| <?xml version="1.0" encoding="ISO-8859-1"?> |
| <!-- |
| Licensed to the Apache Software Foundation (ASF) under one or more |
| contributor license agreements. See the NOTICE file distributed with |
| this work for additional information regarding copyright ownership. |
| The ASF licenses this file to You under the Apache License, Version 2.0 |
| (the "License"); you may not use this file except in compliance with |
| the License. You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, software |
| distributed under the License is distributed on an "AS IS" BASIS, |
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| See the License for the specific language governing permissions and |
| limitations under the License. |
| --> |
| <document> |
| <body> |
| <section name="WSS4J configuration"> |
| <p> |
| This page describes how to use configure Apache WSS4J. This page only applies |
| to WSS4J 2.1.x, 2.0.x and 1.6.x, a lot of the properties have changed since |
| WSS4J 1.5.x. |
| </p> |
| <subsection name="Crypto properties"> |
| <p> |
| Apache WSS4J uses the Crypto interface to get keys and certificates for |
| encryption/decryption and for signature creation/verification. WSS4J ships |
| with three implementations: |
| </p> |
| <ul> |
| <li><a href="http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/Merlin.java?view=markup"> |
| Merlin</a>: The standard implementation, based around two JDK keystores for |
| key/cert retrieval, and trust verification.</li> |
| <li><a href="http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/CertificateStore.java?view=markup"> |
| CertificateStore</a>: Holds an array of X509 Certificates. Can only be used |
| for encryption and signature verification.</li> |
| <li><a href="http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/MerlinDevice.java?view=markup"> |
| MerlinDevice</a>: Based on Merlin, allows loading of keystores using a null |
| InputStream - for example on a smart-card device.</li> |
| </ul> |
| <p> |
| For more information on the Crypto implementations see the |
| <a href="http://ws.apache.org/wss4j/topics.html#Crypto_Interface">Special |
| Topics page</a>. It is possible to instantiate a Crypto implementation |
| directly, but it can also be loaded via a properties file. For Apache WSS4J |
| 2.0.0 onwards, the property names ${PREFIX} below is "org.apache.wss4j.crypto". |
| For Apache WSS4J 1.6.x, the property names ${PREFIX} below is |
| "org.apache.ws.security.crypto". WSS4J 2.0.0 onwards will also accept the older |
| ${PREFIX} value. The property values for the standard Merlin implementation |
| are as follows: |
| </p> |
| <p> |
| General properties: |
| </p> |
| <table name="General Properties"> |
| <tr> |
| <th>Property name</th> |
| <th>Property value</th> |
| </tr> |
| <tr> |
| <td>${PREFIX}.provider</td> |
| <td>WSS4J specific provider used to create Crypto instances. Defaults to |
| "org.apache.wss4j.common.crypto.Merlin".</td> |
| </tr> |
| <tr> |
| <td>${PREFIX}.merlin.x509crl.file</td> |
| <td>The location of an (X509) CRL file to use.</td> |
| </tr> |
| </table> |
| <p> |
| Keystore properties: |
| </p> |
| <table name="Merlin Keystore Properties"> |
| <tr> |
| <th>Property name</th> |
| <th>Property value</th> |
| </tr> |
| <tr> |
| <td>${PREFIX}.merlin.keystore.provider</td> |
| <td>The provider used to load keystores. Defaults to installed provider.</td> |
| </tr> |
| <tr> |
| <td>${PREFIX}.merlin.cert.provider</td> |
| <td>The provider used to load certificates. Defaults to keystore provider.</td> |
| </tr> |
| <tr> |
| <td>${PREFIX}.merlin.keystore.file</td> |
| <td>The location of the keystore</td> |
| </tr> |
| <tr> |
| <td>${PREFIX}.merlin.keystore.password</td> |
| <td>The password used to load the keystore. Default value is "security".</td> |
| </tr> |
| <tr> |
| <td>${PREFIX}.merlin.keystore.type</td> |
| <td>Type of keystore. Defaults to: java.security.KeyStore.getDefaultType())</td> |
| </tr> |
| <tr> |
| <td>${PREFIX}.merlin.keystore.alias</td> |
| <td>The default keystore alias to use, if none is specified.</td> |
| </tr> |
| <tr> |
| <td>${PREFIX}.merlin.keystore.private.password</td> |
| <td>The default password used to load the private key.</td> |
| </tr> |
| </table> |
| <p> |
| TrustStore properties: |
| </p> |
| <table name="Merlin TrustStore properties"> |
| <tr> |
| <th>Property name</th> |
| <th>Property value</th> |
| </tr> |
| <tr> |
| <td>${PREFIX}.merlin.load.cacerts</td> |
| <td>Whether or not to load the CA certs in ${java.home}/lib/security/cacerts (default is false)</td> |
| </tr> |
| <tr> |
| <td>${PREFIX}.merlin.truststore.file</td> |
| <td>The location of the truststore</td> |
| </tr> |
| <tr> |
| <td>${PREFIX}.merlin.truststore.password </td> |
| <td>The truststore password. Defaults to "changeit".</td> |
| </tr> |
| <tr> |
| <td>${PREFIX}.merlin.truststore.type</td> |
| <td>The truststore type. Defaults to: java.security.KeyStore.getDefaultType().</td> |
| </tr> |
| <tr> |
| <td>${PREFIX}.merlin.truststore.provider</td> |
| <td><b>WSS4J 2.1.5</b> The provider used to load truststores. By default it's the same as the keystore provider. Set to an empty value to force use of the JRE's default provider.</td> |
| </tr> |
| </table> |
| |
| </subsection> |
| <subsection name="SAML properties"> |
| <p> |
| <b>WSS4J 1.6.x only</b> Apache WSS4J 1.6.x uses the SAMLIssuer interface to |
| configure the creation and signing of a SAML Assertion. In Apache WSS4J 2.0.0, |
| the SAMLIssuer functionality has been moved to the SAMLCallback, so that the |
| CallbackHandler used to create a SAML Assertion is responsible for all of the |
| signing configuration as well. |
| </p> |
| <p> |
| WSS4J 1.6.x ships with a default "SAMLIssuerImpl" implementation. It is |
| possible to instantiate a SAMLIssuer implementation directly, but it can also |
| be loaded via a properties file. The property values are as follows: |
| </p> |
| <table name="SAMLIssuer properties"> |
| <tr> |
| <th>Property name</th> |
| <th>Property value</th> |
| </tr> |
| <tr> |
| <td>org.apache.ws.security.saml.issuerClass</td> |
| <td>The SAML Issuer implementation (defaults to "org.apache.ws.security.saml.SAMLIssuerImpl").</td> |
| </tr> |
| <tr> |
| <td>org.apache.ws.security.saml.issuer.cryptoProp.file</td> |
| <td>The crypto properties file corresponding to the issuer crypto instance, if the assertion is to |
| be signed.</td> |
| </tr> |
| <tr> |
| <td>org.apache.ws.security.saml.issuer.key.name</td> |
| <td>The KeyStore alias for the issuer key.</td> |
| </tr> |
| <tr> |
| <td>org.apache.ws.security.saml.issuer.key.password</td> |
| <td>The KeyStore password for the issuer key.</td> |
| </tr> |
| <tr> |
| <td>org.apache.ws.security.saml.issuer</td> |
| <td>The issuer name</td> |
| </tr> |
| <tr> |
| <td>org.apache.ws.security.saml.issuer.sendKeyValue</td> |
| <td>Whether to send the key value or the X509Certificate. Default is "false".</td> |
| </tr> |
| <tr> |
| <td>org.apache.ws.security.saml.issuer.signAssertion</td> |
| <td>Whether the SAMLIssuer implementation will sign the assertion or not. Defaults is |
| "false".</td> |
| </tr> |
| <tr> |
| <td>org.apache.ws.security.saml.callback</td> |
| <td>The name of the SAML CallbackHandler implementation used to populate the SAML Assertion.</td> |
| </tr> |
| </table> |
| </subsection> |
| <subsection name="Configuration tags"> |
| <p> |
| Apache WSS4J provides a set of configuration tags that can be used to configure |
| both the DOM-based and StAX-based (WSS4J 2.0.0 onwards) outbound and inbound |
| processing. As both DOM and StAX code are very similar, both approaches share |
| a set of common configuration tags given in <a href="http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/ConfigurationConstants.java?view=markup">ConfigurationConstants</a>. Note |
| that the WSS4J 1.6.x configuration class (WSHandlerConstants) extends this |
| class in WSS4J 2.0.0, so there is no need to change any configuration code |
| when upgrading. |
| </p> |
| <p> |
| The configuration tags for Actions are as follows: |
| </p> |
| <table name="Action configuration tags"> |
| <tr> |
| <th>Tag name</th> |
| <th>Tag value</th> |
| <th>Tag meaning</th> |
| </tr> |
| <tr> |
| <td>ACTION</td> |
| <td>action</td> |
| <td>The action to perform, e.g. ConfigurationConstants.TIMESTAMP</td> |
| </tr> |
| <tr> |
| <td>NO_SECURITY</td> |
| <td>NoSecurity</td> |
| <td>Do not perform any action, do nothing. Only applies to DOM code.</td> |
| </tr> |
| <tr> |
| <td><b>WSS4J 2.0.0</b> USERNAME_TOKEN_SIGNATURE</td> |
| <td>UsernameTokenSignature</td> |
| <td>Perform a UsernameTokenSignature action.</td> |
| </tr> |
| <tr> |
| <td>USERNAME_TOKEN</td> |
| <td>UsernameToken</td> |
| <td>Perform a UsernameToken action.</td> |
| </tr> |
| <tr> |
| <td>USERNAME_TOKEN_NO_PASSWORD</td> |
| <td>UsernameTokenNoPassword</td> |
| <td>Used on the receiving side to specify a UsernameToken with no password</td> |
| </tr> |
| <tr> |
| <td>SAML_TOKEN_UNSIGNED</td> |
| <td>SAMLTokenUnsigned</td> |
| <td>Perform an unsigned SAML Token action.</td> |
| </tr> |
| <tr> |
| <td>SAML_TOKEN_SIGNED</td> |
| <td>SAMLTokenSigned</td> |
| <td>Perform a signed SAML Token action.</td> |
| </tr> |
| <tr> |
| <td>SIGNATURE</td> |
| <td>Signature</td> |
| <td>Perform a signature action.</td> |
| </tr> |
| <tr> |
| <td>ENCRYPT</td> |
| <td>Encrypt</td> |
| <td>Perform an encryption action.</td> |
| </tr> |
| <tr> |
| <td>TIMESTAMP</td> |
| <td>Timestamp</td> |
| <td>Perform a Timestamp action.</td> |
| </tr> |
| <tr> |
| <td><b>WSS4J 2.0.0</b> SIGNATURE_DERIVED</td> |
| <td>SignatureDerived</td> |
| <td>Perform a Signature action with derived keys.</td> |
| </tr> |
| <tr> |
| <td><b>WSS4J 2.0.0</b> ENCRYPT_DERIVED</td> |
| <td>EncryptDerived</td> |
| <td>Perform a Encryption action with derived keys.</td> |
| </tr> |
| <tr> |
| <td><b>WSS4J 2.0.0</b> SIGNATURE_WITH_KERBEROS_TOKEN</td> |
| <td>SignatureWithKerberosToken</td> |
| <td>Perform a Signature action with a kerberos token. Only for StAX code.</td> |
| </tr> |
| <tr> |
| <td><b>WSS4J 2.0.0</b> ENCRYPT_WITH_KERBEROS_TOKEN</td> |
| <td>EncryptWithKerberosToken</td> |
| <td>Perform a Encryption action with a kerberos token. Only for StAX code.</td> |
| </tr> |
| <tr> |
| <td><b>WSS4J 2.0.0</b> KERBEROS_TOKEN</td> |
| <td>KerberosToken</td> |
| <td>Add a kerberos token.</td> |
| </tr> |
| <tr> |
| <td><b>WSS4J 2.0.0</b> CUSTOM_TOKEN</td> |
| <td>CustomToken</td> |
| <td>Add a "Custom" token from a CallbackHandler</td> |
| </tr> |
| <tr> |
| <td><b>WSS4J 1.6.x only</b> SIGN_WITH_UT_KEY</td> |
| <td>UsernameTokenSignature</td> |
| <td>Perform a .NET specific signature using a Username Token action.</td> |
| </tr> |
| </table> |
| <p> |
| The configuration tags for WSHandler user properties are as follows: |
| </p> |
| <table name="WSHandler User configuration tags"> |
| <tr> |
| <th>Tag name</th> |
| <th>Tag value</th> |
| <th>Tag meaning</th> |
| </tr> |
| <tr> |
| <td>ACTOR</td> |
| <td>"actor"</td> |
| <td>The actor or role name of the wsse:Security header.</td> |
| </tr> |
| <tr> |
| <td>USER</td> |
| <td>"user"</td> |
| <td>The user's name. Consult the Javadoc for an explanation of this property. |
| </td> |
| </tr> |
| <tr> |
| <td>ENCRYPTION_USER</td> |
| <td>"encryptionUser"</td> |
| <td>The user's name for encryption. Consult the Javadoc for an explanation of |
| this property.</td> |
| </tr> |
| <tr> |
| <td>SIGNATURE_USER</td> |
| <td>"signatureUser"</td> |
| <td>The user's name for signature. Consult the Javadoc for an explanation of |
| this property.</td> |
| </tr> |
| <tr> |
| <td>USE_REQ_SIG_CERT</td> |
| <td>"useReqSigCert"</td> |
| <td>A special value for ENCRYPTION_USER. Consult the Javadoc for an |
| explanation of this property.</td> |
| </tr> |
| </table> |
| <p> |
| The configuration tags for callback class and property file configuration are |
| summarised here: |
| </p> |
| <table name="Callback class and Property File configuration tags"> |
| <tr> |
| <th>Tag name</th> |
| <th>Tag value</th> |
| <th>Tag meaning</th> |
| </tr> |
| <tr> |
| <td>PW_CALLBACK_CLASS</td> |
| <td>passwordCallbackClass</td> |
| <td>The CallbackHandler implementation class used to obtain passwords.</td> |
| </tr> |
| <tr> |
| <td>PW_CALLBACK_REF</td> |
| <td>passwordCallbackRef</td> |
| <td>The CallbackHandler implementation object used to obtain passwords.</td> |
| </tr> |
| <tr> |
| <td>SAML_CALLBACK_CLASS</td> |
| <td>samlCallbackClass</td> |
| <td>The CallbackHandler implementation class used to construct SAML Assertions. |
| </td> |
| </tr> |
| <tr> |
| <td>SAML_CALLBACK_REF</td> |
| <td>samlCallbackRef</td> |
| <td>The CallbackHandler implementation object used to construct SAML Assertions.</td> |
| </tr> |
| <tr> |
| <td><b>WSS4J 1.6.x only</b> ENC_CALLBACK_CLASS</td> |
| <td>embeddedKeyCallbackClass</td> |
| <td>The CallbackHandler implementation class used to get the key associated |
| with a key name.</td> |
| </tr> |
| <tr> |
| <td><b>WSS4J 1.6.x only</b> ENC_CALLBACK_REF</td> |
| <td>embeddedKeyCallbackRef</td> |
| <td>The CallbackHandler implementation object used to get the key associated |
| with a key name.</td> |
| </tr> |
| <tr> |
| <td>SIG_PROP_FILE</td> |
| <td>signaturePropFile</td> |
| <td>The path of the crypto property file to use for Signature.</td> |
| </tr> |
| <tr> |
| <td>SIG_PROP_REF_ID</td> |
| <td>signaturePropRefId</td> |
| <td>The String ID that is used to store a reference to the Crypto object or |
| the Crypto Properties object for Signature. |
| </td> |
| </tr> |
| <tr> |
| <td><b>WSS4J 2.0.0</b> SIG_VER_PROP_FILE</td> |
| <td>signatureVerificationPropFile</td> |
| <td>The path of the crypto property file to use for Signature verification.</td> |
| </tr> |
| <tr> |
| <td><b>WSS4J 2.0.0</b> SIG_VER_PROP_REF_ID</td> |
| <td>signatureVerificationPropRefId</td> |
| <td>The String ID that is used to store a reference to the Crypto object or |
| the Crypto Properties object for Signature verification. |
| </td> |
| </tr> |
| <tr> |
| <td>DEC_PROP_FILE</td> |
| <td>decryptionPropFile</td> |
| <td>The path of the crypto property file to use for Decryption.</td> |
| </tr> |
| <tr> |
| <td>DEC_PROP_REF_ID</td> |
| <td>decryptionPropRefId</td> |
| <td>The String ID that is used to store a reference to the Crypto object or |
| the Crypto Properties object for decryption.</td> |
| </tr> |
| <tr> |
| <td>ENC_PROP_FILE</td> |
| <td>encryptionPropFile</td> |
| <td>The path of the crypto property file to use for encryption.</td> |
| </tr> |
| <tr> |
| <td>ENC_PROP_REF_ID</td> |
| <td>encryptionPropRefId</td> |
| <td>The String ID that is used to store a reference to the Crypto object or |
| the Crypto Properties object for encryption.</td> |
| </tr> |
| <tr> |
| <td>SAML_PROP_FILE</td> |
| <td>samlPropFile</td> |
| <td>The path of the property file to use for creating SAML Assertions.</td> |
| </tr> |
| </table> |
| <p> |
| The configuration tags for properties that are configured via a boolean |
| parameter (i.e. "true" or "false") are as follows: |
| </p> |
| <table name="Boolean configuration tags"> |
| <tr> |
| <th>Tag name</th> |
| <th>Tag value</th> |
| <th>Tag meaning</th> |
| </tr> |
| <tr> |
| <td>ENABLE_SIGNATURE_CONFIRMATION</td> |
| <td>enableSignatureConfirmation</td> |
| <td>Whether to enable signature confirmation or not. Default is "false".</td> |
| </tr> |
| <tr> |
| <td>MUST_UNDERSTAND</td> |
| <td>mustUnderstand</td> |
| <td>Set the outbound MustUnderstand flag or not. Default is "true".</td> |
| </tr> |
| <tr> |
| <td>IS_BSP_COMPLIANT</td> |
| <td>isBSPCompliant</td> |
| <td>Whether or not to ensure compliance with the BSP 1.1 spec. Default is |
| "true".</td> |
| </tr> |
| <tr> |
| <td><b>WSS4J 2.0.0</b> ADD_INCLUSIVE_PREFIXES</td> |
| <td>addInclusivePrefixes</td> |
| <td>Whether to add an InclusiveNamespaces PrefixList as a |
| CanonicalizationMethod child when generating Signatures using |
| WSConstants.C14N_EXCL_OMIT_COMMENTS. Default is "true".</td> |
| </tr> |
| <tr> |
| <td><b>WSS4J 2.0.0</b> ADD_USERNAMETOKEN_NONCE</td> |
| <td>addUsernameTokenNonce</td> |
| <td>Whether to add a Nonce Element to a UsernameToken (for plaintext). Default |
| is "false"</td> |
| </tr> |
| <tr> |
| <td><b>WSS4J 2.0.0</b> ADD_USERNAMETOKEN_CREATED</td> |
| <td>addUsernameTokenCreated</td> |
| <td>Whether to add a Created Element to a UsernameToken (for plaintext). |
| Default is "false"</td> |
| </tr> |
| <tr> |
| <td>HANDLE_CUSTOM_PASSWORD_TYPES</td> |
| <td>handleCustomPasswordTypes</td> |
| <td>Whether to allow non-standard password types in a UsernameToken. Default |
| is "false".</td> |
| </tr> |
| <tr> |
| <td><b>WSS4J 1.6.x only</b> PASSWORD_TYPE_STRICT</td> |
| <td>passwordTypeStrict</td> |
| <td>Whether to enable strict Username Token password type handling. Default is |
| "false".</td> |
| </tr> |
| <tr> |
| <td><b>WSS4J 2.0.0</b> ALLOW_USERNAMETOKEN_NOPASSWORD</td> |
| <td>allowUsernameTokenNoPassword</td> |
| <td>Whether a UsernameToken with no password element is allowed. Default is |
| "false".</td> |
| </tr> |
| <tr> |
| <td>REQUIRE_SIGNED_ENCRYPTED_DATA_ELEMENTS</td> |
| <td>requireSignedEncryptedDataElements</td> |
| <td>Whether the engine needs to enforce EncryptedData elements are in a signed |
| subtree of the document. Default is "false".</td> |
| </tr> |
| <tr> |
| <td><b>WSS4J 1.6.x only</b> USE_DERIVED_KEY</td> |
| <td>useDerivedKey</td> |
| <td>Whether to use the standard UsernameToken Key Derivation algorithm. |
| Default is "true".</td> |
| </tr> |
| <tr> |
| <td>ALLOW_NAMESPACE_QUALIFIED_PASSWORD_TYPES</td> |
| <td>allowNamespaceQualifiedPasswordTypes</td> |
| <td>Whether (wsse) namespace qualified password types are accepted when |
| processing UsernameTokens. Default is "false".</td> |
| </tr> |
| <tr> |
| <td>ENABLE_REVOCATION</td> |
| <td>enableRevocation</td> |
| <td>Whether to enable Certificate Revocation List (CRL) checking when |
| verifying trust in a certificate. Default is "false".</td> |
| </tr> |
| <tr> |
| <td>USE_ENCODED_PASSWORDS</td> |
| <td>useEncodedPasswords</td> |
| <td>Set whether to treat passwords as binary values for Username Tokens. |
| Default is "false". DOM code only.</td> |
| </tr> |
| <tr> |
| <td>USE_SINGLE_CERTIFICATE</td> |
| <td>useSingleCertificate</td> |
| <td>Whether to use a single certificate or a whole certificate chain to |
| construct a BinarySecurityToken. Default is "true".</td> |
| </tr> |
| <tr> |
| <td>USE_DERIVED_KEY_FOR_MAC</td> |
| <td>useDerivedKeyForMAC</td> |
| <td>Whether to use the Username Token derived key for a MAC. Default is |
| "true".</td> |
| </tr> |
| <tr> |
| <td>TIMESTAMP_PRECISION</td> |
| <td>precisionInMilliseconds</td> |
| <td>Set whether outbound timestamps have precision in milliseconds. Default is |
| "true".</td> |
| </tr> |
| <tr> |
| <td>TIMESTAMP_STRICT</td> |
| <td>timestampStrict</td> |
| <td>Set whether to enable strict Timestamp handling, i.e. throw an exception if |
| the current receiver time is past the Expires time of the Timestamp. Default |
| is "true".</td> |
| </tr> |
| <tr> |
| <td><b>WSS4J 2.0.4/2.1.0</b> REQUIRE_TIMESTAMP_EXPIRES</td> |
| <td>requireTimestampExpires</td> |
| <td>Set the value of this parameter to true to require that a Timestamp must |
| have an "Expires" Element. The default is "false".</td> |
| </tr> |
| <tr> |
| <td>ENC_SYM_ENC_KEY</td> |
| <td>encryptSymmetricEncryptionKey</td> |
| <td>Set whether to encrypt the symmetric encryption key or not. Default is |
| "true".</td> |
| </tr> |
| <tr> |
| <td><b>WSS4J 2.0.0</b> ALLOW_RSA15_KEY_TRANSPORT_ALGORITHM</td> |
| <td>allowRSA15KeyTransportAlgorithm</td> |
| <td>Whether to allow the RSA v1.5 Key Transport Algorithm or not. Default is |
| "false".</td> |
| </tr> |
| <tr> |
| <td><b>WSS4J 2.0.0</b> VALIDATE_SAML_SUBJECT_CONFIRMATION</td> |
| <td>validateSamlSubjectConfirmation</td> |
| <td>Whether to validate the SubjectConfirmation requirements of a received |
| SAML Token (sender-vouches or holder-of-key). Default is "true".</td> |
| </tr> |
| <tr> |
| <td><b>WSS4J 2.0.0</b> INCLUDE_SIGNATURE_TOKEN</td> |
| <td>includeSignatureToken</td> |
| <td>Whether to include the Signature Token in the security header as well or |
| not (for IssuerSerial, Thumbprint, SKI cases). Default is "false"</td> |
| </tr> |
| <tr> |
| <td><b>WSS4J 2.0.0</b> INCLUDE_ENCRYPTION_TOKEN</td> |
| <td>includeEncryptionToken</td> |
| <td>Whether to include the Encryption Token in the security header as well or |
| not (for IssuerSerial, Thumbprint, SKI cases). Default is "false"</td> |
| </tr> |
| <tr> |
| <td><b>WSS4J 2.0.0</b> USE_2005_12_NAMESPACE</td> |
| <td>use200512Namespace</td> |
| <td>Whether to use the 2005/12 namespace for SecureConveration + DerivedKeys, |
| or the older namespace. The default is "true"</td> |
| </tr> |
| <tr> |
| <td><b>WSS4J 2.1.2/2.0.5</b> GET_SECRET_KEY_FROM_CALLBACK_HANDLER</td> |
| <td>getSecretKeyFromCallbackHandler</td> |
| <td>Whether to get a secret key from a CallbackHandler or not for encryption |
| only. The default is false. If set to true WSS4J attempts to get the secret |
| key from the CallbackHandler instead of generating a random key internally. |
| </td> |
| </tr> |
| <tr> |
| <td><b>WSS4J 2.1.2/2.0.5</b> STORE_BYTES_IN_ATTACHMENT</td> |
| <td>storeBytesInAttachment</td> |
| <td>Whether to store bytes (CipherData or BinarySecurityToken) in an |
| attachment. The default is false, meaning that bytes are BASE-64 encoded and |
| "inlined" in the message. Setting this to true is more efficient, as it means |
| that the BASE-64 encoding step can be skipped. For this to work, a |
| CallbackHandler must be set on RequestData that can handle attachments. |
| </td> |
| </tr> |
| <tr> |
| <td><b>WSS4J 2.1.2/2.0.5</b> EXPAND_XOP_INCLUDE_FOR_SIGNATURE</td> |
| <td>expandXOPIncludeForSignature</td> |
| <td>(Deprecated in 2.2.0). Whether to expand xop:Include Elements encountered when verifying a |
| Signature. The default is true, meaning that the relevant attachment bytes are |
| BASE-64 encoded and inserted into the Element. This ensures that the actual |
| bytes are signed, and not just the reference. |
| </td> |
| </tr> |
| <tr> |
| <td><b>WSS4J 2.2.0</b> EXPAND_XOP_INCLUDE</td> |
| <td>expandXOPInclude</td> |
| <td> |
| Whether to search for and expand xop:Include Elements for encryption and |
| signature (on the outbound side) or for signature verification (on the inbound |
| side). The default is false on the outbound side and true on the inbound side. |
| What this means on the inbound side, is that the relevant attachment bytes are |
| BASE-64 encoded and inserted into the Element. This ensures that the actual |
| bytes are signed, and not just the reference. |
| </td> |
| </tr> |
| </table> |
| <p> |
| The configuration tags for properties that are configured via a non-boolean |
| parameter are as follows: |
| </p> |
| <table name="Non-boolean configuration tags"> |
| <tr> |
| <th>Tag name</th> |
| <th>Tag value</th> |
| <th>Tag meaning</th> |
| </tr> |
| <tr> |
| <td>PASSWORD_TYPE</td> |
| <td>passwordType</td> |
| <td>The encoding of the password for a Username Token. The default is |
| WSConstants.PW_DIGEST.</td> |
| </tr> |
| <tr> |
| <td><b>WSS4J 1.6.x only</b> ENC_KEY_NAME</td> |
| <td>embeddedKeyName</td> |
| <td>The text of the key name to be sent in the KeyInfo for encryption</td> |
| </tr> |
| <tr> |
| <td><b>WSS4J 1.6.x only</b> ADD_UT_ELEMENTS</td> |
| <td>addUTElements</td> |
| <td>Additional elements to add to a Username Token, i.e. "nonce" and "created". |
| </td> |
| </tr> |
| <tr> |
| <td>SIG_KEY_ID</td> |
| <td>signatureKeyIdentifier</td> |
| <td>The key identifier type to use for signature. The default is "IssuerSerial".</td> |
| </tr> |
| <tr> |
| <td>SIG_ALGO</td> |
| <td>signatureAlgorithm</td> |
| <td>The signature algorithm to use. The default is set by the data in the |
| certificate. |
| </td> |
| </tr> |
| <tr> |
| <td>SIG_DIGEST_ALGO</td> |
| <td>signatureDigestAlgorithm</td> |
| <td>The signature digest algorithm to use. The default is SHA-1.</td> |
| </tr> |
| <tr> |
| <td>SIG_C14N_ALGO</td> |
| <td>signatureC14nAlgorithm</td> |
| <td>Defines which signature c14n (canonicalization) algorithm to use. The |
| default is: "http://www.w3.org/2001/10/xml-exc-c14n#".</td> |
| </tr> |
| <tr> |
| <td><b>WSS4J 1.6.x only</b> WSE_SECRET_KEY_LENGTH</td> |
| <td>wseSecretKeyLength</td> |
| <td>The length of the secret (derived) key to use for the WSE UT_SIGN |
| functionality.</td> |
| </tr> |
| <tr> |
| <td>SIGNATURE_PARTS</td> |
| <td>signatureParts</td> |
| <td>Parameter to define which parts of the request shall be signed. The SOAP |
| body is signed by default.</td> |
| </tr> |
| <tr> |
| <td><b>WSS4J 2.0.0</b> OPTIONAL_SIGNATURE_PARTS</td> |
| <td>optionalSignatureParts</td> |
| <td>Parameter to define which parts of the request shall be signed, if they |
| exist in the request.</td> |
| </tr> |
| <tr> |
| <td>DERIVED_KEY_ITERATIONS</td> |
| <td>derivedKeyIterations</td> |
| <td>The number of iterations to use when deriving a key from a Username Token. |
| The default is 1000.</td> |
| </tr> |
| <tr> |
| <td>ENC_KEY_ID</td> |
| <td>encryptionKeyIdentifier</td> |
| <td>The key identifier type to use for encryption. The default is |
| "IssuerSerial".</td> |
| </tr> |
| <tr> |
| <td>ENC_SYM_ALGO</td> |
| <td>encryptionSymAlgorithm</td> |
| <td>The symmetric encryption algorithm to use. The default is AES-128.</td> |
| </tr> |
| <tr> |
| <td>ENC_KEY_TRANSPORT</td> |
| <td>encryptionKeyTransportAlgorithm</td> |
| <td>The algorithm to use to encrypt the generated symmetric key. The default is RSA-OAEP.</td> |
| </tr> |
| <tr> |
| <td>ENC_DIGEST_ALGO</td> |
| <td>encryptionDigestAlgorithm</td> |
| <td>The encryption digest algorithm to use with the RSA-OAEP key transport |
| algorithm. The default is SHA-1.</td> |
| </tr> |
| <tr> |
| <td>ENCRYPTION_PARTS</td> |
| <td>encryptionParts</td> |
| <td>Parameter to define which parts of the request shall be encrypted. The |
| SOAP body is encrypted in "Content" mode by default.</td> |
| </tr> |
| <tr> |
| <td><b>WSS4J 2.0.0</b> OPTIONAL_ENCRYPTION_PARTS</td> |
| <td>optionalEncryptionParts</td> |
| <td>Parameter to define which parts of the request shall be encrypted, if they |
| exist in the request.</td> |
| </tr> |
| <tr> |
| <td><b>WSS4J 2.0.0</b> ENC_MGF_ALGO</td> |
| <td>encryptionMGFAlgorithm</td> |
| <td>Defines which encryption mgf algorithm to use with the RSA OAEP Key |
| Transport algorithm for encryption. The default is mgfsha1.</td> |
| </tr> |
| <tr> |
| <td>TTL_TIMESTAMP</td> |
| <td>timeToLive</td> |
| <td>The time difference between creation and expiry time in seconds in the WSS |
| Timestamp. The default is "300".</td> |
| </tr> |
| <tr> |
| <td>TTL_FUTURE_TIMESTAMP</td> |
| <td>futureTimeToLive</td> |
| <td>The time in seconds in the future within which the Created time of an |
| incoming Timestamp is valid. The default is "60".</td> |
| </tr> |
| <tr> |
| <td>TTL_USERNAMETOKEN</td> |
| <td>utTimeToLive</td> |
| <td>The time difference between creation and expiry time in seconds in the WSS |
| UsernameToken created element. The default is "300".</td> |
| </tr> |
| <tr> |
| <td>TTL_FUTURE_USERNAMETOKEN</td> |
| <td>utFutureTimeToLive</td> |
| <td>The time in seconds in the future within which the Created time of an |
| incoming UsernameToken is valid. The default is "60".</td> |
| </tr> |
| <tr> |
| <td>SIG_SUBJECT_CERT_CONSTRAINTS</td> |
| <td>sigSubjectCertConstraints</td> |
| <td>A comma separated String of regular expressions which will be applied to |
| the subject DN of the certificate used for signature validation, after trust |
| verification of the certificate chain associated with the certificate. </td> |
| </tr> |
| <tr> |
| <td><b>WSS4J 2.0.0</b> VALIDATOR_MAP</td> |
| <td>validatorMap</td> |
| <td>A map of QName, Object (Validator) instances to be used to validate |
| tokens identified by their QName.</td> |
| </tr> |
| <tr> |
| <td><b>WSS4J 2.0.0</b> NONCE_CACHE_INSTANCE</td> |
| <td>nonceCacheInstance</td> |
| <td>A ReplayCache instance used to cache UsernameToken nonces. The default |
| instance that is used is the EHCacheReplayCache.</td> |
| </tr> |
| <tr> |
| <td><b>WSS4J 2.0.0</b> TIMESTAMP_CACHE_INSTANCE</td> |
| <td>timestampCacheInstance</td> |
| <td>A ReplayCache instance used to cache Timestamp Created Strings. The default |
| instance that is used is the EHCacheReplayCache.</td> |
| </tr> |
| <tr> |
| <td><b>WSS4J 2.0.0</b> SAML_ONE_TIME_USE_CACHE_INSTANCE</td> |
| <td>samlOneTimeUseCacheInstance</td> |
| <td>A ReplayCache instance used to cache SAML2 Token Identifier Strings (if |
| the token contains a OneTimeUse Condition). The default instance that is used |
| is the EHCacheReplayCache.</td> |
| </tr> |
| <tr> |
| <td><b>WSS4J 2.0.0</b> PASSWORD_ENCRYPTOR_INSTANCE</td> |
| <td>passwordEncryptorInstance</td> |
| <td>A PasswordEncryptor instance used to decrypt encrypted passwords in Crypto |
| properties files. The default is the JasyptPasswordEncryptor.</td> |
| </tr> |
| <tr> |
| <td><b>WSS4J 2.0.0</b> DERIVED_TOKEN_REFERENCE</td> |
| <td>derivedTokenReference</td> |
| <td>This controls how deriving tokens are referenced.</td> |
| </tr> |
| <tr> |
| <td><b>WSS4J 2.0.0</b> DERIVED_TOKEN_KEY_ID</td> |
| <td>derivedTokenKeyIdentifier</td> |
| <td>This controls the key identifier of Derived Tokens.</td> |
| </tr> |
| <tr> |
| <td><b>WSS4J 2.0.0</b> DERIVED_SIGNATURE_KEY_LENGTH</td> |
| <td>derivedSignatureKeyLength</td> |
| <td>The length to use (in bytes) when deriving a key for Signature.</td> |
| </tr> |
| <tr> |
| <td><b>WSS4J 2.0.0</b> DERIVED_ENCRYPTION_KEY_LENGTH</td> |
| <td>derivedEncryptionKeyLength</td> |
| <td>The length to use (in bytes) when deriving a key for Encryption.</td> |
| </tr> |
| </table> |
| <p> |
| The configuration values for setting the KeyIdentifiers for signature or |
| encryption are shown below. For an in depth explanation |
| with examples, see this blog <a href="http://coheigea.blogspot.com/2013/03/signature-and-encryption-key.html">entry</a>. |
| </p> |
| <table name="KeyIdentifier values"> |
| <tr> |
| <th>Value</th> |
| </tr> |
| <tr> |
| <td>DirectReference</td> |
| </tr> |
| <tr> |
| <td>IssuerSerial</td> |
| </tr> |
| <tr> |
| <td>X509KeyIdentifier</td> |
| </tr> |
| <tr> |
| <td>SKIKeyIdentifier</td> |
| </tr> |
| <tr> |
| <td>EmbeddedKeyName</td> |
| </tr> |
| <tr> |
| <td>Thumbprint</td> |
| </tr> |
| <tr> |
| <td>EncryptedKeySHA1</td> |
| </tr> |
| <tr> |
| <td>KeyValue</td> |
| </tr> |
| <tr> |
| <td><b>WSS4J 2.0.0</b> KerberosSHA1</td> |
| </tr> |
| </table> |
| </subsection> |
| </section> |
| </body> |
| </document> |