore.password</td><td colspan="1" 
rowspan="1" class="confluenceTd">The password required to access the 
keystore.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.keystore.alias</td><td colspan="1" rowspan="1" 
class="confluenceTd">&#160;The keystore alias corresponding to the key to use. 
You can append one of the following to this tag to get the alias for more 
specific operations:<br clear="none">&#160;&#160;&#160;&#160; - jwe.out<br 
clear="none">&#160;&#160;&#160;&#160; - jwe.in<br 
clear="none">&#160;&#160;&#160;&#160; - jws.out<br 
clear="none">&#160;&#160;&#160;&#160; - jws.in</td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.keystore.aliases</td><td 
colspan="1" rowspan="1" class="confluenceTd">The keystore aliases corresponding 
to the keys to use, when using the JSON serialization form. You can append one 
of the following to this tag to get the al
 ias for more specific operations:<br clear="none">&#160;&#160;&#160;&#160; - 
jws.out<br clear="none">&#160;&#160;&#160;&#160; - jws.in</td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore.file</td><td 
colspan="1" rowspan="1" class="confluenceTd">The path to the keystore 
file.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.key.password</td><td colspan="1" rowspan="1" 
class="confluenceTd">The password required to access the private key (in the 
keystore).</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.key.password.provider</td><td colspan="1" 
rowspan="1" class="confluenceTd">A reference to a PrivateKeyPasswordProvider 
instance used to retrieve passwords to access keys.</td></tr><tr><td 
colspan="1" rowspan="1" 
class="confluenceTd">rs.security.include.public.key</td><td colspan="1" 
rowspan="1" class="confluenceTd">Include the JWK public key (for signature or 
encryption) in the "jwk" header.</td></tr><tr><
 td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.include.cert</td><td colspan="1" rowspan="1" 
class="confluenceTd">Include the X.509 certificate (for signature or 
encryption) in the "x5c" header.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.include.key.id</td><td colspan="1" rowspan="1" 
class="confluenceTd">Include the JWK key id (for signature or encryption) in 
the "kid" header.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.include.cert.sha1</td><td colspan="1" 
rowspan="1" class="confluenceTd">Include the X.509 certificate SHA-1 digest 
(for signature or encryption) in the "x5t" header.</td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.accept.public.key</td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>Whether to allow using a JWK 
received in the header for signature validation. The default is 
"false".</p></td></tr></tbody></table></div><h4 
id="JAX-RSJOSE-Configurationthatappliestosigna
 tureonly">Configuration that applies to signature only</h4><div 
class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" 
rowspan="1" 
class="confluenceTd"><p>rs.security.signature.key.password.provider</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>A reference to a 
PrivateKeyPasswordProvider instance used to retrieve passwords to access keys 
for signature. If this is not specified it falls back to use 
"rs.security.key.password.provider".</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.signature.algorithm</td><td 
colspan="1" rowspan="1" class="confluenceTd">The signature algorithm to use. 
The default algorithm if not specified is 'RS256'.</td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.signature.out.properties</td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file 
for compact signature creation. If not specified then it falls back to 
"rs.security.signature.properties
 ".</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.signature.in.properties</td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>The signature properties file for compact 
signature verification. If not specified then it falls back to 
"rs.security.signature.properties".</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.signature.properties</td><td 
colspan="1" rowspan="1" class="confluenceTd">The signature properties file for 
compact signature creation/verification.</td></tr><tr><td colspan="1" 
rowspan="1" 
class="confluenceTd">rs.security.signature.out.list.properties</td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file 
for JSON Serialization signature creation. If not specified then it falls back 
to "rs.security.signature.list.properties".</p></td></tr><tr><td colspan="1" 
rowspan="1" 
class="confluenceTd">rs.security.signature.in.list.properties</td><td 
colspan="1" rowspan="1" class="confluenc
 eTd"><p>The signature properties file for JSON Serialization signature 
verification. If not specified then it falls back to 
"rs.security.signature.list.properties".</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.signature.list.properties</td><td 
colspan="1" rowspan="1" class="confluenceTd">The signature properties file for 
JSON Serialization signature creation/verification.</td></tr><tr><td 
colspan="1" rowspan="1" 
class="confluenceTd">rs.security.signature.include.public.key</td><td 
colspan="1" rowspan="1" class="confluenceTd">Include the JWK public key for 
signature in the "jwk" header. If not specified then it falls back to 
"rs.security.include.public.key".</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.signature.include.cert</td><td colspan="1" 
rowspan="1" class="confluenceTd">Include the X.509 certificate for signature in 
the "x5c" header. If not specified then it falls back to 
"rs.security.include.cert".</td></tr><tr><td
  colspan="1" rowspan="1" 
class="confluenceTd">rs.security.signature.include.key.id</td><td colspan="1" 
rowspan="1" class="confluenceTd">Include the JWK key id for signature in the 
"kid" header. If not specified then it falls back to 
"rs.security.include.key.id".</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.signature.include.cert.sha1</td><td 
colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate 
SHA-1 digest for signature in the "x5t" header. If not specified then it falls 
back to "rs.security.include.cert.sha1"/</td></tr></tbody></table></div><h1 
id="JAX-RSJOSE-EncryptingJWKstores">Encrypting JWK stores</h1><p>JAX-RS filters 
can read the keys from encrypted JWK stores. The stores are encrypted inline or 
in separate storages (files). By default the filters expect that the stores has 
been encrypted using</p><p>a password based <a shape="rect" 
class="external-link" 
href="https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40
 #section-4.8" rel="nofollow">PBES2 algorithm</a>. The filters will check a 
registered <a shape="rect" class="external-link" 
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/PrivateKeyPasswordProvider.java;h=bfcde495a9f9fd0f11a2394c758be1d85beb5c60;hb=HEAD";>password
 provider</a>.</p><h1 id="JAX-RSJOSE-OAuth2andJose">OAuth2 and Jose</h1><p>CXF 
OAuth2 module depends on its JOSE module. This will be used to support OAuth2 
POP tokens. Authorization code JOSE requests can already be processed. Utility 
support for validating JWT-based access tokens is provided.</p><p>Add 
more...</p><h1 id="JAX-RSJOSE-OIDCandJose">OIDC and Jose</h1><p>OIDC heavily 
depends on JOSE. CXF OIDC module utilizes a JOSE module to support OIDC RP and 
IDP code. Add more...</p><h1 id="JAX-RSJOSE-FutureWork">Future 
Work</h1><p>OAuth2, WebCrypto, OIDC, etc</p><h1 
id="JAX-RSJOSE-Third-PartyAlternatives">Third-Party Alternatives</h1><p
 ><a shape="rect" class="external-link" 
 >href="https://bitbucket.org/b_c/jose4j/wiki/Home"; rel="nofollow">Jose4J</a> 
 >is a top project from Brian Campbell.&#160; CXF users are encouraged to 
 >experiment with Jose4J (or indeed with other 3rd party implementations) if 
 >they prefer.</p><p>TODO: describe how Jose4J can be integrated with CXF 
 >filters if preferred.</p><p>&#160;</p></div>
+</div></div><p>&#160;</p><p>CXF ships JWE related classes in <a shape="rect" 
class="external-link" 
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe;h=71e0e29025252080838168458b3d2e0179a7a0bd;hb=HEAD";>this
 package</a> and offers a support for all of JWA encryption 
algorithms.</p><p><a shape="rect" class="external-link" 
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionProvider.java;h=615212b1622abb1c0a8b06a3b5498d8b6199d0cc;hb=HEAD";>JweEncryptionProvider</a>
 supports encrypting the content, <a shape="rect" class="external-link" 
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionProvider.java;h=1f4861a2d78df5514ff74c40330c1a5f5933f47d;hb=HEAD";>JweDecryptionProvider</a>
 - decrypting the content. Encryptors and
  Decryptors for all of JWE algorithms are shipped.</p><p>JweCompactConsumer 
and JweCompactProducer offer a utility support for creating and validating JWE 
compact serialization and accept keys in a variety of formats</p><p>(as JWKs, 
JCA representations, created out of band and wrapped in either 
JweEncryptionProvider or JweDecryptionProvider).</p><p>JweJwtCompactConsumer 
and JweJwtCompactProducer are JweCompactConsumer and JweCompactProducer 
specializations that offer a utility support for encrypting Json Web Tokens in 
a compact format.</p><p>JweJsonConsumer and JweJsonProducer support JWE JSON 
(full) serialization.</p><p>JweOutputStream is a specialized output stream that 
can be used in conjunction with JWE JAX-RS filters (see one of the next 
sections)</p><p>to support the best effort at streaming the content while 
encrypting it.&#160; These classes will use <a shape="rect" 
class="external-link" 
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src
 
/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionOutput.java;h=918ef5a085c3dc51025e2e9cbba37388f37eb49e;hb=HEAD">JweEncryptionOutput</a>&#160;
 optionally returned from JweEncryptionProvider</p><p>instead of working with 
the consumer utility classes which deal with the encryption process completely 
in memory.</p><p>&#160;</p><p>Many more examples will be added here.</p><h1 
id="JAX-RSJOSE-JSONWebTokens">JSON Web Tokens</h1><p>&#160;</p><p><a 
shape="rect" class="external-link" 
href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32"; 
rel="nofollow">JSON Web Token</a> (JWT) is a collection of claims in JSON 
format. It offers a standard JSON container for representing various properties 
or claims.</p><p>JWT can be signed and or encrypted, i.e, serve as a JOSE 
signature or encryption input like any other data 
structure.</p><p>&#160;</p><p>JWT has been primarily used in OAuth2 
applications to represent self-contained access tokens but can also be used in 
other contex
 ts.</p><p>CXF offers an initial JWT support in <a shape="rect" 
class="external-link" 
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt;h=ab5e633cd9d81374288c46c7d283df49931cc0d8;hb=HEAD";>this
 package</a>.</p><h1 
id="JAX-RSJOSE-LinkingJWTauthenticationstoJWSorJWEcontent">Linking JWT 
authentications to JWS or JWE content</h1><p>Add more...</p><h1 
id="JAX-RSJOSE-JOSEJAX-RSFilters">JOSE JAX-RS Filters</h1><h2 
id="JAX-RSJOSE-JWE">JWE</h2><h2 id="JAX-RSJOSE-JWS">JWS</h2><h1 
id="JAX-RSJOSE-Configuration">Configuration</h1><h4 
id="JAX-RSJOSE-Configurationthatappliestobothencryptionandsignature">Configuration
 that applies to both encryption and signature</h4><div 
class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><p>rs.security.keystore.type</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>The keystore type. Suitable 
values are "jks" or "j
 wk".</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.keystore.password</td><td colspan="1" 
rowspan="1" class="confluenceTd">The password required to access the 
keystore.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.keystore.alias</td><td colspan="1" rowspan="1" 
class="confluenceTd">&#160;The keystore alias corresponding to the key to use. 
You can append one of the following to this tag to get the alias for more 
specific operations:<br clear="none">&#160;&#160;&#160;&#160; - jwe.out<br 
clear="none">&#160;&#160;&#160;&#160; - jwe.in<br 
clear="none">&#160;&#160;&#160;&#160; - jws.out<br 
clear="none">&#160;&#160;&#160;&#160; - jws.in</td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.keystore.aliases</td><td 
colspan="1" rowspan="1" class="confluenceTd">The keystore aliases corresponding 
to the keys to use, when using the JSON serialization form. You can append one 
of the following to this tag to get the al
 ias for more specific operations:<br clear="none">&#160;&#160;&#160;&#160; - 
jws.out<br clear="none">&#160;&#160;&#160;&#160; - jws.in</td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore.file</td><td 
colspan="1" rowspan="1" class="confluenceTd">The path to the keystore 
file.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.key.password</td><td colspan="1" rowspan="1" 
class="confluenceTd">The password required to access the private key (in the 
keystore).</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.key.password.provider</td><td colspan="1" 
rowspan="1" class="confluenceTd">A reference to a PrivateKeyPasswordProvider 
instance used to retrieve passwords to access keys.</td></tr><tr><td 
colspan="1" rowspan="1" 
class="confluenceTd">rs.security.accept.public.key</td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Whether to allow using a JWK received in 
the header for signature validation. The default 
 is "false".</p></td></tr></tbody></table></div><h4 
id="JAX-RSJOSE-Configurationthatappliestosignatureonly">Configuration that 
applies to signature only</h4><div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>rs.security.signature.key.password.provider</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>A reference to a 
PrivateKeyPasswordProvider instance used to retrieve passwords to access keys 
for signature. If this is not specified it falls back to use 
"rs.security.key.password.provider".</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.signature.algorithm</td><td 
colspan="1" rowspan="1" class="confluenceTd">The signature algorithm to use. 
The default algorithm if not specified is 'RS256'.</td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.signature.out.properties</td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file 
for com
 pact signature creation. If not specified then it falls back to 
"rs.security.signature.properties".</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.signature.in.properties</td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file 
for compact signature verification. If not specified then it falls back to 
"rs.security.signature.properties".</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.signature.properties</td><td 
colspan="1" rowspan="1" class="confluenceTd">The signature properties file for 
compact signature creation/verification.</td></tr><tr><td colspan="1" 
rowspan="1" 
class="confluenceTd">rs.security.signature.out.list.properties</td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file 
for JSON Serialization signature creation. If not specified then it falls back 
to "rs.security.signature.list.properties".</p></td></tr><tr><td colspan="1" 
rowspan="1" class="conflu
 enceTd">rs.security.signature.in.list.properties</td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>The signature properties file for JSON 
Serialization signature verification. If not specified then it falls back to 
"rs.security.signature.list.properties".</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.signature.list.properties</td><td 
colspan="1" rowspan="1" class="confluenceTd">The signature properties file for 
JSON Serialization signature creation/verification.</td></tr><tr><td 
colspan="1" rowspan="1" 
class="confluenceTd">rs.security.signature.include.public.key</td><td 
colspan="1" rowspan="1" class="confluenceTd">Include the JWK public key for 
signature in the "jwk" header.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.signature.include.cert</td><td colspan="1" 
rowspan="1" class="confluenceTd">Include the X.509 certificate for signature in 
the "x5c" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceT
 d">rs.security.signature.include.key.id</td><td colspan="1" rowspan="1" 
class="confluenceTd">Include the JWK key id for signature in the "kid" 
header.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.signature.include.cert.sha1</td><td 
colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate 
SHA-1 digest for signature in the "x5t" 
header.</td></tr></tbody></table></div><h4 
id="JAX-RSJOSE-Configurationthatappliestoencryptiononly">Configuration that 
applies to encryption only</h4><div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>rs.security.decryption.key.password.provider</p></td><td
 colspan="1" rowspan="1" class="confluenceTd"><p>A reference to a 
PrivateKeyPasswordProvider instance used to retrieve passwords to access keys 
for decryption. If this is not specified it falls back to use 
"rs.security.key.password.provider".</p></td></tr><tr><td colspan="1" 
rowspan="1" class="co
 nfluenceTd">rs.security.encryption.content.algorithm</td><td colspan="1" 
rowspan="1" class="confluenceTd">The encryption content algorithm to use. The 
default algorithm if not specified is 'A128GCM'.</td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">rs.security.encryption.key.algorithm</td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>The encryption key algorithm to 
use. The default algorithm if not specified is 'RSA-OAEP' if the key is an RSA 
key, and 'A128GCMKW' if it is an octet sequence.</p></td></tr><tr><td 
colspan="1" rowspan="1" 
class="confluenceTd">rs.security.encryption.zip.algorithm</td><td colspan="1" 
rowspan="1" class="confluenceTd">The encryption zip algorithm to 
use.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">rs.security.encryption.out.properties</td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>The signature properties file for 
encryption creation. If not specified then it falls back to 
"rs.security.encryption.properties".</p
 ></td></tr><tr><td colspan="1" rowspan="1" 
 >class="confluenceTd">rs.security.encryption.in.properties</td><td colspan="1" 
 >rowspan="1" class="confluenceTd"><p>The signature properties file for 
 >decryption. If not specified then it falls back to 
 >"rs.security.encryption.properties".</p></td></tr><tr><td colspan="1" 
 >rowspan="1" class="confluenceTd">rs.security.encryption.properties</td><td 
 >colspan="1" rowspan="1" class="confluenceTd">The signature properties file 
 >for encryption/decryption.</td></tr><tr><td colspan="1" rowspan="1" 
 >class="confluenceTd">rs.security.encryption.include.public.key</td><td 
 >colspan="1" rowspan="1" class="confluenceTd">Include the JWK public key 
 >for&#160;encryption in the "jwk" header.</td></tr><tr><td colspan="1" 
 >rowspan="1" class="confluenceTd">rs.security.encryption.include.cert</td><td 
 >colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate 
 >for&#160;encryption in the "x5c" header.</td></tr><tr><td colspan="1" 
 >rowspan="1" class="confluenceTd"
 >rs.security.encryption.include.key.id</td><td colspan="1" rowspan="1" 
 >class="confluenceTd">Include the JWK key id for&#160;encryption in the "kid" 
 >header.</td></tr><tr><td colspan="1" rowspan="1" 
 >class="confluenceTd">rs.security.encryption.include.cert.sha1</td><td 
 >colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate 
 >SHA-1 digest for&#160;encryption in the "x5t" 
 >header.</td></tr></tbody></table></div><h4 
 >id="JAX-RSJOSE-ConfigurationthatappliestoJWTtokensonly">Configuration that 
 >applies to JWT tokens only</h4><div class="table-wrap"><table 
 >class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" 
 >class="confluenceTd"><p>rs.security.enable.unsigned-jwt.principal</p></td><td 
 >colspan="1" rowspan="1" class="confluenceTd"><p>Whether to allow unsigned JWT 
 >tokens as SecurityContext Principals. The default is 
 >false.</p></td></tr></tbody></table></div><h1 
 >id="JAX-RSJOSE-EncryptingJWKstores">Encrypting JWK stores</h1><p>JAX-RS 
 >filters can read the keys from encrypte
 d JWK stores. The stores are encrypted inline or in separate storages (files). 
By default the filters expect that the stores has been encrypted using</p><p>a 
password based <a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#section-4.8";
 rel="nofollow">PBES2 algorithm</a>. The filters will check a registered <a 
shape="rect" class="external-link" 
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/PrivateKeyPasswordProvider.java;h=bfcde495a9f9fd0f11a2394c758be1d85beb5c60;hb=HEAD";>password
 provider</a>.</p><h1 id="JAX-RSJOSE-OAuth2andJose">OAuth2 and Jose</h1><p>CXF 
OAuth2 module depends on its JOSE module. This will be used to support OAuth2 
POP tokens. Authorization code JOSE requests can already be processed. Utility 
support for validating JWT-based access tokens is provided.</p><p>Add 
more...</p><h1 id="JAX-RSJOSE-OIDCandJose">OIDC and Jos
 e</h1><p>OIDC heavily depends on JOSE. CXF OIDC module utilizes a JOSE module 
to support OIDC RP and IDP code. Add more...</p><h1 
id="JAX-RSJOSE-FutureWork">Future Work</h1><p>OAuth2, WebCrypto, OIDC, 
etc</p><h1 id="JAX-RSJOSE-Third-PartyAlternatives">Third-Party 
Alternatives</h1><p><a shape="rect" class="external-link" 
href="https://bitbucket.org/b_c/jose4j/wiki/Home"; rel="nofollow">Jose4J</a> is 
a top project from Brian Campbell.&#160; CXF users are encouraged to experiment 
with Jose4J (or indeed with other 3rd party implementations) if they 
prefer.</p><p>TODO: describe how Jose4J can be integrated with CXF filters if 
preferred.</p><p>&#160;</p></div>
            </div>
            <!-- Content -->
          </td>
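Review bot: in the new "Configuration that applies to encryption only" table, the rows for rs.security.encryption.out.properties, rs.security.encryption.in.properties and rs.security.encryption.properties are each described as "The signature properties file for ...", which looks copied from the signature table; they should read "The encryption properties file for ...". The same hunk drops rs.security.include.public.key, rs.security.include.cert, rs.security.include.key.id and rs.security.include.cert.sha1 from the shared table and removes the "If not specified then it falls back to ..." sentences from the rs.security.signature.include.* rows, without saying whether the generic keys are still honored; a line stating that they are gone (or still accepted) would save readers with existing configuration from guessing. The rs.security.encryption.zip.algorithm row lists neither accepted values nor a default, unlike the content and key algorithm rows next to it. The new rs.security.enable.unsigned-jwt.principal row would also benefit from one sentence on when enabling it is appropriate, since it lets an unsigned token supply the SecurityContext principal.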

