ConfigurationConstants (Apache WSS4J WS-Security Common 2.0.2 API)

Overview

Package

Class

Use

Tree

Deprecated

Index

Help

PREV CLASS NEXT CLASS

FRAMES NO FRAMES

SUMMARY: NESTED | FIELD | CONSTR | METHOD

DETAIL: FIELD | CONSTR | METHOD

org.apache.wss4j.common
Class ConfigurationConstants

java.lang.Object
  org.apache.wss4j.common.ConfigurationConstants

public class ConfigurationConstants
extends Object
extends Object

This class defines Configuration Constants that are shared between the DOM + StAX code. This allows a user to configure both layers in the same way (e.g. via a Map).

Field Summary
`static String`	`ACTION` The action parameter.
`static String`	`ACTOR` The actor or role name of the `wsse:Security` header.
`static String`	`ADD_INCLUSIVE_PREFIXES` Whether to add an InclusiveNamespaces PrefixList as a CanonicalizationMethod child when generating Signatures using WSConstants.C14N_EXCL_OMIT_COMMENTS.
`static String`	`ADD_USERNAMETOKEN_CREATED` Whether to add a Created Element to a UsernameToken.
`static String`	`ADD_USERNAMETOKEN_NONCE` Whether to add a Nonce Element to a UsernameToken.
`static String`	`ALLOW_NAMESPACE_QUALIFIED_PASSWORD_TYPES` This variable controls whether (wsse) namespace qualified password types are accepted when processing UsernameTokens.
`static String`	`ALLOW_RSA15_KEY_TRANSPORT_ALGORITHM` Whether to allow the RSA v1.5 Key Transport Algorithm or not.
`static String`	`ALLOW_USERNAMETOKEN_NOPASSWORD` This variable controls whether a UsernameToken with no password element is allowed.
`static String`	`CUSTOM_TOKEN` Add a "Custom" token.
`static String`	`DEC_PROP_FILE` The path of the crypto property file to use for Decryption.
`static String`	`DEC_PROP_REF_ID` The key that holds a reference to the object holding complete information about the decryption Crypto implementation.
`static String`	`DERIVED_ENCRYPTION_KEY_LENGTH` The length to use (in bytes) when deriving a key for Encryption.
`static String`	`DERIVED_KEY_ITERATIONS` This parameter sets the number of iterations to use when deriving a key from a Username Token.
`static String`	`DERIVED_SIGNATURE_KEY_LENGTH` The length to use (in bytes) when deriving a key for Signature.
`static String`	`DERIVED_TOKEN_KEY_ID` This controls the key identifier of Derived Tokens, i.e.
`static String`	`DERIVED_TOKEN_REFERENCE` This controls the deriving token from which DerivedKeyTokens derive keys from.
`static String`	`ENABLE_NONCE_CACHE` Whether to cache UsernameToken nonces.
`static String`	`ENABLE_REVOCATION` This variable controls whether to enable Certificate Revocation List (CRL) checking or not when verifying trust in a certificate.
`static String`	`ENABLE_SAML_ONE_TIME_USE_CACHE` Whether to cache SAML2 Token Identifiers, if the token contains a "OneTimeUse" Condition.
`static String`	`ENABLE_SIGNATURE_CONFIRMATION` Whether to enable signatureConfirmation or not.
`static String`	`ENABLE_TIMESTAMP_CACHE` Whether to cache Timestamp Created Strings (these are only cached in conjunction with a message Signature).
`static String`	`ENC_DIGEST_ALGO` Defines which encryption digest algorithm to use with the RSA OAEP Key Transport algorithm for encryption.
`static String`	`ENC_KEY_ID` Defines which key identifier type to use for encryption.
`static String`	`ENC_KEY_TRANSPORT` Defines which algorithm to use to encrypt the generated symmetric key.
`static String`	`ENC_MGF_ALGO` Defines which encryption mgf algorithm to use with the RSA OAEP Key Transport algorithm for encryption.
`static String`	`ENC_PROP_FILE` The path of the crypto property file to use for Encryption.
`static String`	`ENC_PROP_REF_ID` The key that holds a reference to the object holding complete information about the encryption Crypto implementation.
`static String`	`ENC_SYM_ALGO` Defines which symmetric encryption algorithm to use.
`static String`	`ENC_SYM_ENC_KEY` Defines whether to encrypt the symmetric encryption key or not.
`static String`	`ENCRYPT` Perform an Encryption action.
`static String`	`ENCRYPT_DERIVED` Perform an Encryption action with derived keys.
`static String`	`ENCRYPT_WITH_KERBEROS_TOKEN` Perform a Encryption action with a kerberos token.
`static String`	`ENCRYPTION_PARTS` Parameter to define which parts of the request shall be encrypted.
`static String`	`ENCRYPTION_USER` The user's name for encryption.
`static String`	`HANDLE_CUSTOM_PASSWORD_TYPES` This variable controls whether types other than PasswordDigest or PasswordText are allowed when processing UsernameTokens.
`static String`	`INCLUDE_ENCRYPTION_TOKEN` Whether to include the Encryption token (BinarySecurityToken) in the security header as well or not.
`static String`	`INCLUDE_SIGNATURE_TOKEN` Whether to include the Signature Token in the security header as well or not.
`static String`	`IS_BSP_COMPLIANT` Whether to ensure compliance with the Basic Security Profile (BSP) 1.1 or not.
`static String`	`KERBEROS_TOKEN` Add a kerberos token.
`static String`	`MUST_UNDERSTAND` Whether to set the mustUnderstand flag on an outbound message or not.
`static String`	`NONCE_CACHE_INSTANCE` This holds a reference to a ReplayCache instance used to cache UsernameToken nonces.
`static String`	`OPTIONAL_ENCRYPTION_PARTS` Parameter to define which parts of the request shall be encrypted, if they exist in the request.
`static String`	`OPTIONAL_SIGNATURE_PARTS` Parameter to define which parts of the request shall be signed, if they exist in the request.
`static String`	`PASSWORD_ENCRYPTOR_INSTANCE` This holds a reference to a PasswordEncryptor instance, which is used to encrypt or decrypt passwords in the Merlin Crypto implementation (or any custom Crypto implementations).
`static String`	`PASSWORD_TYPE` Specific parameter for UsernameTokens to define the encoding of the password.
`static String`	`PW_CALLBACK_CLASS` This tag refers to the CallbackHandler implementation class used to obtain passwords.
`static String`	`PW_CALLBACK_REF` This tag refers to the CallbackHandler implementation object used to obtain passwords.
`static String`	`REQUIRE_SIGNED_ENCRYPTED_DATA_ELEMENTS` Whether the engine needs to enforce EncryptedData elements are in a signed subtree of the document.
`static String`	`SAML_CALLBACK_CLASS` This tag refers to the SAML CallbackHandler implementation class used to construct SAML Assertions.
`static String`	`SAML_CALLBACK_REF` This tag refers to the SAML CallbackHandler implementation object used to construct SAML Assertions.
`static String`	`SAML_ONE_TIME_USE_CACHE_INSTANCE` This holds a reference to a ReplayCache instance used to cache SAML2 Token Identifier Strings (if the token contains a OneTimeUse Condition).
`static String`	`SAML_TOKEN_SIGNED` Perform a signed SAML Token action.
`static String`	`SAML_TOKEN_UNSIGNED` Perform an unsigned SAML Token action.
`static String`	`SIG_ALGO` Defines which signature algorithm to use.
`static String`	`SIG_C14N_ALGO` Defines which signature c14n (canonicalization) algorithm to use.
`static String`	`SIG_DIGEST_ALGO` Defines which signature digest algorithm to use.
`static String`	`SIG_KEY_ID` Defines which key identifier type to use for signature.
`static String`	`SIG_PROP_FILE` The path of the crypto property file to use for Signature creation.
`static String`	`SIG_PROP_REF_ID` The key that holds a reference to the object holding complete information about the signature Crypto implementation.
`static String`	`SIG_SUBJECT_CERT_CONSTRAINTS` This configuration tag is a comma separated String of regular expressions which will be applied to the subject DN of the certificate used for signature validation, after trust verification of the certificate chain associated with the certificate.
`static String`	`SIG_VER_PROP_FILE` The path of the crypto property file to use for Signature verification.
`static String`	`SIG_VER_PROP_REF_ID` The key that holds a reference to the object holding complete information about the signature verification Crypto implementation.
`static String`	`SIGNATURE` Perform a Signature action.
`static String`	`SIGNATURE_DERIVED` Perform a Signature action with derived keys.
`static String`	`SIGNATURE_PARTS` Parameter to define which parts of the request shall be signed.
`static String`	`SIGNATURE_USER` The user's name for signature.
`static String`	`SIGNATURE_WITH_KERBEROS_TOKEN` Perform a Signature action with a kerberos token.
`static String`	`TIMESTAMP` Add a timestamp to the security header.
`static String`	`TIMESTAMP_CACHE_INSTANCE` This holds a reference to a ReplayCache instance used to cache Timestamp Created Strings.
`static String`	`TIMESTAMP_PRECISION` Set whether Timestamps have precision in milliseconds.
`static String`	`TIMESTAMP_STRICT` Set the value of this parameter to true to enable strict timestamp handling.
`static String`	`TTL_FUTURE_TIMESTAMP` This configuration tag specifies the time in seconds in the future within which the Created time of an incoming Timestamp is valid.
`static String`	`TTL_FUTURE_USERNAMETOKEN` This configuration tag specifies the time in seconds in the future within which the Created time of an incoming UsernameToken is valid.
`static String`	`TTL_TIMESTAMP` Time-To-Live is the time difference between creation and expiry time in seconds in the WSS Timestamp.
`static String`	`TTL_USERNAMETOKEN` Time-To-Live is the time difference between creation and expiry time in seconds of the UsernameToken Created value.
`static String`	`USE_2005_12_NAMESPACE` Whether to use the "http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512" namespace for SecureConversation + Derived Keys.
`static String`	`USE_DERIVED_KEY_FOR_MAC` This parameter sets whether to use the Username Token derived key for a MAC or not.
`static String`	`USE_REQ_SIG_CERT` Specifying this name as `ENCRYPTION_USER` triggers a special action to get the public key to use for encryption.
`static String`	`USE_SINGLE_CERTIFICATE` This parameter sets whether to use a single certificate or a whole certificate chain when constructing a BinarySecurityToken used for direct reference in signature.
`static String`	`USER` The user's name.
`static String`	`USERNAME_TOKEN` Perform a UsernameToken action.
`static String`	`USERNAME_TOKEN_NO_PASSWORD` Perform a UsernameToken action with no password.
`static String`	`USERNAME_TOKEN_SIGNATURE` Perform a UsernameTokenSignature action.
`static String`	`VALIDATE_SAML_SUBJECT_CONFIRMATION` Whether to validate the SubjectConfirmation requirements of a received SAML Token (sender-vouches or holder-of-key).
`static String`	`VALIDATOR_MAP` This tag refers to a Map of QName, Object (Validator) instances to be used to validate tokens identified by their QName.

Constructor Summary
`protected`	`ConfigurationConstants()`

Method Summary

Methods inherited from class java.lang.Object
`clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait`

Field Detail

ACTION

public static final String ACTION

The action parameter. It is a blank separated list of actions to perform.

The application may set this parameter using the following method:

 call.setProperty(ConfigurationConstants.ACTION, ConfigurationConstants.USERNAME_TOKEN);

See Also:: Constant Field Values

USERNAME_TOKEN

public static final String USERNAME_TOKEN

Perform a UsernameToken action.

See Also:: Constant Field Values

USERNAME_TOKEN_SIGNATURE

public static final String USERNAME_TOKEN_SIGNATURE

Perform a UsernameTokenSignature action.

See Also:: Constant Field Values

USERNAME_TOKEN_NO_PASSWORD

public static final String USERNAME_TOKEN_NO_PASSWORD

Perform a UsernameToken action with no password.

See Also:: Constant Field Values

SAML_TOKEN_UNSIGNED

public static final String SAML_TOKEN_UNSIGNED

Perform an unsigned SAML Token action.

See Also:: Constant Field Values

SAML_TOKEN_SIGNED

public static final String SAML_TOKEN_SIGNED

Perform a signed SAML Token action.

See Also:: Constant Field Values

SIGNATURE

public static final String SIGNATURE

Perform a Signature action. The signature specific parameters define how to sign, which keys to use, and so on.

See Also:: Constant Field Values

ENCRYPT

public static final String ENCRYPT

Perform an Encryption action. The encryption specific parameters define how to encrypt, which keys to use, and so on.

See Also:: Constant Field Values

TIMESTAMP

public static final String TIMESTAMP

Add a timestamp to the security header.

See Also:: Constant Field Values

SIGNATURE_DERIVED

public static final String SIGNATURE_DERIVED

Perform a Signature action with derived keys. The signature specific parameters define how to sign, which keys to use, and so on.

See Also:: Constant Field Values

ENCRYPT_DERIVED

public static final String ENCRYPT_DERIVED

Perform an Encryption action with derived keys. The encryption specific parameters define how to encrypt, which keys to use, and so on.

See Also:: Constant Field Values

SIGNATURE_WITH_KERBEROS_TOKEN

public static final String SIGNATURE_WITH_KERBEROS_TOKEN

Perform a Signature action with a kerberos token. The signature specific parameters define how to sign, which keys to use, and so on.

See Also:: Constant Field Values

ENCRYPT_WITH_KERBEROS_TOKEN

public static final String ENCRYPT_WITH_KERBEROS_TOKEN

Perform a Encryption action with a kerberos token. The signature specific parameters define how to encrypt, which keys to use, and so on.

See Also:: Constant Field Values

KERBEROS_TOKEN

public static final String KERBEROS_TOKEN

Add a kerberos token.

See Also:: Constant Field Values

CUSTOM_TOKEN

public static final String CUSTOM_TOKEN

Add a "Custom" token. This token will be retrieved from a CallbackHandler via WSPasswordCallback.Usage.CUSTOM_TOKEN and written out as is in the security header.

See Also:: Constant Field Values

ACTOR

public static final String ACTOR

The actor or role name of the wsse:Security header. If this parameter is omitted, the actor name is not set.

The value of the actor or role has to match the receiver's setting or may contain standard values.

The application may set this parameter using the following method:

 call.setProperty(ConfigurationConstants.ACTOR, "ActorName");

See Also:: Constant Field Values

USER

public static final String USER

The user's name. It is used differently by each of the WS-Security functions.

The UsernameToken function sets this name in the UsernameToken.
The Signing function uses this name as the alias name in the keystore to get user's certificate and private key to perform signing if SIGNATURE_USER is not used.
The encryption functions uses this parameter as fallback if ENCRYPTION_USER is not used.

See Also:: Constant Field Values

ENCRYPTION_USER

public static final String ENCRYPTION_USER

The user's name for encryption. The encryption functions use the public key of this user's certificate to encrypt the generated symmetric key.

If this parameter is not set, then the encryption function falls back to the USER parameter to get the certificate.

If only encryption of the SOAP body data is requested, it is recommended to use this parameter to define the username.

The application may set this parameter using the following method:

 call.setProperty(ConfigurationConstants.ENCRYPTION_USER, "encryptionUser");

See Also:: Constant Field Values

SIGNATURE_USER

public static final String SIGNATURE_USER

The user's name for signature. This name is used as the alias name in the keystore to get user's certificate and private key to perform signing.

If this parameter is not set, then the signature function falls back to the USER parameter.

The application may set this parameter using the following method:

 call.setProperty(ConfigurationConstants.SIGNATURE_USER, "signatureUser");

See Also:: Constant Field Values

USE_REQ_SIG_CERT

public static final String USE_REQ_SIG_CERT

Specifying this name as ENCRYPTION_USER triggers a special action to get the public key to use for encryption.

The handler uses the public key of the sender's certificate. Using this way to define an encryption key simplifies certificate management to a large extent.

See Also:: Constant Field Values

PW_CALLBACK_CLASS

public static final String PW_CALLBACK_CLASS

This tag refers to the CallbackHandler implementation class used to obtain passwords. The value of this tag must be the class name of a CallbackHandler instance.

The callback function

CallbackHandler.handle(
 javax.security.auth.callback.Callback[])

gets an array of WSPasswordCallback objects. Only the first entry of the array is used. This object contains the username/keyname as identifier. The callback handler must set the password or key associated with this identifier before it returns.

The application may set this parameter using the following method:

 call.setProperty(ConfigurationConstants.PW_CALLBACK_CLASS, "PWCallbackClass");

See Also:: Constant Field Values

PW_CALLBACK_REF

public static final String PW_CALLBACK_REF

This tag refers to the CallbackHandler implementation object used to obtain passwords. The value of this tag must be a CallbackHandler instance.

Refer to PW_CALLBACK_CLASS for further information about password callback handling.

See Also:: Constant Field Values

SAML_CALLBACK_CLASS

public static final String SAML_CALLBACK_CLASS

This tag refers to the SAML CallbackHandler implementation class used to construct SAML Assertions. The value of this tag must be the class name of a CallbackHandler instance.

See Also:: Constant Field Values

SAML_CALLBACK_REF

public static final String SAML_CALLBACK_REF

This tag refers to the SAML CallbackHandler implementation object used to construct SAML Assertions. The value of this tag must be a CallbackHandler instance.

See Also:: Constant Field Values

SIG_PROP_FILE

public static final String SIG_PROP_FILE

The path of the crypto property file to use for Signature creation. The classloader loads this file. Therefore it must be accessible via the classpath.

To locate the implementation of the Crypto interface implementation the property file must contain the property org.apache.wss4j.crypto.provider. The value of this property is the classname of the implementation class.

The following line defines the standard implementation:

 org.apache.wss4j.crypto.provider=org.apache.wss4j.common.crypto.Merlin

The other contents of the property file depend on the implementation of the Crypto interface. Please see the WSS4J website for more information on the Merlin property tags and values.

The application may set this parameter using the following method:

 call.setProperty(ConfigurationConstants.SIG_PROP_FILE, "myCrypto.properties");

See Also:: Constant Field Values

SIG_PROP_REF_ID

public static final String SIG_PROP_REF_ID

The key that holds a reference to the object holding complete information about the signature Crypto implementation. This object can either be a Crypto instance or a java.util.Properties file, which should contain all information that would contain in an equivalent properties file which includes the Crypto implementation class name. Refer to documentation of SIG_PROP_FILE.

See Also:: Constant Field Values

SIG_VER_PROP_FILE

public static final String SIG_VER_PROP_FILE

The path of the crypto property file to use for Signature verification. The classloader loads this file. Therefore it must be accessible via the classpath.

Refer to documentation of SIG_PROP_FILE.

See Also:: Constant Field Values

SIG_VER_PROP_REF_ID

public static final String SIG_VER_PROP_REF_ID

The key that holds a reference to the object holding complete information about the signature verification Crypto implementation. This object can either be a Crypto instance or a java.util.Properties file, which should contain all information that would contain in an equivalent properties file which includes the Crypto implementation class name. Refer to documentation of SIG_VER_PROP_FILE.

See Also:: Constant Field Values

DEC_PROP_FILE

public static final String DEC_PROP_FILE

The path of the crypto property file to use for Decryption. The classloader loads this file. Therefore it must be accessible via the classpath. Refer to documentation of SIG_PROP_FILE for more information about the contents of the Properties file.

The application may set this parameter using the following method:

 call.setProperty(ConfigurationConstants.DEC_PROP_FILE, "myCrypto.properties");

See Also:: Constant Field Values

DEC_PROP_REF_ID

public static final String DEC_PROP_REF_ID

The key that holds a reference to the object holding complete information about the decryption Crypto implementation. This object can either be a Crypto instance or a java.util.Properties file, which should contain all information that would contain in an equivalent properties file which includes the Crypto implementation class name. Refer to documentation of DEC_PROP_FILE.

See Also:: Constant Field Values

ENC_PROP_FILE

public static final String ENC_PROP_FILE

The path of the crypto property file to use for Encryption. The classloader loads this file. Therefore it must be accessible via the classpath. Refer to documentation of SIG_PROP_FILE for more information about the contents of the Properties file.

The application may set this parameter using the following method:

 call.setProperty(ConfigurationConstants.ENC_PROP_FILE, "myCrypto.properties");

See Also:: Constant Field Values

ENC_PROP_REF_ID

public static final String ENC_PROP_REF_ID

The key that holds a reference to the object holding complete information about the encryption Crypto implementation. This object can either be a Crypto instance or a java.util.Properties file, which should contain all information that would contain in an equivalent properties file which includes the Crypto implementation class name. Refer to documentation of ENC_PROP_FILE.

See Also:: Constant Field Values

ENABLE_SIGNATURE_CONFIRMATION

public static final String ENABLE_SIGNATURE_CONFIRMATION

Whether to enable signatureConfirmation or not. The default value is "false".

See Also:: Constant Field Values

MUST_UNDERSTAND

public static final String MUST_UNDERSTAND

Whether to set the mustUnderstand flag on an outbound message or not. The default setting is "true".

The application may set this parameter using the following method:

 call.setProperty(ConfigurationConstants.MUST_UNDERSTAND, "false");

See Also:: Constant Field Values

IS_BSP_COMPLIANT

public static final String IS_BSP_COMPLIANT

Whether to ensure compliance with the Basic Security Profile (BSP) 1.1 or not. The default value is "true".

The application may set this parameter using the following method:

 call.setProperty(ConfigurationConstants.IS_BSP_COMPLIANT, "false");

See Also:: Constant Field Values

ADD_INCLUSIVE_PREFIXES

public static final String ADD_INCLUSIVE_PREFIXES

Whether to add an InclusiveNamespaces PrefixList as a CanonicalizationMethod child when generating Signatures using WSConstants.C14N_EXCL_OMIT_COMMENTS. The default is true.

See Also:: Constant Field Values

ADD_USERNAMETOKEN_NONCE

public static final String ADD_USERNAMETOKEN_NONCE

Whether to add a Nonce Element to a UsernameToken. This only applies when the password type is of type "text". A Nonce is automatically added for the "digest" case. The default is false.

See Also:: Constant Field Values

ADD_USERNAMETOKEN_CREATED

public static final String ADD_USERNAMETOKEN_CREATED

Whether to add a Created Element to a UsernameToken. This only applies when the password type is of type "text". A Created is automatically added for the "digest" case. The default is false.

See Also:: Constant Field Values

HANDLE_CUSTOM_PASSWORD_TYPES

public static final String HANDLE_CUSTOM_PASSWORD_TYPES

This variable controls whether types other than PasswordDigest or PasswordText are allowed when processing UsernameTokens. The default value is "false".

See Also:: Constant Field Values

ALLOW_USERNAMETOKEN_NOPASSWORD

public static final String ALLOW_USERNAMETOKEN_NOPASSWORD

This variable controls whether a UsernameToken with no password element is allowed. The default value is "false". Set it to "true" to allow deriving keys from UsernameTokens or to support UsernameTokens for purposes other than authentication.

See Also:: Constant Field Values

ALLOW_NAMESPACE_QUALIFIED_PASSWORD_TYPES

public static final String ALLOW_NAMESPACE_QUALIFIED_PASSWORD_TYPES

This variable controls whether (wsse) namespace qualified password types are accepted when processing UsernameTokens. The default value is "false".

See Also:: Constant Field Values

ENABLE_REVOCATION

public static final String ENABLE_REVOCATION

This variable controls whether to enable Certificate Revocation List (CRL) checking or not when verifying trust in a certificate. The default value is "false".

See Also:: Constant Field Values

USE_SINGLE_CERTIFICATE

public static final String USE_SINGLE_CERTIFICATE

This parameter sets whether to use a single certificate or a whole certificate chain when constructing a BinarySecurityToken used for direct reference in signature. The default is "true", meaning that only a single certificate is used.

See Also:: Constant Field Values

USE_DERIVED_KEY_FOR_MAC

public static final String USE_DERIVED_KEY_FOR_MAC

This parameter sets whether to use the Username Token derived key for a MAC or not. The default is "true".

See Also:: Constant Field Values

TIMESTAMP_PRECISION

public static final String TIMESTAMP_PRECISION

Set whether Timestamps have precision in milliseconds. This applies to the creation of Timestamps only. The default value is "true".

See Also:: Constant Field Values

TIMESTAMP_STRICT

public static final String TIMESTAMP_STRICT

Set the value of this parameter to true to enable strict timestamp handling. The default value is "true". Strict Timestamp handling: throw an exception if a Timestamp contains an Expires element and the semantics of the request are expired, i.e. the current time at the receiver is past the expires time.

See Also:: Constant Field Values

ENC_SYM_ENC_KEY

public static final String ENC_SYM_ENC_KEY

Defines whether to encrypt the symmetric encryption key or not. If true (the default), the symmetric key used for encryption is encrypted in turn, and inserted into the security header in an "EncryptedKey" structure. If set to false, no EncryptedKey structure is constructed.

The application may set this parameter using the following method:

 call.setProperty(ConfigurationConstants.ENC_SYM_ENC_KEY, "false");

See Also:: Constant Field Values

REQUIRE_SIGNED_ENCRYPTED_DATA_ELEMENTS

public static final String REQUIRE_SIGNED_ENCRYPTED_DATA_ELEMENTS

Whether the engine needs to enforce EncryptedData elements are in a signed subtree of the document. This can be used to prevent some wrapping based attacks when encrypt-before-sign token protection is selected.

See Also:: Constant Field Values

ALLOW_RSA15_KEY_TRANSPORT_ALGORITHM

public static final String ALLOW_RSA15_KEY_TRANSPORT_ALGORITHM

Whether to allow the RSA v1.5 Key Transport Algorithm or not. Use of this algorithm is discouraged, and so the default is "false".

See Also:: Constant Field Values

VALIDATE_SAML_SUBJECT_CONFIRMATION

public static final String VALIDATE_SAML_SUBJECT_CONFIRMATION

Whether to validate the SubjectConfirmation requirements of a received SAML Token (sender-vouches or holder-of-key). The default is true.

See Also:: Constant Field Values

INCLUDE_SIGNATURE_TOKEN

public static final String INCLUDE_SIGNATURE_TOKEN

Whether to include the Signature Token in the security header as well or not. This is only applicable to the IssuerSerial, Thumbprint and SKI Key Identifier cases. The default is false.

See Also:: Constant Field Values

INCLUDE_ENCRYPTION_TOKEN

public static final String INCLUDE_ENCRYPTION_TOKEN

Whether to include the Encryption token (BinarySecurityToken) in the security header as well or not. This is only applicable to the IssuerSerial, Thumbprint and SKI Key Identifier cases. The default is false.

See Also:: Constant Field Values

ENABLE_NONCE_CACHE

public static final String ENABLE_NONCE_CACHE

Whether to cache UsernameToken nonces. The default value is "true".

See Also:: Constant Field Values

ENABLE_TIMESTAMP_CACHE

public static final String ENABLE_TIMESTAMP_CACHE

Whether to cache Timestamp Created Strings (these are only cached in conjunction with a message Signature). The default value is "true".

See Also:: Constant Field Values

ENABLE_SAML_ONE_TIME_USE_CACHE

public static final String ENABLE_SAML_ONE_TIME_USE_CACHE

Whether to cache SAML2 Token Identifiers, if the token contains a "OneTimeUse" Condition. The default value is "true".

See Also:: Constant Field Values

USE_2005_12_NAMESPACE

public static final String USE_2005_12_NAMESPACE

Whether to use the "http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512" namespace for SecureConversation + Derived Keys. If set to "false", it will use the namespace "http://schemas.xmlsoap.org/ws/2005/02/sc". The default is true.

See Also:: Constant Field Values

PASSWORD_TYPE

public static final String PASSWORD_TYPE

Specific parameter for UsernameTokens to define the encoding of the password. It can be used on either the outbound or inbound side. The valid values are: - PasswordDigest - PasswordText - PasswordNone On the Outbound side, the default value is PW_DIGEST. There is no default value on the inbound side. If a value is specified on the inbound side, the password type of the received UsernameToken must match the specified type, or an exception will be thrown.

See Also:: Constant Field Values

SIG_KEY_ID

public static final String SIG_KEY_ID

Defines which key identifier type to use for signature. The WS-Security specifications recommends to use the identifier type IssuerSerial. For signature IssuerSerial, DirectReference, X509KeyIdentifier, Thumbprint, SKIKeyIdentifier and KeyValue are valid only.

The default is IssuerSerial.

The application may set this parameter using the following method:

 call.setProperty(ConfigurationConstants.SIG_KEY_ID, "DirectReference");

See Also:: Constant Field Values

SIG_ALGO

public static final String SIG_ALGO

Defines which signature algorithm to use. The default is set by the data in the certificate, i.e. one of the following: "http://www.w3.org/2000/09/xmldsig#rsa-sha1" "http://www.w3.org/2000/09/xmldsig#dsa-sha1"

The application may set this parameter using the following method:

 call.setProperty(
     ConfigurationConstants.SIG_ALGO, 
     "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
 );

See Also:: Constant Field Values

SIG_DIGEST_ALGO

public static final String SIG_DIGEST_ALGO

Defines which signature digest algorithm to use. The default is: "http://www.w3.org/2000/09/xmldsig#sha1"

The application may set this parameter using the following method:

 call.setProperty(
    ConfigurationConstants.SIG_DIGEST_ALGO, "http://www.w3.org/2001/04/xmlenc#sha256"
 );

See Also:: Constant Field Values

SIG_C14N_ALGO

public static final String SIG_C14N_ALGO

Defines which signature c14n (canonicalization) algorithm to use. The default is: "http://www.w3.org/2001/10/xml-exc-c14n#"

See Also:: Constant Field Values

SIGNATURE_PARTS

public static final String SIGNATURE_PARTS

Parameter to define which parts of the request shall be signed.

Refer to ENCRYPTION_PARTS for a detailed description of the format of the value string.

If this parameter is not specified the handler signs the SOAP Body by default, i.e.:

 <parameter name="signatureParts"
   value="{}{http://schemas.xmlsoap.org/soap/envelope/}Body;" />

To specify an element without a namespace use the string Null as the namespace name (this is a case sensitive string)

If there is no other element in the request with a local name of Body then the SOAP namespace identifier can be empty ({}).

See Also:: Constant Field Values

OPTIONAL_SIGNATURE_PARTS

public static final String OPTIONAL_SIGNATURE_PARTS

Parameter to define which parts of the request shall be signed, if they exist in the request. If they do not, then no error is thrown. This contrasts with the SIGNATURE_PARTS Identifier, which specifies elements that must be signed in the request.

Refer to ENCRYPTION_PARTS for a detailed description of the format of the value string.

See Also:: Constant Field Values

DERIVED_KEY_ITERATIONS

public static final String DERIVED_KEY_ITERATIONS

This parameter sets the number of iterations to use when deriving a key from a Username Token. The default is 1000.

See Also:: Constant Field Values

ENC_KEY_ID

public static final String ENC_KEY_ID

Defines which key identifier type to use for encryption. The WS-Security specifications recommends to use the identifier type IssuerSerial. For encryption IssuerSerial, DirectReference, X509KeyIdentifier, Thumbprint, SKIKeyIdentifier, EncryptedKeySHA1 and EmbeddedKeyName are valid only.

The default is IssuerSerial.

The application may set this parameter using the following method:

 call.setProperty(ConfigurationConstants.ENC_KEY_ID, "X509KeyIdentifier");

See Also:: Constant Field Values

ENC_SYM_ALGO

public static final String ENC_SYM_ALGO

Defines which symmetric encryption algorithm to use. WSS4J supports the following algorithms: "http://www.w3.org/2001/04/xmlenc#tripledes-cbc"; "http://www.w3.org/2001/04/xmlenc#aes128-cbc"; "http://www.w3.org/2001/04/xmlenc#aes256-cbc"; "http://www.w3.org/2001/04/xmlenc#aes192-cbc"; Except for AES 192 all of these algorithms are required by the XML Encryption specification. The default algorithm is: "http://www.w3.org/2001/04/xmlenc#aes128-cbc"

The application may set this parameter using the following method:

 call.setProperty(ConfigurationConstants.ENC_SYM_ALGO, WSConstants.AES_256);

See Also:: Constant Field Values

ENC_KEY_TRANSPORT

public static final String ENC_KEY_TRANSPORT

Defines which algorithm to use to encrypt the generated symmetric key. The default algorithm is: "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"

The application may set this parameter using the following method:

 call.setProperty(ConfigurationConstants.ENC_KEY_TRANSPORT, WSConstants.KEYTRANSPORT_RSA15);

See Also:: Constant Field Values

ENCRYPTION_PARTS

public static final String ENCRYPTION_PARTS

Parameter to define which parts of the request shall be encrypted.

The value of this parameter is a list of semi-colon separated element names that identify the elements to encrypt. An encryption mode specifier and a namespace identification, each inside a pair of curly brackets, may preceed each element name.

The encryption mode specifier is either {Content} or {Element}. Please refer to the W3C XML Encryption specification about the differences between Element and Content encryption. The encryption mode defaults to Content if it is omitted. Example of a list:

 <parameter name="encryptionParts"
   value="{Content}{http://example.org/paymentv2}CreditCard;
             {Element}{}UserName" />

The the first entry of the list identifies the element CreditCard in the namespace http://example.org/paymentv2, and will encrypt its content. Be aware that the element name, the namespace identifier, and the encryption modifier are case sensitive.

The encryption modifier and the namespace identifier can be ommited. In this case the encryption mode defaults to Content and the namespace is set to the SOAP namespace.

An empty encryption mode defaults to Content, an empty namespace identifier defaults to the SOAP namespace. The second line of the example defines Element as encryption mode for an UserName element in the SOAP namespace.

Note that the special value "{}cid:Attachments;" means that all of the message attachments should be encrypted.

To specify an element without a namespace use the string Null as the namespace name (this is a case sensitive string)

If no list is specified, the handler encrypts the SOAP Body in Content mode by default.

See Also:: Constant Field Values

OPTIONAL_ENCRYPTION_PARTS

public static final String OPTIONAL_ENCRYPTION_PARTS

Parameter to define which parts of the request shall be encrypted, if they exist in the request. If they do not, then no error is thrown. This contrasts with the ENCRYPTION_PARTS Identifier, which specifies elements that must be encrypted in the request.

Refer to ENCRYPTION_PARTS for a detailed description of the format of the value string.

See Also:: Constant Field Values

ENC_DIGEST_ALGO

public static final String ENC_DIGEST_ALGO

Defines which encryption digest algorithm to use with the RSA OAEP Key Transport algorithm for encryption. The default is SHA-1.

The application may set this parameter using the following method:

 call.setProperty(
    ConfigurationConstants.ENC_DIGEST_ALGO, "http://www.w3.org/2001/04/xmlenc#sha256"
 );

See Also:: Constant Field Values

ENC_MGF_ALGO

public static final String ENC_MGF_ALGO

Defines which encryption mgf algorithm to use with the RSA OAEP Key Transport algorithm for encryption. The default is mgfsha1.

The application may set this parameter using the following method:

 call.setProperty(
    ConfigurationConstants.ENC_MGF_ALGO, "http://www.w3.org/2009/xmlenc11#mgf1sha256"
 );

See Also:: Constant Field Values

TTL_USERNAMETOKEN

public static final String TTL_USERNAMETOKEN

Time-To-Live is the time difference between creation and expiry time in seconds of the UsernameToken Created value. After this time the SOAP request is invalid (at least the security data shall be treated this way).

If this parameter is not defined, contains a value less or equal zero, or an illegal format the handlers use a default TTL of 300 seconds (5 minutes).

See Also:: Constant Field Values

TTL_FUTURE_USERNAMETOKEN

public static final String TTL_FUTURE_USERNAMETOKEN

This configuration tag specifies the time in seconds in the future within which the Created time of an incoming UsernameToken is valid. The default value is "60", to avoid problems where clocks are slightly askew. To reject all future-created UsernameTokens, set this value to "0".

See Also:: Constant Field Values

SIG_SUBJECT_CERT_CONSTRAINTS

public static final String SIG_SUBJECT_CERT_CONSTRAINTS

This configuration tag is a comma separated String of regular expressions which will be applied to the subject DN of the certificate used for signature validation, after trust verification of the certificate chain associated with the certificate.

See Also:: Constant Field Values

TTL_TIMESTAMP

public static final String TTL_TIMESTAMP

Time-To-Live is the time difference between creation and expiry time in seconds in the WSS Timestamp. After this time the SOAP request is invalid (at least the security data shall be treated this way).

If this parameter is not defined, contains a value less or equal zero, or an illegal format the handlers use a default TTL of 300 seconds (5 minutes).

See Also:: Constant Field Values

TTL_FUTURE_TIMESTAMP

public static final String TTL_FUTURE_TIMESTAMP

This configuration tag specifies the time in seconds in the future within which the Created time of an incoming Timestamp is valid. The default value is "60", to avoid problems where clocks are slightly askew. To reject all future-created Timestamps, set this value to "0".

See Also:: Constant Field Values

VALIDATOR_MAP

public static final String VALIDATOR_MAP

This tag refers to a Map of QName, Object (Validator) instances to be used to validate tokens identified by their QName. For the DOM layer, the Object should be a org.apache.wss4j.dom.validate.Validator instance. For the StAX layer, it should be a org.apache.wss4j.stax.validate.Validator instance.

See Also:: Constant Field Values

NONCE_CACHE_INSTANCE

public static final String NONCE_CACHE_INSTANCE

This holds a reference to a ReplayCache instance used to cache UsernameToken nonces. The default instance that is used is the EHCacheReplayCache.

See Also:: Constant Field Values

TIMESTAMP_CACHE_INSTANCE

public static final String TIMESTAMP_CACHE_INSTANCE

This holds a reference to a ReplayCache instance used to cache Timestamp Created Strings. The default instance that is used is the EHCacheReplayCache.

See Also:: Constant Field Values

SAML_ONE_TIME_USE_CACHE_INSTANCE

public static final String SAML_ONE_TIME_USE_CACHE_INSTANCE

This holds a reference to a ReplayCache instance used to cache SAML2 Token Identifier Strings (if the token contains a OneTimeUse Condition). The default instance that is used is the EHCacheReplayCache.

See Also:: Constant Field Values

PASSWORD_ENCRYPTOR_INSTANCE

public static final String PASSWORD_ENCRYPTOR_INSTANCE

This holds a reference to a PasswordEncryptor instance, which is used to encrypt or decrypt passwords in the Merlin Crypto implementation (or any custom Crypto implementations). By default, WSS4J uses the JasyptPasswordEncryptor, which must be instantiated with a master password to use to decrypt keystore passwords in the Merlin Crypto properties file. This master password is obtained via the CallbackHandler defined via PW_CALLBACK_CLASS or PW_CALLBACK_REF. The encrypted passwords must be stored in the format "ENC(encoded encrypted password)".

See Also:: Constant Field Values

DERIVED_TOKEN_REFERENCE

public static final String DERIVED_TOKEN_REFERENCE

This controls the deriving token from which DerivedKeyTokens derive keys from. Valid values are: - DirectReference: A reference to a BinarySecurityToken - EncryptedKey: A reference to an EncryptedKey - SecurityContextToken: A reference to a SecurityContextToken

See Also:: Constant Field Values

DERIVED_TOKEN_KEY_ID

public static final String DERIVED_TOKEN_KEY_ID

This controls the key identifier of Derived Tokens, i.e. how they reference the deriving key.

See Also:: Constant Field Values

DERIVED_SIGNATURE_KEY_LENGTH

public static final String DERIVED_SIGNATURE_KEY_LENGTH

The length to use (in bytes) when deriving a key for Signature. If this is not specified, it defaults to a value based on the signature algorithm.

See Also:: Constant Field Values

DERIVED_ENCRYPTION_KEY_LENGTH

public static final String DERIVED_ENCRYPTION_KEY_LENGTH

The length to use (in bytes) when deriving a key for Encryption. If this is not specified, it defaults to a value based on the encryption algorithm.

See Also:: Constant Field Values

Constructor Detail