You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by bu...@apache.org on 2016/05/17 13:47:44 UTC
svn commit: r988458 - in /websites/production/cxf/content:
cache/docs.pageCache docs/jax-rs-jose.html
Author: buildbot
Date: Tue May 17 13:47:44 2016
New Revision: 988458
Log:
Production update by buildbot for cxf
Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/jax-rs-jose.html
Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.
Modified: websites/production/cxf/content/docs/jax-rs-jose.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-jose.html (original)
+++ websites/production/cxf/content/docs/jax-rs-jose.html Tue May 17 13:47:44 2016
@@ -118,24 +118,33 @@ Apache CXF -- JAX-RS JOSE
<!-- Content -->
<div class="wiki-content">
<div id="ConfluenceContent"><p> </p><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1456940821369 {padding: 0px;}
-div.rbtoc1456940821369 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1456940821369 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1463492823881 {padding: 0px;}
+div.rbtoc1463492823881 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1463492823881 li {margin-left: 0px;padding-left: 0px;}
-/*]]>*/</style></p><div class="toc-macro rbtoc1456940821369">
-<ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSJOSE-Introduction">Introduction</a></li><li><a shape="rect" href="#JAX-RSJOSE-MavenDependencies">Maven Dependencies</a></li><li><a shape="rect" href="#JAX-RSJOSE-JOSEOverview">JOSE Overview</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWAAlgorithms">JWA Algorithms</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWKKeys">JWK Keys</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSSignature">JWS Signature</a></li><li><a shape="rect" href="#JAX-RSJOSE-JSONEncryption">JSON Encryption</a></li><li><a shape="rect" href="#JAX-RSJOSE-JSONWebTokens">JSON Web Tokens</a></li><li><a shape="rect" href="#JAX-RSJOSE-LinkingJWTauthenticationstoJWSorJWEcontent">Linking JWT authentications to JWS or JWE content</a></li><li><a shape="rect" href="#JAX-RSJOSE-JOSEJAX-RSFilters">JOSE JAX-RS Filters</a>
+/*]]>*/</style></p><div class="toc-macro rbtoc1463492823881">
+<ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSJOSE-Introduction">Introduction</a></li><li><a shape="rect" href="#JAX-RSJOSE-MavenDependencies">Maven Dependencies</a></li><li><a shape="rect" href="#JAX-RSJOSE-JOSEOverview">JOSE Overview</a>
+<ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSJOSE-JWAAlgorithms">JWA Algorithms</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWKKeys">JWK Keys</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSSignature">JWS Signature</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWEEncryption">JWE Encryption</a></li><li><a shape="rect" href="#JAX-RSJOSE-JSONWebTokens">JSON Web Tokens</a></li></ul>
+</li><li><a shape="rect" href="#JAX-RSJOSE-LinkingJWTauthenticationstoJWSorJWEcontent">Linking JWT authentications to JWS or JWE content</a></li><li><a shape="rect" href="#JAX-RSJOSE-JOSEJAX-RSFilters">JOSE JAX-RS Filters</a>
<ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSJOSE-JWE">JWE</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWS">JWS</a></li></ul>
</li><li><a shape="rect" href="#JAX-RSJOSE-Configuration">Configuration</a>
<ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSJOSE-Configurationthatappliestobothencryptionandsignature">Configuration that applies to both encryption and signature</a></li><li><a shape="rect" href="#JAX-RSJOSE-Configurationthatappliestosignatureonly">Configuration that applies to signature only</a></li><li><a shape="rect" href="#JAX-RSJOSE-Configurationthatappliestoencryptiononly">Configuration that applies to encryption only</a></li><li><a shape="rect" href="#JAX-RSJOSE-ConfigurationthatappliestoJWTtokensonly">Configuration that applies to JWT tokens only</a></li></ul>
</li><li><a shape="rect" href="#JAX-RSJOSE-EncryptingJWKstores">Encrypting JWK stores</a></li><li><a shape="rect" href="#JAX-RSJOSE-OAuth2andJose">OAuth2 and Jose</a></li><li><a shape="rect" href="#JAX-RSJOSE-OIDCandJose">OIDC and Jose</a></li><li><a shape="rect" href="#JAX-RSJOSE-FutureWork">Future Work</a></li><li><a shape="rect" href="#JAX-RSJOSE-Third-PartyAlternatives">Third-Party Alternatives</a></li></ul>
-</div><h1 id="JAX-RSJOSE-Introduction">Introduction</h1><p>CXF 3.0.x implements <a shape="rect" class="external-link" href="https://datatracker.ietf.org/wg/jose/documents/" rel="nofollow">JOSE</a>.</p><h1 id="JAX-RSJOSE-MavenDependencies">Maven Dependencies</h1><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</div><h1 id="JAX-RSJOSE-Introduction">Introduction</h1><p><a shape="rect" class="external-link" href="https://datatracker.ietf.org/wg/jose/documents/" rel="nofollow">JOSE</a> is a set of high quality specifications that specify how data payloads can be signed/validated and/or encrypted/decrypted with the cryptographic properties set in the JSON-formatted metadata (headers). The data to be secured can be in JSON or some other format (plain text, XML, binary data).</p><p><a shape="rect" class="external-link" href="https://datatracker.ietf.org/wg/jose/documents/" rel="nofollow">JOSE</a> is a key piece of the advanced OAuth2-based applications such as OpenIdConnect but can also be successfully used for securing the regular HTTP web service communications.</p><p>CXF 3.1.x and 3.2.0 provides a complete implementation of <a shape="rect" class="external-link" href="https://datatracker.ietf.org/wg/jose/documents/" rel="nofollow">JOSE</a>.</p><h1 id="JAX-RSJOSE-MavenDependencies">M
aven Dependencies</h1><p> </p><p>Having the following dependency will let the developers write JOSE code: creating and securing JSON Web Tokens (JWT), and securing the arbitrary data (not only JSON)</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;"><dependency>
<groupId>org.apache.cxf</groupId>
<artifactId>cxf-rt-rs-security-jose</artifactId>
- <version>3.0.4</version>
+ <version>3.1.7</version>
</dependency>
</pre>
-</div></div><p> </p><h1 id="JAX-RSJOSE-JOSEOverview">JOSE Overview</h1><p>JOSE is a set of high quality specifications that specify how data payloads can be signed and/or encrypted with the cryptographic properties set in JSON-formatted metadata (headers).</p><p>Note that not only JSON documents but also documents in the arbitrary formats can be secured: text, binary data, even XML.</p><p> </p><p>JOSE is a key piece of the advanced OAuth2 applications but is also perfect at securing the regular HTTP web service communications.</p><p> </p><p>At the moment two signature and encryption output formats are supported: compact and JSON.</p><p> </p><p>Compact format is a concatenation of Base64URL-encoded JOSE headers (where the cryptographic signature or encryption properties are set),</p><p>Base64URL-encoded payload (in the original form if it is signed, otherwise - encrypted), plus Base64URL-encoded signature of the payload or some of encryption process input or outpu
t data</p><p>such as an initialization vector, authentication tag, etc.</p><p> </p><p>The JSON (full) format is where all the information describing a signature or encryption process is presented in a not-compact, regular JSON document, offering a non-optimized but easier to understand format.</p><p>The JSON format also supports multiple signatures when signing the content or multiple content key encryptions when encrypting the content which can be useful when multiple recipients are involved.</p><p>The signature process also supports the detached body mode where the body to be signed is not included in the actual output - assuming that both the consumer and producer know how to access the original payload in order to</p><p>validate the signature.</p><p> </p><p>The following subsections will have the examples with more details.</p><h1 id="JAX-RSJOSE-JWAAlgorithms">JWA Algorithms</h1><p>All JOSE signature and encryption algorithms are grouped and described in a <a shape="re
ct" class="external-link" href="https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40" rel="nofollow">JSON Web Algorithms</a> (JWA) specification.</p><p>The algorithms are split into 3 categories: signature algorithms (MAC, RSA, Elliptic Curve), algorithms for supporting the encryption of content encryption keys (RSA-OAEP, Key Wrap, etc),</p><p>algorithms for encrypting the actual content (AES GCM, etc).</p><p>All encryption algorithms produce authentication tags which provides the protection against manipulating the already encrypted content.</p><p>Refer to this specification to get all the information needed (with the follow up links to the corresponding RFC when applicable) about a particular signature or encryption</p><p>algorithm: the properties, recommended key sizes, other security considerations related to all of or some specific algorithms.</p><p>CXF offers the initial utility support for working with JWA algorithms in <a shape="rect" class="external-link" href
="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwa;h=c2b9c5466de8f4b3ad1ea9270c1bc00f07fce862;hb=HEAD">this package</a>.</p><h1 id="JAX-RSJOSE-JWKKeys">JWK Keys</h1><p> </p><p><a shape="rect" class="external-link" href="https://tools.ietf.org/html/draft-ietf-jose-json-web-key-41" rel="nofollow">Json Web Key</a> (JWK) is a JSON document describing the cryptographic key properties. JWKs are very flexible and light-weight (in most cases) and one can expect JWKs becoming one of the major</p><p>mechanisms for representing and storing cryptographic keys. What is important is that one does not have to use a JWK in order to sign or encrypt the document, working directly with Java JCA secret and asymmetric key</p><p>representations is sufficient but JWK is a first class citizen in JOSE with all of JOSE examples using JWK representations.</p><p>CXF offers a utility support for reading and writing JWK keys and
key sets and for working with the encrypted inlined and standalone JWK stores in <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk;h=0d47d676fbb333db265f12f57f25c3d8240872ba;hb=HEAD">this package</a>.</p><p>Note that JWK keys can be set as JWS or JWE header properties, example, in order to provide a recipient with the representation of a public key used to create a signature.</p><h1 id="JAX-RSJOSE-JWSSignature">JWS Signature</h1><p><a shape="rect" class="external-link" href="https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-41" rel="nofollow">JSON Web Signature</a> (JWS) document describes how a document content can be signed. For example, <a shape="rect" class="external-link" href="https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-41#appendix-A.1" rel="nofollow">Appendix A1</a> shows how the content can be signed with a MAC key.</p><p
>Here is one of the ways you can do it in CXF, where a Json Web Token (JWT, see one of the next sections) is signed by a MAC key:<br clear="none"> </p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>CXF JWS HMac</b></div><div class="codeContent panelContent pdl">
+</div></div><p> </p><p>Having the following dependency will let the developers use JAX-RS JOSE filters which will transparently sign and/or encrypt the data streams, and decrypt or/and validate the incoming JOSE sequences and make the original data available for the processing.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;"><dependency>
+ <groupId>org.apache.cxf</groupId>
+ <artifactId>cxf-rt-rs-security-jose-jaxrs</artifactId>
+ <version>3.1.7</version>
+</dependency>
+</pre>
+</div></div><pre> </pre><h1 id="JAX-RSJOSE-JOSEOverview">JOSE Overview</h1><p>JOSE consists of the following key parts:</p><ul><li><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518" rel="nofollow">JWA</a> - JSON Web Algorithms where all supported signature and encryption algorithms are listed</li><li><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7517" rel="nofollow">JWK</a> - JSON Web Keys - introduces a JSON format for describing the public and private keys used by JWA algorithms</li><li><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515" rel="nofollow">JWS</a> - JSON Web Signature - describes how the data can be signed or validated and introduces compact and JSON JWS formats for representing the signed data</li><li><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7516" rel="nofollow">JWE</a> - JSON Web Encryption - describes how the data can be encrypted or decryp
ted and introduces compact and JSON JWE formats for representing the encrypted data  </li></ul><p>Additionally, <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7519" rel="nofollow">JWT</a> (JSON Web Token), while technically not part of JOSE, is often used as an input material to JWS and JWE processors, especially in OAuth2 flows (example: OAuth2 access tokens can be represented internally as JWT, OpenIdConnect IdToken and UserInfo are effectively JWTs). <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7519" rel="nofollow">JWT</a> describes how a set of claims in a JSON format can be either JWS-signed or JWE-enctypted. </p><h2 id="JAX-RSJOSE-JWAAlgorithms">JWA Algorithms</h2><p>All JOSE signature and encryption algorithms are grouped and described in <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518" rel="nofollow">JSON Web Algorithms</a> (JWA) specification.</p><p>The algorithms are sp
lit into 3 categories: signature algorithms (MAC, RS, ES), algorithms for supporting the encryption of content encryption keys (RSA-OAEP, Aes Key Wrap, etc),</p><p>and algorithms for encrypting the actual content (AES GCM, etc).</p><p>All encryption algorithms produce authentication tags which provide the protection against manipulating the already encrypted content.</p><p>Please refer to this specification to get all the information needed (with the follow up links to the corresponding RFC when applicable) about a particular signature or encryption</p><p>algorithm: the properties, recommended key sizes, other security considerations related to all of or some specific algorithms.</p><p>CXF offers the utility support for working with JWA algorithms in <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwa;h=c2b9c5466de8f4b3ad1ea9270c1bc00f07fce862;hb=HEAD">this packag
e</a>.</p><h2 id="JAX-RSJOSE-JWKKeys">JWK Keys</h2><p> </p><p><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7517" rel="nofollow">JSON Web Key</a> (JWK) is a JSON document describing the cryptographic key properties. JWKs are very flexible and light-weight (in most cases) and one can expect JWKs becoming one of the major mechanisms for representing and storing cryptographic keys. What is important is that one does not have to use a JWK in order to sign or encrypt the document, working directly with Java JCA secret and asymmetric key representations is sufficient but JWK is a first class citizen in JOSE with all of JOSE examples using JWK representations.</p><p>Here is</p><p>CXF offers a utility support for reading and writing JWK keys and key sets and for working with the encrypted inlined and standalone JWK stores in <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/ja
va/org/apache/cxf/rs/security/jose/jwk;h=0d47d676fbb333db265f12f57f25c3d8240872ba;hb=HEAD">this package</a>. Support for the pluggable strategies for loading JWKs is on the map.</p><h2 id="JAX-RSJOSE-JWSSignature">JWS Signature</h2><p><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515" rel="nofollow">JSON Web Signature</a> (JWS) document describes how a document content can be signed. For example, <a shape="rect" class="external-link" href="https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-41#appendix-A.1" rel="nofollow">Appendix A1</a> shows how the content can be signed with a MAC key.</p><p>Here is one of the ways you can do it in CXF, where a Json Web Token (JWT, see one of the next sections) is signed by a MAC key:<br clear="none"> </p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>CXF JWS HMac</b></div><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">// sign
JoseHeaders headers = new JoseHeaders();
headers.setAlgorithm(SignatureAlgorithm.HS256.getJwaName());
@@ -159,7 +168,7 @@ JwtToken token = jws.getJwtToken();
JoseHeaders headers = token.getHeaders();
assertEquals(SignatureAlgorithm.HS256.getJwaName(), headers.getAlgorithm());
validateClaims(token.getClaims());</pre>
-</div></div><p> </p><p>CXF ships JWS related classes in <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws;h=46610253c8a71916e1955019ea1b01215a7745e6;hb=HEAD">this package</a> and offers a support for all of JWA signature algorithms.</p><p><a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureProvider.java;h=9ca48cb2a3b534124f6bdb793a9b0dfa3b6890c5;hb=HEAD">JwsSignatureProvider</a> supports signing the content, <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureVerifier.java;h=26f9597ddb216675cbb7ba24bcb1281c13001041;hb=HEAD">JwsSignatureVerifier</a> - validating the signatures. Providers and verif
iers supporting RSA, HMac and Elliptic Curve signature algorithms are shipped.</p><p>JwsCompactConsumer and JwsCompactProducer offer a utility support for creating and validating JWS compact serialization and accept keys in a variety of formats</p><p>(as JWKs, JCA representations, created out of band and wrapped in either JwsSignatureProvider or JwsSignatureVerifier).</p><p>JwsJwtCompactConsumer and JwsJwtCompactProducer are JwsCompactConsumer and JwsCompactProducer specializations that offer a utility support for signing Json Web Tokens in a compact format.</p><p>JwsJsonConsumer and JwsJsonProducer support JWS JSON (full) serialization.</p><p>JwsOutputStream and JwsJsonOutputStream are specialized output streams that can be used in conjunction with JWS JAX-RS filters (see one of the next sections)</p><p>to support the best effort at streaming the content while signing it.  These classes will use <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/rep
os/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignature.java;h=778b5cb38fd6951bcc06a2a226a057ec3d07d4ef;hb=HEAD">JwsSignature</a>  optionally returned from JwsSignatureProvider</p><p>instead of working with the consumer utility classes which deal with the signature process completely in memory.</p><p> </p><p>Many more examples will be added here.</p><h1 id="JAX-RSJOSE-JSONEncryption">JSON Encryption</h1><p><a shape="rect" class="external-link" href="https://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-40" rel="nofollow">JSON Web Signature</a> (JWE) document describes how a document content, and, when applicable, a content encryption key, can be encrypted. For example, <a shape="rect" class="external-link" href="https://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-40#appendix-A.1" rel="nofollow">Appendix A1</a> shows how the content can be encrypted</p><p>with a secret key using Aes Gcm with the actu
al content encryption key encrypted/wrapped using RSA-OAEP.</p><p>Here is the example for doing Aes Cbc HMac and Aes Key Wrap in CXF:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>CXF Jwe AesWrapAesCbcHMac</b></div><div class="codeContent panelContent pdl">
+</div></div><p> </p><p>CXF ships JWS related classes in <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws;h=46610253c8a71916e1955019ea1b01215a7745e6;hb=HEAD">this package</a> and offers a support for all of JWA signature algorithms.</p><p><a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureProvider.java;h=9ca48cb2a3b534124f6bdb793a9b0dfa3b6890c5;hb=HEAD">JwsSignatureProvider</a> supports signing the content, <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureVerifier.java;h=26f9597ddb216675cbb7ba24bcb1281c13001041;hb=HEAD">JwsSignatureVerifier</a> - validating the signatures. Providers and verif
iers supporting RSA, HMac and Elliptic Curve signature algorithms are shipped.</p><p>JwsCompactConsumer and JwsCompactProducer offer a utility support for creating and validating JWS compact serialization and accept keys in a variety of formats</p><p>(as JWKs, JCA representations, created out of band and wrapped in either JwsSignatureProvider or JwsSignatureVerifier).</p><p>JwsJwtCompactConsumer and JwsJwtCompactProducer are JwsCompactConsumer and JwsCompactProducer specializations that offer a utility support for signing Json Web Tokens in a compact format.</p><p>JwsJsonConsumer and JwsJsonProducer support JWS JSON (full) serialization.</p><p>JwsOutputStream and JwsJsonOutputStream are specialized output streams that can be used in conjunction with JWS JAX-RS filters (see one of the next sections)</p><p>to support the best effort at streaming the content while signing it.  These classes will use <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/rep
os/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignature.java;h=778b5cb38fd6951bcc06a2a226a057ec3d07d4ef;hb=HEAD">JwsSignature</a>  optionally returned from JwsSignatureProvider</p><p>instead of working with the consumer utility classes which deal with the signature process completely in memory.</p><p> </p><p>Many more examples will be added here.</p><h2 id="JAX-RSJOSE-JWEEncryption">JWE Encryption</h2><p><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7516" rel="nofollow">JSON Web Signature</a> (JWE) document describes how a document content, and, when applicable, a content encryption key, can be encrypted. For example, <a shape="rect" class="external-link" href="https://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-40#appendix-A.1" rel="nofollow">Appendix A1</a> shows how the content can be encrypted</p><p>with a secret key using Aes Gcm with the actual content encryption key encrypt
ed/wrapped using RSA-OAEP.</p><p>Here is the example for doing Aes Cbc HMac and Aes Key Wrap in CXF:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>CXF Jwe AesWrapAesCbcHMac</b></div><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">final String specPlainText = "Live long and prosper.";
byte[] cekEncryptionKey = Base64UrlUtility.decode(KEY_ENCRYPTION_KEY_A3);
@@ -176,7 +185,7 @@ AesWrapKeyDecryptionAlgorithm keyDecrypt
JweDecryptionProvider decryption = new AesCbcHmacJweDecryption(keyDecryption);
String decryptedText = decryption.decrypt(jweContent).getContentText();
assertEquals(specPlainText, decryptedText);</pre>
-</div></div><p> </p><p>CXF ships JWE related classes in <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe;h=71e0e29025252080838168458b3d2e0179a7a0bd;hb=HEAD">this package</a> and offers a support for all of JWA encryption algorithms.</p><p><a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionProvider.java;h=615212b1622abb1c0a8b06a3b5498d8b6199d0cc;hb=HEAD">JweEncryptionProvider</a> supports encrypting the content, <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionProvider.java;h=1f4861a2d78df5514ff74c40330c1a5f5933f47d;hb=HEAD">JweDecryptionProvider</a> - decrypting the content. Encryptors and
Decryptors for all of JWE algorithms are shipped.</p><p>JweCompactConsumer and JweCompactProducer offer a utility support for creating and validating JWE compact serialization and accept keys in a variety of formats</p><p>(as JWKs, JCA representations, created out of band and wrapped in either JweEncryptionProvider or JweDecryptionProvider).</p><p>JweJwtCompactConsumer and JweJwtCompactProducer are JweCompactConsumer and JweCompactProducer specializations that offer a utility support for encrypting Json Web Tokens in a compact format.</p><p>JweJsonConsumer and JweJsonProducer support JWE JSON (full) serialization.</p><p>JweOutputStream is a specialized output stream that can be used in conjunction with JWE JAX-RS filters (see one of the next sections)</p><p>to support the best effort at streaming the content while encrypting it.  These classes will use <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src
/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionOutput.java;h=918ef5a085c3dc51025e2e9cbba37388f37eb49e;hb=HEAD">JweEncryptionOutput</a>  optionally returned from JweEncryptionProvider</p><p>instead of working with the consumer utility classes which deal with the encryption process completely in memory.</p><p> </p><p>Many more examples will be added here.</p><h1 id="JAX-RSJOSE-JSONWebTokens">JSON Web Tokens</h1><p> </p><p><a shape="rect" class="external-link" href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32" rel="nofollow">JSON Web Token</a> (JWT) is a collection of claims in JSON format. It offers a standard JSON container for representing various properties or claims.</p><p>JWT can be signed and or encrypted, i.e, serve as a JOSE signature or encryption input like any other data structure.</p><p> </p><p>JWT has been primarily used in OAuth2 applications to represent self-contained access tokens but can also be used in other contex
ts.</p><p>CXF offers an initial JWT support in <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt;h=ab5e633cd9d81374288c46c7d283df49931cc0d8;hb=HEAD">this package</a>.</p><h1 id="JAX-RSJOSE-LinkingJWTauthenticationstoJWSorJWEcontent">Linking JWT authentications to JWS or JWE content</h1><p>Add more...</p><h1 id="JAX-RSJOSE-JOSEJAX-RSFilters">JOSE JAX-RS Filters</h1><h2 id="JAX-RSJOSE-JWE">JWE</h2><h2 id="JAX-RSJOSE-JWS">JWS</h2><h1 id="JAX-RSJOSE-Configuration">Configuration</h1><h4 id="JAX-RSJOSE-Configurationthatappliestobothencryptionandsignature">Configuration that applies to both encryption and signature</h4><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore</td><td colspan="1" rowspan="1" class="confluenceTd">The Java KeyStore Object to use. This configuration tag is used i
f you want to pass the KeyStore Object through dynamically.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>rs.security.keystore.type</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The keystore type. Suitable values are "jks" or "jwk".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore.password</td><td colspan="1" rowspan="1" class="confluenceTd">The password required to access the keystore.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore.alias</td><td colspan="1" rowspan="1" class="confluenceTd"> The keystore alias corresponding to the key to use. You can append one of the following to this tag to get the alias for more specific operations:<br clear="none">     - jwe.out<br clear="none">     - jwe.in<br clear="none">     - jws.out<br clear="none">     - jws.in</td></tr><tr><td colspan="1" rowspan="1
" class="confluenceTd">rs.security.keystore.aliases</td><td colspan="1" rowspan="1" class="confluenceTd">The keystore aliases corresponding to the keys to use, when using the JSON serialization form. You can append one of the following to this tag to get the alias for more specific operations:<br clear="none">     - jws.out<br clear="none">     - jws.in</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore.file</td><td colspan="1" rowspan="1" class="confluenceTd">The path to the keystore file.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.key.password</td><td colspan="1" rowspan="1" class="confluenceTd">The password required to access the private key (in the keystore).</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.key.password.provider</td><td colspan="1" rowspan="1" class="confluenceTd">A reference to a PrivateKeyPasswordProvider instance used to retrieve pas
swords to access keys.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.accept.public.key</td><td colspan="1" rowspan="1" class="confluenceTd"><p>Whether to allow using a JWK received in the header for signature validation. The default is "false".</p></td></tr></tbody></table></div><h4 id="JAX-RSJOSE-Configurationthatappliestosignatureonly">Configuration that applies to signature only</h4><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>rs.security.signature.key.password.provider</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>A reference to a PrivateKeyPasswordProvider instance used to retrieve passwords to access keys for signature. If this is not specified it falls back to use "rs.security.key.password.provider".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.algorithm</td><td colspan="1" rowspan="1" class="confluenceTd">The signature
algorithm to use. The default algorithm if not specified is 'RS256'.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.out.properties</td><td colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file for compact signature creation. If not specified then it falls back to "rs.security.signature.properties".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.in.properties</td><td colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file for compact signature verification. If not specified then it falls back to "rs.security.signature.properties".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.properties</td><td colspan="1" rowspan="1" class="confluenceTd">The signature properties file for compact signature creation/verification.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.include.public.key</td><td
colspan="1" rowspan="1" class="confluenceTd">Include the JWK public key for signature in the "jwk" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.include.cert</td><td colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate for signature in the "x5c" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.include.key.id</td><td colspan="1" rowspan="1" class="confluenceTd">Include the JWK key id for signature in the "kid" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.include.cert.sha1</td><td colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate SHA-1 digest for signature in the "x5t" header.</td></tr></tbody></table></div><h4 id="JAX-RSJOSE-Configurationthatappliestoencryptiononly">Configuration that applies to encryption only</h4><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" rowspan
="1" class="confluenceTd"><p>rs.security.decryption.key.password.provider</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>A reference to a PrivateKeyPasswordProvider instance used to retrieve passwords to access keys for decryption. If this is not specified it falls back to use "rs.security.key.password.provider".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.content.algorithm</td><td colspan="1" rowspan="1" class="confluenceTd">The encryption content algorithm to use. The default algorithm if not specified is 'A128GCM'.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.key.algorithm</td><td colspan="1" rowspan="1" class="confluenceTd"><p>The encryption key algorithm to use. The default algorithm if not specified is 'RSA-OAEP' if the key is an RSA key, and 'A128GCMKW' if it is an octet sequence.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.zip.algorit
hm</td><td colspan="1" rowspan="1" class="confluenceTd">The encryption zip algorithm to use.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.out.properties</td><td colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file for encryption creation. If not specified then it falls back to "rs.security.encryption.properties".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.in.properties</td><td colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file for decryption. If not specified then it falls back to "rs.security.encryption.properties".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.properties</td><td colspan="1" rowspan="1" class="confluenceTd">The signature properties file for encryption/decryption.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.include.public.key</td><td colspan="1" ro
wspan="1" class="confluenceTd">Include the JWK public key for encryption in the "jwk" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.include.cert</td><td colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate for encryption in the "x5c" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.include.key.id</td><td colspan="1" rowspan="1" class="confluenceTd">Include the JWK key id for encryption in the "kid" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.include.cert.sha1</td><td colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate SHA-1 digest for encryption in the "x5t" header.</td></tr></tbody></table></div><h4 id="JAX-RSJOSE-ConfigurationthatappliestoJWTtokensonly">Configuration that applies to JWT tokens only</h4><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan=
"1" rowspan="1" class="confluenceTd"><p>rs.security.enable.unsigned-jwt.principal</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Whether to allow unsigned JWT tokens as SecurityContext Principals. The default is false.</p></td></tr></tbody></table></div><h1 id="JAX-RSJOSE-EncryptingJWKstores">Encrypting JWK stores</h1><p>JAX-RS filters can read the keys from encrypted JWK stores. The stores are encrypted inline or in separate storages (files). By default the filters expect that the stores has been encrypted using</p><p>a password based <a shape="rect" class="external-link" href="https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#section-4.8" rel="nofollow">PBES2 algorithm</a>. The filters will check a registered <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/PrivateKeyPasswordProvider.java;h=bfcde495a9f9fd0f11a2394c758be1d85beb5
c60;hb=HEAD">password provider</a>.</p><h1 id="JAX-RSJOSE-OAuth2andJose">OAuth2 and Jose</h1><p>CXF OAuth2 module depends on its JOSE module. This will be used to support OAuth2 POP tokens. Authorization code JOSE requests can already be processed. Utility support for validating JWT-based access tokens is provided.</p><p>Add more...</p><h1 id="JAX-RSJOSE-OIDCandJose">OIDC and Jose</h1><p>OIDC heavily depends on JOSE. CXF OIDC module utilizes a JOSE module to support OIDC RP and IDP code. Add more...</p><h1 id="JAX-RSJOSE-FutureWork">Future Work</h1><p>OAuth2, WebCrypto, OIDC, etc</p><h1 id="JAX-RSJOSE-Third-PartyAlternatives">Third-Party Alternatives</h1><p><a shape="rect" class="external-link" href="https://bitbucket.org/b_c/jose4j/wiki/Home" rel="nofollow">Jose4J</a> is a top project from Brian Campbell.  CXF users are encouraged to experiment with Jose4J (or indeed with other 3rd party implementations) if they prefer.</p><p>TODO: describe how Jose4J can be integrated with CX
F filters if preferred.</p><p> </p></div>
+</div></div><p> </p><p>CXF ships JWE related classes in <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe;h=71e0e29025252080838168458b3d2e0179a7a0bd;hb=HEAD">this package</a> and offers a support for all of JWA encryption algorithms.</p><p><a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionProvider.java;h=615212b1622abb1c0a8b06a3b5498d8b6199d0cc;hb=HEAD">JweEncryptionProvider</a> supports encrypting the content, <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionProvider.java;h=1f4861a2d78df5514ff74c40330c1a5f5933f47d;hb=HEAD">JweDecryptionProvider</a> - decrypting the content. Encryptors and
Decryptors for all of JWE algorithms are shipped.</p><p>JweCompactConsumer and JweCompactProducer offer a utility support for creating and validating JWE compact serialization and accept keys in a variety of formats</p><p>(as JWKs, JCA representations, created out of band and wrapped in either JweEncryptionProvider or JweDecryptionProvider).</p><p>JweJwtCompactConsumer and JweJwtCompactProducer are JweCompactConsumer and JweCompactProducer specializations that offer a utility support for encrypting Json Web Tokens in a compact format.</p><p>JweJsonConsumer and JweJsonProducer support JWE JSON (full) serialization.</p><p>JweOutputStream is a specialized output stream that can be used in conjunction with JWE JAX-RS filters (see one of the next sections)</p><p>to support the best effort at streaming the content while encrypting it.  These classes will use <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src
/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionOutput.java;h=918ef5a085c3dc51025e2e9cbba37388f37eb49e;hb=HEAD">JweEncryptionOutput</a>  optionally returned from JweEncryptionProvider</p><p>instead of working with the consumer utility classes which deal with the encryption process completely in memory.</p><p> </p><p>Many more examples will be added here.</p><h2 id="JAX-RSJOSE-JSONWebTokens">JSON Web Tokens</h2><p> </p><p><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7519" rel="nofollow">JSON Web Token</a> (JWT) is a collection of claims in JSON format. It offers a standard JSON container for representing various properties or claims.</p><p>JWT can be signed and or encrypted, i.e, serve as a JOSE signature or encryption input like any other data structure.</p><p> </p><p>JWT has been primarily used in OAuth2 applications to represent self-contained access tokens but can also be used in other contexts.</p><p>CXF offers an ini
tial JWT support in <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt;h=ab5e633cd9d81374288c46c7d283df49931cc0d8;hb=HEAD">this package</a>.</p><h1 id="JAX-RSJOSE-LinkingJWTauthenticationstoJWSorJWEcontent">Linking JWT authentications to JWS or JWE content</h1><p>Add more...</p><h1 id="JAX-RSJOSE-JOSEJAX-RSFilters">JOSE JAX-RS Filters</h1><h2 id="JAX-RSJOSE-JWE">JWE</h2><h2 id="JAX-RSJOSE-JWS">JWS</h2><h1 id="JAX-RSJOSE-Configuration">Configuration</h1><h4 id="JAX-RSJOSE-Configurationthatappliestobothencryptionandsignature">Configuration that applies to both encryption and signature</h4><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore</td><td colspan="1" rowspan="1" class="confluenceTd">The Java KeyStore Object to use. This configuration tag is used if you want to pass the KeyS
tore Object through dynamically.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>rs.security.keystore.type</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The keystore type. Suitable values are "jks" or "jwk".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore.password</td><td colspan="1" rowspan="1" class="confluenceTd">The password required to access the keystore.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore.alias</td><td colspan="1" rowspan="1" class="confluenceTd"> The keystore alias corresponding to the key to use. You can append one of the following to this tag to get the alias for more specific operations:<br clear="none">     - jwe.out<br clear="none">     - jwe.in<br clear="none">     - jws.out<br clear="none">     - jws.in</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.s
ecurity.keystore.aliases</td><td colspan="1" rowspan="1" class="confluenceTd">The keystore aliases corresponding to the keys to use, when using the JSON serialization form. You can append one of the following to this tag to get the alias for more specific operations:<br clear="none">     - jws.out<br clear="none">     - jws.in</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore.file</td><td colspan="1" rowspan="1" class="confluenceTd">The path to the keystore file.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.key.password</td><td colspan="1" rowspan="1" class="confluenceTd">The password required to access the private key (in the keystore).</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.key.password.provider</td><td colspan="1" rowspan="1" class="confluenceTd">A reference to a PrivateKeyPasswordProvider instance used to retrieve passwords to access keys.</td>
</tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.accept.public.key</td><td colspan="1" rowspan="1" class="confluenceTd"><p>Whether to allow using a JWK received in the header for signature validation. The default is "false".</p></td></tr></tbody></table></div><h4 id="JAX-RSJOSE-Configurationthatappliestosignatureonly">Configuration that applies to signature only</h4><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>rs.security.signature.key.password.provider</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>A reference to a PrivateKeyPasswordProvider instance used to retrieve passwords to access keys for signature. If this is not specified it falls back to use "rs.security.key.password.provider".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.algorithm</td><td colspan="1" rowspan="1" class="confluenceTd">The signature algorithm to use. The defau
lt algorithm if not specified is 'RS256'.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.out.properties</td><td colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file for compact signature creation. If not specified then it falls back to "rs.security.signature.properties".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.in.properties</td><td colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file for compact signature verification. If not specified then it falls back to "rs.security.signature.properties".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.properties</td><td colspan="1" rowspan="1" class="confluenceTd">The signature properties file for compact signature creation/verification.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.include.public.key</td><td colspan="1" rowspan="1" cl
ass="confluenceTd">Include the JWK public key for signature in the "jwk" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.include.cert</td><td colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate for signature in the "x5c" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.include.key.id</td><td colspan="1" rowspan="1" class="confluenceTd">Include the JWK key id for signature in the "kid" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.include.cert.sha1</td><td colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate SHA-1 digest for signature in the "x5t" header.</td></tr></tbody></table></div><h4 id="JAX-RSJOSE-Configurationthatappliestoencryptiononly">Configuration that applies to encryption only</h4><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"><
p>rs.security.decryption.key.password.provider</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>A reference to a PrivateKeyPasswordProvider instance used to retrieve passwords to access keys for decryption. If this is not specified it falls back to use "rs.security.key.password.provider".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.content.algorithm</td><td colspan="1" rowspan="1" class="confluenceTd">The encryption content algorithm to use. The default algorithm if not specified is 'A128GCM'.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.key.algorithm</td><td colspan="1" rowspan="1" class="confluenceTd"><p>The encryption key algorithm to use. The default algorithm if not specified is 'RSA-OAEP' if the key is an RSA key, and 'A128GCMKW' if it is an octet sequence.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.zip.algorithm</td><td colspan="1" rows
pan="1" class="confluenceTd">The encryption zip algorithm to use.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.out.properties</td><td colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file for encryption creation. If not specified then it falls back to "rs.security.encryption.properties".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.in.properties</td><td colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file for decryption. If not specified then it falls back to "rs.security.encryption.properties".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.properties</td><td colspan="1" rowspan="1" class="confluenceTd">The signature properties file for encryption/decryption.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.include.public.key</td><td colspan="1" rowspan="1" class="confluence
Td">Include the JWK public key for encryption in the "jwk" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.include.cert</td><td colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate for encryption in the "x5c" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.include.key.id</td><td colspan="1" rowspan="1" class="confluenceTd">Include the JWK key id for encryption in the "kid" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.include.cert.sha1</td><td colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate SHA-1 digest for encryption in the "x5t" header.</td></tr></tbody></table></div><h4 id="JAX-RSJOSE-ConfigurationthatappliestoJWTtokensonly">Configuration that applies to JWT tokens only</h4><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="conf
luenceTd"><p>rs.security.enable.unsigned-jwt.principal</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Whether to allow unsigned JWT tokens as SecurityContext Principals. The default is false.</p></td></tr></tbody></table></div><h1 id="JAX-RSJOSE-EncryptingJWKstores">Encrypting JWK stores</h1><p>JAX-RS filters can read the keys from encrypted JWK stores. The stores are encrypted inline or in separate storages (files). By default the filters expect that the stores has been encrypted using</p><p>a password based <a shape="rect" class="external-link" href="https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#section-4.8" rel="nofollow">PBES2 algorithm</a>. The filters will check a registered <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/PrivateKeyPasswordProvider.java;h=bfcde495a9f9fd0f11a2394c758be1d85beb5c60;hb=HEAD">password provi
der</a>.</p><h1 id="JAX-RSJOSE-OAuth2andJose">OAuth2 and Jose</h1><p>CXF OAuth2 module depends on its JOSE module. This will be used to support OAuth2 POP tokens. Authorization code JOSE requests can already be processed. Utility support for validating JWT-based access tokens is provided.</p><p>Add more...</p><h1 id="JAX-RSJOSE-OIDCandJose">OIDC and Jose</h1><p>OIDC heavily depends on JOSE. CXF OIDC module utilizes a JOSE module to support OIDC RP and IDP code. Add more...</p><h1 id="JAX-RSJOSE-FutureWork">Future Work</h1><p>OAuth2, WebCrypto, OIDC, etc</p><h1 id="JAX-RSJOSE-Third-PartyAlternatives">Third-Party Alternatives</h1><p><a shape="rect" class="external-link" href="https://bitbucket.org/b_c/jose4j/wiki/Home" rel="nofollow">Jose4J</a> is a top project from Brian Campbell.  CXF users are encouraged to experiment with Jose4J (or indeed with other 3rd party implementations) if they prefer.</p><p>TODO: describe how Jose4J can be integrated with CXF filters if preferred.</p>
<p> </p></div>
</div>
<!-- Content -->
</td>