...
BouncyCastle provider can be registered and unregistered as follows:
Code Block | ||||
---|---|---|---|---|
| ||||
import java.security.Security; import org.bouncycastle.jce.provider.BouncyCastleProvider; private static void registerBouncyCastle() throws Exception { Security.addProvider(new BouncyCastleProvider()); } private static void unregisterBouncyCastle() throws Exception { Security.removeProvider(BouncyCastleProvider.PROVIDER_NAME); } |
...
JWT (JSON Web Token) is a collection of claims in JSON format. It offers is simply a standard JSON container for representing various properties or claimsregular JSON document where each top elevel property is called a 'claim'.
JWT can be JWS signed and/or encrypted, i.e, serve as a JOSE signature or encryption input JWE encrypted like any other data structure.
JWT has been primarily is mainly used in OAuth2 and OIDC applications to represent self-contained OAuth2 access tokens, OIDC IdToken, UserInfo, but can also be used in other contexts. For example, see the section below on linking JWT authentication tokens to JWS or JWE secured payloads.
CXF offers an initial a JWT support in this package.
JOSE JAX-RS Filters
JWS
JWE
Typically one would create a set of claims and submit them to JWS/JWE JWT processors, for example, see a JWS section above.
JWS and JWE Combined
If you have a requirement to sign the data and then encrypt the signed payload then it can be easily achieved by selecting a required JWS Producer and creating a JWS Compact sequence, and next submitting this sequence to a JWE producer, and processing it all in the reverse sequence
JOSE JAX-RS Filters
JWS
JWE
Linking JWT authentications to JWS or JWE content
...
The above code needs to be executed in the context of the current request (in server or client in/out interceptors or server service code) as it expects the current CXF Message be available in order to deduce where to load the configuration properties from. However JwsUtils and JweUtils provide a number of utility methods for loading the providers without loading the properties first which can be used when setting up the client code or when no properties are available in the current request context.
...
When the code needs to load the configuration properties it first looks for the property 'container' file which contains the specific properties instructing which keys and algorithms need to be used. Singature or encryption properties for in/out operations can be provided.
Configuration Property Containers
Signature
rs.security.signature.out.keystoreproperties | The Java KeyStore Object to use. This configuration tag is used if you want to pass the KeyStore Object through dynamically. | rs.security.keystore.type | The keystore type. Suitable values are "jks" or "jwk"signature properties file for Compact or JSON signature creation. If not specified then it falls back to "rs.security.signature.properties". |
rs.security.signature.in.properties | The signature properties file for Compact or JSON signature verification. If not specified then it falls back to "rs.security.signature.properties". | ||
rs.security.keystoresignature.passwordThe password required to access the keystore.properties | The signature properties file for Compact or JSON signature creation/verification. |
Encryption
rs.security.encryption.keystoreout.alias The keystore alias corresponding to the key to use. You can append one of the following to this tag to get the alias for more specific operations: - jwe.out - jwe.in - jws.out - jws.inproperties | The encryption properties file for Compact or JSON encryption creation. If not specified then it falls back to "rs.security.encryption.properties". |
rs.security.encryption.in.properties | The encryption properties file for Compact or JSON decryption. If not specified then it falls back to "rs.security.encryption.properties". |
rs.security.keystoreencryption.aliases | The keystore aliases corresponding to the keys to use, when using the JSON serialization form. You can append one of the following to this tag to get the alias for more specific operations: - jws.out - jws.in |
rs.security.keystore.file | The path to the keystore file. |
rs.security.key.password | The password required to access the private key (in the keystore). |
rs.security.key.password.provider | A reference to a PrivateKeyPasswordProvider instance used to retrieve passwords to access keys. |
rs.security.accept.public.key | Whether to allow using a JWK received in the header for signature validation. The default is "false". |
Configuration that applies to signature only
properties | The signature properties file for encryption/decryption. |
Once the properties are loaded the runtime proceeds with initializing JWS/JWE providers accordingly. The following section lists the properties, some oif them being common and some - unique to the signature/verification and encryption/decryption processes.
Note that one can override some of the properties, for example, 'rs.security.store' can be set as a dynamic request property pointing to a preloaded Java KeyStore object.
Configuration that applies to both encryption and signature
rs.security.keystore | The Java KeyStore Object to use. This configuration tag is used if you want to pass the KeyStore Object through dynamically. | ||
rs.security.keystore.type | The keystore type. Suitable values are "jks" or "jwk | ||
rs.security.signature.key.password.provider | A reference to a PrivateKeyPasswordProvider instance used to retrieve passwords to access keys for signature. If this is not specified it falls back to use "rs.security.key.password.provider". | ||
rs.security.signature.algorithm | The signature algorithm to use. The default algorithm if not specified is 'RS256'. | ||
rs.security.signature.out.properties | The signature properties file for compact signature creation. If not specified then it falls back to "rs.security.signature.properties". | ||
rs.security.signaturekeystore.in.propertiespassword | The password required to access the keystore. | ||
The signature properties file for compact signature verification. If not specified then it falls back to "rs.security.signature.properties". | rs.security.signature.properties | keystore.alias | The keystore alias corresponding to the key to use. You can append one of the following to this tag to get the alias for more specific operations: - jwe.out - jwe.in - jws.out - jws.inThe signature properties file for compact signature creation/verification. |
rs.security.signature.include.public.keyInclude the JWK public key for signature in the "jwk" header.keystore.aliases | The keystore aliases corresponding to the keys to use, when using the JSON serialization form. You can append one of the following to this tag to get the alias for more specific operations: - jws.out - jws.in | ||
rs.security.signaturekeystore.include.certfile | The path to the keystore fileInclude the X.509 certificate for signature in the "x5c" header. | ||
rs.security.signature.include.key.idpassword | The password required to access the private key (in the keystore)Include the JWK key id for signature in the "kid" header. | ||
rs.security.signature.include.cert.sha1.key.password.provider | A reference to a PrivateKeyPasswordProvider instance used to retrieve passwords to access keys. | ||
rs.security.accept.public.key | Whether to allow using a JWK received in the header for signature validation. The default is "false" Include the X.509 certificate SHA-1 digest for signature in the "x5t" header. |
Configuration that applies to
...
signature only
rs.security.decryptionsignature.key.password.provider | A reference to a PrivateKeyPasswordProvider instance used to retrieve passwords to access keys for decryptionsignature. If this is not specified it falls back to use "rs.security.key.password.provider". |
rs.security.encryption.contentsignature.algorithm | The encryption content signature algorithm to use. The default algorithm if not specified is 'A128GCMRS256'. |
rs.security.signature.include.encryption.key.algorithmThe encryption key algorithm to use. The default algorithm if not specified is 'RSA-OAEP' if the key is an RSA key, and 'A128GCMKW' if it is an octet sequencepublic.key | Include the JWK public key for signature in the "jwk" header. |
rs.security.signature.include.cert | Include the X.509 certificate for signature in the "x5c" header. |
rs.security.signature.include.key.id | Include the JWK key id for signature in the "kid" header. |
rs.security.encryption.zip.algorithmThe encryption zip algorithm to use..signature.include.cert.sha1 | Include the X.509 certificate SHA-1 digest for signature in the "x5t" header. |
Configuration that applies to encryption only
rs.security.decryption. | encryptionkey. | outpassword. | propertiesThe signature properties file for encryption creation. If not specified then provider | A reference to a PrivateKeyPasswordProvider instance used to retrieve passwords to access keys for decryption. If this is not specified it falls back to use "rs.security. | encryptionkey.password. | propertiesprovider". |
rs.security.encryption.incontent.propertiesalgorithm | The encryption content algorithm to use. The default algorithm if not specified is 'A128GCM'. | |||||
signature properties file for decryption. If not specified then it falls back to "rs.security.encryption.key.algorithm | The encryption key algorithm to use. The default algorithm if not specified is 'RSA-OAEP' if the key is an RSA key, and 'A128GCMKW' if it is an octet sequence.properties". | |||||
rs.security.encryption.zip.propertiesalgorithm | The signature properties file for encryption/decryptionencryption zip algorithm to use. | |||||
rs.security.encryption.include.public.key | Include the JWK public key for encryption in the "jwk" header. | |||||
rs.security.encryption.include.cert | Include the X.509 certificate for encryption in the "x5c" header. | |||||
rs.security.encryption.include.key.id | Include the JWK key id for encryption in the "kid" header. | |||||
rs.security.encryption.include.cert.sha1 | Include the X.509 certificate SHA-1 digest for encryption in the "x5t" header. |
...
rs.security.enable.unsigned-jwt.principal | Whether to allow unsigned JWT tokens as SecurityContext Principals. The default is false. |
Interoperability
...
Third-Party Libraries
...