...
rs.security.keystore.type | The keystore type. Suitable values are "jks" or "jwk". |
rs.security.keystore.password | The password required to access the keystore. |
rs.security.keystore.alias | The keystore alias corresponding to the key to use. You can append one of the following to this tag to get the alias for more specific operations: - jwe.out - jwe.in - jws.out - jws.in |
rs.security.keystore.aliases | The keystore aliases corresponding to the keys to use, when using the JSON serialization form. You can append one of the following to this tag to get the alias for more specific operations: - jws.out - jws.in |
rs.security.keystore.file | The path to the keystore file. |
rs.security.key.password | The password required to access the private key (in the keystore). |
rs.security.key.password.provider | A reference to a PrivateKeyPasswordProvider instance used to retrieve passwords to access keys. |
rs.security.include.public.key | Include the JWK public key (for signature or encryption) in the "jwk" header. |
rs.security.include.cert | Include the X.509 certificate (for signature or encryption) in the "x5c" header. |
rs.security.include.key.id | Include the JWK key id (for signature or encryption) in the "kid" header. |
rs.security.include.cert.sha1 | Include the X.509 certificate SHA-1 digest (for signature or encryption) in the "x5t" header. |
rs.security.accept.public.key | Whether to allow using a JWK received in the header for signature validation. The default is "false". |
Configuration that applies to signature only
rs.security.signature.key.password.provider | A reference to a PrivateKeyPasswordProvider instance used to retrieve passwords to access keys for signature. If this is not specified it falls back to use "rs.security.key.password.provider". |
rs.security.signature.algorithm | The signature algorithm to use. The default algorithm if not specified is 'RS256'. |
rs.security.signature.out.properties | The signature properties file for compact signature creation. If not specified then it falls back to "rs.security.signature.properties". |
rs.security.signature.in.properties | The signature properties file for compact signature verification. If not specified then it falls back to "rs.security.signature.properties". |
rs.security.signature.properties | The signature properties file for compact signature creation/verification. |
rs.security.signature.out.list.properties | The signature properties file for JSON Serialization signature creation. If not specified then it falls back to "rs.security.signature.list.properties". |
rs.security.signature.in.list.properties | The signature properties file for JSON Serialization signature verification. If not specified then it falls back to "rs.security.signature.list.properties". |
rs.security.signature.list.properties | The signature properties file for JSON Serialization signature creation/verification. |
rs.security.signature.include.public.key | Include the JWK public key for signature in the "jwk" header. |
rs.security.signature.include.cert | Include the X.509 certificate for signature in the "x5c" header. |
rs.security.signature.include.key.id | Include the JWK key id for signature in the "kid" header. |
rs.security.signature.include.cert.sha1 | Include the X.509 certificate SHA-1 digest for signature in the "x5t" header. |
Configuration that applies to
...
encryption only
rs.security.decryption.key.password.provider | A reference to a PrivateKeyPasswordProvider instance used to retrieve passwords to access keys for decryption. If this is not specified it falls back to use "rs.security.key.password.provider". |
rs.security.encryption.content.algorithm | The encryption content algorithm to use. The default algorithm if not specified is 'A128GCM'. |
rs.security.encryption.key.algorithm | The encryption key algorithm to use. The default algorithm if not specified is 'RSA-OAEP' if the key is an RSA key, and 'A128GCMKW' if it is an octet sequence. |
rs.security.encryption.zip.algorithm | The encryption zip algorithm to use. |
rs.security.encryption.out.properties | The properties file used for encryption. If not specified then it falls back to "rs.security.encryption.properties". |
rs.security.encryption.in.properties | The properties file used for decryption. If not specified then it falls back to "rs.security.encryption.properties". |
rs.security.encryption.properties | The properties file used for encryption/decryption. |
rs.security.encryption.include.public.key | Include the JWK public key for encryption in the "jwk" header. |
rs.security.encryption.include.cert | Include the X.509 certificate for encryption in the "x5c" header. |
rs.security.encryption.include.key.id | Include the JWK key id for encryption in the "kid" header. |
rs.security.encryption.include.cert.sha1 | Include the X.509 certificate SHA-1 digest for encryption in the "x5t" header. |
Configuration that applies to JWT tokens only
rs.security.enable.unsigned-jwt.principal | Whether to allow unsigned JWT tokens as SecurityContext Principals. The default is false. |
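As an added example (not part of the CXF documentation or code base), the Python script below audits a properties file for the two settings documented above as defaulting to false, for passwords stored in clear text, and for the unsecured `none` signature algorithm from RFC 7518, which this page does not mention. The sample properties and the function names are constructed for illustration.

```python
# Added example, not CXF code: flag JOSE properties that weaken verification.
RISKY_WHEN_TRUE = {
    "rs.security.accept.public.key":
        "a JWK received in the header is accepted for signature validation",
    "rs.security.enable.unsigned-jwt.principal":
        "unsigned JWT tokens are allowed as SecurityContext principals",
}
PLAINTEXT_SECRETS = ("rs.security.keystore.password", "rs.security.key.password")

def parse_properties(text):
    """Parse key=value or key:value lines; '#' and '!' start comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # Split at the first '=' or ':'; a bare key gets an empty value.
        cut = min((i for i in (line.find("="), line.find(":")) if i >= 0),
                  default=len(line))
        props[line[:cut].strip()] = line[cut + 1:].strip()
    return props

def audit(props):
    """Return (key, reason) pairs for settings that deserve a review."""
    findings = []
    for key, reason in RISKY_WHEN_TRUE.items():
        # Both settings default to false, so only an explicit "true" is flagged.
        if props.get(key, "false").lower() == "true":
            findings.append((key, reason))
    for key in PLAINTEXT_SECRETS:
        if props.get(key):
            findings.append((key, "password stored in clear text in the file"))
    # "none" is the unsecured JWS algorithm from RFC 7518: no signature at all.
    if props.get("rs.security.signature.algorithm", "RS256").lower() == "none":
        findings.append(("rs.security.signature.algorithm", "JWS is unsigned"))
    return findings

# Constructed sample input, not taken from a real deployment.
SAMPLE = """\
rs.security.keystore.type=jwk
rs.security.keystore.file=keys/example.jwks
rs.security.keystore.alias=example-key
rs.security.key.password=example-password
rs.security.signature.algorithm=RS256
rs.security.accept.public.key=true
rs.security.enable.unsigned-jwt.principal = TRUE
"""

if __name__ == "__main__":
    for key, reason in audit(parse_properties(SAMPLE)):
        print(f"{key}: {reason}")
```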
Encrypting JWK stores
JAX-RS filters can read the keys from encrypted JWK stores. The stores are encrypted inline or in separate storages (files). By default the filters expect that the stores have been encrypted using
...