You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by bu...@apache.org on 2016/05/20 14:47:36 UTC
svn commit: r988743 - in /websites/production/cxf/content:
cache/docs.pageCache docs/jax-rs-jose.html
Author: buildbot
Date: Fri May 20 14:47:36 2016
New Revision: 988743
Log:
Production update by buildbot for cxf
Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/jax-rs-jose.html
Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.
Modified: websites/production/cxf/content/docs/jax-rs-jose.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-jose.html (original)
+++ websites/production/cxf/content/docs/jax-rs-jose.html Fri May 20 14:47:36 2016
@@ -119,11 +119,11 @@ Apache CXF -- JAX-RS JOSE
<!-- Content -->
<div class="wiki-content">
<div id="ConfluenceContent"><p> </p><p> </p><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1463748418648 {padding: 0px;}
-div.rbtoc1463748418648 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1463748418648 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1463755621138 {padding: 0px;}
+div.rbtoc1463755621138 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1463755621138 li {margin-left: 0px;padding-left: 0px;}
-/*]]>*/</style></p><div class="toc-macro rbtoc1463748418648">
+/*]]>*/</style></p><div class="toc-macro rbtoc1463755621138">
<ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSJOSE-Introduction">Introduction</a></li><li><a shape="rect" href="#JAX-RSJOSE-MavenDependencies">Maven Dependencies</a></li><li><a shape="rect" href="#JAX-RSJOSE-JavaandJCEPolicy">Java and JCE Policy </a></li><li><a shape="rect" href="#JAX-RSJOSE-JOSEOverviewandImplementation">JOSE Overview and Implementation</a>
<ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSJOSE-JWAAlgorithms">JWA Algorithms</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWKKeys">JWK Keys</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSSignature">JWS Signature</a>
<ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSJOSE-SignatureandVerificationProviders">Signature and Verification Providers</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSCompact">JWS Compact</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSJSON">JWS JSON</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSwithDetachedContent">JWS with Detached Content</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSwithUnencodedPayload">JWS with Unencoded Payload</a></li></ul>
@@ -134,7 +134,7 @@ div.rbtoc1463748418648 li {margin-left:
<ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSJOSE-JWS">JWS</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWE">JWE</a></li><li><a shape="rect" href="#JAX-RSJOSE-LinkingJWTauthenticationstoJWSorJWEcontent">Linking JWT authentications to JWS or JWE content</a></li></ul>
</li><li><a shape="rect" href="#JAX-RSJOSE-Configuration">Configuration</a>
<ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSJOSE-Configurationthatappliestobothencryptionandsignature">Configuration that applies to both encryption and signature</a></li><li><a shape="rect" href="#JAX-RSJOSE-Configurationthatappliestosignatureonly">Configuration that applies to signature only</a></li><li><a shape="rect" href="#JAX-RSJOSE-Configurationthatappliestoencryptiononly">Configuration that applies to encryption only</a></li><li><a shape="rect" href="#JAX-RSJOSE-ConfigurationthatappliestoJWTtokensonly">Configuration that applies to JWT tokens only</a></li></ul>
-</li><li><a shape="rect" href="#JAX-RSJOSE-OAuth2andJose">OAuth2 and Jose</a></li><li><a shape="rect" href="#JAX-RSJOSE-OIDCandJose">OIDC and Jose</a></li><li><a shape="rect" href="#JAX-RSJOSE-Third-PartyAlternatives">Third-Party Alternatives</a></li></ul>
+</li><li><a shape="rect" href="#JAX-RSJOSE-Interoperability">Interoperability</a></li><li><a shape="rect" href="#JAX-RSJOSE-Third-PartyLibraries">Third-Party Libraries</a></li></ul>
</div><h1 id="JAX-RSJOSE-Introduction">Introduction</h1><p><a shape="rect" class="external-link" href="https://datatracker.ietf.org/wg/jose/documents/" rel="nofollow">JOSE</a> is a set of high quality specifications that specify how data payloads can be signed/validated and/or encrypted/decrypted with the cryptographic properties set in the JSON-formatted metadata (headers). The data to be secured can be in JSON or other format (plain text, XML, binary data).</p><p><a shape="rect" class="external-link" href="https://datatracker.ietf.org/wg/jose/documents/" rel="nofollow">JOSE</a> is a key piece of the advanced OAuth2-based applications such as OpenIdConnect but can also be successfully used for securing the regular HTTP web service communications.</p><p>CXF 3.1.x and 3.2.0 provides a complete implementation of <a shape="rect" class="external-link" href="https://datatracker.ietf.org/wg/jose/documents/" rel="nofollow">JOSE</a>.</p><h1 id="JAX-RSJOSE-MavenDependencies">Maven
Dependencies</h1><p> </p><p>Having the following dependency will let the developers write JOSE code: creating and securing JSON Web Tokens (JWT), and securing the arbitrary data (not only JSON)</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;"><dependency>
<groupId>org.apache.cxf</groupId>
@@ -225,7 +225,7 @@ jws.verifySignatureWith(publicRsaKey);
// Get the data
String helloWorldString = jwsConsumer.getDecodedJwsPayload();
</pre>
-</div></div><p>In this latest example a plain text sequence is encoded with a private RSA key loaded from the JWK store and validated with a public RSA key loaded from the existing Java JKS store.</p><h3 id="JAX-RSJOSE-JWSJSON">JWS JSON</h3><p>While JWS Compact is optimized and represents a concatenation of up to 3 Base64URL values, JWS JSON is an open JSON container, see <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515#appendix-A.6" rel="nofollow">Appendix 6</a>.</p><p>The most interesting feature of JWS JSON is that allows a content be signed for multiple recipients. For example,  the immediate consumer will validate a signature with one key, forward the payload to the next consumer which will also validate the content with another key, etc.  </p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonProducer.java" rel=
"nofollow">JwsJsonProducer</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonConsumer.java" rel="nofollow">JwsJsonConsumer</a> support producing and consuming JWS JSON sequences.</p><p> </p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>CXF JWS JSON</b></div><div class="codeContent panelContent pdl">
+</div></div><p>In this latest example a plain text sequence is encoded with a private RSA key loaded from the JWK store and validated with a public RSA key loaded from the existing Java JKS store.</p><h3 id="JAX-RSJOSE-JWSJSON">JWS JSON</h3><p>While JWS Compact is optimized and represents a concatenation of 3 Base64URL values, JWS JSON is an open JSON container, see <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515#appendix-A.6" rel="nofollow">Appendix 6</a>.</p><p>The most interesting feature of JWS JSON is that allows a content be signed for multiple recipients. For example,  the immediate consumer will validate a signature with one key, forward the payload to the next consumer which will also validate the content with another key, etc.  </p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonProducer.java" rel="nofol
low">JwsJsonProducer</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonConsumer.java" rel="nofollow">JwsJsonConsumer</a> support producing and consuming JWS JSON sequences.</p><p> </p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>CXF JWS JSON</b></div><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">JwsJsonProducer producer = new JwsJsonProducer(UNSIGNED_PLAIN_JSON_DOCUMENT);
JwsHeaders headerEntries = new JwsHeaders(SignatureAlgorithm.HS256);
@@ -258,18 +258,16 @@ String nextJwsJson = consumer.validateAn
// use WebClient to post nextJwsJson to the next consumer, with nextJwsJson being nearly identical to the original
// double-signed JWS JSON signature, minus the signature which was already validated, in this case nextJwsJson will
// only have a single signature </pre>
-</div></div><p>The above code produces a JWS JSON sequence containing two signatures, similarly to <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515#appendix-A.6.4" rel="nofollow">this example</a>. If the sequence contains a single signature only then the JWS JSON 'signatures' array will contain a single 'signature' element, or the whole sequence can be <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515#appendix-A.6.4" rel="nofollow">flattened</a> with the actual 'signatures' array dropped. JwsJsonProducer  does not produce the flattened sequence when only a single signature is used by default because 3rd party JWS JSON consumers may only be able to process the sequences with the 'signatures' array, so pass a 'supportFlattened' flag to JwsJsonProducer if needed. </p><p>Does it make sense to use JWS JSON if you do not plan to do multiple signatures ? Indeed, if it is only a single signature then using JWS Compa
ct is a good alternative, likely to be used most often.</p><p>However, even if you do a single signature, you may still want to try JWS JSON because is is easier to observe the individual JWS JSON structure parts when, example, checking the logs or TCP-tracing HTTP requests/responses. This is especially true when we start talking about an unencoded payload option, see below.</p><h3 id="JAX-RSJOSE-JWSwithDetachedContent">JWS with Detached Content</h3><p><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515#appendix-F" rel="nofollow">JWS with a Detached Content</a> provides a way to integrity-protect some data without actually having these data included in the resulting JWS sequence.</p><p>For example, if the producer and consumer can both access the same shared piece of data, then the producer can sign these data, post the JWS sequence (without the data) to the consumer. The consumer will validate this JWS sequence and assert the data have not been modified
by the time it has received and started validating the sequence. JWS Compact and JWS JSON Producer and Consumer provider constructors accept an optional 'detached' flag in cases were it is required.      </p><h3 id="JAX-RSJOSE-JWSwithUnencodedPayload">JWS with Unencoded Payload</h3><p>By default, JWS Compact and JWS JSON sequences have the data first Base64Url encoded and then inlined in the resulting sequence. This is useful especially for JWS Compact which is used in OAuth2/OIDC  flows to represent the signed access or id tokens. </p><p>One concern around the data being inlined is that it takes an extra time to Base64Url encode them which may become noticeable with large payloads, and another one is that one can not see the data while looking at JWS sequences in the logs or trace screens.</p><p>Thus a <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7797" rel="nofollow">JWS with Unencoded Payload</a> option (JWS header 'b64' prope
rty set to false) has been introduced to let users configure JWS Signature providers not to encode the actual data payload. As it happens it appears to be most useful when JWS JSON sequences are produced, see <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7797#page-7" rel="nofollow">this example</a>.</p><p>Note that JWS Compact also supports 'b64' property but only with the detached payloads. It is easier to appreciate the value of disabling Base64Url encoding with JWS JSON as seen in the example.</p><p>In CXF you can apply this option to both JWS Compact and JWS JSON sequences, here is a JWS JSON code fragment:</p><p> </p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>JWS JSON Unencoded</b></div><div class="codeContent panelContent pdl">
+</div></div><p>The above code produces a JWS JSON sequence containing two signatures, similarly to <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515#appendix-A.6.4" rel="nofollow">this example</a>. If the sequence contains a single signature only then the JWS JSON 'signatures' array will contain a single 'signature' element, or the whole sequence can be <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515#appendix-A.6.4" rel="nofollow">flattened</a> instead with the actual 'signatures' array dropped. JwsJsonProducer  does not produce the flattened sequence when only a single signature is used by default because 3rd party JWS JSON consumers may only be able to process the sequences with the 'signatures' array, so pass a 'supportFlattened' flag to JwsJsonProducer if needed. </p><p>Does it make sense to use JWS JSON if you do not plan to do multiple signatures ? Indeed, if it is only a single signature then using JWS Co
mpact is a good alternative, likely to be used most often.</p><p>However, even if you do a single signature, you may still want to try JWS JSON because is is easier to observe the individual JWS JSON structure parts when, example, checking the logs or TCP-tracing HTTP requests/responses. This is especially true when we start talking about an unencoded payload option, see below.</p><h3 id="JAX-RSJOSE-JWSwithDetachedContent">JWS with Detached Content</h3><p><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515#appendix-F" rel="nofollow">JWS with a Detached Content</a> provides a way to integrity-protect some data without actually having these data included in the resulting JWS sequence.</p><p>For example, if the producer and consumer can both access the same shared piece of data, then the producer can sign these data, post the JWS sequence (without the data) to the consumer. The consumer will validate this JWS sequence and assert the data have not been modifi
ed by the time it has received and started validating the sequence. JWS Compact and JWS JSON Producer and Consumer provider constructors accept an optional 'detached' flag in cases were it is required.      </p><h3 id="JAX-RSJOSE-JWSwithUnencodedPayload">JWS with Unencoded Payload</h3><p>By default, JWS Compact and JWS JSON sequences have the data first Base64Url encoded and then inlined in the resulting sequence. This is useful especially for JWS Compact which is used in OAuth2/OIDC  flows to represent the signed access or id tokens. </p><p>One concern around the data being inlined is that it takes an extra time to Base64Url encode them which may become noticeable with large payloads, and another one is that one can not see the data while looking at JWS sequences in the logs or trace screens.</p><p>Thus a <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7797" rel="nofollow">JWS with Unencoded Payload</a> option (JWS header 'b64' pr
operty set to false) has been introduced to let users configure JWS Signature providers not to encode the actual data payload. As it happens it appears to be most useful when JWS JSON sequences are produced, see <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7797#page-7" rel="nofollow">this example</a>.</p><p>Note that JWS Compact also supports 'b64' property but only with the detached payloads. It is easier to appreciate the value of disabling Base64Url encoding with JWS JSON as seen in the example.</p><p>In CXF you can apply this option to both JWS Compact and JWS JSON sequences, here is a JWS JSON code fragment:</p><p> </p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>JWS JSON Unencoded</b></div><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">JwsJsonProducer producer = new JwsJsonProducer(UNSIGNED_PLAIN_JSON_DOCUMENT, true);
JwsHeaders headers = new JwsHeaders(SignatureAlgorithm.HS256);
headers.setPayloadEncodingStatus(false);
producer.signWith(new HmacJwsSignatureProvider(ENCODED_MAC_KEY_1, SignatureAlgorithm.HS256),
headers);</pre>
-</div></div><p> </p><h2 id="JAX-RSJOSE-JWEEncryption">JWE Encryption</h2><p><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7516" rel="nofollow">JWE</a> (JSON Web Encryption) document describes how a document content, and, when applicable, a content encryption key, can be encrypted. For example, <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7516#appendix-A.1" rel="nofollow">Appendix A1</a> shows how the content can be encrypted with a secret key using AesGcm with the actual content encryption key being encrypted using RSA-OAEP.</p><p>CXF ships JWE related classes in <a shape="rect" class="external-link" href="https://github.com/apache/cxf/tree/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe" rel="nofollow">this package</a> and offers a support for all of JWA <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-4" rel="nofollow">key encryption</a> a
nd <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-5" rel="nofollow">content encryption</a> algorithms.</p><h3 id="JAX-RSJOSE-KeyandContentEncryptionProviders">Key and Content Encryption Providers</h3><p>JWE Encryption process typically involves a content-encryption key being generated with this key being subsequently encrypted/wrapped with a key known to the consumer. Thus CXF offers the providers for supporting the key-encryption algorithms and providers for supporting the content-encryption algorithms. Direct key encryption (where the content-encryption key is established out of band) is also supported.</p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/KeyEncryptionProvider.java" rel="nofollow">KeyEncryptionProvider</a> supports encrypting a content-encryption key, <a shape="rect" class="external-link" href="https://gi
thub.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/KeyDecryptionProvider.java" rel="nofollow">KeyDecryptionProvider</a> - decrypting it.</p><p>The following table shows the key encryption algorithms and the corresponding providers (<span class="pl-smi">org.apache.cxf.rs.security.jose.jwe</span> package):</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"><strong>Algorithm</strong></td><td colspan="1" rowspan="1" class="confluenceTd"><strong>JWE Header 'alg'</strong></td><td colspan="1" rowspan="1" class="confluenceTd"><strong>KeyEncryptionProvider</strong></td><td colspan="1" rowspan="1" class="confluenceTd"><strong>KeyDecryptionProvider</strong></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-4.2" rel="nofollow">RSAES-PKCS1-v1_5</a></td><td colspan="1" r
owspan="1" class="confluenceTd"><p class="newpage">RSA1_5</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>RSAKeyEncryptionAlgorithm</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>RSAKeyDecryptionAlgorithm</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-4.3" rel="nofollow">RSAES OAEP</a></td><td colspan="1" rowspan="1" class="confluenceTd"><p class="newpage">RSA-OAEP, RSA-OAEP-256</p></td><td colspan="1" rowspan="1" class="confluenceTd">RSAKeyEncryptionAlgorithm</td><td colspan="1" rowspan="1" class="confluenceTd">RSAKeyDecryptionAlgorithm</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-4.4" rel="nofollow">AES Key Wrap</a></td><td colspan="1" rowspan="1" class="confluenceTd"><p class="newpage">A128KW, A192KW, A256KW</p></td><td colspan="1" rowspan="1" cla
ss="confluenceTd">AesKeyWrapEncryptionAlgorithm</td><td colspan="1" rowspan="1" class="confluenceTd">AesKeyWrapDecryptionAlgorithm</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-4.5" rel="nofollow">Direct</a></td><td colspan="1" rowspan="1" class="confluenceTd">dir</td><td colspan="1" rowspan="1" class="confluenceTd">DirectKeyEncryptionAlgorithm</td><td colspan="1" rowspan="1" class="confluenceTd">DirectKeyDecryptionAlgorithm</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#page-15" rel="nofollow">ECDH-ES Wrap</a></td><td colspan="1" rowspan="1" class="confluenceTd"><p class="newpage">ECDH-ES+A128KW (+A192KW, +256KW)</p></td><td colspan="1" rowspan="1" class="confluenceTd">EcdhAesWrapKeyEncryptionAlgorithm</td><td colspan="1" rowspan="1" class="confluenceTd">EcdhAesWrapKeyDecryptionAlgorith
m</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#page-15" rel="nofollow">ECDH-ES Direct</a></td><td colspan="1" rowspan="1" class="confluenceTd"><p class="newpage">ECDH-ES</p></td><td colspan="1" rowspan="1" class="confluenceTd"><span class="pl-en">EcdhDirectKeyJweEncryption</span></td><td colspan="1" rowspan="1" class="confluenceTd"><span class="pl-en">EcdhDirectKeyJweDecryption</span></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-4.7" rel="nofollow">AES-GCM</a></td><td colspan="1" rowspan="1" class="confluenceTd"><p class="newpage">A128GCMKW, A192GCMKW, A256GCMKW</p></td><td colspan="1" rowspan="1" class="confluenceTd">AesGcmWrapKeyEncryptionAlgorithm</td><td colspan="1" rowspan="1" class="confluenceTd">AesGcmWrapKeyDecryptionAlgorithm</td></tr><tr><td colspan="1" rowspan="1" class="co
nfluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-4.8" rel="nofollow">PBES2</a></td><td colspan="1" rowspan="1" class="confluenceTd"><p class="newpage">PBES2-HS256+A128KW</p><p class="newpage">PBES2-HS384+A192KW</p><p class="newpage">PBES2-HS512+A256KW</p></td><td colspan="1" rowspan="1" class="confluenceTd">PbesHmacAesWrapKeyEncryptionAlgorithm</td><td colspan="1" rowspan="1" class="confluenceTd">PbesHmacAesWrapKeyDecryptionAlgorithm</td></tr></tbody></table></div><p> </p><p>RSA-OAEP algorithms are likely to be used most often at the moment due to existing JKS stores being available everywhere and a relatively easy way of making the public validation keys available.</p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentEncryptionProvider.java" rel="nofollow">ContentEncryptionProvider</a> supports encryp
ting a generated content-encryption key, <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentDecryptionProvider.java" rel="nofollow">ContentDecryptionProvider</a> - decrypting it.</p><p>The following table shows the content encryption algorithms and the corresponding providers:</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"><strong>Algorithm</strong></td><td colspan="1" rowspan="1" class="confluenceTd"><strong>JWE Header 'enc'</strong></td><td colspan="1" rowspan="1" class="confluenceTd"><strong>ContentEncryptionProvider</strong></td><td colspan="1" rowspan="1" class="confluenceTd"><strong>ContentDecryptionProvider</strong></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-5.2" rel="nofollow">A
ES_CBC_HMAC_SHA2</a></td><td colspan="1" rowspan="1" class="confluenceTd"><p class="newpage">A128CBC-HS256(-HS384, -HS512)</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>AesCbcHmacJweEncryption,</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>AesCbcHmacJweDecryption</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-5.3" rel="nofollow">AES-GCM</a></td><td colspan="1" rowspan="1" class="confluenceTd"><p class="newpage">A128GCM, A92GCM, A256GCM</p></td><td colspan="1" rowspan="1" class="confluenceTd">AesGcmContentEncryptionAlgorithm</td><td colspan="1" rowspan="1" class="confluenceTd">AesGcmContentDecryptionAlgorithm</td></tr></tbody></table></div><p>All of the above providers can be initialized with the keys loaded from JWK or Java JKS stores or from the in-memory representations.</p><p>Once you have decided which key and content encryption algorithms need t
o be supported you can initialize <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionProvider.java" rel="nofollow">JwsEncryptionProvider</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionProvider.java" rel="nofollow">JwsDecryptionProvider</a> which do the actual JWE encryption/decryption work by coordinating with the key and content encryption providers. CXF ships <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryption.java" rel="nofollow">JweEncryption</a> (JwsEncryptionProvider) and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent
/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryption.java" rel="nofollow">JweDecryption</a> (JweDecryptionProvider) helpers, simply pass them the preferred key and content encryption providers and have the content encrypted or decrypted.</p><p>Note that <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweEncryption.java" rel="nofollow">AesCbcHmacJweEncryption</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweDecryption.java" rel="nofollow">AesCbcHmacJweDecryption</a> providers supporting <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-5.2" rel="nofollow">AES_CBC_HMAC_SHA2</a> contet encryption are extending JweEncryption and JweDecryption respectively. They implem
ent <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-5.2.2" rel="nofollow">the content encryption</a> internally but do accept preferred key encryption/decryption providers.</p><p>Similarly, <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyJweEncryption.java" rel="nofollow">DirectKeyJweEncryption</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyJweDecryption.java" rel="nofollow">DirectKeyJweDecryption</a> are simple JweEncryption and JweDecryption extensions making it straighforward to do the direct key content encryption/decryption.</p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/
cxf/rs/security/jose/jwe/JweUtils.java" rel="nofollow">JweUtils</a> utility class has a lot of helper methods to load key and and content encryption providers and get the data encrypted and decrypted.</p><h3 id="JAX-RSJOSE-JWECompact">JWE Compact</h3><p><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7516#section-3.3" rel="nofollow">JWE Compact representation</a> is the most often used JWE sequence format. It is the concatenation of 5 parts: Base64URL-encoded sequence of JWE headers (algorithm and other properties),  Base64URL-encoded sequence of JWE encryption key (empty in case of the direct encryption), Base64URL-encoded sequence of JWE Initialization vector, Base64URL-encoded sequence of the produced ciphertext (encrypted data) and finally Base64URL-encoded sequence of the authentication tag (integrity protection for the headers and the ciphertext itself).</p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/bl
ob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCompactProducer.java" rel="nofollow">JweCompactProducer</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCompactConsumer.java" rel="nofollow">JweCompactConsumer</a> offer a basic support for creating and consuming compact JWE sequences. In most cases you will likely prefer to use <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryption.java" rel="nofollow">JweEncryption</a> (uses JweCompactProducer internally) and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryption.java" rel="nofollow">JweDecryption</a> (uses Jw
eCompactConsumer internally).</p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJwtCompactProducer.java" rel="nofollow">JweJwtCompactProducer</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJwtCompactConsumer.java" rel="nofollow">JwsJwtCompactConsumer</a> help with directly encrypting typed JWT Tokens.</p><p>Here is the example of doing AES CBC HMAC and AES Key Wrap in CXF:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>CXF Jwe AesWrapAesCbcHMac</b></div><div class="codeContent panelContent pdl">
+</div></div><p> </p><h2 id="JAX-RSJOSE-JWEEncryption">JWE Encryption</h2><p><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7516" rel="nofollow">JWE</a> (JSON Web Encryption) document describes how a document content, and, when applicable, a content encryption key, can be encrypted. For example, <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7516#appendix-A.1" rel="nofollow">Appendix A1</a> shows how the content can be encrypted with a secret key using AesGcm with the actual content encryption key being encrypted using RSA-OAEP.</p><p>CXF ships JWE related classes in <a shape="rect" class="external-link" href="https://github.com/apache/cxf/tree/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe" rel="nofollow">this package</a> and offers a support for all of JWA <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-4" rel="nofollow">key encryption</a> a
nd <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-5" rel="nofollow">content encryption</a> algorithms.</p><h3 id="JAX-RSJOSE-KeyandContentEncryptionProviders">Key and Content Encryption Providers</h3><p>JWE Encryption process typically involves a content-encryption key being generated with this key being subsequently encrypted/wrapped with a key known to the consumer. Thus CXF offers the providers for supporting the key-encryption algorithms and providers for supporting the content-encryption algorithms. Direct key encryption (where the content-encryption key is established out of band) is also supported.</p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/KeyEncryptionProvider.java" rel="nofollow">KeyEncryptionProvider</a> supports encrypting a content-encryption key, <a shape="rect" class="external-link" href="https://gi
thub.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/KeyDecryptionProvider.java" rel="nofollow">KeyDecryptionProvider</a> - decrypting it.</p><p>The following table shows the key encryption algorithms and the corresponding providers (<span class="pl-smi">org.apache.cxf.rs.security.jose.jwe</span> package):</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"><strong>Algorithm</strong></td><td colspan="1" rowspan="1" class="confluenceTd"><strong>JWE Header 'alg'</strong></td><td colspan="1" rowspan="1" class="confluenceTd"><strong>KeyEncryptionProvider</strong></td><td colspan="1" rowspan="1" class="confluenceTd"><strong>KeyDecryptionProvider</strong></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-4.2" rel="nofollow">RSAES-PKCS1-v1_5</a></td><td colspan="1" r
owspan="1" class="confluenceTd"><p class="newpage">RSA1_5</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>RSAKeyEncryptionAlgorithm</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>RSAKeyDecryptionAlgorithm</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-4.3" rel="nofollow">RSAES OAEP</a></td><td colspan="1" rowspan="1" class="confluenceTd"><p class="newpage">RSA-OAEP, RSA-OAEP-256</p></td><td colspan="1" rowspan="1" class="confluenceTd">RSAKeyEncryptionAlgorithm</td><td colspan="1" rowspan="1" class="confluenceTd">RSAKeyDecryptionAlgorithm</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-4.4" rel="nofollow">AES Key Wrap</a></td><td colspan="1" rowspan="1" class="confluenceTd"><p class="newpage">A128KW, A192KW, A256KW</p></td><td colspan="1" rowspan="1" cla
ss="confluenceTd">AesKeyWrapEncryptionAlgorithm</td><td colspan="1" rowspan="1" class="confluenceTd">AesKeyWrapDecryptionAlgorithm</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-4.5" rel="nofollow">Direct</a></td><td colspan="1" rowspan="1" class="confluenceTd">dir</td><td colspan="1" rowspan="1" class="confluenceTd">DirectKeyEncryptionAlgorithm</td><td colspan="1" rowspan="1" class="confluenceTd">DirectKeyDecryptionAlgorithm</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#page-15" rel="nofollow">ECDH-ES Wrap</a></td><td colspan="1" rowspan="1" class="confluenceTd"><p class="newpage">ECDH-ES+A128KW (+A192KW, +256KW)</p></td><td colspan="1" rowspan="1" class="confluenceTd">EcdhAesWrapKeyEncryptionAlgorithm</td><td colspan="1" rowspan="1" class="confluenceTd">EcdhAesWrapKeyDecryptionAlgorith
m</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#page-15" rel="nofollow">ECDH-ES Direct</a></td><td colspan="1" rowspan="1" class="confluenceTd"><p class="newpage">ECDH-ES</p></td><td colspan="1" rowspan="1" class="confluenceTd"><span class="pl-en">EcdhDirectKeyJweEncryption</span></td><td colspan="1" rowspan="1" class="confluenceTd"><span class="pl-en">EcdhDirectKeyJweDecryption</span></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-4.7" rel="nofollow">AES-GCM</a></td><td colspan="1" rowspan="1" class="confluenceTd"><p class="newpage">A128GCMKW, A192GCMKW, A256GCMKW</p></td><td colspan="1" rowspan="1" class="confluenceTd">AesGcmWrapKeyEncryptionAlgorithm</td><td colspan="1" rowspan="1" class="confluenceTd">AesGcmWrapKeyDecryptionAlgorithm</td></tr><tr><td colspan="1" rowspan="1" class="co
nfluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-4.8" rel="nofollow">PBES2</a></td><td colspan="1" rowspan="1" class="confluenceTd"><p class="newpage">PBES2-HS256+A128KW</p><p class="newpage">PBES2-HS384+A192KW</p><p class="newpage">PBES2-HS512+A256KW</p></td><td colspan="1" rowspan="1" class="confluenceTd">PbesHmacAesWrapKeyEncryptionAlgorithm</td><td colspan="1" rowspan="1" class="confluenceTd">PbesHmacAesWrapKeyDecryptionAlgorithm</td></tr></tbody></table></div><p> </p><p>RSA-OAEP algorithms are likely to be used most often at the moment due to existing JKS stores being available everywhere and a relatively easy way of making the public validation keys available.</p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentEncryptionProvider.java" rel="nofollow">ContentEncryptionProvider</a> supports encryp
ting a generated content-encryption key, <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentDecryptionProvider.java" rel="nofollow">ContentDecryptionProvider</a> - decrypting it.</p><p>The following table shows the content encryption algorithms and the corresponding providers:</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"><strong>Algorithm</strong></td><td colspan="1" rowspan="1" class="confluenceTd"><strong>JWE Header 'enc'</strong></td><td colspan="1" rowspan="1" class="confluenceTd"><strong>ContentEncryptionProvider</strong></td><td colspan="1" rowspan="1" class="confluenceTd"><strong>ContentDecryptionProvider</strong></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-5.2" rel="nofollow">A
ES_CBC_HMAC_SHA2</a></td><td colspan="1" rowspan="1" class="confluenceTd"><p class="newpage">A128CBC-HS256(-HS384, -HS512)</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>AesCbcHmacJweEncryption,</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>AesCbcHmacJweDecryption</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-5.3" rel="nofollow">AES-GCM</a></td><td colspan="1" rowspan="1" class="confluenceTd"><p class="newpage">A128GCM, A92GCM, A256GCM</p></td><td colspan="1" rowspan="1" class="confluenceTd">AesGcmContentEncryptionAlgorithm</td><td colspan="1" rowspan="1" class="confluenceTd">AesGcmContentDecryptionAlgorithm</td></tr></tbody></table></div><p>All of the above providers can be initialized with the keys loaded from JWK or Java JKS stores or from the in-memory representations.</p><p>Once you have decided which key and content encryption algorithms need t
o be supported you can initialize <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionProvider.java" rel="nofollow">JwsEncryptionProvider</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionProvider.java" rel="nofollow">JwsDecryptionProvider</a> which do the actual JWE encryption/decryption work by coordinating with the key and content encryption providers. CXF ships <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryption.java" rel="nofollow">JweEncryption</a> (JwsEncryptionProvider) and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent
/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryption.java" rel="nofollow">JweDecryption</a> (JweDecryptionProvider) helpers, simply pass them the preferred key and content encryption providers and have the content encrypted or decrypted.</p><p>JweEncryption and JweDecryption help with creating and processing JWE Compact sequences (see the next section).  JweEncryption can also help with streaming JWE JSON sequences (see JAX-RS JWE filters section).</p><p>Note that <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweEncryption.java" rel="nofollow">AesCbcHmacJweEncryption</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweDecryption.java" rel="nofollow">AesCbcHmacJweDecryption</a> providers supporting
<a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-5.2" rel="nofollow">AES_CBC_HMAC_SHA2</a> contet encryption are extending JweEncryption and JweDecryption respectively. They implement <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-5.2.2" rel="nofollow">the content encryption</a> internally but do accept preferred key encryption/decryption providers.</p><p>Similarly, <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyJweEncryption.java" rel="nofollow">DirectKeyJweEncryption</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyJweDecryption.java" rel="nofollow">DirectKeyJweDecryption</a> are simple JweEncryption and JweDecryption extensions making
it straighforward to do the direct key content encryption/decryption.</p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java" rel="nofollow">JweUtils</a> utility class has a lot of helper methods to load key and and content encryption providers and get the data encrypted and decrypted.</p><h3 id="JAX-RSJOSE-JWECompact">JWE Compact</h3><p><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7516#section-3.3" rel="nofollow">JWE Compact representation</a> is the most often used JWE sequence format. It is the concatenation of 5 parts: Base64URL-encoded sequence of JWE headers (algorithm and other properties),  Base64URL-encoded sequence of JWE encryption key (empty in case of the direct encryption), Base64URL-encoded sequence of JWE Initialization vector, Base64URL-encoded sequence of the produced ciphertext (encrypted data
) and finally Base64URL-encoded sequence of the authentication tag (integrity protection for the headers and the ciphertext itself).</p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCompactProducer.java" rel="nofollow">JweCompactProducer</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCompactConsumer.java" rel="nofollow">JweCompactConsumer</a> offer a basic support for creating and consuming compact JWE sequences. In most cases you will likely prefer to use <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryption.java" rel="nofollow">JweEncryption</a> and <a shape="rect" class="external-link" href="ht
tps://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryption.java" rel="nofollow">JweDecryption</a> instead: <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryption.java" rel="nofollow">JweEncryption</a> uses JweCompactProducer internally when its <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionProvider.java#L27" rel="nofollow">encrypt</a> method is called (<a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionProvider.java#L32" rel="nofollow">getEncryptedOutput</a> will be discussed in the JAX-RS JWE filters section), and <a shap
e="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryption.java" rel="nofollow">JweDecryption</a> accepts only JWE Compact and uses JweCompactConsumer internally.</p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJwtCompactProducer.java" rel="nofollow">JweJwtCompactProducer</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJwtCompactConsumer.java" rel="nofollow">JwsJwtCompactConsumer</a> help with directly encrypting typed JWT Tokens.</p><p>Here is the example of doing AES Key Wrap and AES CBC HMAC in CXF:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="bor
der-bottom-width: 1px;"><b>CXF Jwe AesWrapAesCbcHMac</b></div><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">final String specPlainText = "Live long and prosper.";
-byte[] cekEncryptionKey = Base64UrlUtility.decode(KEY_ENCRYPTION_KEY_A3);
-
-AesWrapKeyEncryptionAlgorithm keyEncryption = new AesWrapKeyEncryptionAlgorithm(cekEncryptionKey, KeyAlgorithm.A128KW);
+AesWrapKeyEncryptionAlgorithm keyEncryption = new AesWrapKeyEncryptionAlgorithm(KEY_ENCRYPTION_KEY_A3, KeyAlgorithm.A128KW);
JweEncryptionProvider encryption = new AesCbcHmacJweEncryption(ContentAlgorithm.A128CBC_HS256,
keyEncryption);
String jweContent = encryption.encrypt(specPlainText.getBytes("UTF-8"), null);
@@ -278,7 +276,70 @@ AesWrapKeyDecryptionAlgorithm keyDecrypt
JweDecryptionProvider decryption = new AesCbcHmacJweDecryption(keyDecryption);
String decryptedText = decryption.decrypt(jweContent).getContentText();
assertEquals(specPlainText, decryptedText);</pre>
-</div></div><p> </p><h3 id="JAX-RSJOSE-JWEJSON">JWE JSON</h3><h2 id="JAX-RSJOSE-JSONWebToken">JSON Web Token</h2><p><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7519" rel="nofollow">JWT</a> (JSON Web Token) is a collection of claims in JSON format. It offers a standard JSON container for representing various properties or claims.</p><p>JWT can be signed and or encrypted, i.e, serve as a JOSE signature or encryption input like any other data structure.</p><p>JWT has been primarily used in OAuth2 applications to represent self-contained access tokens but can also be used in other contexts.</p><p>CXF offers an initial JWT support in <a shape="rect" class="external-link" href="https://github.com/apache/cxf/tree/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt" rel="nofollow">this package</a>.</p><h1 id="JAX-RSJOSE-JOSEJAX-RSFilters">JOSE JAX-RS Filters</h1><h2 id="JAX-RSJOSE-JWS">JWS</h2><h2 id="JAX-RSJOSE-JWE">J
WE</h2><h2 id="JAX-RSJOSE-LinkingJWTauthenticationstoJWSorJWEcontent">Linking JWT authentications to JWS or JWE content</h2><p> </p><h1 id="JAX-RSJOSE-Configuration">Configuration</h1><h4 id="JAX-RSJOSE-Configurationthatappliestobothencryptionandsignature">Configuration that applies to both encryption and signature</h4><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore</td><td colspan="1" rowspan="1" class="confluenceTd">The Java KeyStore Object to use. This configuration tag is used if you want to pass the KeyStore Object through dynamically.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>rs.security.keystore.type</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The keystore type. Suitable values are "jks" or "jwk".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore.password</td><td colspan="1" rowspan="1" class="confluenceTd">Th
e password required to access the keystore.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore.alias</td><td colspan="1" rowspan="1" class="confluenceTd"> The keystore alias corresponding to the key to use. You can append one of the following to this tag to get the alias for more specific operations:<br clear="none">     - jwe.out<br clear="none">     - jwe.in<br clear="none">     - jws.out<br clear="none">     - jws.in</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore.aliases</td><td colspan="1" rowspan="1" class="confluenceTd">The keystore aliases corresponding to the keys to use, when using the JSON serialization form. You can append one of the following to this tag to get the alias for more specific operations:<br clear="none">     - jws.out<br clear="none">     - jws.in</td></tr><tr><td cols
pan="1" rowspan="1" class="confluenceTd">rs.security.keystore.file</td><td colspan="1" rowspan="1" class="confluenceTd">The path to the keystore file.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.key.password</td><td colspan="1" rowspan="1" class="confluenceTd">The password required to access the private key (in the keystore).</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.key.password.provider</td><td colspan="1" rowspan="1" class="confluenceTd">A reference to a PrivateKeyPasswordProvider instance used to retrieve passwords to access keys.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.accept.public.key</td><td colspan="1" rowspan="1" class="confluenceTd"><p>Whether to allow using a JWK received in the header for signature validation. The default is "false".</p></td></tr></tbody></table></div><h4 id="JAX-RSJOSE-Configurationthatappliestosignatureonly">Configuration that applies to signature only</h4>
<div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>rs.security.signature.key.password.provider</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>A reference to a PrivateKeyPasswordProvider instance used to retrieve passwords to access keys for signature. If this is not specified it falls back to use "rs.security.key.password.provider".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.algorithm</td><td colspan="1" rowspan="1" class="confluenceTd">The signature algorithm to use. The default algorithm if not specified is 'RS256'.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.out.properties</td><td colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file for compact signature creation. If not specified then it falls back to "rs.security.signature.properties".</p></td></tr><tr><td colspan="1" rowspan="1" class="conf
luenceTd">rs.security.signature.in.properties</td><td colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file for compact signature verification. If not specified then it falls back to "rs.security.signature.properties".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.properties</td><td colspan="1" rowspan="1" class="confluenceTd">The signature properties file for compact signature creation/verification.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.include.public.key</td><td colspan="1" rowspan="1" class="confluenceTd">Include the JWK public key for signature in the "jwk" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.include.cert</td><td colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate for signature in the "x5c" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.include.ke
y.id</td><td colspan="1" rowspan="1" class="confluenceTd">Include the JWK key id for signature in the "kid" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.include.cert.sha1</td><td colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate SHA-1 digest for signature in the "x5t" header.</td></tr></tbody></table></div><h4 id="JAX-RSJOSE-Configurationthatappliestoencryptiononly">Configuration that applies to encryption only</h4><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>rs.security.decryption.key.password.provider</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>A reference to a PrivateKeyPasswordProvider instance used to retrieve passwords to access keys for decryption. If this is not specified it falls back to use "rs.security.key.password.provider".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.
content.algorithm</td><td colspan="1" rowspan="1" class="confluenceTd">The encryption content algorithm to use. The default algorithm if not specified is 'A128GCM'.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.key.algorithm</td><td colspan="1" rowspan="1" class="confluenceTd"><p>The encryption key algorithm to use. The default algorithm if not specified is 'RSA-OAEP' if the key is an RSA key, and 'A128GCMKW' if it is an octet sequence.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.zip.algorithm</td><td colspan="1" rowspan="1" class="confluenceTd">The encryption zip algorithm to use.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.out.properties</td><td colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file for encryption creation. If not specified then it falls back to "rs.security.encryption.properties".</p></td></tr><tr><td colspan="1" rows
pan="1" class="confluenceTd">rs.security.encryption.in.properties</td><td colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file for decryption. If not specified then it falls back to "rs.security.encryption.properties".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.properties</td><td colspan="1" rowspan="1" class="confluenceTd">The signature properties file for encryption/decryption.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.include.public.key</td><td colspan="1" rowspan="1" class="confluenceTd">Include the JWK public key for encryption in the "jwk" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.include.cert</td><td colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate for encryption in the "x5c" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.include.key
.id</td><td colspan="1" rowspan="1" class="confluenceTd">Include the JWK key id for encryption in the "kid" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.include.cert.sha1</td><td colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate SHA-1 digest for encryption in the "x5t" header.</td></tr></tbody></table></div><h4 id="JAX-RSJOSE-ConfigurationthatappliestoJWTtokensonly">Configuration that applies to JWT tokens only</h4><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>rs.security.enable.unsigned-jwt.principal</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Whether to allow unsigned JWT tokens as SecurityContext Principals. The default is false.</p></td></tr></tbody></table></div><p> </p><h1 id="JAX-RSJOSE-OAuth2andJose">OAuth2 and Jose</h1><p>CXF OAuth2 module depends on its JOSE module. This will be used to support OAuth
2 POP tokens. Authorization code JOSE requests can already be processed. Utility support for validating JWT-based access tokens is provided.</p><p>Add more...</p><h1 id="JAX-RSJOSE-OIDCandJose">OIDC and Jose</h1><p>OIDC heavily depends on JOSE. CXF OIDC module utilizes a JOSE module to support OIDC RP and IDP code. Add more...</p><h1 id="JAX-RSJOSE-Third-PartyAlternatives">Third-Party Alternatives</h1><p><a shape="rect" class="external-link" href="https://bitbucket.org/b_c/jose4j/wiki/Home" rel="nofollow">Jose4J</a></p><p><a shape="rect" class="external-link" href="http://connect2id.com/products/nimbus-jose-jwt" rel="nofollow">Nimbus JOSE</a></p><p> </p><p> </p><p> </p></div>
+</div></div><p> </p><p>Here is another example using RSA-OAEP key encryption and AES-GCM content encryption:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>CXF Jwe RsaOaepAesGcm</b></div><div class="codeContent panelContent pdl">
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">final String content = "Live long and prosper.";
+// Load public RSA key from the JWK Key set stored on the disk
+InputStream is = JsonWebKeyTest.class.getResourceAsStream(fileName);
+JsonWebKeys keySet = JwkUtils.readJwkSet(is);
+JsonWebKey jwkPublicRsaKey = keySet.getKey("Public RSA Key");
+KeyEncryptionProvider keyEncryptionAlgo = JweUtils.getKeyEncryptionProvider(jwkPublicRsaKey);
+ContentEncryptionProvider contentEncryptionAlgo = JweUtils.getContentEncryptionProvider(ContentAlgorithm.A256GCM);
+JweEncryptionProvider encryptor = new JweEncryption(keyEncryptionAlgo, contentEncryptionAlgo);
+
+// or simply
+// JweEncryptionProvider encryptor = JweUtils.createJweEncryptionProvider(jwkPublicRsaKey, ContentAlgorithm.A256GCM);
+
+String jweOut = encryptor.encrypt(content.getBytes(StandardCharsets.UTF_8), null);
+
+// Load Private RSA Key from Java JKS Store
+PrivateKey privateRsaKey =
+ CryptoUtils.loadPrivateKey(keyStoreLocation, keyStorePassword, privateKeyPassword, keyAlias, KeyStore.getDefaultType());
+
+JweDecryptionProvider decryptor = JweUtils.createJweDecryptionProvider(jwkPrivateRsaKey, ContentAlgorithm.A256GCM);
+String decryptedText = decryption.decrypt(jweContent).getContentText();
+assertEquals(content, decryptedText);</pre>
+</div></div><h3 id="JAX-RSJOSE-JWEJSON">JWE JSON</h3><p>While JWE Compact is optimized and represents a concatenation of 5 Base64URL values, JWE JSON is an open JSON container, see <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7516#appendix-A.4" rel="nofollow">Appendix A4</a>.</p><p>The most interesting feature of JWE JSON is that allows a content be encrypted by multiple key encryption keys, with te resulting sequence targeted at multiple recipients. For example,  the immediate consumer will decrypt the content with its own key decryption key, forward the payload to the next consumer, etc.  </p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducer.java" rel="nofollow">JweJsonProducer</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/m
ain/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumer.java" rel="nofollow">JweJsonConsumer</a> support producing and consuming JWS JSON sequences.</p><p>Here is the code example:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>CXF JweJson</b></div><div class="codeContent panelContent pdl">
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">final String text = "The true sign of intelligence is not knowledge but imagination.";
+SecretKey wrapperKey1 = CryptoUtils.createSecretKeySpec(WRAPPER_BYTES1, "AES");
+SecretKey wrapperKey2 = CryptoUtils.createSecretKeySpec(WRAPPER_BYTES2, "AES");
+
+JweHeaders protectedHeaders = new JweHeaders(ContentAlgorithm.A128GCM);
+JweHeaders sharedUnprotectedHeaders = new JweHeaders();
+sharedUnprotectedHeaders.setJsonWebKeysUrl("https://server.example.com/keys.jwks");
+sharedUnprotectedHeaders.setKeyEncryptionAlgorithm(KeyAlgorithm.A128KW);
+
+ContentEncryptionProvider contentEncryption = JweUtils.getContentEncryptionProvider(ContentAlgorithm.A128GCM);
+
+KeyEncryptionProvider keyEncryption1 = JweUtils.getSecretKeyEncryptionAlgorithm(wrapperKey1, KeyAlgorithm.A128KW);
+JweEncryptionProvider jweEnc1 = new JweEncryption(keyEncryption1, contentEncryption);
+
+KeyEncryptionProvider keyEncryption2 = JweUtils.getSecretKeyEncryptionAlgorithm(wrapperKey2, KeyAlgorithm.A128KW);
+JweEncryptionProvider jweEnc2 = new JweEncryption(keyEncryption2, contentEncryption);
+
+List<JweEncryptionProvider> jweList = new LinkedList<JweEncryptionProvider>();
+jweList.add(jweEnc1);
+jweList.add(jweEnc2);
+
+JweJsonProducer p = new JweJsonProducer(protectedHeaders,
+ sharedUnprotectedHeaders,
+ StringUtils.toBytesUTF8(text),
+ StringUtils.toBytesUTF8(EXTRA_AAD_SOURCE),
+ false);
+String jweJsonOut = p.encryptWith(jweList);
+
+// first consumer:
+JweDecryptionProvider jweDecrypt = JweUtils.createJweDecryptionProvider(wrapperKey1,
+ KeyAlgorithm.A128KW,
+ ContentAlgorithm.A128GCM);
+JweJsonConsumer c = new JweJsonConsumer(jweJsonOut);
+// the consumer will iterate over JWE entries and will try to find the one which can be decrypted with this decryptor
+// which is always precise if only a single receipient entry is available
+// or do consumer.getRecipientsMap() returning a list of entries and their metadata to do a more precise selection.
+
+String content = consumer.decryptWith(jweDecrypt).getContent();
+
+</pre>
+</div></div><p>If the sequence contains a single recipient entry only then the JWE JSON 'recipients' array will contain a single entry, or the whole sequence can be <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7516#appendix-A.5" rel="nofollow">flattened</a> instead with the actual 'recipients' array dropped. JweJsonProducer  does not produce the flattened sequence when only a single encryption is done by default because 3rd party JWE JSON consumers may only be able to process the sequences with the 'recipients' array, so pass a 'canBeFlat' flag to JwEJsonProducer if needed</p><p>Does it make sense to use JWE JSON if you do not plan to do multiple encryptions ? Most likely you will prefer JWE Compact if only a single recipient is targeted.</p><h2 id="JAX-RSJOSE-JSONWebToken">JSON Web Token</h2><p><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7519" rel="nofollow">JWT</a> (JSON Web Token) is a collection of claims in JSON
format. It offers a standard JSON container for representing various properties or claims.</p><p>JWT can be signed and or encrypted, i.e, serve as a JOSE signature or encryption input like any other data structure.</p><p>JWT has been primarily used in OAuth2 applications to represent self-contained access tokens but can also be used in other contexts.</p><p>CXF offers an initial JWT support in <a shape="rect" class="external-link" href="https://github.com/apache/cxf/tree/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt" rel="nofollow">this package</a>.</p><h1 id="JAX-RSJOSE-JOSEJAX-RSFilters">JOSE JAX-RS Filters</h1><h2 id="JAX-RSJOSE-JWS">JWS</h2><h2 id="JAX-RSJOSE-JWE">JWE</h2><h2 id="JAX-RSJOSE-LinkingJWTauthenticationstoJWSorJWEcontent">Linking JWT authentications to JWS or JWE content</h2><p> </p><h1 id="JAX-RSJOSE-Configuration">Configuration</h1><h4 id="JAX-RSJOSE-Configurationthatappliestobothencryptionandsignature">Configuration
that applies to both encryption and signature</h4><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore</td><td colspan="1" rowspan="1" class="confluenceTd">The Java KeyStore Object to use. This configuration tag is used if you want to pass the KeyStore Object through dynamically.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>rs.security.keystore.type</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The keystore type. Suitable values are "jks" or "jwk".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore.password</td><td colspan="1" rowspan="1" class="confluenceTd">The password required to access the keystore.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore.alias</td><td colspan="1" rowspan="1" class="confluenceTd"> The keystore alias corresponding to the key to use. You can append one of the follow
ing to this tag to get the alias for more specific operations:<br clear="none">     - jwe.out<br clear="none">     - jwe.in<br clear="none">     - jws.out<br clear="none">     - jws.in</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore.aliases</td><td colspan="1" rowspan="1" class="confluenceTd">The keystore aliases corresponding to the keys to use, when using the JSON serialization form. You can append one of the following to this tag to get the alias for more specific operations:<br clear="none">     - jws.out<br clear="none">     - jws.in</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore.file</td><td colspan="1" rowspan="1" class="confluenceTd">The path to the keystore file.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.key.password</td><td colspan="1" rowspan="1" class=
"confluenceTd">The password required to access the private key (in the keystore).</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.key.password.provider</td><td colspan="1" rowspan="1" class="confluenceTd">A reference to a PrivateKeyPasswordProvider instance used to retrieve passwords to access keys.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.accept.public.key</td><td colspan="1" rowspan="1" class="confluenceTd"><p>Whether to allow using a JWK received in the header for signature validation. The default is "false".</p></td></tr></tbody></table></div><h4 id="JAX-RSJOSE-Configurationthatappliestosignatureonly">Configuration that applies to signature only</h4><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>rs.security.signature.key.password.provider</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>A reference to a PrivateKeyPasswordProvider instance u
sed to retrieve passwords to access keys for signature. If this is not specified it falls back to use "rs.security.key.password.provider".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.algorithm</td><td colspan="1" rowspan="1" class="confluenceTd">The signature algorithm to use. The default algorithm if not specified is 'RS256'.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.out.properties</td><td colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file for compact signature creation. If not specified then it falls back to "rs.security.signature.properties".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.in.properties</td><td colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file for compact signature verification. If not specified then it falls back to "rs.security.signature.properties".</p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd">rs.security.signature.properties</td><td colspan="1" rowspan="1" class="confluenceTd">The signature properties file for compact signature creation/verification.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.include.public.key</td><td colspan="1" rowspan="1" class="confluenceTd">Include the JWK public key for signature in the "jwk" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.include.cert</td><td colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate for signature in the "x5c" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.include.key.id</td><td colspan="1" rowspan="1" class="confluenceTd">Include the JWK key id for signature in the "kid" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.signature.include.cert.sha1</td><td colspan="1" rowspan="1" class="confluenceTd">Inclu
de the X.509 certificate SHA-1 digest for signature in the "x5t" header.</td></tr></tbody></table></div><h4 id="JAX-RSJOSE-Configurationthatappliestoencryptiononly">Configuration that applies to encryption only</h4><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>rs.security.decryption.key.password.provider</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>A reference to a PrivateKeyPasswordProvider instance used to retrieve passwords to access keys for decryption. If this is not specified it falls back to use "rs.security.key.password.provider".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.content.algorithm</td><td colspan="1" rowspan="1" class="confluenceTd">The encryption content algorithm to use. The default algorithm if not specified is 'A128GCM'.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.key.algorithm</td><td cols
pan="1" rowspan="1" class="confluenceTd"><p>The encryption key algorithm to use. The default algorithm if not specified is 'RSA-OAEP' if the key is an RSA key, and 'A128GCMKW' if it is an octet sequence.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.zip.algorithm</td><td colspan="1" rowspan="1" class="confluenceTd">The encryption zip algorithm to use.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.out.properties</td><td colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file for encryption creation. If not specified then it falls back to "rs.security.encryption.properties".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.in.properties</td><td colspan="1" rowspan="1" class="confluenceTd"><p>The signature properties file for decryption. If not specified then it falls back to "rs.security.encryption.properties".</p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd">rs.security.encryption.properties</td><td colspan="1" rowspan="1" class="confluenceTd">The signature properties file for encryption/decryption.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.include.public.key</td><td colspan="1" rowspan="1" class="confluenceTd">Include the JWK public key for encryption in the "jwk" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.include.cert</td><td colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate for encryption in the "x5c" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.include.key.id</td><td colspan="1" rowspan="1" class="confluenceTd">Include the JWK key id for encryption in the "kid" header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.encryption.include.cert.sha1</td><td colspan="1" rowspan="1" class="confluenceTd"
>Include the X.509 certificate SHA-1 digest for encryption in the "x5t" header.</td></tr></tbody></table></div><h4 id="JAX-RSJOSE-ConfigurationthatappliestoJWTtokensonly">Configuration that applies to JWT tokens only</h4><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>rs.security.enable.unsigned-jwt.principal</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Whether to allow unsigned JWT tokens as SecurityContext Principals. The default is false.</p></td></tr></tbody></table></div><p> </p><h1 id="JAX-RSJOSE-Interoperability">Interoperability</h1><h1 id="JAX-RSJOSE-Third-PartyLibraries">Third-Party Libraries</h1><p><a shape="rect" class="external-link" href="https://bitbucket.org/b_c/jose4j/wiki/Home" rel="nofollow">Jose4J</a></p><p><a shape="rect" class="external-link" href="http://connect2id.com/products/nimbus-jose-jwt" rel="nofollow">Nimbus JOSE</a></p><p> </p><p> </p><p> </p>
</div>
</div>
<!-- Content -->
</td>