Posted to commits@cxf.apache.org by bu...@apache.org on 2016/07/19 12:47:57 UTC

svn commit: r993130 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-jose.html

Author: buildbot
Date: Tue Jul 19 12:47:56 2016
New Revision: 993130

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/jax-rs-jose.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-jose.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-jose.html (original)
+++ websites/production/cxf/content/docs/jax-rs-jose.html Tue Jul 19 12:47:56 2016
@@ -119,11 +119,11 @@ Apache CXF -- JAX-RS JOSE
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><p>&#160;</p><p>&#160;</p><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1466610419696 {padding: 0px;}
-div.rbtoc1466610419696 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1466610419696 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1468932436528 {padding: 0px;}
+div.rbtoc1468932436528 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1468932436528 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1466610419696">
+/*]]>*/</style></p><div class="toc-macro rbtoc1468932436528">
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSJOSE-Introduction">Introduction</a></li><li><a shape="rect" href="#JAX-RSJOSE-MavenDependencies">Maven Dependencies</a></li><li><a shape="rect" href="#JAX-RSJOSE-JavaandJCEPolicy">Java and JCE Policy&#160;</a></li><li><a shape="rect" href="#JAX-RSJOSE-JOSEOverviewandImplementation">JOSE Overview and Implementation</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSJOSE-JWAAlgorithms">JWA Algorithms</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWKKeys">JWK Keys</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSSignature">JWS Signature</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSJOSE-SignatureandVerificationProviders">Signature and Verification Providers</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSCompact">JWS Compact</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSJSON">JWS JSON</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSwithDetachedContent">JWS with Detached Content</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSwithUnencodedPayload">JWS with Unencoded Payload</a></li></ul>
@@ -329,29 +329,46 @@ JweEncryptionProvider jweEnc1 = new JweE
 KeyEncryptionProvider keyEncryption2 = JweUtils.getSecretKeyEncryptionAlgorithm(wrapperKey2, KeyAlgorithm.A128KW);
 JweEncryptionProvider jweEnc2 = new JweEncryption(keyEncryption2, contentEncryption);
 
-List&lt;JweEncryptionProvider&gt; jweList = new LinkedList&lt;JweEncryptionProvider&gt;();
-jweList.add(jweEnc1);
-jweList.add(jweEnc2);
+List&lt;JweEncryptionProvider&gt; jweProviders = new LinkedList&lt;JweEncryptionProvider&gt;();
+jweProviders.add(jweEnc1);
+jweProviders.add(jweEnc2);
         
+List&lt;JweHeaders&gt; perRecipientHeades = new LinkedList&lt;JweHeaders&gt;();
+perRecipientHeades.add(new JweHeaders("key1"));
+perRecipientHeades.add(new JweHeaders("key2"));
+
 JweJsonProducer p = new JweJsonProducer(protectedHeaders,
                                         sharedUnprotectedHeaders,
                                         StringUtils.toBytesUTF8(text),
                                         StringUtils.toBytesUTF8(EXTRA_AAD_SOURCE),
-                                        false);
-String jweJsonOut = p.encryptWith(jweList);
+                                        false) {
+                         protected JweEncryptionInput createEncryptionInput(JweHeaders jsonHeaders) {
+                           JweEncryptionInput input = super.createEncryptionInput(jsonHeaders);
+                           input.setCek(CEK_BYTES);
+                           input.setIv(JweCompactReaderWriterTest.INIT_VECTOR_A1);
+                           return input;
+                         }
+                    } 
+String jweJsonOut = p.encryptWith(jweProviders, perRecipientHeades);
+
+JweJsonConsumer consumer = new JweJsonConsumer(jweJsonOut);
+KeyAlgorithm keyAlgo = consumer.getSharedUnprotectedHeader().getKeyEncryptionAlgorithm();
+ContentAlgorithm ctAlgo = consumer.getProtectedHeader().getContentEncryptionAlgorithm();
+
+// first recipient:
+JweDecryptionProvider jwe1 = JweUtils.createJweDecryptionProvider(wrapperKey1, keyAlgo, ctAlgo);
 
-// first consumer:
-JweDecryptionProvider jweDecrypt = JweUtils.createJweDecryptionProvider(wrapperKey1, 
-                                                                 KeyAlgorithm.A128KW, 
-                                                                 ContentAlgorithm.A128GCM);
-JweJsonConsumer c = new JweJsonConsumer(jweJsonOut);
 // the consumer will iterate over JWE entries and will try to find the one which can be decrypted with this decryptor
-// which is always precise if only a single receipient entry is available
 // or do consumer.getRecipientsMap() returning a list of entries and their metadata to do a more precise selection.
 
-String content = consumer.decryptWith(jweDecrypt).getContent();
+String content = consumer.decryptWith(jwe1, Collections.singletonMap("kid", "key1")).getContent();
 
-</pre>
+// second recipient:
+JweDecryptionProvider jwe2 = JweUtils.createJweDecryptionProvider(wrapperKey2, keyAlgo, ctAlgo);
+content = consumer.decryptWith(jwe2, Collections.singletonMap("kid", "key1")).getContent();
+
+
+&#160;</pre>
 </div></div><p>If the sequence contains a single recipient entry only then the JWE JSON 'recipients' array will contain a single entry, or the whole sequence can be <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7516#appendix-A.5" rel="nofollow">flattened</a> instead with the actual 'recipients' array dropped. JweJsonProducer &#160;does not produce the flattened sequence when only a single encryption is done by default because 3rd party JWE JSON consumers may only be able to process the sequences with the 'recipients' array, so pass a 'canBeFlat' flag to JwEJsonProducer if needed</p><p>Does it make sense to use JWE JSON if you do not plan to do multiple encryptions ? Most likely you will prefer JWE Compact if only a single recipient is targeted.</p><h2 id="JAX-RSJOSE-JSONWebToken">JSON Web Token</h2><p><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7519" rel="nofollow">JWT</a> (JSON Web Token) is a collection of claims in JSON 
 format. It is simply a regular JSON document where each top elevel property is called a 'claim'.</p><p>JWT can be JWS signed and/or JWE encrypted like any other data structure.</p><p>JWT is mainly used in OAuth2 and OIDC applications to represent self-contained OAuth2 access tokens, OIDC IdToken, UserInfo, but can also be used in other contexts. For example, see the section below on linking JWT authentication tokens to JWS or JWE secured payloads.</p><p>CXF offers a JWT support in <a shape="rect" class="external-link" href="https://github.com/apache/cxf/tree/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt" rel="nofollow">this package</a>. Typically one would create a set of claims and submit them to JWS/JWE JWT processors, for example, see a JWS section above.</p><h2 id="JAX-RSJOSE-JWSandJWECombined">JWS and JWE Combined</h2><p>If you have a requirement to sign the data and then encrypt the signed payload then it can be easily achieved by sel
 ecting a required JWS Producer and creating a JWS Compact sequence, and next submitting this sequence to a JWE producer, and processing it all in the reverse sequence</p><h1 id="JAX-RSJOSE-JOSEJAX-RSFilters">JOSE JAX-RS Filters</h1><p>&#160;</p><p>While working directly with JWS and JWE providers may be needed in the application code, JAX-RS users writing the code like this:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>Typical JAX-RS code</b></div><div class="codeContent panelContent pdl">
 <pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">@Path("/bookstore")
 public class BookStore {
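Review bot: the second recipient's decrypt call selects the wrong key id. `content = consumer.decryptWith(jwe2, Collections.singletonMap("kid", "key1")).getContent();` passes "key1" although the second per-recipient header was created with `new JweHeaders("key2")`, so it should be "key2"; as written, a reader copying the example would try to unwrap the key1 entry with wrapperKey2 and get a decryption failure. Two smaller points in the same region: the anonymous `JweJsonProducer` subclass closes with `}` but no terminating `;` before `String jweJsonOut = ...`, so the snippet does not compile as shown, and `perRecipientHeades` is misspelled (`perRecipientHeaders`). The override of `createEncryptionInput` also pins `CEK_BYTES` and `JweCompactReaderWriterTest.INIT_VECTOR_A1` so the output matches a fixed test vector; since a fixed IV must never be reused with AES-GCM content encryption, the surrounding text should say this override exists only to reproduce deterministic test output and that applications should keep the default random CEK and IV.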