Google Git
Sign in
apache / cxf-fediz / b4206b2008e4c2d066a23ec7022d794c3ed2bbb8 / . / plugins / core / src / main / resources / schemas / FedizConfig.xsd
blob: 15f82cf6499ca914d6ae68811861a9edbb05c5ec [file] [log] [blame]
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<xs:element name="FedizConfig">
<xs:complexType>
<xs:sequence minOccurs="1" maxOccurs="unbounded">
<xs:element ref="contextConfig" />
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="contextConfig">
<xs:complexType>
<xs:sequence>
<xs:element ref="audienceUris" minOccurs="0" />
<xs:element ref="certificateValidation" />
<xs:element ref="certificateStores" />
<xs:element ref="tokenExpirationValidation" minOccurs="0" />
<xs:element ref="addAuthenticatedRole" minOccurs="0" />
<xs:element ref="maximumClockSkew" />
<xs:element ref="tokenReplayCache" />
<xs:element ref="serviceCertificate" />
<xs:element ref="signingKey" />
<xs:element ref="tokenDecryptionKey" />
<xs:element ref="trustedIssuers" />
<xs:element ref="protocol" />
<xs:element ref="claimsProcessor" minOccurs="0" />
<xs:element ref="logoutURL" minOccurs="0" />
<xs:element ref="logoutRedirectTo" minOccurs="0" />
<xs:element ref="logoutRedirectToConstraint" minOccurs="0" />
<xs:element ref="requestStateValidation" minOccurs="0" />
</xs:sequence>
<xs:attribute name="name" use="required" type="xs:string" />
</xs:complexType>
</xs:element>
<xs:element name="trustedIssuers">
<xs:complexType>
<xs:sequence minOccurs="1" maxOccurs="unbounded">
<xs:element name="issuer" type="TrustedIssuerType" />
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:complexType name="TrustedIssuerType">
<xs:attribute name="name" type="xs:string" use="optional" />
<xs:attribute name="certificateValidation" type="validationType" use="optional" />
<xs:attribute name="subject" type="xs:string" use="optional" />
</xs:complexType>
<xs:element name="certificateStores">
<xs:complexType>
<xs:sequence minOccurs="1" maxOccurs="unbounded">
<xs:element name="trustManager" type="TrustManagersType" />
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="audienceUris">
<xs:annotation>
<xs:documentation>If a SAML token contains a audience restriction which is not listed
within this collection,
the token will be refused.
</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:sequence minOccurs="0" maxOccurs="unbounded">
<xs:element ref="audienceItem" />
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="audienceItem" type="xs:anyURI">
<xs:annotation>
<xs:documentation>Valid value within the SAML token audience restriction element.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="certificateValidation" type="validationType" />
<xs:simpleType name="validationType">
<xs:restriction base="xs:string">
<xs:enumeration value="PeerTrust" />
<xs:enumeration value="ChainTrust" />
</xs:restriction>
</xs:simpleType>
<xs:element name="maximumClockSkew" type="xs:integer" default="5" />
<xs:element name="tokenExpirationValidation" type="xs:boolean" default="false" >
<xs:annotation>
<xs:documentation>Decision whether the token validation (e.g. lifetime) shall be
performed on every request
(true) or only once at initial authentication (false).
</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="addAuthenticatedRole" type="xs:boolean" default="false" >
<xs:annotation>
<xs:documentation>Whether to add the "Authenticated" role to the list of roles associated
with the "authenticated" user. This could be useful if you don't care about authorizing
the user, only about authentication. A role is required to activate authentication, and it
may be problematic to list all relevant roles in web.xml. Note that if the user has no
roles, then the "Authenticated" role is added automatically.
</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="tokenReplayCache" type="xs:string" />
<xs:element name="serviceCertificate" type="KeyManagersType" />
<xs:element name="signingKey" type="KeyManagersType">
<xs:annotation>
<xs:documentation>Signing key required to generate a XML signature element within the federation
metadata
document, as well as for generating a signed signin request.
</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="tokenDecryptionKey" type="KeyManagersType" />
<xs:element name="protocol" type="protocolType" />
<xs:element name="logoutURL" type="xs:string">
<xs:annotation>
<xs:documentation>User defined logout URL to trigger federated logout process. This URL will be
available in
addition to the 'wa=wsignout1.0' URL parameter.
If the URL is overlapping an existing resource URL, the
logout handling will be performed instead of
accessing the resource.
Example: '/logout'
</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="logoutRedirectTo" type="xs:string">
<xs:annotation>
<xs:documentation>URL to landing-page after successful logout.
Example: '/index.jsp'
</xs:documentation>
</xs:annotation>
</xs:element>
<xs:complexType name="federationProtocolType">
<xs:complexContent>
<xs:extension base="protocolType">
<xs:sequence>
<xs:element ref="authenticationType" />
<xs:element ref="homeRealm" />
<xs:element ref="freshness" />
<xs:element ref="request" />
<xs:element ref="signInQuery" />
<xs:element ref="signOutQuery" />
</xs:sequence>
<xs:attribute name="version" use="required" type="xs:string" />
</xs:extension>
</xs:complexContent>
</xs:complexType>
<xs:complexType name="samlProtocolType">
<xs:complexContent>
<xs:extension base="protocolType">
<xs:sequence>
<xs:element ref="signRequest" />
<xs:element ref="authnRequestBuilder" />
<xs:element ref="disableDeflateEncoding" />
<xs:element ref="disableClientAddressCheck" />
<xs:element ref="doNotEnforceKnownIssuer" />
<xs:element ref="issuerLogoutURL" />
</xs:sequence>
<xs:attribute name="version" use="required" type="xs:string" />
</xs:extension>
</xs:complexContent>
</xs:complexType>
<xs:element name="roleDelimiter" type="xs:string" />
<xs:element name="roleURI" type="xs:string" />
<xs:element name="realm" type="CallbackType" />
<xs:element name="applicationServiceURL" type="xs:string" />
<xs:element name="metadataURI" type="xs:string" />
<xs:element name="signRequest" type="xs:boolean" />
<xs:element name="authnRequestBuilder" type="xs:string" />
<xs:element name="disableDeflateEncoding" type="xs:boolean" />
<xs:element name="doNotEnforceKnownIssuer" type="xs:boolean" />
<xs:element name="issuerLogoutURL" type="xs:string" />
<xs:element name="disableClientAddressCheck" type="xs:boolean"/>
<xs:complexType name="protocolType" abstract="true">
<xs:sequence>
<xs:element ref="applicationServiceURL" />
<xs:element ref="roleDelimiter" />
<xs:element ref="roleURI" />
<xs:element ref="claimTypesRequested" />
<xs:element ref="issuer" />
<xs:element ref="realm" />
<xs:element ref="tokenValidators" />
<xs:element ref="metadataURI" />
<xs:element ref="reply" />
</xs:sequence>
</xs:complexType>
<xs:complexType name="CallbackType">
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="type" type="argumentType" />
</xs:extension>
</xs:simpleContent>
</xs:complexType>
<xs:element name="logoutRedirectToConstraint" type="CallbackType">
<xs:annotation>
<xs:documentation>A regular expression constraint on the 'wreply' parameter, which is used to obtain the URL to
navigate to after successful logout. If the constraint is not specified, then the 'wreply' parameter is ignored
and instead the URL is taken from the "logoutRedirectTo" configuration option.
Example: 'https://localhost:12345/logout.*/'. Alternatively it can be specified in a CallbackHandler
</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="issuer" type="CallbackType" />
<xs:element name="homeRealm" type="CallbackType" />
<xs:element name="authenticationType" type="CallbackType" />
<xs:element name="request" type="CallbackType" />
<xs:element name="freshness" type="CallbackType" />
<xs:element name="signInQuery" type="CallbackType" />
<xs:element name="signOutQuery" type="CallbackType" />
<xs:element name="reply" type="CallbackType" />
<xs:element name="claimsProcessor" type="CallbackType" />
<xs:simpleType name="argumentType">
<xs:restriction base="xs:string">
<xs:enumeration value="Class" />
<xs:enumeration value="String" />
</xs:restriction>
</xs:simpleType>
<xs:element name="claimTypesRequested">
<xs:complexType>
<xs:sequence minOccurs="1" maxOccurs="unbounded">
<xs:element ref="claimType" />
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="claimType">
<xs:complexType>
<xs:attribute name="optional" use="required" type="optionalType" />
<xs:attribute name="type" use="required" type="xs:string" />
</xs:complexType>
</xs:element>
<xs:element name="tokenValidators">
<xs:complexType>
<xs:sequence minOccurs="1" maxOccurs="unbounded">
<xs:element name="validator" type="xs:string" />
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:simpleType name="optionalType">
<xs:restriction base="xs:boolean" />
</xs:simpleType>
<xs:complexType name="TrustManagersType">
<xs:annotation>
<xs:documentation>
This structure contains the specification of JSSE
TrustManagers for
a single Keystore used for trusted certificates.
</xs:documentation>
</xs:annotation>
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="keyStore" type="KeyStoreType" minOccurs="1">
<xs:annotation>
<xs:documentation>
This element contains the KeyStore used as a
trust
store.
</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
<xs:attribute name="provider" type="xs:string">
<xs:annotation>
<xs:documentation>
This attribute contains the KeyManagers provider
name.
</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="factoryAlgorithm" type="xs:string">
<xs:annotation>
<xs:documentation>
This attribute contains the algorithm the KeyManagers Factory
will use in creating the KeyManagers from the KeyStore. Most
common examples are "PKIX".
</xs:documentation>
</xs:annotation>
</xs:attribute>
</xs:complexType>
<xs:complexType name="KeyStoreType">
<xs:annotation>
<xs:documentation>
A KeyStoreType represents the information needed to
load a collection
of key and certificate material from a desired
location.
The "url", "file", and "resource" attributes are intended
to be
mutually exclusive, though this assumption is not encoded in
schema.
The precedence order observed by the runtime is
1) "file", 2)
"resource", and 3) "url".
</xs:documentation>
</xs:annotation>
<xs:attribute name="type" type="xs:string">
<xs:annotation>
<xs:documentation>
This attribute specifies the type of the keystore.
It is highly correlated to the provider. Most common examples
are
"jks" "pkcs12".
</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="password" type="xs:string">
<xs:annotation>
<xs:documentation>
This attribute specifies the integrity password for
the keystore.
This is not the password that unlock keys within the
keystore.
</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="provider" type="xs:string">
<xs:annotation>
<xs:documentation>
This attribute specifies the keystore
implementation provider.
Most common examples are "SUN".
</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="url" type="xs:string">
<xs:annotation>
<xs:documentation>
This attribute specifies the URL location of the
keystore.
This element should be a properly accessible URL, such as
"http://..." "file:///...", etc. Only one attribute of
"url",
"file", or "resource" is allowed.
</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="file" type="xs:string">
<xs:annotation>
<xs:documentation>
This attribute specifies the File location of the
keystore.
This element should be a properly accessible file from the
working directory. Only one attribute of
"url", "file", or
"resource" is allowed.
</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="resource" type="xs:string">
<xs:annotation>
<xs:documentation>
This attribute specifies the Resource location of
the keystore.
This element should be a properly accessible on the
classpath.
Only one attribute of "url", "file", or "resource" is
allowed.
</xs:documentation>
</xs:annotation>
</xs:attribute>
</xs:complexType>
<xs:complexType name="CertStoreType">
<xs:annotation>
<xs:documentation>
A CertStoreType represents a catenated sequence of
X.509 certificates,
in PEM or DER format.
The "url", "file", and
"resource" attributes are intended to be
mutually exclusive, though
this assumption is not encoded in schema.
The precedence order
observed by the runtime is
1) "file", 2) "resource", and 3) "url".
</xs:documentation>
</xs:annotation>
<xs:attribute name="file" type="xs:string">
<xs:annotation>
<xs:documentation>
This attribute specifies the File location of the
certificate store.
This element should be a properly accessible file
from the working directory. Only one attribute of
"url", "file", or
"resource" is allowed.
</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="resource" type="xs:string">
<xs:annotation>
<xs:documentation>
This attribute specifies the Resource location of
the certificate store.
This element should be a properly accessible
on the classpath.
Only one attribute of "url", "file", or "resource"
is allowed.
</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="url" type="xs:string">
<xs:annotation>
<xs:documentation>
This attribute specifies the URL location of the
certificate store.
This element should be a properly accessible URL,
such as
"http://..." "file:///...", etc. Only one attribute of
"url", "file", or "resource" is allowed.
</xs:documentation>
</xs:annotation>
</xs:attribute>
</xs:complexType>
<xs:complexType name="KeyManagersType">
<xs:annotation>
<xs:documentation>
This structure specifies the JSSE based KeyManagers
for a single Keystore.
</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element name="keyStore" type="KeyStoreType" minOccurs="0">
<xs:annotation>
<xs:documentation>
This element specified the Keystore for these
JSSE KeyManagers.
</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
<xs:attribute name="keyPassword" type="xs:string">
<xs:annotation>
<xs:documentation>
This attribute contains the password that unlocks
the keys within the keystore.
</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="keyAlias" type="xs:string">
<xs:annotation>
<xs:documentation>
This attribute contains the alias of the selected
key within the keystore.
</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="provider" type="xs:string">
<xs:annotation>
<xs:documentation>
This attribute contains the KeyManagers provider name.
</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="factoryAlgorithm" type="xs:string">
<xs:annotation>
<xs:documentation>
This attribute contains the algorithm the KeyManagers Factory
will use in creating the KeyManagers from the KeyStore. Most
common examples are "PKIX".
</xs:documentation>
</xs:annotation>
</xs:attribute>
</xs:complexType>
<xs:element name="requestStateValidation" type="xs:boolean" default="true" >
<xs:annotation>
<xs:documentation>Decision whether the received state must match the
state saved in the context.
</xs:documentation>
</xs:annotation>
</xs:element>
</xs:schema>