Author: buildbot
Date: Wed Jun 28 13:47:32 2017
New Revision: 1014655
Log:
Production update by buildbot for cxf
Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/jax-rs-jose.html
Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.
Modified: websites/production/cxf/content/docs/jax-rs-jose.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-jose.html (original)
+++ websites/production/cxf/content/docs/jax-rs-jose.html Wed Jun 28 13:47:32
2017
@@ -119,11 +119,11 @@ Apache CXF -- JAX-RS JOSE
<!-- Content -->
<div class="wiki-content">
<div id="ConfluenceContent"><p> </p><p> </p><p><style
type="text/css">/*<![CDATA[*/
-div.rbtoc1497631622116 {padding: 0px;}
-div.rbtoc1497631622116 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1497631622116 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1498657619217 {padding: 0px;}
+div.rbtoc1498657619217 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1498657619217 li {margin-left: 0px;padding-left: 0px;}
-/*]]>*/</style></p><div class="toc-macro rbtoc1497631622116">
+/*]]>*/</style></p><div class="toc-macro rbtoc1498657619217">
<ul class="toc-indentation"><li><a shape="rect"
href="#JAX-RSJOSE-Introduction">Introduction</a></li><li><a shape="rect"
href="#JAX-RSJOSE-MavenDependencies">Maven Dependencies</a></li><li><a
shape="rect" href="#JAX-RSJOSE-JavaandJCEPolicy">Java and JCE
Policy </a></li><li><a shape="rect"
href="#JAX-RSJOSE-JOSEOverviewandImplementation">JOSE Overview and
Implementation</a>
<ul class="toc-indentation"><li><a shape="rect"
href="#JAX-RSJOSE-JWAAlgorithms">JWA Algorithms</a></li><li><a shape="rect"
href="#JAX-RSJOSE-JWKKeys">JWK Keys</a></li><li><a shape="rect"
href="#JAX-RSJOSE-JWSSignature">JWS Signature</a>
<ul class="toc-indentation"><li><a shape="rect"
href="#JAX-RSJOSE-SignatureandVerificationProviders">Signature and Verification
Providers</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSCompact">JWS
Compact</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSJSON">JWS
JSON</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSwithDetachedContent">JWS
with Detached Content</a></li><li><a shape="rect"
href="#JAX-RSJOSE-JWSwithUnencodedPayload">JWS with Unencoded
Payload</a></li></ul>
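Review bot: the only change in this hunk is the generated TOC class suffix (rbtoc1497631622116 becomes rbtoc1498657619217) in the three CSS rules and the toc-macro div, which is a timestamp baked in by the Confluence export rather than a documentation edit; every regeneration will produce the same spurious four-line diff, so consider pinning or stripping that suffix in the export step (a fixed class such as toc-macro alone would do) so the diff only shows real content changes.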
@@ -850,7 +850,7 @@ JweDecryptionProvider jweIn = JweUtils.l
</div></div><p>The providers may be initialized from a single properties file
or each of them may have specific properties allocated to it.</p><p>Sometimes
it can be useful to load the properties only and check the signature or
encryption algorithm and load a JWS or JWE provider directly as shown in JWS
and JWE sections above.</p><div class="code panel pdl" style="border-width:
1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width:
1px;"><b>Loading JWS and JWE properties</b></div><div class="codeContent
panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">Properties jwsProps =
JweUtils.loadEncryptionProperties("jws.properties", true);
Properties jweProps = JweUtils.loadEncryptionProperties("jwe.properties",
true);</pre>
-</div></div><p>After loading the properties one can check various property
values (signature algorithm, etc) and use it to create a required
provider.</p><p>The above code needs to be executed in the context of the
current request (in server or client in/out interceptors or server service
code) as it expects the current CXF Message be available in order to deduce
where to load the configuration properties from. However <a shape="rect"
class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java"
rel="nofollow">JwsUtils</a> and <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java"
rel="nofollow">JweUtils</a> provide a number of utility methods for loading
the providers without loading the properties first which can be used when
setting up the c
lient code or when no properties are available in the current request
context.</p><p> </p><p>When the code needs to load the configuration
properties it first looks for the property 'container' file which contains the
specific properties instructing which keys and algorithms need to be used.
Singature or encryption properties for in/out operations can be provided.
 </p><h2 id="JAX-RSJOSE-ConfigurationPropertyContainers">Configuration
Property Containers</h2><h3 id="JAX-RSJOSE-Signature">Signature</h3><div
class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1"
rowspan="1" class="confluenceTd">rs.security.signature.out.properties</td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file
for Compact or JSON signature creation. If not specified then it falls back to
"rs.security.signature.properties".</p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd">rs.security.signature.in.properties</td><td
colspan="1" rowspa
n="1" class="confluenceTd"><p>The signature properties file for Compact or
JSON signature verification. If not specified then it falls back to
"rs.security.signature.properties".</p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd">rs.security.signature.properties</td><td
colspan="1" rowspan="1" class="confluenceTd">The signature properties file for
Compact or JSON signature
creation/verification.</td></tr></tbody></table></div><h3
id="JAX-RSJOSE-Encryption">Encryption</h3><div class="table-wrap"><table
class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1"
class="confluenceTd">rs.security.encryption.out.properties</td><td colspan="1"
rowspan="1" class="confluenceTd"><p>The encryption properties file for Compact
or JSON encryption creation. If not specified then it falls back to
"rs.security.encryption.properties".</p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd">rs.security.encryption.in.properties</td><td
colspan="1" rowspan="1" class="conflue
nceTd"><p>The encryption properties file for Compact or JSON decryption. If
not specified then it falls back to
"rs.security.encryption.properties".</p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd">rs.security.encryption.properties</td><td
colspan="1" rowspan="1" class="confluenceTd">The encryption properties file for
encryption/decryption.</td></tr></tbody></table></div><p>Note that these
property containers can be used for creating/processing JWS and JWE Compact and
JSON sequences. If it is either JWS JSON or JWE JSON and you wish to have more
than one signature or encryption be created then let the property value be a
commas separated list of locations, with each location pointing to a unique
signature or encryption operation property file.</p><p>Once the properties are
loaded the runtime proceeds with initializing JWS/JWE providers accordingly.
The following section lists the properties, some oif them being common and some
- unique to the signature/verification
and encryption/decryption processes.</p><p>Note that one can override some of
the properties, for example, 'rs.security.store' can be set as a dynamic
request property pointing to a preloaded Java KeyStore object.</p><h2
id="JAX-RSJOSE-Configurationthatappliestobothencryptionandsignature">Configuration
that applies to both encryption and signature</h2><div
class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1"
rowspan="1" class="confluenceTd">rs.security.keystore</td><td colspan="1"
rowspan="1" class="confluenceTd">The Java KeyStore Object to use. This
configuration tag is used if you want to pass the KeyStore Object through
dynamically.</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>rs.security.keystore.type</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>The keystore type. Suitable values are
"jks" or "jwk".</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">rs.security.keystore.password</td><td colspan="1" rowspan
="1" class="confluenceTd">The password required to access the
keystore.</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">rs.security.keystore.alias</td><td colspan="1" rowspan="1"
class="confluenceTd"> The keystore alias corresponding to the key to use.
You can append one of the following to this tag to get the alias for more
specific operations:<br clear="none">     - jwe.out<br
clear="none">     - jwe.in<br
clear="none">     - jws.out<br
clear="none">     - jws.in</td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd">rs.security.keystore.aliases</td><td
colspan="1" rowspan="1" class="confluenceTd">The keystore aliases corresponding
to the keys to use, when using the JSON serialization form. You can append one
of the following to this tag to get the alias for more specific operations:<br
clear="none">     - jws.out<br
clear="none">     -
jws.in</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">rs.security.keystore.file</td><td colspan="1" rowspan="1"
class="confluenceTd">The path to the keystore file.</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.key.password</td><td
colspan="1" rowspan="1" class="confluenceTd">The password required to access
the private key (in the keystore).</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">rs.security.key.password.provider</td><td colspan="1"
rowspan="1" class="confluenceTd">A reference to a PrivateKeyPasswordProvider
instance used to retrieve passwords to access keys.</td></tr><tr><td
colspan="1" rowspan="1"
class="confluenceTd">rs.security.accept.public.key</td><td colspan="1"
rowspan="1" class="confluenceTd"><p>Whether to allow using a JWK received in
the header for signature validation. The default is
"false".</p></td></tr></tbody></table></div><h2
id="JAX-RSJOSE-Configurationthatappliestosignatureonly">Configuration that ap
plies to signature only</h2><div class="table-wrap"><table
class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>rs.security.signature.key.password.provider</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>A reference to a
PrivateKeyPasswordProvider instance used to retrieve passwords to access keys
for signature. If this is not specified it falls back to use
"rs.security.key.password.provider".</p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd">rs.security.signature.algorithm</td><td
colspan="1" rowspan="1" class="confluenceTd">The signature algorithm to use.
The default algorithm if not specified is 'RS256'.</td></tr><tr><td colspan="1"
rowspan="1"
class="confluenceTd">rs.security.signature.include.public.key</td><td
colspan="1" rowspan="1" class="confluenceTd">Include the JWK public key for
signature in the "jwk" header.</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">rs.security.signature.include.cert</td><
td colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate
for signature in the "x5c" header.</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">rs.security.signature.include.key.id</td><td colspan="1"
rowspan="1" class="confluenceTd">Include the JWK key id for signature in the
"kid" header.</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">rs.security.signature.include.cert.sha1</td><td
colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate
SHA-1 digest for signature in the "x5t"
header.</td></tr></tbody></table></div><h2
id="JAX-RSJOSE-Configurationthatappliestoencryptiononly">Configuration that
applies to encryption only</h2><div class="table-wrap"><table
class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>rs.security.decryption.key.password.provider</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>A reference to a
PrivateKeyPasswordProvider instance used to retrieve passwo
rds to access keys for decryption. If this is not specified it falls back to
use "rs.security.key.password.provider".</p></td></tr><tr><td colspan="1"
rowspan="1"
class="confluenceTd">rs.security.encryption.content.algorithm</td><td
colspan="1" rowspan="1" class="confluenceTd">The encryption content algorithm
to use. The default algorithm if not specified is 'A128GCM'.</td></tr><tr><td
colspan="1" rowspan="1"
class="confluenceTd">rs.security.encryption.key.algorithm</td><td colspan="1"
rowspan="1" class="confluenceTd"><p>The encryption key algorithm to use. The
default algorithm if not specified is 'RSA-OAEP' if the key is an RSA key, and
'A128GCMKW' if it is an octet sequence.</p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd">rs.security.encryption.zip.algorithm</td><td
colspan="1" rowspan="1" class="confluenceTd">The encryption zip algorithm to
use.</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">rs.security.encryption.include.public.key</td><td colsp
an="1" rowspan="1" class="confluenceTd">Include the JWK public key
for encryption in the "jwk" header.</td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd">rs.security.encryption.include.cert</td><td
colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate
for encryption in the "x5c" header.</td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd">rs.security.encryption.include.key.id</td><td
colspan="1" rowspan="1" class="confluenceTd">Include the JWK key id
for encryption in the "kid" header.</td></tr><tr><td colspan="1"
rowspan="1"
class="confluenceTd">rs.security.encryption.include.cert.sha1</td><td
colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate
SHA-1 digest for encryption in the "x5t"
header.</td></tr></tbody></table></div><h2
id="JAX-RSJOSE-ConfigurationthatappliestoJWTtokensonly">Configuration that
applies to JWT tokens only</h2><div class="table-wrap"><table
class="confluenceTable"><tbody><tr><td
colspan="1" rowspan="1"
class="confluenceTd"><p>rs.security.enable.unsigned-jwt.principal</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Whether to allow unsigned JWT
tokens as SecurityContext Principals. The default is
false.</p></td></tr></tbody></table></div><h1
id="JAX-RSJOSE-Interoperability">Interoperability</h1><p> </p><p><a
shape="rect" class="external-link"
href="https://datatracker.ietf.org/wg/jose/documents/" rel="nofollow">JOSE</a>
is already widely supported in OAuth2 and OIDC applications. Besides that CXF
JOSE client or server will interoperate with a 3rd party client/server able to
produce or consume JWS/JWE sequences.  For example, see a <a shape="rect"
class="external-link" href="https://www.w3.org/TR/WebCryptoAPI/#jose"
rel="nofollow">WebCrypto API use case</a> and  <a shape="rect"
class="external-link" href="https://mobilepki.org/WCPPSignatureDemo/home"
rel="nofollow">the demo</a> which demonstrates how a JWS sequence produced by a
br
owser-hosted script can be validated by a server application capable of
processing JWS, with the demo browser client being tested against a CXF JWS
server too. </p><p> </p><h1
id="JAX-RSJOSE-Third-PartyLibraries">Third-Party Libraries</h1><p><a
shape="rect" class="external-link"
href="https://bitbucket.org/b_c/jose4j/wiki/Home"
rel="nofollow">Jose4J</a></p><p><a shape="rect" class="external-link"
href="http://connect2id.com/products/nimbus-jose-jwt" rel="nofollow">Nimbus
JOSE</a></p><p> </p></div>
+</div></div><p>After loading the properties one can check various property
values (signature algorithm, etc) and use it to create a required
provider.</p><p>The above code needs to be executed in the context of the
current request (in server or client in/out interceptors or server service
code) as it expects the current CXF Message be available in order to deduce
where to load the configuration properties from. However <a shape="rect"
class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java"
rel="nofollow">JwsUtils</a> and <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java"
rel="nofollow">JweUtils</a> provide a number of utility methods for loading
the providers without loading the properties first which can be used when
setting up the c
lient code or when no properties are available in the current request
context.</p><p> </p><p>When the code needs to load the configuration
properties it first looks for the property 'container' file which contains the
specific properties instructing which keys and algorithms need to be used.
Singature or encryption properties for in/out operations can be provided.
 </p><h2 id="JAX-RSJOSE-ConfigurationPropertyContainers">Configuration
Property Containers</h2><h3 id="JAX-RSJOSE-Signature">Signature</h3><div
class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1"
rowspan="1" class="confluenceTd">rs.security.signature.out.properties</td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file
for Compact or JSON signature creation. If not specified then it falls back to
"rs.security.signature.properties".</p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd">rs.security.signature.in.properties</td><td
colspan="1" rowspa
n="1" class="confluenceTd"><p>The signature properties file for Compact or
JSON signature verification. If not specified then it falls back to
"rs.security.signature.properties".</p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd">rs.security.signature.properties</td><td
colspan="1" rowspan="1" class="confluenceTd">The signature properties file for
Compact or JSON signature
creation/verification.</td></tr></tbody></table></div><h3
id="JAX-RSJOSE-Encryption">Encryption</h3><div class="table-wrap"><table
class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1"
class="confluenceTd">rs.security.encryption.out.properties</td><td colspan="1"
rowspan="1" class="confluenceTd"><p>The encryption properties file for Compact
or JSON encryption creation. If not specified then it falls back to
"rs.security.encryption.properties".</p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd">rs.security.encryption.in.properties</td><td
colspan="1" rowspan="1" class="conflue
nceTd"><p>The encryption properties file for Compact or JSON decryption. If
not specified then it falls back to
"rs.security.encryption.properties".</p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd">rs.security.encryption.properties</td><td
colspan="1" rowspan="1" class="confluenceTd">The encryption properties file for
encryption/decryption.</td></tr></tbody></table></div><p>Note that these
property containers can be used for creating/processing JWS and JWE Compact and
JSON sequences. If it is either JWS JSON or JWE JSON and you wish to have more
than one signature or encryption be created then let the property value be a
commas separated list of locations, with each location pointing to a unique
signature or encryption operation property file.</p><p>Once the properties are
loaded the runtime proceeds with initializing JWS/JWE providers accordingly.
The following section lists the properties, some oif them being common and some
- unique to the signature/verification
and encryption/decryption processes.</p><p>Note that one can override some of
the properties, for example, 'rs.security.store' can be set as a dynamic
request property pointing to a preloaded Java KeyStore object.</p><h2
id="JAX-RSJOSE-Configurationthatappliestobothencryptionandsignature">Configuration
that applies to both encryption and signature</h2><div
class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1"
rowspan="1" class="confluenceTd">rs.security.keystore</td><td colspan="1"
rowspan="1" class="confluenceTd">The Java KeyStore Object to use. This
configuration tag is used if you want to pass the KeyStore Object through
dynamically.</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>rs.security.keystore.type</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>The keystore type. Suitable values are
"jks" or "jwk".</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">rs.security.keystore.password</td><td colspan="1" rowspan
="1" class="confluenceTd">The password required to access the
keystore.</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">rs.security.keystore.alias</td><td colspan="1" rowspan="1"
class="confluenceTd"> The keystore alias corresponding to the key to use.
You can append one of the following to this tag to get the alias for more
specific operations:<br clear="none">     - jwe.out<br
clear="none">     - jwe.in<br
clear="none">     - jws.out<br
clear="none">     - jws.in</td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd">rs.security.keystore.aliases</td><td
colspan="1" rowspan="1" class="confluenceTd">The keystore aliases corresponding
to the keys to use, when using the JSON serialization form. You can append one
of the following to this tag to get the alias for more specific operations:<br
clear="none">     - jws.out<br
clear="none">     -
jws.in</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">rs.security.keystore.file</td><td colspan="1" rowspan="1"
class="confluenceTd">The path to the keystore file.</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.key.password</td><td
colspan="1" rowspan="1" class="confluenceTd">The password required to access
the private key (in the keystore).</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">rs.security.key.password.provider</td><td colspan="1"
rowspan="1" class="confluenceTd">A reference to a PrivateKeyPasswordProvider
instance used to retrieve passwords to access keys.</td></tr><tr><td
colspan="1" rowspan="1"
class="confluenceTd">rs.security.accept.public.key</td><td colspan="1"
rowspan="1" class="confluenceTd"><p>Whether to allow using a JWK received in
the header for signature validation. The default is
"false".</p></td></tr></tbody></table></div><h2
id="JAX-RSJOSE-Configurationthatappliestosignatureonly">Configuration that ap
plies to signature only</h2><div class="table-wrap"><table
class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>rs.security.signature.key.password.provider</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>A reference to a
PrivateKeyPasswordProvider instance used to retrieve passwords to access keys
for signature. If this is not specified it falls back to use
"rs.security.key.password.provider".</p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd">rs.security.signature.algorithm</td><td
colspan="1" rowspan="1" class="confluenceTd">The signature algorithm to use.
The default algorithm if not specified is 'RS256'.</td></tr><tr><td colspan="1"
rowspan="1"
class="confluenceTd">rs.security.signature.include.public.key</td><td
colspan="1" rowspan="1" class="confluenceTd">Include the JWK public key for
signature in the "jwk" header.</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">rs.security.signature.include.cert</td><
td colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate
for signature in the "x5c" header.</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">rs.security.signature.include.key.id</td><td colspan="1"
rowspan="1" class="confluenceTd">Include the JWK key id for signature in the
"kid" header.</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">rs.security.signature.include.cert.sha1</td><td
colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate
SHA-1 digest for signature in the "x5t" header.</td></tr><tr><td colspan="1"
rowspan="1"
class="confluenceTd">rs.security.signature.include.cert.sha256</td><td
colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate
SHA-256 digest for signature in the "x5t#S256"
header.</td></tr></tbody></table></div><h2
id="JAX-RSJOSE-Configurationthatappliestoencryptiononly">Configuration that
applies to encryption only</h2><div class="table-wrap"><table
class="confluenceTable"><t
body><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>rs.security.decryption.key.password.provider</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>A reference to a
PrivateKeyPasswordProvider instance used to retrieve passwords to access keys
for decryption. If this is not specified it falls back to use
"rs.security.key.password.provider".</p></td></tr><tr><td colspan="1"
rowspan="1"
class="confluenceTd">rs.security.encryption.content.algorithm</td><td
colspan="1" rowspan="1" class="confluenceTd">The encryption content algorithm
to use. The default algorithm if not specified is 'A128GCM'.</td></tr><tr><td
colspan="1" rowspan="1"
class="confluenceTd">rs.security.encryption.key.algorithm</td><td colspan="1"
rowspan="1" class="confluenceTd"><p>The encryption key algorithm to use. The
default algorithm if not specified is 'RSA-OAEP' if the key is an RSA key,
'ECDH-ES-A128KW'  if the key is an EC key and 'A128GCMKW' if it is an
octet sequence.</p></td></tr><tr><td
colspan="1" rowspan="1"
class="confluenceTd">rs.security.encryption.zip.algorithm</td><td colspan="1"
rowspan="1" class="confluenceTd">The encryption zip algorithm to
use.</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">rs.security.encryption.include.public.key</td><td
colspan="1" rowspan="1" class="confluenceTd">Include the JWK public key
for encryption in the "jwk" header.</td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd">rs.security.encryption.include.cert</td><td
colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate
for encryption in the "x5c" header.</td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd">rs.security.encryption.include.key.id</td><td
colspan="1" rowspan="1" class="confluenceTd">Include the JWK key id
for encryption in the "kid" header.</td></tr><tr><td colspan="1"
rowspan="1"
class="confluenceTd">rs.security.encryption.include.cert.sha1</td><td
colspan="1" rowspan="1" class="confluenceTd">Inclu
de the X.509 certificate SHA-1 digest for encryption in the "x5t"
header.</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">rs.security.encryption.include.cert.sha256</td><td
colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate
SHA-256 digest for encryption in the "x5t#S256"
header.</td></tr></tbody></table></div><h2
id="JAX-RSJOSE-ConfigurationthatappliestoJWTtokensonly">Configuration that
applies to JWT tokens only</h2><div class="table-wrap"><table
class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>rs.security.enable.unsigned-jwt.principal</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Whether to allow unsigned JWT
tokens as SecurityContext Principals. The default is
false.</p></td></tr></tbody></table></div><h1
id="JAX-RSJOSE-Interoperability">Interoperability</h1><p> </p><p><a
shape="rect" class="external-link"
href="https://datatracker.ietf.org/wg/jose/documents/" rel="nofollow">J
OSE</a> is already widely supported in OAuth2 and OIDC applications. Besides
that CXF JOSE client or server will interoperate with a 3rd party client/server
able to produce or consume JWS/JWE sequences.  For example, see a <a
shape="rect" class="external-link"
href="https://www.w3.org/TR/WebCryptoAPI/#jose" rel="nofollow">WebCrypto API
use case</a> and  <a shape="rect" class="external-link"
href="https://mobilepki.org/WCPPSignatureDemo/home" rel="nofollow">the demo</a>
which demonstrates how a JWS sequence produced by a browser-hosted script can
be validated by a server application capable of processing JWS, with the demo
browser client being tested against a CXF JWS server
too. </p><p> </p><h1 id="JAX-RSJOSE-Third-PartyLibraries">Third-Party
Libraries</h1><p><a shape="rect" class="external-link"
href="https://bitbucket.org/b_c/jose4j/wiki/Home"
rel="nofollow">Jose4J</a></p><p><a shape="rect" class="external-link"
href="http://connect2id.com/products/nimbus-jose-
jwt" rel="nofollow">Nimbus JOSE</a></p><p> </p></div>
</div>
<!-- Content -->
</td>
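Review bot: the real changes in this hunk are buried in a whole-body line replacement and should be called out in the log: two new rows, rs.security.signature.include.cert.sha256 and rs.security.encryption.include.cert.sha256, which put the X.509 SHA-256 digest in the "x5t#S256" header, and the new 'ECDH-ES-A128KW' default for EC keys in rs.security.encryption.key.algorithm. Since the body line is being rewritten anyway, the carried-over typos should go with it: "Singature or encryption properties" (signature), "some oif them" (some of them), "commas separated list" (comma-separated list) and "expects the current CXF Message be available" (to be available). The override example "'rs.security.store' can be set as a dynamic request property pointing to a preloaded Java KeyStore object" names a property that appears nowhere in the tables, whose entry for that purpose is rs.security.keystore ("The Java KeyStore Object to use. This configuration tag is used if you want to pass the KeyStore Object through dynamically"); one of the two should be corrected so readers set the key the runtime actually reads. Finally, the export emits the page body as one line, which is why a three-row change shows up as a 195-line replacement; breaking the HTML at block elements would make future diffs of this page reviewable.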