You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by bu...@apache.org on 2016/05/19 13:47:31 UTC
svn commit: r988616 - in /websites/production/cxf/content:
cache/docs.pageCache cache/main.pageCache docs/jax-rs-jose.html
setting-up-eclipse.html
Author: buildbot
Date: Thu May 19 13:47:31 2016
New Revision: 988616
Log:
Production update by buildbot for cxf
Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/cache/main.pageCache
websites/production/cxf/content/docs/jax-rs-jose.html
websites/production/cxf/content/setting-up-eclipse.html
Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.
Modified: websites/production/cxf/content/cache/main.pageCache
==============================================================================
Binary files - no diff available.
Modified: websites/production/cxf/content/docs/jax-rs-jose.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-jose.html (original)
+++ websites/production/cxf/content/docs/jax-rs-jose.html Thu May 19 13:47:31 2016
@@ -119,11 +119,11 @@ Apache CXF -- JAX-RS JOSE
<!-- Content -->
<div class="wiki-content">
<div id="ConfluenceContent"><p> </p><p> </p><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1463662021181 {padding: 0px;}
-div.rbtoc1463662021181 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1463662021181 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1463665618032 {padding: 0px;}
+div.rbtoc1463665618032 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1463665618032 li {margin-left: 0px;padding-left: 0px;}
-/*]]>*/</style></p><div class="toc-macro rbtoc1463662021181">
+/*]]>*/</style></p><div class="toc-macro rbtoc1463665618032">
<ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSJOSE-Introduction">Introduction</a></li><li><a shape="rect" href="#JAX-RSJOSE-MavenDependencies">Maven Dependencies</a></li><li><a shape="rect" href="#JAX-RSJOSE-JavaandJCEPolicy">Java and JCE Policy </a></li><li><a shape="rect" href="#JAX-RSJOSE-JOSEOverviewandImplementation">JOSE Overview and Implementation</a>
<ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSJOSE-JWAAlgorithms">JWA Algorithms</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWKKeys">JWK Keys</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSSignature">JWS Signature</a>
<ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSJOSE-SignatureandVerificationProviders">Signature and Verification Providers</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSCompact">JWS Compact</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSJSON">JWS JSON</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSwithDetachedContent">JWS with Detached Content</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSwithClearPayload">JWS with Clear Payload</a></li></ul>
@@ -183,54 +183,49 @@ assertEquals("NzbLsXh8uDCcd-6MNwXF4W_7no
KeyType keyType = key.getKeyType();
assertEquals(KeyType.RSA, thumbprint);</pre>
</div></div><pre>JsonWebKeys also supports the retrieval of keys by their type (RSA, EC, Octet) and operation (ENCRYPT, SIGN, etc). <br clear="none">Once you have JWK loaded it is typically submitted to JWS or JWE providers.</pre><h2 id="JAX-RSJOSE-JWSSignature">JWS Signature</h2><p><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515" rel="nofollow">JWS</a> (JSON Web Signature) document describes how a document content can be signed. For example, <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515#appendix-A.1" rel="nofollow">Appendix A1</a> shows how the content can be signed with an HMAC key</p><p>CXF ships JWS related classes in <a shape="rect" class="external-link" href="https://github.com/apache/cxf/tree/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws" rel="nofollow">this package</a> and offers a support for all of JWA <a shape="rect" class="external-link" href="https://tools.ietf.o
rg/html/rfc7518#section-3" rel="nofollow">signature algorithms</a>.</p><h3 id="JAX-RSJOSE-SignatureandVerificationProviders">Signature and Verification Providers</h3><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureProvider.java" rel="nofollow">JwsSignatureProvider</a> supports signing the content, <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureVerifier.java" rel="nofollow">JwsSignatureVerifier</a> - validating the signatures.</p><p>Note the signature and verification capabilities are represented by 2 different interfaces - it was done to keep the interfaces minimalistic and have the concerns separated which can be appreciated most in the cases where the code only signs or only validates.</p><p>The following table shows
the algorithms and the corresponding providers (<span class="pl-smi">org.apache.cxf.rs.security.jose.jws</span> package):</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"><strong>Algorithm</strong></td><td colspan="1" rowspan="1" class="confluenceTd"><strong>JWS Header 'alg'</strong></td><td colspan="1" rowspan="1" class="confluenceTd"><strong>JwsSignatureProvider</strong></td><td colspan="1" rowspan="1" class="confluenceTd"><strong>JwsSignatureVerifier</strong></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3.2" rel="nofollow">HMAC</a></td><td colspan="1" rowspan="1" class="confluenceTd">HS256, HS384, HS512</td><td colspan="1" rowspan="1" class="confluenceTd"><p>HmacJwsSignatureProvider</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>HmacJwsSignatureVerifier</p></td></tr><tr><td colspan="1" rowspan="1
" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3.3" rel="nofollow">RSASSA-PKCS1-v1_5</a></td><td colspan="1" rowspan="1" class="confluenceTd">RS256, RS384, RS512</td><td colspan="1" rowspan="1" class="confluenceTd">PrivateKeyJwsSignatureProvider</td><td colspan="1" rowspan="1" class="confluenceTd">PublicKeyJwsSignatureVerifier</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3.4" rel="nofollow">ECDSA</a></td><td colspan="1" rowspan="1" class="confluenceTd">ES256, ES384, ES512</td><td colspan="1" rowspan="1" class="confluenceTd">EcDsaJwsSignatureProvider</td><td colspan="1" rowspan="1" class="confluenceTd">EcDsaJwsSignatureVerifier</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3.5" rel="nofollow">RSASSA-PSS</a></td><td
colspan="1" rowspan="1" class="confluenceTd">PS256, PS384, PS512</td><td colspan="1" rowspan="1" class="confluenceTd">PrivateKeyJwsSignatureProvider</td><td colspan="1" rowspan="1" class="confluenceTd">PublicKeyJwsSignatureVerifier</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3.6" rel="nofollow">None</a></td><td colspan="1" rowspan="1" class="confluenceTd">none</td><td colspan="1" rowspan="1" class="confluenceTd">NoneJwsSignatureProvider</td><td colspan="1" rowspan="1" class="confluenceTd">NoneJwsSignatureVerifier</td></tr></tbody></table></div><p>Either of these providers (except for None) can be initialized with the keys loaded from JWK or Java JKS stores or from the in-memory representations.</p><p>RS256/384/512 algorithms are likely to be used most often at the moment due to existing JKS stores being available everywhere and a relatively easy way of making the public validati
on keys available. 'None' algorithm might be useful when a JWS sequence is subsequently JWE-encrypted or when a 2-way TLS (with client and server certificates) is used.</p><p>Once you have decided which algorithm needs to be supported you can initialize an appropriate pair of JwsSignatureProvider and JwsSignatureVerifier if both signing the data and the verification are needed. If only the signing is needed - select JwsSignatureProvider, only the verification - select JwsSignatureVerifier. The selected providers are submitted directly or indirectly to JWS Compact or JWS JSON producers or consumers.</p><h3 id="JAX-RSJOSE-JWSCompact">JWS Compact</h3><p><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515#section-3.3" rel="nofollow">JWS Compact representation</a> is the most often used JOSE sequence. It is the concatenation of Base64URL-encoded sequence if JWS headers (algorithm and other properties),  Base64URL-encoded sequence of the actual data being
protected and Base64URL-encoded sequence of the signature algorithm output bytes.</p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactProducer.java" rel="nofollow">JwsCompactProducer</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactConsumer.java" rel="nofollow">JwsCompactConsumer</a> offer a support for producing and consuming compact JWS sequences, protecting the data in JSON or non-JSON formats.</p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJwtCompactProducer.java" rel="nofollow">JwsJwtCompactProducer</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/m
aster/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJwtCompactConsumer.java" rel="nofollow">JwsJwtCompactConsumer</a> are their simple extensions which help with processing typed JWT Tokens.</p><p> For example, here is how an <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515#appendix-A.1" rel="nofollow">Appendix A1</a> example can be done in CXF:</p><p> </p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>CXF JWS Compact HMac</b></div><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">// Sign
-// Algorithm properties are set in the headers. In this case JwsHeaders do not have to be directly created
-// (see the next example), JwsCompactProducer will initialize them if needed and set an alorithm by checking
-// JwsSignatureProvider. JwsHeaders need to be initialized directly if not only algorithm but other properties
-// set too
-
-JwsHeaders headers = new JwsHeaders(SignatureAlgorithm.HS256);
-
-// This is the actual data content, JWT in this case, but can be an arbitrary JSON or non-JSON data
-JwtClaims claims = new JwtClaims();
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">JwtClaims claims = new JwtClaims();
claims.setIssuer("joe");
claims.setExpiryTime(1300819380L);
claims.setClaim("http://example.com/is_root", Boolean.TRUE);
JwsCompactProducer jwsProducer = new JwsJwtCompactProducer(claims);
+// Sign
// Load HmacJwsSignatureProvider directly, see the next example for the alternative approach
String jwsSequence = jwsProducer.signWith(new HmacJwsSignatureProvider(ENCODED_MAC_KEY, SignatureAlgorithm.HS256));
-// validate
-JwsJwtCompactConsumer jws = new JwsJwtCompactConsumer(jwsSequence);
+// Validate
+JwsJwtCompactConsumer jwsConsumer = new JwsJwtCompactConsumer(jwsSequence);
// Load HmacJwsSignatureVerifier directly, see the next example for the alternative approach
-assertTrue(jws.verifySignatureWith(new HmacJwsSignatureVerifier(ENCODED_MAC_KEY,
- SignatureAlgorithm.HS256)));
+jwsConsumer.verifySignatureWith(new HmacJwsSignatureVerifier(ENCODED_MAC_KEY, SignatureAlgorithm.HS256)));
+
// Get the data
JwtClaims protectedClaims = jws.getJwtClaims();
</pre>
-</div></div><p>In the above example, the data (JwtToken) is submitted to an instance of JwsCompactProducer (JwsJwtCompactProducer) and signed with an HMac key.</p><p>Here is another example:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>CXF JWS Compact HMac</b></div><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">// Sign
-// Algorithm properties are set in the headers
-JwsHeaders headers = new JwsHeaders(SignatureAlgorithm.HS256);
+</div></div><p>In the above example, the data (JwtToken) is submitted to an instance of JwsCompactProducer (JwsJwtCompactProducer) and signed with an HMac key.</p><p>Here is another example:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>CXF JWS Compact RSA</b></div><div class="codeContent panelContent pdl">
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">JwsCompactProducer jwsProducer = new JwsCompactProducer("Hello World");
-JwsCompactProducer jwsProducer = new JwsJwtCompactProducer(token);
+// Load private RSA key from the JWK Key set stored on the disk
+InputStream is = JsonWebKeyTest.class.getResourceAsStream(fileName);
+JsonWebKeys keySet = JwkUtils.readJwkSet(is);
+JsonWebKey jwkPrivateRsaKey = keySet.getKey("Private RSA Key");
-// Load HmacJwsSignatureProvider directly, see the next example for the alternative approach
-String jwsSequence = jwsProducer.signWith(new HmacJwsSignatureProvider(ENCODED_MAC_KEY, SignatureAlgorithm.HS256));
+// Sign
+String jwsSequence = jwsProducer.signWith(jwkPrivateRsaKey);
-// validate
-JwsJwtCompactConsumer jws = new JwsJwtCompactConsumer(jwsSequence);
+// Validate
+JwsCompactConsumer jwsConsumer = new JwsCompactConsumer(jwsSequence);
+
+// Load Public RSA Key from Java JKS Store
+PublicKey publicRsaKey = CryptoUtils.loadPublicKey(keyStoreLocation, keyStorePassword, keyAlias, KeyStore.getDefaultType());
+
+jws.verifySignatureWith(publicRsaKey);
-// Load HmacJwsSignatureVerifier directly, see the next example for the alternative approach
-assertTrue(jws.verifySignatureWith(new HmacJwsSignatureVerifier(ENCODED_MAC_KEY,
- SignatureAlgorithm.HS256)));
// Get the data
-JwtToken token = jws.getJwtToken();
+String helloWorldString = jwsConsumer.getDecodedJwsPayload();
</pre>
-</div></div><p>In the above example, the data (JwtToken) is submitted to an instance of JwsCompactProducer (JwsJwtCompactProducer) and signed with an HMac key.</p><p> </p><p> </p><p> </p><p> </p><h3 id="JAX-RSJOSE-JWSJSON">JWS JSON</h3><p>While JWS Compact is optimized and represents a concatenation of up to 3 Base64URL values, JWS JSON is an open JSON container, see <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515#appendix-A.6" rel="nofollow">Appendix 6</a>.</p><p>The most interesting feature of JWS JSON is that allows a content be signed for multiple recipients. For example,  the immediate consumer will validate a signature with one key, forward the payload to the next consumer which will also validate the content with another key, etc.  </p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonProd
ucer.java" rel="nofollow">JwsJsonProducer</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonConsumer.java" rel="nofollow">JwsJsonConsumer</a> support producing and consuming JWS JSON sequences.</p><p> </p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>CXF JWS JSON</b></div><div class="codeContent panelContent pdl">
+</div></div><p>In this latest example a plain text sequence is encoded with a private RSA key loaded from the JWK store and validated with a public RSA key loaded from the existing Java JKS store.</p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java" rel="nofollow">JwsUtils</a> utility class has a lot of helper methods to get JWS sequences created and validated.</p><h3 id="JAX-RSJOSE-JWSJSON">JWS JSON</h3><p>While JWS Compact is optimized and represents a concatenation of up to 3 Base64URL values, JWS JSON is an open JSON container, see <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515#appendix-A.6" rel="nofollow">Appendix 6</a>.</p><p>The most interesting feature of JWS JSON is that allows a content be signed for multiple recipients. For example,  the immediate consumer will validate a signature with one key, forwa
rd the payload to the next consumer which will also validate the content with another key, etc.  </p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonProducer.java" rel="nofollow">JwsJsonProducer</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonConsumer.java" rel="nofollow">JwsJsonConsumer</a> support producing and consuming JWS JSON sequences.</p><p> </p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>CXF JWS JSON</b></div><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">JwsJsonProducer producer = new JwsJsonProducer(UNSIGNED_PLAIN_JSON_DOCUMENT);
JwsHeaders headerEntries = new JwsHeaders(SignatureAlgorithm.HS256);
@@ -241,7 +236,9 @@ producer.signWith(new HmacJwsSignaturePr
assertEquals(DUAL_SIGNED_JWS_JSON_DOCUMENT, producer.getJwsJsonSignedDocument());
JwsJsonConsumer consumer = new JwsJsonConsumer(DUAL_SIGNED_DOCUMENT);
-JsonWebKeys jwks = readKeySet("jwkPublicJsonConsumerSet.txt");
+
+// Validate both signatures, see below how to validate and produce
+JsonWebKeys jwks = readKeySet("jwkSet.txt");
List<JwsJsonSignatureEntry> sigEntries = consumer.getSignatureEntries();
assertEquals(2, sigEntries.size());
@@ -253,8 +250,15 @@ assertTrue(sigEntries.get(0).verifySigna
// 2nd signature
String secondKid = (String)sigEntries.get(1).getKeyId();
JsonWebKey secondKey = jwks.getKey(secondKid);
-assertTrue(sigEntries.get(1).verifySignatureWith(secondKey));</pre>
-</div></div><p>   </p><h3 id="JAX-RSJOSE-JWSwithDetachedContent">JWS with Detached Content</h3><h3 id="JAX-RSJOSE-JWSwithClearPayload">JWS with Clear Payload</h3><h2 id="JAX-RSJOSE-JWEEncryption">JWE Encryption</h2><p><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7516" rel="nofollow">JWE</a> (JSON Web Encryption) document describes how a document content, and, when applicable, a content encryption key, can be encrypted. For example, <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7516#appendix-A.1" rel="nofollow">Appendix A1</a> shows how the content can be encrypted with a secret key using AesGcm with the actual content encryption key being encrypted using RSA-OAEP.</p><p>CXF ships JWE related classes in <a shape="rect" class="external-link" href="https://github.com/apache/cxf/tree/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe" rel="nofollow">this package</a> and offers
a support for all of JWA <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-4" rel="nofollow">key encryption</a> and <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-5" rel="nofollow">content encryption</a> algorithms.</p><h3 id="JAX-RSJOSE-KeyandContentEncryptionProviders">Key and Content Encryption Providers</h3><p>JWE Encryption process typically involves a content-encryption key being generated with this key being subsequently encrypted/wrapped with a key known to the consumer. Thus CXF offers the providers for supporting the key-encryption algorithms and providers for supporting the content-encryption algorithms. Direct key encryption (where the content-encryption key is established out of band) is also supported.</p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/KeyEncryptionProv
ider.java" rel="nofollow">KeyEncryptionProvider</a> supports encrypting a content-encryption key, <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/KeyDecryptionProvider.java" rel="nofollow">KeyDecryptionProvider</a> - decrypting it.</p><p>The following table shows the key encryption algorithms and the corresponding providers (<span class="pl-smi">org.apache.cxf.rs.security.jose.jwe</span> package):</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"><strong>Algorithm</strong></td><td colspan="1" rowspan="1" class="confluenceTd"><strong>JWE Header 'alg'</strong></td><td colspan="1" rowspan="1" class="confluenceTd"><strong>KeyEncryptionProvider</strong></td><td colspan="1" rowspan="1" class="confluenceTd"><strong>KeyDecryptionProvider</strong></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd
"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-4.2" rel="nofollow">RSAES-PKCS1-v1_5</a></td><td colspan="1" rowspan="1" class="confluenceTd"><p class="newpage">RSA1_5</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>RSAKeyEncryptionAlgorithm</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>RSAKeyDecryptionAlgorithm</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-4.3" rel="nofollow">RSAES OAEP</a></td><td colspan="1" rowspan="1" class="confluenceTd"><p class="newpage">RSA-OAEP, RSA-OAEP-256</p></td><td colspan="1" rowspan="1" class="confluenceTd">RSAKeyEncryptionAlgorithm</td><td colspan="1" rowspan="1" class="confluenceTd">RSAKeyDecryptionAlgorithm</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-4.4" rel="nofollow"
>AES Key Wrap</a></td><td colspan="1" rowspan="1" class="confluenceTd"><p class="newpage">A128KW, A192KW, A256KW</p></td><td colspan="1" rowspan="1" class="confluenceTd">AesKeyWrapEncryptionAlgorithm</td><td colspan="1" rowspan="1" class="confluenceTd">AesKeyWrapDecryptionAlgorithm</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-4.5" rel="nofollow">Direct</a></td><td colspan="1" rowspan="1" class="confluenceTd">dir</td><td colspan="1" rowspan="1" class="confluenceTd">DirectKeyEncryptionAlgorithm</td><td colspan="1" rowspan="1" class="confluenceTd">DirectKeyDecryptionAlgorithm</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#page-15" rel="nofollow">ECDH-ES Wrap</a></td><td colspan="1" rowspan="1" class="confluenceTd"><p class="newpage">ECDH-ES+A128KW (+A192KW, +256KW)</p></td><td colspan="1"
rowspan="1" class="confluenceTd">EcdhAesWrapKeyEncryptionAlgorithm</td><td colspan="1" rowspan="1" class="confluenceTd">EcdhAesWrapKeyDecryptionAlgorithm</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#page-15" rel="nofollow">ECDH-ES Direct</a></td><td colspan="1" rowspan="1" class="confluenceTd"><p class="newpage">ECDH-ES</p></td><td colspan="1" rowspan="1" class="confluenceTd"><span class="pl-en">EcdhDirectKeyJweEncryption</span></td><td colspan="1" rowspan="1" class="confluenceTd"><span class="pl-en">EcdhDirectKeyJweDecryption</span></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-4.7" rel="nofollow">AES-GCM</a></td><td colspan="1" rowspan="1" class="confluenceTd"><p class="newpage">A128GCMKW, A192GCMKW, A256GCMKW</p></td><td colspan="1" rowspan="1" class="confluenceTd">AesGcmWrapKeyEncr
yptionAlgorithm</td><td colspan="1" rowspan="1" class="confluenceTd">AesGcmWrapKeyDecryptionAlgorithm</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-4.8" rel="nofollow">PBES2</a></td><td colspan="1" rowspan="1" class="confluenceTd"><p class="newpage">PBES2-HS256+A128KW</p><p class="newpage">PBES2-HS384+A192KW</p><p class="newpage">PBES2-HS512+A256KW</p></td><td colspan="1" rowspan="1" class="confluenceTd">PbesHmacAesWrapKeyEncryptionAlgorithm</td><td colspan="1" rowspan="1" class="confluenceTd">PbesHmacAesWrapKeyDecryptionAlgorithm</td></tr></tbody></table></div><p> </p><p>RSA-OAEP algorithms are likely to be used most often at the moment due to existing JKS stores being available everywhere and a relatively easy way of making the public validation keys available.</p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-pa
rent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentEncryptionProvider.java" rel="nofollow">ContentEncryptionProvider</a> supports encrypting a generated content-encryption key, <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentDecryptionProvider.java" rel="nofollow">ContentDecryptionProvider</a> - decrypting it.</p><p>The following table shows the content encryption algorithms and the corresponding providers:</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"><strong>Algorithm</strong></td><td colspan="1" rowspan="1" class="confluenceTd"><strong>JWE Header 'enc'</strong></td><td colspan="1" rowspan="1" class="confluenceTd"><strong>ContentEncryptionProvider</strong></td><td colspan="1" rowspan="1" class="confluenceTd"><strong>ContentDecryptionProvider</strong></td></tr><tr><td co
lspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-5.2" rel="nofollow">AES_CBC_HMAC_SHA2</a></td><td colspan="1" rowspan="1" class="confluenceTd"><p class="newpage">A128CBC-HS256(-HS384, -HS512)</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>AesCbcHmacJweEncryption,</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>AesCbcHmacJweDecryption</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-5.3" rel="nofollow">AES-GCM</a></td><td colspan="1" rowspan="1" class="confluenceTd"><p class="newpage">A128GCM, A92GCM, A256GCM</p></td><td colspan="1" rowspan="1" class="confluenceTd">AesGcmContentEncryptionAlgorithm</td><td colspan="1" rowspan="1" class="confluenceTd">AesGcmContentDecryptionAlgorithm</td></tr></tbody></table></div><p>All of the above providers can be initialized with the keys
loaded from JWK or Java JKS stores or from the in-memory representations.</p><h3 id="JAX-RSJOSE-JWECompact">JWE Compact</h3><p><a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionProvider.java;h=615212b1622abb1c0a8b06a3b5498d8b6199d0cc;hb=HEAD">JweEncryptionProvider</a> supports encrypting the content, <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionProvider.java;h=1f4861a2d78df5514ff74c40330c1a5f5933f47d;hb=HEAD">JweDecryptionProvider</a> - decrypting the content. Encryptors and Decryptors for all of JWE algorithms are shipped.</p><p>Here is the example of doing AES CBC HMAC and AES Key Wrap in CXF:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-botto
m-width: 1px;"><b>CXF Jwe AesWrapAesCbcHMac</b></div><div class="codeContent panelContent pdl">
+assertTrue(sigEntries.get(1).verifySignatureWith(secondKey));
+
+// or if you wish to validate (ex with the firstKey loaded above) and forward it to the next consumer, do:
+JwsSignatureProvider provider = JwsUtils.getSignatureProvider(firstKey);
+String nextJwsJson = consumer.validateAndProduce(Collections.singletonList(provider));
+// use WebClient to post nextJwsJson to the next consumer, with nextJwsJson being nearly identical to the original
+// double-signed JWS JSON signature, minus the signature which was already validated, in this case nextJwsJson will
+// only have a single signature </pre>
+</div></div><p>   </p><p>Does it make sense to use JWS JSON if you do not plan to do multiple signatures ? Indeed, if it is only a single signature then using JWS Compact is a good alternative, likely to be used most often.</p><p>However, even if you do a single signature, you may still want to try JWS JSON because is is easier to observe the individual JWS JSON structure parts when, example, checking the logs or TCP-tracing HTTP requests/responses. This is especially true when we start talking about a clear payload option, see below.</p><h3 id="JAX-RSJOSE-JWSwithDetachedContent">JWS with Detached Content</h3><p><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515#appendix-F" rel="nofollow">JWS with a Detached Content</a> provides a way to integrity-protect some data without actually having these data included in the resulting JWS sequence.</p><p>For example, if the producer and consumer can both access the same shared piece of data, then th
e producer can sign these data, post the JWS sequence (without the data) to the consumer. The consumer will validate this JWS sequence and assert the data have not been modified by the time it has received and started validating the sequence. You fill find JWS Compact and JWS JSON Producer and Consumer providers accepting an optional 'detached' flag in cases were it is required.      </p><h3 id="JAX-RSJOSE-JWSwithClearPayload">JWS with Clear Payload</h3><h2 id="JAX-RSJOSE-JWEEncryption">JWE Encryption</h2><p><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7516" rel="nofollow">JWE</a> (JSON Web Encryption) document describes how a document content, and, when applicable, a content encryption key, can be encrypted. For example, <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7516#appendix-A.1" rel="nofollow">Appendix A1</a> shows how the content can be encrypted with a secret key using AesGcm with the actual content e
ncryption key being encrypted using RSA-OAEP.</p><p>CXF ships JWE related classes in <a shape="rect" class="external-link" href="https://github.com/apache/cxf/tree/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe" rel="nofollow">this package</a> and offers a support for all of JWA <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-4" rel="nofollow">key encryption</a> and <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-5" rel="nofollow">content encryption</a> algorithms.</p><h3 id="JAX-RSJOSE-KeyandContentEncryptionProviders">Key and Content Encryption Providers</h3><p>JWE Encryption process typically involves a content-encryption key being generated with this key being subsequently encrypted/wrapped with a key known to the consumer. Thus CXF offers the providers for supporting the key-encryption algorithms and providers for supporting the content-encryption algorithms
. Direct key encryption (where the content-encryption key is established out of band) is also supported.</p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/KeyEncryptionProvider.java" rel="nofollow">KeyEncryptionProvider</a> supports encrypting a content-encryption key, <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/KeyDecryptionProvider.java" rel="nofollow">KeyDecryptionProvider</a> - decrypting it.</p><p>The following table shows the key encryption algorithms and the corresponding providers (<span class="pl-smi">org.apache.cxf.rs.security.jose.jwe</span> package):</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"><strong>Algorithm</strong></td><td colspan="1" rowspan="1" cla
ss="confluenceTd"><strong>JWE Header 'alg'</strong></td><td colspan="1" rowspan="1" class="confluenceTd"><strong>KeyEncryptionProvider</strong></td><td colspan="1" rowspan="1" class="confluenceTd"><strong>KeyDecryptionProvider</strong></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-4.2" rel="nofollow">RSAES-PKCS1-v1_5</a></td><td colspan="1" rowspan="1" class="confluenceTd"><p class="newpage">RSA1_5</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>RSAKeyEncryptionAlgorithm</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>RSAKeyDecryptionAlgorithm</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-4.3" rel="nofollow">RSAES OAEP</a></td><td colspan="1" rowspan="1" class="confluenceTd"><p class="newpage">RSA-OAEP, RSA-OAEP-256</p></td><td colspan="1" rowspan="1"
class="confluenceTd">RSAKeyEncryptionAlgorithm</td><td colspan="1" rowspan="1" class="confluenceTd">RSAKeyDecryptionAlgorithm</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-4.4" rel="nofollow">AES Key Wrap</a></td><td colspan="1" rowspan="1" class="confluenceTd"><p class="newpage">A128KW, A192KW, A256KW</p></td><td colspan="1" rowspan="1" class="confluenceTd">AesKeyWrapEncryptionAlgorithm</td><td colspan="1" rowspan="1" class="confluenceTd">AesKeyWrapDecryptionAlgorithm</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-4.5" rel="nofollow">Direct</a></td><td colspan="1" rowspan="1" class="confluenceTd">dir</td><td colspan="1" rowspan="1" class="confluenceTd">DirectKeyEncryptionAlgorithm</td><td colspan="1" rowspan="1" class="confluenceTd">DirectKeyDecryptionAlgorithm</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#page-15" rel="nofollow">ECDH-ES Wrap</a></td><td colspan="1" rowspan="1" class="confluenceTd"><p class="newpage">ECDH-ES+A128KW (+A192KW, +256KW)</p></td><td colspan="1" rowspan="1" class="confluenceTd">EcdhAesWrapKeyEncryptionAlgorithm</td><td colspan="1" rowspan="1" class="confluenceTd">EcdhAesWrapKeyDecryptionAlgorithm</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#page-15" rel="nofollow">ECDH-ES Direct</a></td><td colspan="1" rowspan="1" class="confluenceTd"><p class="newpage">ECDH-ES</p></td><td colspan="1" rowspan="1" class="confluenceTd"><span class="pl-en">EcdhDirectKeyJweEncryption</span></td><td colspan="1" rowspan="1" class="confluenceTd"><span class="pl-en">EcdhDirectKeyJweDecryption</span></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a
shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-4.7" rel="nofollow">AES-GCM</a></td><td colspan="1" rowspan="1" class="confluenceTd"><p class="newpage">A128GCMKW, A192GCMKW, A256GCMKW</p></td><td colspan="1" rowspan="1" class="confluenceTd">AesGcmWrapKeyEncryptionAlgorithm</td><td colspan="1" rowspan="1" class="confluenceTd">AesGcmWrapKeyDecryptionAlgorithm</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-4.8" rel="nofollow">PBES2</a></td><td colspan="1" rowspan="1" class="confluenceTd"><p class="newpage">PBES2-HS256+A128KW</p><p class="newpage">PBES2-HS384+A192KW</p><p class="newpage">PBES2-HS512+A256KW</p></td><td colspan="1" rowspan="1" class="confluenceTd">PbesHmacAesWrapKeyEncryptionAlgorithm</td><td colspan="1" rowspan="1" class="confluenceTd">PbesHmacAesWrapKeyDecryptionAlgorithm</td></tr></tbody></table></div><p> </p><p>RSA-OAEP algo
rithms are likely to be used most often at the moment due to existing JKS stores being available everywhere and a relatively easy way of making the public validation keys available.</p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentEncryptionProvider.java" rel="nofollow">ContentEncryptionProvider</a> supports encrypting a generated content-encryption key, <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentDecryptionProvider.java" rel="nofollow">ContentDecryptionProvider</a> - decrypting it.</p><p>The following table shows the content encryption algorithms and the corresponding providers:</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"><strong>Algorithm</strong></t
d><td colspan="1" rowspan="1" class="confluenceTd"><strong>JWE Header 'enc'</strong></td><td colspan="1" rowspan="1" class="confluenceTd"><strong>ContentEncryptionProvider</strong></td><td colspan="1" rowspan="1" class="confluenceTd"><strong>ContentDecryptionProvider</strong></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-5.2" rel="nofollow">AES_CBC_HMAC_SHA2</a></td><td colspan="1" rowspan="1" class="confluenceTd"><p class="newpage">A128CBC-HS256(-HS384, -HS512)</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>AesCbcHmacJweEncryption,</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>AesCbcHmacJweDecryption</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-5.3" rel="nofollow">AES-GCM</a></td><td colspan="1" rowspan="1" class="confluenceTd"><p class="newpage"
>A128GCM, A92GCM, A256GCM</p></td><td colspan="1" rowspan="1" class="confluenceTd">AesGcmContentEncryptionAlgorithm</td><td colspan="1" rowspan="1" class="confluenceTd">AesGcmContentDecryptionAlgorithm</td></tr></tbody></table></div><p>All of the above providers can be initialized with the keys loaded from JWK or Java JKS stores or from the in-memory representations.</p><h3 id="JAX-RSJOSE-JWECompact">JWE Compact</h3><p><a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionProvider.java;h=615212b1622abb1c0a8b06a3b5498d8b6199d0cc;hb=HEAD">JweEncryptionProvider</a> supports encrypting the content, <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionProvider.java;h=1f4861a2d78df5514ff74c40330c1a5f5933f47d;hb=HEAD">JweDecrypti
onProvider</a> - decrypting the content. Encryptors and Decryptors for all of JWE algorithms are shipped.</p><p>Here is the example of doing AES CBC HMAC and AES Key Wrap in CXF:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>CXF Jwe AesWrapAesCbcHMac</b></div><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">final String specPlainText = "Live long and prosper.";
byte[] cekEncryptionKey = Base64UrlUtility.decode(KEY_ENCRYPTION_KEY_A3);
Modified: websites/production/cxf/content/setting-up-eclipse.html
==============================================================================
--- websites/production/cxf/content/setting-up-eclipse.html (original)
+++ websites/production/cxf/content/setting-up-eclipse.html Thu May 19 13:47:31 2016
@@ -108,7 +108,7 @@ Apache CXF -- Setting up Eclipse
<td height="100%">
<!-- Content -->
<div class="wiki-content">
-<div id="ConfluenceContent"><p>Setting up an <a shape="rect" class="external-link" href="http://www.eclipse.org/downloads/" rel="nofollow">Eclipse</a> project to build CXF is pretty easy. There are three parts to it:</p><h3 id="SettingupEclipse-Requiredplugins">Required plugins</h3><p>We use several Eclipse plugins to make building CXF a bit easier</p><ul><li>Checkstyle - we use checkstyle to make sure we have consistent code style as well as to find various types of bugs and other issues. <a shape="rect" class="external-link" href="http://eclipse-cs.sourceforge.net/update" rel="nofollow">http://eclipse-cs.sourceforge.net/update</a></li><li>PMD - like Checkstyle, we use PMD to find potential programming problems in the code. Point the Eclipse auto-install thing at <a shape="rect" class="external-link" href="http://sourceforge.net/projects/pmd/files/pmd-eclipse/update-site/" rel="nofollow">http://sourceforge.net/projects/pmd/files/pmd-eclipse/update-site/</a></li><li>Subversion plugi
ns - there are a couple of these to enable Subversion checkins/checkouts from within eclipse: <a shape="rect" class="external-link" href="http://subclipse.tigris.org/update_1.4.x" rel="nofollow">http://subclipse.tigris.org/update_1.4.x</a></li></ul><p> </p><div class="panel" style="border-width: 1px;"><div class="panelContent">
+<div id="ConfluenceContent"><p>Setting up an <a shape="rect" class="external-link" href="http://www.eclipse.org/downloads/" rel="nofollow">Eclipse</a> project to build CXF is pretty easy. There are three parts to it:</p><h3 id="SettingupEclipse-Requiredplugins">Required plugins</h3><p>We use several Eclipse plugins to make building CXF a bit easier</p><ul><li>Checkstyle - we use checkstyle to make sure we have consistent code style as well as to find various types of bugs and other issues. <a shape="rect" class="external-link" href="http://eclipse-cs.sourceforge.net/update" rel="nofollow">http://eclipse-cs.sourceforge.net/update</a></li><li>PMD - like Checkstyle, we use PMD to find potential programming problems in the code. Point the Eclipse auto-install thing at <a shape="rect" class="external-link" href="http://sourceforge.net/projects/pmd/files/pmd-eclipse/update-site/" rel="nofollow">http://sourceforge.net/projects/pmd/files/pmd-eclipse/update-site/</a><br clear="none"><br clea
r="none"></li></ul><div class="panel" style="border-width: 1px;"><div class="panelContent">
<p><img class="emoticon emoticon-information" src="https://cwiki.apache.org/confluence/s/en_GB/5982/f2b47fb3d636c8bc9fd0b11c0ec6d0ae18646be7.1/_/images/icons/emoticons/information.png" data-emoticon-name="information" alt="(info)"> While there exist Maven plug-ins for Eclipse, team developer experience has found using them with CXF <a shape="rect" class="external-link" href="http://cxf.547215.n5.nabble.com/Using-the-Eclipse-Maven-plugin-for-CXF-tp575175p575176.html" rel="nofollow">problematic</a> at best. We recommend importing the CXF source code as Eclipse projects as shown below and/or using Maven externally (i.e., from a command-line window) as discussed on the <a shape="rect" href="building.html">CXF build</a> page.</p>
</div></div><h4 id="SettingupEclipse-Toinstalltheplugins:">To install the plugins:</h4><ul><li><p>Go to</p><div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent">
<pre>Help -> Install New Software -> Install