...
This option makes it straightforward to do JOSE in the application code. One has to extend or delegate to a specific JOSE helper instance and configure the endpoint with the location of the key store.
Produce JOSE data
Step 1. Use JoseProducer or JoseJwtProducer
If you need to protect some non-JWT property - extend or delegate to JoseProducer:
```java
import javax.ws.rs.GET;
import javax.ws.rs.Path;

import org.apache.cxf.rs.security.jose.common.JoseProducer;

@Path("service")
public class SecureService extends JoseProducer {
    @GET
    public String getProtectedValue() {
        // encrypt and/or sign the data
        return super.processData("some data");
    }
}

// or delegate to a JoseProducer instance instead of extending it
@Path("service")
public class SecureService extends AbstractSecureService {
    private JoseProducer producer = new JoseProducer();

    @GET
    public String getProtectedValue() {
        // encrypt and/or sign the data
        return producer.processData("some data");
    }
}
```
...
If you need to protect some JWT property - then extend or delegate to JoseJwtProducer:
```java
import javax.ws.rs.GET;
import javax.ws.rs.Path;

import org.apache.cxf.rs.security.jose.jwt.JoseJwtProducer;
import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
import org.apache.cxf.rs.security.jose.jwt.JwtToken;

@Path("service")
public class SecureService extends JoseJwtProducer {
    @GET
    public String getProtectedToken() {
        // encrypt and/or sign JWT
        JwtClaims claims = new JwtClaims();
        claims.setIssuer("some issuer");
        // set other claims
        return super.processJwt(new JwtToken(claims));
    }
}

// or delegate to a JoseJwtProducer instance instead of extending it
@Path("service")
public class SecureService extends AbstractSecureService {
    private JoseJwtProducer producer = new JoseJwtProducer();

    @GET
    public String getProtectedValue() {
        // encrypt and/or sign JWT
        return producer.processJwt(new JwtToken(new JwtClaims()));
    }
}
```
In both cases the producer helpers will detect the endpoint-specific configuration, so they do not need to be preconfigured - however, if needed, they have the 'encryptionProvider' and 'signatureProvider' setters which can be used to inject JwsSignatureProvider and/or JweEncryptionProvider instances instead.
The producer helpers require only signature creation by default. Use their 'setJwsRequired' or 'setJweRequired' properties to customize this - for example, to disable JWS but require JWE, or to enable JWE so that JWS-protected data is encrypted as well.
...
Consume JOSE data
If you need to decrypt and/or verify some non-JWT JOSE property - extend or delegate to JoseConsumer:
```java
import javax.ws.rs.POST;
import javax.ws.rs.Path;

import org.apache.cxf.rs.security.jose.common.JoseConsumer;

@Path("service")
public class SecureService extends JoseConsumer {
    @POST
    public void acceptProtectedValue(String joseValue) {
        // decrypt the value first if needed, verify the signature
        String data = super.getData(joseValue);
    }
}

// or delegate to a JoseConsumer instance instead of extending it
@Path("service")
public class SecureService extends AbstractSecureService {
    private JoseConsumer consumer = new JoseConsumer();

    @POST
    public void acceptProtectedValue(String joseValue) {
        // decrypt the value first if needed, verify the signature
        String data = consumer.getData(joseValue);
    }
}
```
If you need to decrypt and/or verify some JWT property then extend or delegate to JoseJwtConsumer:
```java
import javax.ws.rs.POST;
import javax.ws.rs.Path;

import org.apache.cxf.rs.security.jose.jwt.JoseJwtConsumer;
import org.apache.cxf.rs.security.jose.jwt.JwtToken;

@Path("service")
public class SecureService extends JoseJwtConsumer {
    @POST
    public void acceptProtectedToken(String joseValue) {
        // decrypt the value first if needed, verify the signature
        JwtToken data = super.getJwtToken(joseValue);
    }
}

// or delegate to a JoseJwtConsumer instance instead of extending it
@Path("service")
public class SecureService extends AbstractSecureService {
    private JoseJwtConsumer consumer = new JoseJwtConsumer();

    @POST
    public void acceptProtectedToken(String joseValue) {
        // decrypt the value first if needed, verify the signature
        JwtToken data = consumer.getJwtToken(joseValue);
    }
}
```
In both cases the consumer helpers will detect the endpoint-specific configuration, so they do not need to be preconfigured - however, if needed, they have the 'jweDecryptor' and 'jwsVerifier' setters which can be used to inject JwsSignatureVerifier and/or JweDecryptionProvider instances instead.
The consumer helpers require only signature verification by default. Use their 'setJwsRequired' or 'setJweRequired' properties to customize this - for example, to disable JWS but require JWE, or to enable JWE so that JWS-protected data is decrypted as well.
Produce and Consume JOSE data
Configure the endpoint
These properties will contain a location of the key store, signature and/or encryption algorithm properties, etc. See the Configuration section for all the available configuration options.
```xml
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:jaxrs="http://cxf.apache.org/jaxrs">
    <bean id="serviceBean" class="org.apache.cxf.systest.jaxrs.security.jose.SecureService"/>
    <jaxrs:server address="/secure">
        <jaxrs:serviceBeans>
            <ref bean="serviceBean"/>
        </jaxrs:serviceBeans>
        <jaxrs:properties>
            <entry key="rs.security.signature.properties" value="org/apache/cxf/systest/jaxrs/security/secret.jwk.properties"/>
            <entry key="rs.security.encryption.properties" value="org/apache/cxf/systest/jaxrs/security/secret.jwk.properties"/>
        </jaxrs:properties>
    </jaxrs:server>
</beans>
```
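A service that both issues and accepts tokens on an endpoint configured with signature and encryption properties as above, with JWE switched on in addition to the default JWS. This is an added example, not code from the CXF project: the class name and the issuer value are hypothetical, and it uses the delegation form with the `processJwt` and `getJwtToken` calls shown on this page together with `setJweRequired`.

```java
import javax.ws.rs.ForbiddenException;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;

import org.apache.cxf.rs.security.jose.jwt.JoseJwtConsumer;
import org.apache.cxf.rs.security.jose.jwt.JoseJwtProducer;
import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
import org.apache.cxf.rs.security.jose.jwt.JwtToken;

// Hypothetical service: signs and encrypts outgoing JWTs and expects both on incoming ones.
@Path("service")
public class SignedAndEncryptedTokenService {
    // Constructed sample value, not taken from the page.
    private static final String EXPECTED_ISSUER = "https://issuer.example";

    private final JoseJwtProducer producer = new JoseJwtProducer();
    private final JoseJwtConsumer consumer = new JoseJwtConsumer();

    public SignedAndEncryptedTokenService() {
        // JWS is required by default; set explicitly so the policy is visible in code review.
        producer.setJwsRequired(true);
        consumer.setJwsRequired(true);
        // JWE is not required by default: without these calls the claims are signed but readable.
        producer.setJweRequired(true);
        consumer.setJweRequired(true);
    }

    @GET
    public String getProtectedToken() {
        JwtClaims claims = new JwtClaims();
        claims.setIssuer(EXPECTED_ISSUER);
        // Keys and algorithms are resolved from the endpoint's rs.security.*.properties entries.
        return producer.processJwt(new JwtToken(claims));
    }

    @POST
    public void acceptProtectedToken(String joseValue) {
        // Decrypts the value, then verifies the signature of the inner JWS.
        JwtToken token = consumer.getJwtToken(joseValue);
        // A valid signature only proves possession of the key; still check the claims relied on.
        if (!EXPECTED_ISSUER.equals(token.getClaims().getIssuer())) {
            throw new ForbiddenException("unexpected issuer");
        }
    }
}
```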
Consume JOSE data
Step 1. Use JoseConsumer or JoseJwtConsumer
Step 2. Set the key store location and the algorithm info
Produce and Consume JOSE data
Step 1. Use JoseProducerConsumer or JoseJwtProducerConsumer
...
Configuration
CXF JOSE configuration provides for loading JWS and JWE keys and supporting various processing options. Configuration properties can be shared between JWS and JWE processors, or properties that apply only to inbound or only to outbound JWS and/or JWE processing can be set.
...