Posted to commits@cxf.apache.org by bu...@apache.org on 2016/05/27 09:47:38 UTC

svn commit: r989314 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-jose.html

Author: buildbot
Date: Fri May 27 09:47:38 2016
New Revision: 989314

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/jax-rs-jose.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-jose.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-jose.html (original)
+++ websites/production/cxf/content/docs/jax-rs-jose.html Fri May 27 09:47:38 2016
@@ -119,11 +119,11 @@ Apache CXF -- JAX-RS JOSE
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><p>&#160;</p><p>&#160;</p><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1464259621584 {padding: 0px;}
-div.rbtoc1464259621584 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1464259621584 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1464342422013 {padding: 0px;}
+div.rbtoc1464342422013 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1464342422013 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1464259621584">
+/*]]>*/</style></p><div class="toc-macro rbtoc1464342422013">
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSJOSE-Introduction">Introduction</a></li><li><a shape="rect" href="#JAX-RSJOSE-MavenDependencies">Maven Dependencies</a></li><li><a shape="rect" href="#JAX-RSJOSE-JavaandJCEPolicy">Java and JCE Policy&#160;</a></li><li><a shape="rect" href="#JAX-RSJOSE-JOSEOverviewandImplementation">JOSE Overview and Implementation</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSJOSE-JWAAlgorithms">JWA Algorithms</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWKKeys">JWK Keys</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSSignature">JWS Signature</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSJOSE-SignatureandVerificationProviders">Signature and Verification Providers</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSCompact">JWS Compact</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSJSON">JWS JSON</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSwithDetachedContent">JWS with Detached Content</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSwithUnencodedPayload">JWS with Unencoded Payload</a></li></ul>
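Review bot: the only change in this hunk is the Confluence-generated TOC class suffix, rbtoc1464259621584 becoming rbtoc1464342422013, in the three CSS rules and the `<div class="toc-macro ...">` wrapper; the rules and the TOC list are otherwise identical, so this is export churn rather than a content change, and it will reappear on every publish of the page.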
@@ -194,8 +194,8 @@ JsonWebKey key = keySet.getKey("Public R
 String thumbprint = JwkUtils.getThumbprint(key);
 assertEquals("NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs", thumbprint);
 KeyType keyType = key.getKeyType();
-assertEquals(KeyType.RSA, thumbprint);</pre>
-</div></div><pre>JsonWebKeys also supports the retrieval of keys by their type (RSA, EC, Octet) and operation (ENCRYPT, SIGN, etc). <br clear="none">Once you have JWK loaded it is typically submitted to JWS or JWE providers.</pre><h2 id="JAX-RSJOSE-JWSSignature">JWS Signature</h2><p><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515" rel="nofollow">JWS</a> (JSON Web Signature) document describes how a document content can be signed. For example, <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515#appendix-A.1" rel="nofollow">Appendix A1</a> shows how the content can be signed with an HMAC key</p><p>CXF ships JWS related classes in <a shape="rect" class="external-link" href="https://github.com/apache/cxf/tree/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws" rel="nofollow">this package</a> and offers a support for all of JWA <a shape="rect" class="external-link" href="https://tools.ietf.o
 rg/html/rfc7518#section-3" rel="nofollow">signature algorithms</a>.</p><h3 id="JAX-RSJOSE-SignatureandVerificationProviders">Signature and Verification Providers</h3><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureProvider.java" rel="nofollow">JwsSignatureProvider</a> supports signing the content, <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureVerifier.java" rel="nofollow">JwsSignatureVerifier</a> - validating the signatures.</p><p>Note the signature and verification capabilities are represented by 2 different interfaces - it was done to keep the interfaces minimalistic and have the concerns separated which can be appreciated most in the cases where the code only signs or only validates.</p><p>The following table shows 
 the algorithms and the corresponding providers (<span class="pl-smi">org.apache.cxf.rs.security.jose.jws</span> package):</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"><strong>Algorithm</strong></td><td colspan="1" rowspan="1" class="confluenceTd"><strong>JWS Header 'alg'</strong></td><td colspan="1" rowspan="1" class="confluenceTd"><strong>JwsSignatureProvider</strong></td><td colspan="1" rowspan="1" class="confluenceTd"><strong>JwsSignatureVerifier</strong></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3.2" rel="nofollow">HMAC</a></td><td colspan="1" rowspan="1" class="confluenceTd">HS256, HS384, HS512</td><td colspan="1" rowspan="1" class="confluenceTd"><p>HmacJwsSignatureProvider</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>HmacJwsSignatureVerifier</p></td></tr><tr><td colspan="1" rowspan="1
 " class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3.3" rel="nofollow">RSASSA-PKCS1-v1_5</a></td><td colspan="1" rowspan="1" class="confluenceTd">RS256, RS384, RS512</td><td colspan="1" rowspan="1" class="confluenceTd">PrivateKeyJwsSignatureProvider</td><td colspan="1" rowspan="1" class="confluenceTd">PublicKeyJwsSignatureVerifier</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3.4" rel="nofollow">ECDSA</a></td><td colspan="1" rowspan="1" class="confluenceTd">ES256, ES384, ES512</td><td colspan="1" rowspan="1" class="confluenceTd">EcDsaJwsSignatureProvider</td><td colspan="1" rowspan="1" class="confluenceTd">EcDsaJwsSignatureVerifier</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3.5" rel="nofollow">RSASSA-PSS</a></td><td 
 colspan="1" rowspan="1" class="confluenceTd">PS256, PS384, PS512</td><td colspan="1" rowspan="1" class="confluenceTd">PrivateKeyJwsSignatureProvider</td><td colspan="1" rowspan="1" class="confluenceTd">PublicKeyJwsSignatureVerifier</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3.6" rel="nofollow">None</a></td><td colspan="1" rowspan="1" class="confluenceTd">none</td><td colspan="1" rowspan="1" class="confluenceTd">NoneJwsSignatureProvider</td><td colspan="1" rowspan="1" class="confluenceTd">NoneJwsSignatureVerifier</td></tr></tbody></table></div><p>Either of these providers (except for None) can be initialized with the keys loaded from JWK or Java JKS stores or from the in-memory representations.</p><p>RS256/384/512 algorithms are likely to be used most often at the moment due to existing JKS stores being available everywhere and a relatively easy way of making the public validati
 on keys available. 'None' algorithm might be useful when a JWS sequence is subsequently JWE-encrypted or when a 2-way TLS (with client and server certificates) is used.</p><p>Once you have decided which algorithm needs to be supported you can initialize an appropriate pair of JwsSignatureProvider and JwsSignatureVerifier if both signing the data and the verification are needed. If only the signing is needed - select JwsSignatureProvider, only the verification - select JwsSignatureVerifier. The selected providers are submitted to JWS Compact or JWS JSON producers or consumers.</p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java" rel="nofollow">JwsUtils</a> utility class has a lot of helper methods to load JwsSignatureProvider or JwsSignatureVerifier and to get JWS sequences created and validated.</p><h3 id="JAX-RSJOSE-JWSCompact">JWS Compact</h3><p><
 a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515#section-3.3" rel="nofollow">JWS Compact representation</a> is the most often used JWS sequence format. It is the concatenation of Base64URL-encoded sequence of JWS headers (algorithm and other properties),&#160; Base64URL-encoded sequence of the actual data being protected and Base64URL-encoded sequence of the signature algorithm output bytes.</p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactProducer.java" rel="nofollow">JwsCompactProducer</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactConsumer.java" rel="nofollow">JwsCompactConsumer</a> offer a support for producing and consuming compact JWS sequences, protecting the data in JSON or no
 n-JSON formats.</p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJwtCompactProducer.java" rel="nofollow">JwsJwtCompactProducer</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJwtCompactConsumer.java" rel="nofollow">JwsJwtCompactConsumer</a> are their simple extensions which help with processing typed JWT Tokens.</p><p>&#160;For example, here is how an <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515#appendix-A.1" rel="nofollow">Appendix A1</a> example can be done in CXF:</p><p>&#160;</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>CXF JWS Compact HMac</b></div><div class="codeContent panelContent pdl">
+assertEquals(KeyType.RSA, keyType);</pre>
+</div></div><p>JsonWebKeys also supports the retrieval of keys by their type (RSA, EC, Octet) and operation (ENCRYPT, SIGN, etc). <br clear="none">Once you have JWK loaded it is typically submitted to JWS or JWE providers.</p><h2 id="JAX-RSJOSE-JWSSignature">JWS Signature</h2><p><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515" rel="nofollow">JWS</a> (JSON Web Signature) document describes how a document content can be signed. For example, <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515#appendix-A.1" rel="nofollow">Appendix A1</a> shows how the content can be signed with an HMAC key</p><p>CXF ships JWS related classes in <a shape="rect" class="external-link" href="https://github.com/apache/cxf/tree/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws" rel="nofollow">this package</a> and offers a support for all of JWA <a shape="rect" class="external-link" href="https://tools.ietf.org/h
 tml/rfc7518#section-3" rel="nofollow">signature algorithms</a>.</p><h3 id="JAX-RSJOSE-SignatureandVerificationProviders">Signature and Verification Providers</h3><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureProvider.java" rel="nofollow">JwsSignatureProvider</a> supports signing the content, <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureVerifier.java" rel="nofollow">JwsSignatureVerifier</a> - validating the signatures.</p><p>Note the signature and verification capabilities are represented by 2 different interfaces - it was done to keep the interfaces minimalistic and have the concerns separated which can be appreciated most in the cases where the code only signs or only validates.</p><p>The following table shows the 
 algorithms and the corresponding providers (<span class="pl-smi">org.apache.cxf.rs.security.jose.jws</span> package):</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"><strong>Algorithm</strong></td><td colspan="1" rowspan="1" class="confluenceTd"><strong>JWS Header 'alg'</strong></td><td colspan="1" rowspan="1" class="confluenceTd"><strong>JwsSignatureProvider</strong></td><td colspan="1" rowspan="1" class="confluenceTd"><strong>JwsSignatureVerifier</strong></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3.2" rel="nofollow">HMAC</a></td><td colspan="1" rowspan="1" class="confluenceTd">HS256, HS384, HS512</td><td colspan="1" rowspan="1" class="confluenceTd"><p>HmacJwsSignatureProvider</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>HmacJwsSignatureVerifier</p></td></tr><tr><td colspan="1" rowspan="1" cl
 ass="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3.3" rel="nofollow">RSASSA-PKCS1-v1_5</a></td><td colspan="1" rowspan="1" class="confluenceTd">RS256, RS384, RS512</td><td colspan="1" rowspan="1" class="confluenceTd">PrivateKeyJwsSignatureProvider</td><td colspan="1" rowspan="1" class="confluenceTd">PublicKeyJwsSignatureVerifier</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3.4" rel="nofollow">ECDSA</a></td><td colspan="1" rowspan="1" class="confluenceTd">ES256, ES384, ES512</td><td colspan="1" rowspan="1" class="confluenceTd">EcDsaJwsSignatureProvider</td><td colspan="1" rowspan="1" class="confluenceTd">EcDsaJwsSignatureVerifier</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3.5" rel="nofollow">RSASSA-PSS</a></td><td cols
 pan="1" rowspan="1" class="confluenceTd">PS256, PS384, PS512</td><td colspan="1" rowspan="1" class="confluenceTd">PrivateKeyJwsSignatureProvider</td><td colspan="1" rowspan="1" class="confluenceTd">PublicKeyJwsSignatureVerifier</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3.6" rel="nofollow">None</a></td><td colspan="1" rowspan="1" class="confluenceTd">none</td><td colspan="1" rowspan="1" class="confluenceTd">NoneJwsSignatureProvider</td><td colspan="1" rowspan="1" class="confluenceTd">NoneJwsSignatureVerifier</td></tr></tbody></table></div><p>Either of these providers (except for None) can be initialized with the keys loaded from JWK or Java JKS stores or from the in-memory representations.</p><p>RS256/384/512 algorithms are likely to be used most often at the moment due to existing JKS stores being available everywhere and a relatively easy way of making the public validation k
 eys available. 'None' algorithm might be useful when a JWS sequence is subsequently JWE-encrypted or when a 2-way TLS (with client and server certificates) is used.</p><p>Once you have decided which algorithm needs to be supported you can initialize an appropriate pair of JwsSignatureProvider and JwsSignatureVerifier if both signing the data and the verification are needed. If only the signing is needed - select JwsSignatureProvider, only the verification - select JwsSignatureVerifier. The selected providers are submitted to JWS Compact or JWS JSON producers or consumers.</p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java" rel="nofollow">JwsUtils</a> utility class has a lot of helper methods to load JwsSignatureProvider or JwsSignatureVerifier and to get JWS sequences created and validated.</p><h3 id="JAX-RSJOSE-JWSCompact">JWS Compact</h3><p><a sh
 ape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515#section-3.3" rel="nofollow">JWS Compact representation</a> is the most often used JWS sequence format. It is the concatenation of Base64URL-encoded sequence of JWS headers (algorithm and other properties),&#160; Base64URL-encoded sequence of the actual data being protected and Base64URL-encoded sequence of the signature algorithm output bytes.</p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactProducer.java" rel="nofollow">JwsCompactProducer</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactConsumer.java" rel="nofollow">JwsCompactConsumer</a> offer a support for producing and consuming compact JWS sequences, protecting the data in JSON or non-JS
 ON formats.</p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJwtCompactProducer.java" rel="nofollow">JwsJwtCompactProducer</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJwtCompactConsumer.java" rel="nofollow">JwsJwtCompactConsumer</a> are their simple extensions which help with processing typed JWT Tokens.</p><p>&#160;For example, here is how an <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515#appendix-A.1" rel="nofollow">Appendix A1</a> example can be done in CXF:</p><p>&#160;</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>CXF JWS Compact HMac</b></div><div class="codeContent panelContent pdl">
 <pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">JwtClaims claims = new JwtClaims();
 claims.setIssuer("joe");
 claims.setExpiryTime(1300819380L);
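Review bot: the assertion fix at the top of the hunk is correct: `assertEquals(KeyType.RSA, thumbprint);` compared the KeyType enum against the String thumbprint and would always fail, while `assertEquals(KeyType.RSA, keyType);` checks the value returned by `key.getKeyType()` on the preceding context line. Wrapping the "JsonWebKeys also supports the retrieval of keys..." sentence in `<p>` instead of `<pre>` is also right, since it is prose, not code. Two documentation points remain in the unchanged text carried by the hunk: the sentence "'None' algorithm might be useful when a JWS sequence is subsequently JWE-encrypted or when a 2-way TLS ... is used" would be clearer if it also said that NoneJwsSignatureVerifier should be chosen deliberately by the consumer only when that alternative protection is in place, not selected from the 'alg' value presented in an incoming header; and "offers a support for all of JWA signature algorithms" should read "offers support for all JWA signature algorithms".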