Introduction
CXF has supported the HTTP Signatures draft spec since CXF 3.3.0.
Maven Dependencies
Adding the following dependency lets developers use the HTTP Signature support:

```xml
<dependency>
    <groupId>org.apache.cxf</groupId>
    <artifactId>cxf-rt-rs-security-http-signature</artifactId>
    <version>3.3.1</version>
</dependency>
```
HTTP Signature overview and Implementation
Configuration
The following configuration properties can be used to configure HTTP Signature with the various filters. Note that they are shared for the most part with JAX-RS JOSE.
Configuration Tag | Default | Description |
---|---|---|
rs.security.keystore | | The Java KeyStore Object to use. This configuration tag is used if you want to pass the KeyStore Object through dynamically. |
rs.security.keystore.type | JKS | The keystore type. |
rs.security.keystore.password | | The password required to access the keystore. |
rs.security.keystore.alias | | The keystore alias corresponding to the key to use. |
rs.security.keystore.file | | The path to the keystore file. |
rs.security.key.password | | The password required to access the private key (in the keystore). |
rs.security.key.password.provider | | A reference to a PrivateKeyPasswordProvider instance used to retrieve passwords to access keys. |
rs.security.signature.out.properties | | The signature properties file for Compact or JSON signature creation. If not specified then it falls back to "rs.security.signature.properties". |
rs.security.signature.in.properties | | The signature properties file for Compact or JSON signature verification. If not specified then it falls back to "rs.security.signature.properties". |
rs.security.signature.properties | | The signature properties file for Compact or JSON signature creation/verification. |
rs.security.signature.algorithm | rsa-sha256 | The signature algorithm to use. |
rs.security.http.signature.key.id | | The signature key id. |
rs.security.http.signature.out.headers | all headers including "(request-target)" | A list of String values which correspond to the list of HTTP headers that will be signed in the outbound request. |
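
To show what the algorithm, key id and signed-headers settings above control on the wire, here is an added example (not CXF code, JDK classes only, Java 9+) that builds the signing string defined by the HTTP Signatures draft, signs it with rsa-sha256, and verifies it after header changes. The key pair, the key id `example-key-id`, the host and the header values are constructed for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;

public class HttpSignatureSketch {
    // Draft signing string: one "name: value" line per covered header, in list order.
    static String signingString(String method, String path, Map<String, String> headers, List<String> covered) {
        StringJoiner sj = new StringJoiner("\n");
        for (String name : covered) {
            String value = name.equals("(request-target)")
                    ? method.toLowerCase(Locale.ROOT) + " " + path : headers.get(name);
            if (value == null) throw new IllegalArgumentException("missing header: " + name);
            sj.add(name + ": " + value.trim());
        }
        return sj.toString();
    }
    static byte[] sign(PrivateKey key, String s) throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA256withRSA"); // JCA name for rsa-sha256
        sig.initSign(key);
        sig.update(s.getBytes(StandardCharsets.UTF_8));
        return sig.sign();
    }
    static boolean verify(PublicKey key, String s, byte[] signature) throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(key);
        sig.update(s.getBytes(StandardCharsets.UTF_8));
        return sig.verify(signature);
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair(); // constructed throwaway key; a deployment loads it from the keystore
        // Constructed sample request; header names are lowercase as the draft requires.
        Map<String, String> headers = new HashMap<>(Map.of("host", "service.example",
                "date", "Tue, 07 Jun 2022 20:51:35 GMT", "accept", "application/json"));
        List<String> covered = Arrays.asList("(request-target)", "host", "date");
        byte[] sigBytes = sign(kp.getPrivate(), signingString("GET", "/orders/42", headers, covered));
        System.out.println("Signature: keyId=\"example-key-id\",algorithm=\"rsa-sha256\",headers=\""
                + String.join(" ", covered) + "\",signature=\"" + Base64.getEncoder().encodeToString(sigBytes) + "\"");
        // The receiver rebuilds the signing string from the request it received, then verifies.
        PublicKey pub = kp.getPublic();
        System.out.println("as sent:           " + verify(pub, signingString("GET", "/orders/42", headers, covered), sigBytes));
        headers.put("accept", "text/html");   // not in the covered list, so the change is not detected
        System.out.println("accept changed:    " + verify(pub, signingString("GET", "/orders/42", headers, covered), sigBytes));
        headers.put("host", "other.example"); // covered header, so verification fails
        System.out.println("host changed:      " + verify(pub, signingString("GET", "/orders/42", headers, covered), sigBytes));
    }
}
```

The last three lines print `true`, `true` and `false`: only headers named in the signed list are integrity-protected, which is the reason to check any narrowing of `rs.security.http.signature.out.headers` against what the receiver relies on.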