Versions Compared

...

This approach is more effective than the alternatives in which a hash of the body is calculated first, that hash is passed to a signature creation function, and the resulting signature is added as an HTTP header.

Note that the "JWT" scheme is not standard, and from CXF 4.0.0 the default scheme has changed to "Bearer".

JWT authorization

CXF supports both role and claims based authorization for JAX-RS endpoints based on information contained in a received JWT. Please see the JAX-RS Token Authorization page for more information.

...

This option is about using the CXF JOSE library directly to sign, encrypt, and/or decrypt and verify the data, as documented above. It should be preferred when you need closer control over the process, for example to set custom JWS or JWE headers.
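The following is an added example of that direct use of the CXF JOSE API; it is not code from the CXF documentation or project. It signs a small set of JWT claims with a custom JWS header, then verifies the compact token while pinning the expected algorithm and key id and checking expiry. The HMAC secret, issuer URL, key id and the "x-purpose" header value are constructed for the demo; a real deployment would load the key from its keystore.

```java
import java.nio.charset.StandardCharsets;

import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
import org.apache.cxf.rs.security.jose.jws.HmacJwsSignatureProvider;
import org.apache.cxf.rs.security.jose.jws.HmacJwsSignatureVerifier;
import org.apache.cxf.rs.security.jose.jws.JwsHeaders;
import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer;
import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactProducer;
import org.apache.cxf.rs.security.jose.jwt.JwtClaims;

public class JoseSignExample {

    // Constructed 256-bit demo secret (assumption); load from the keystore in real code.
    private static final byte[] SECRET =
        "0123456789abcdef0123456789abcdef".getBytes(StandardCharsets.UTF_8);
    private static final String KEY_ID = "demo-key-1"; // constructed key id

    /** Build claims, set custom JWS headers and produce a compact JWS. */
    public static String sign(String subject, long nowSeconds) {
        JwtClaims claims = new JwtClaims();
        claims.setSubject(subject);
        claims.setIssuer("https://issuer.example"); // constructed issuer
        claims.setIssuedAt(nowSeconds);
        claims.setExpiryTime(nowSeconds + 300);     // five minute lifetime

        // Explicit headers: the "closer control" the text refers to.
        JwsHeaders headers = new JwsHeaders(SignatureAlgorithm.HS256);
        headers.setKeyId(KEY_ID);                 // lets the verifier select the right key
        headers.setHeader("x-purpose", "api");    // custom, application-specific header

        JwsJwtCompactProducer producer = new JwsJwtCompactProducer(headers, claims);
        return producer.signWith(new HmacJwsSignatureProvider(SECRET, SignatureAlgorithm.HS256));
    }

    /** Verify the token; every check here is something a library default might not do for you. */
    public static JwtClaims verify(String compactJws, long nowSeconds) {
        JwsJwtCompactConsumer consumer = new JwsJwtCompactConsumer(compactJws);
        JwsHeaders headers = consumer.getJwsHeaders();

        // Pin the algorithm: the token's own "alg" header must never choose the verifier.
        if (headers.getSignatureAlgorithm() != SignatureAlgorithm.HS256) {
            throw new SecurityException("unexpected JWS algorithm");
        }
        // Only accept a key id we actually manage.
        if (!KEY_ID.equals(headers.getKeyId())) {
            throw new SecurityException("unknown key id");
        }
        if (!consumer.verifySignatureWith(new HmacJwsSignatureVerifier(SECRET, SignatureAlgorithm.HS256))) {
            throw new SecurityException("JWS signature verification failed");
        }

        JwtClaims claims = consumer.getJwtClaims();
        // Reject tokens without an expiry as well as expired ones.
        Long exp = claims.getExpiryTime();
        if (exp == null || exp <= nowSeconds) {
            throw new SecurityException("token expired or has no exp claim");
        }
        return claims;
    }

    public static void main(String[] args) {
        long now = System.currentTimeMillis() / 1000L;
        String token = sign("alice", now);
        JwtClaims verified = verify(token, now);
        System.out.println("subject: " + verified.getSubject());
    }
}
```

The algorithm and key-id pinning is the reason to take the manual route: when the library chooses the verifier from the token's headers, control over those decisions moves from your configuration to whoever minted the token.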

...

These properties will contain a location of the key store, signature and/or encryption algorithm properties, etc. See the Configuration section for all the available configuration options.

...

rs.security.keystore
    The Java KeyStore object to use. This configuration tag is used if you want to pass the KeyStore object through dynamically.

rs.security.keystore.type
    The keystore type. Suitable values are "jks" or "jwk".

rs.security.keystore.password
    The password required to access the keystore.

rs.security.keystore.alias
    The keystore alias corresponding to the key to use. You can append one of the following to this tag to get the alias for a more specific operation:
      - jwe.out
      - jwe.in
      - jws.out
      - jws.in

rs.security.keystore.aliases
    The keystore aliases corresponding to the keys to use, when using the JSON serialization form. You can append one of the following to this tag to get the aliases for a more specific operation:
      - jws.out
      - jws.in

rs.security.keystore.file
    The path to the keystore file.

rs.security.key.password
    The password required to access the private key (in the keystore).

rs.security.key.password.provider
    A reference to a PrivateKeyPasswordProvider instance used to retrieve passwords to access keys.

rs.security.accept.public.key
    Whether to allow using a JWK received in the header for signature validation. The default is "false".

rs.security.enable.revocation (CXF 3.4.0)
    Whether to enable revocation checking when validating a certificate chain. The default is "false".
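As an added illustration of the properties above (not configuration from the CXF documentation), the following wires a JAX-RS endpoint with a hardened inbound-signature configuration and shows, in comments, the weaker settings it avoids. The keystore path, password and alias are placeholders; `rs.security.signature.algorithm` and the `JwtAuthenticationFilter` class are CXF JOSE features not listed on this page fragment, and the choice to inject the password from a secret store rather than a literal is the author's assumption about deployment.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.cxf.jaxrs.JAXRSServerFactoryBean;
import org.apache.cxf.rs.security.jose.jaxrs.JwtAuthenticationFilter;

public class JwtEndpointConfig {

    /** Properties for verifying inbound JWS-signed JWTs against a trusted issuer key. */
    public static Map<String, Object> inboundSignatureProps(String keystorePassword) {
        Map<String, Object> props = new HashMap<>();
        props.put("rs.security.keystore.type", "jks");
        props.put("rs.security.keystore.file", "/etc/app/jwt-trust.jks");   // placeholder path
        props.put("rs.security.keystore.password", keystorePassword);        // injected, not hard-coded
        // ".jws.in" suffix: the alias used only for verifying inbound signatures.
        props.put("rs.security.keystore.alias.jws.in", "issuer-signing-cert"); // placeholder alias

        // Pin the expected algorithm so the token's "alg" header cannot pick a weaker one.
        props.put("rs.security.signature.algorithm", "RS256");

        // Keep the default: a JWK carried inside the token header is chosen by the sender,
        // so a signature that validates against it proves nothing about who signed.
        // Weak alternative (do not use):  props.put("rs.security.accept.public.key", "true");
        props.put("rs.security.accept.public.key", "false");

        // Default is "false"; turn it on so a revoked issuer certificate is rejected
        // during chain validation (CXF 3.4.0 and later).
        props.put("rs.security.enable.revocation", "true");
        return props;
    }

    /** Build the endpoint: the filter reads the rs.security.* properties from the endpoint. */
    public static JAXRSServerFactoryBean configure(Object resource, String keystorePassword) {
        JAXRSServerFactoryBean sf = new JAXRSServerFactoryBean();
        sf.setServiceBean(resource);
        sf.setAddress("http://localhost:8080/api"); // constructed address
        sf.setProperties(inboundSignatureProps(keystorePassword));
        sf.setProvider(new JwtAuthenticationFilter());
        return sf;
    }
}
```

Using the operation-specific alias (`.jws.in`) keeps the verification key separate from any key the same endpoint uses to sign outbound data or decrypt inbound JWE, so a misconfiguration on one path does not silently reuse the key of another.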

...