| /* |
| |
| * Copyright 2003-2005 The Apache Software Foundation. |
| * |
| * Licensed under the Apache License, Version 2.0 (the "License"); |
| * you may not use this file except in compliance with the License. |
| * You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| * |
| */ |
| |
| package org.apache.ws.security.handler; |
| |
| import org.apache.ws.security.WSConstants; |
| import java.util.Hashtable; |
| import java.util.Map; |
| |
| /** |
| * This class defines the names, actions, and other string for the deployment |
| * data of the WSS handler. Both the Axis handler as well as the JAX-RPC handler |
| * use this class. |
| * |
| * @author Werner Dittmann (werner@apache.org) |
| */ |
| |
| public class WSHandlerConstants { |
| /** |
| * The action parameter. The |
| * handlers use the value of this parameter to determine how |
| * to process the SOAP Envelope. For example in a Axis WSDD file: |
| * <pre> |
| * <handler type="java:org.apache.ws.axis.security.WSDoAllSender"> |
| * <parameter name="action" value="UsernameToken"/> |
| * ... |
| * </pre> |
| * orders the handler to attach a <code>UsernameToken</code> to the SOAP |
| * enevelope. It is a blank separated list of actions to perform. |
| * <p/> |
| * The application may set this parameter using the following method: |
| * <pre> |
| * call.setProperty(WSHandlerConstants.ACTION, WSHandlerConstants.USERNAME_TOKEN); |
| * </pre> |
| * However, the parameter in the WSDD deployment file overwrites the |
| * property setting (deployment setting overwrites application setting) |
| */ |
| public static final String ACTION = "action"; |
| public static final String SEND = "send"; |
| public static final String RECEIVE = "receive"; |
| |
| /** |
| * Perform nothing. |
| */ |
| public static final String NO_SECURITY = "NoSecurity"; |
| |
| /** |
| * Perform a UsernameToken identification only. |
| */ |
| public static final String USERNAME_TOKEN = "UsernameToken"; |
| |
| /** |
| * Perform a SAML Token identification. |
| */ |
| public static final String SAML_TOKEN_UNSIGNED = "SAMLTokenUnsigned"; |
| public static final String SAML_TOKEN_SIGNED = "SAMLTokenSigned"; |
| |
| /** |
| * Perform Signature. |
| * The signature specific parameters define how to sign, which keys |
| * to use, and so on |
| */ |
| public static final String SIGNATURE = "Signature"; |
| |
| /** |
| * Perform Encryption. |
| * The encryption specific parameters define how to encrypt, which keys |
| * to use, and so on. |
| */ |
| public static final String ENCRYPT = "Encrypt"; |
| |
| /** |
| * Add a timestamp to the security header. |
| */ |
| public static final String TIMESTAMP = "Timestamp"; |
| |
| /** |
| * Supress the serialization of the SOAP message. |
| * <p/> |
| * Usually the handler serializes the processed SOAP message into a string |
| * and sets it into the Axis message context as new current message. To |
| * supress this action, define this action. In this case the handler |
| * stores the processed SOAP message as <code>Document</code> in the |
| * Axis message context with the property name <code>SND_SECURITY</code>. |
| * <p/> |
| * A chained handler can retrieve the SOAP message and process it. The |
| * last handler in the chain must set the processed SOAP message as |
| * current message in Axis message context. |
| */ |
| public static final String NO_SERIALIZATION = "NoSerialization"; |
| |
| /** |
| * Use this to use a specific signature mechanism for .Net. |
| * This signature mechanism uses data from the username token and |
| * a well defined constant string and constructs a signature |
| * key. |
| */ |
| public static final String SIGN_WITH_UT_KEY = "UsernameTokenSignature"; |
| |
| /** |
| * This is an interal property name to support handler chaining. |
| * The Axis WSS4J handlers use this message context property to |
| * hand over the SOAP partially processed envelope document to |
| * the next WSS4J handler in the chain. |
| */ |
| public static final String SND_SECURITY = "SND_SECURITY"; |
| |
| /** |
| * The actor name of the <code>wsse:Security</code> header. |
| * <p/> |
| * If this parameter is omitted, the actor name is not set. Please |
| * refer to {@link org.apache.axis.Constants#ATTR_ACTOR} and {@link org.apache.axis.Constants#ATTR_ROLE} |
| * about the parameter names. They are set to <code>"actor"</code> |
| * and <code>"role"</code> respectively. |
| * <p/> |
| * The value of the actor or role has to match the receiver's setting |
| * or may contain standard values. |
| * <p/> |
| * The application may set this parameter using the following method: |
| * <pre> |
| * call.setProperty(WSHandlerConstants.ACTOR, "ActorName"); |
| * </pre> |
| * However, the parameter in the WSDD deployment file overwrites the |
| * property setting (deployment setting overwrites application setting). |
| * |
| * @see org.apache.axis.Constants#URI_SOAP11_NEXT_ACTOR |
| * @see org.apache.axis.Constants#URI_SOAP12_NEXT_ROLE |
| */ |
| public static final String ACTOR = "actor"; |
| |
| /** |
| * The role name of the <code>wsse:Security</code> header. |
| * This is used for SOAP 1.2. Refer also to {@link #ACTOR}. |
| */ |
| public static final String ROLE = "role"; |
| |
| /** |
| * Sets the <code>mustUnderstand</code> flag. |
| * <p/> |
| * If the parameter has the value <code>1</code> |
| * or <code>true</code> the <code>mustUnderstand</code> is set. |
| * The values <code>0</code> or <code>false</code> supress the |
| * flag. |
| * <p/> |
| * The application may set this parameter using the following method: |
| * <pre> |
| * call.setProperty(WSHandlerConstants.MUST_UNDERSTAND, "false"); |
| * </pre> |
| * However, the parameter in the WSDD deployment file overwrites the |
| * property setting (deployment setting overwrites application setting). |
| * <p/> |
| * The default setting is <code>true</code> |
| * <p/> |
| * Please refer to {@link org.apache.axis.Constants#ATTR_MUST_UNDERSTAND} |
| * about the parameter name (<code>"mustUnderstand"</code>). |
| */ |
| public static final String MUST_UNDERSTAND = "mustUnderstand"; |
| |
| /** |
| * The user's name. It is used differently by the WS Security functions. |
| * <ul> |
| * <li>The <i>UsernameToken</i> function sets this name in the |
| * <code>UsernameToken</code>. |
| * </li> |
| * <li>The <i>Signing</i> function uses this name as the alias name |
| * in the keystore to get user's certificate and private key to |
| * perform signing. |
| * </li> |
| * <li>The <i>encryption</i> |
| * functions uses this parameter as fallback if {@link #ENCRYPTION_USER} |
| * is not used. |
| * </li> |
| * </ul> |
| * It is also possible to set the user's name and the according password |
| * via the call function, for example: |
| * <pre> |
| * ... |
| * call.setUsername("name"); |
| * call.setPassword("WSS4Java"); |
| * ... |
| * </pre> |
| * The user parameter in the deployment descritor (WSDD) file overwrites |
| * the application's setting. |
| * </p> |
| * For an additional way to set the password refer to |
| * {@link #PW_CALLBACK_CLASS} and {@link #PW_CALLBACK_REF}. |
| * <p/> |
| * If the security functions uses the username from the message context, it |
| * clears the username from the message context |
| * after they copied it. This prevents sending of the username in the |
| * HTTP header. |
| * <p/> |
| * In this case the HTTP authentication mechansisms do <b>not</b> work |
| * anymore. User authentication shall be done via the username token or |
| * the certificate verification of the signature certificate. |
| */ |
| public static final String USER = "user"; |
| |
| /** |
| * The Axis WSS4J handlers provide several ways to get the password required |
| * to construct a username token or to sign a message. |
| * In addition the callback class may check if a username/password |
| * combination is valid. Refer to the documentation of |
| * {@link org.apache.ws.security.WSPasswordCallback} for more information |
| * about this feature. |
| * <ul> |
| * <li> A class that implements a callback interface (see below). The |
| * handler loads this class and calls the callback method. This |
| * class must have a public default constructor with not parameters. |
| * </li> |
| * <li> The application (or a preceeding handler) sets a reference to an |
| * object that implements the callback interface |
| * </li> |
| * <li> The application sets the password directly using the |
| * <code>setPassword</code> function of the <code>Call</code>. |
| * </ul> |
| * The callback class or callback object shall implement specific password |
| * getter methods, for example reading a database or directory. |
| * <p/> |
| * The handler first checks if it can get a the password via a callback |
| * class. If that fails it checks if it can get the password from the |
| * object reference, if that also fails the handler tries the password |
| * property. |
| * <p/> |
| * The following parameter defines a class that implements a callback |
| * handler interface. The handler loads the class and calls the callback |
| * handler method to get the password. The callback |
| * class needs to implement the |
| * {@link javax.security.auth.callback.CallbackHandler} interface. |
| * <p/> |
| * The callback function |
| * {@link javax.security.auth.callback.CallbackHandler#handle(javax.security.auth.callback.Callback[])} |
| * gets an array of {@link org.apache.ws.security.WSPasswordCallback} |
| * objects. Only the first entry of the array is used. This object |
| * contains the username/keyname as identifier. The callback handler must |
| * set the password or key associated with this identifier before it returns. |
| * <p/> |
| * The application may set this parameter using the following method: |
| * <pre> |
| * call.setProperty(WSHandlerConstants.PW_CALLBACK_CLASS, "PWCallbackClass"); |
| * </pre> |
| * However, the parameter in the WSDD deployment file overwrites the |
| * property setting (deployment setting overwrites application setting). |
| * <p/> |
| * Refer also to comment in {@link #USER} about HTTP authentication |
| * functions. |
| */ |
| public static final String PW_CALLBACK_CLASS = "passwordCallbackClass"; |
| |
| /** |
| * An application may set an object reference to an object that implements |
| * the {@link javax.security.auth.callback.CallbackHandler} interface. |
| * Only the application can set this property using: |
| * <pre> |
| * call.setProperty(WSHandlerConstants.PW_CALLBACK_REF, anPWCallbackObject); |
| * </pre> |
| * Refer to {@link #PW_CALLBACK_CLASS} for further information about |
| * password callback handling and the priority of the different |
| * methods. |
| * <p/> |
| * Note: every handler that preceeds this handler in the chain can set |
| * this property too. This may be useful on the server side. |
| */ |
| public static final String PW_CALLBACK_REF = "passwordCallbackRef"; |
| |
| /** |
| * The user's name for encryption. |
| * <p/> |
| * The encryption functions uses the public key of this user's certificate |
| * to encrypt the generated symmetric key. |
| * <p/> |
| * If this parameter is not set, then the encryption |
| * function falls back to the {@link #USER} parameter to get the |
| * certificate. |
| * <p/> |
| * If <b>only</b> encryption of the SOAP body data is requested, |
| * it is recommended to use this parameter to define the username. |
| * The application can then use the standard user and password |
| * functions (see example at {@link #USER} to enable HTTP authentication |
| * functions. |
| * <p/> |
| * Encryption only does not authenticate a user / sender, therefore it |
| * does not need a password. |
| * <p/> |
| * Placing the username of the encryption certficate in the WSDD is not |
| * a security risk, because the public key of that certificate is used |
| * only. |
| * <p/> |
| * The application may set this parameter using the following method: |
| * <pre> |
| * call.setProperty(WSHandlerConstants.ENCYRPTION_USER, "encryptionuser"); |
| * </pre> |
| * However, the parameter in the WSDD deployment file overwrites the |
| * property setting (deployment setting overwrites application setting). |
| */ |
| public static final String ENCRYPTION_USER = "encryptionUser"; |
| |
| /** |
| * Specifying this name as {@link #ENCRYPTION_USER} |
| * triggers a special action to get the public key to use for encryption. |
| * <p/> |
| * The handler uses the public key of the sender's certificate. Using this |
| * way to define an encryption key simplifies certificate management to |
| * a large extend. |
| */ |
| public static final String USE_REQ_SIG_CERT = "useReqSigCert"; |
| |
| /** |
| * This parameter works in the same way as {@link #PW_CALLBACK_CLASS} but |
| * the Axis WSS4J handler uses it to get the key associated with a key name. |
| */ |
| public static final String ENC_CALLBACK_CLASS = "EmbeddedKeyCallbackClass"; |
| |
| /** |
| * This parameter works in the same way as {@link #PW_CALLBACK_REF} but |
| * the Axis WSS4J handler uses it to get the key associated with a key name. |
| */ |
| public static final String ENC_CALLBACK_REF = "EmbeddedKeyCallbackRef"; |
| |
| /** |
| * Text of the key name that needs to be sent |
| */ |
| public static final String ENC_KEY_NAME = "EmbeddedKeyName"; |
| |
| /** |
| * The name of the crypto propterty file to use for SOAP Signature. |
| * <p/> |
| * The classloader loads this file. Therefore it must be accessible |
| * via the classpath. |
| * <p/> |
| * To locate the implementation of the |
| * {@link org.apache.ws.security.components.crypto.Crypto Crypto} |
| * interface implementation the property file must contain the property |
| * <code>org.apache.ws.security.crypto.provider</code>. The value of |
| * this property is the classname of the implementation class. |
| * <p/> |
| * The following line defines the standard implementation: |
| * <pre> |
| * org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin |
| * </pre> |
| * The other contents of the property file depend on the implementation |
| * of the {@link org.apache.ws.security.components.crypto.Crypto Crypto} |
| * interface implementation. |
| * <p/> |
| * The property file of the standard implementation |
| * {@link org.apache.ws.security.components.crypto.Merlin} uses |
| * the following properties: |
| * <pre> |
| * org.apache.ws.security.crypto.provider |
| * org.apache.ws.security.crypto.merlin.file |
| * org.apache.ws.security.crypto.merlin.keystore.type |
| * org.apache.ws.security.crypto.merlin.keystore.provider |
| * org.apache.ws.security.crypto.merlin.keystore.password |
| * org.apache.ws.security.crypto.merlin.keystore.alias |
| * org.apache.ws.security.crypto.merlin.cert.provider |
| * </pre> |
| * The entries are: |
| * <ul> |
| * <li> <code>org.apache.ws.security.crypto.provider</code> see |
| * description above |
| * </li> |
| * <li><code>org.apache.ws.security.crypto.merlin.file</code> |
| * The path to the keystore file. At first the classloader tries to load |
| * this file, if this fails the implementations performs a file system |
| * lookup. |
| * </li> |
| * <li><code>org.apache.ws.security.crypto.merlin.keystore.type</code> |
| * The keystore type, for example <code>JKS</code> for the Java key store. |
| * Other keystore type, such as <code>pkcs12</code> are also possible but depend |
| * on the actual <code>Crypto</code> implementation. |
| * </li> |
| * <li><code>org.apache.ws.security.crypto.merlin.keystore.password</code> |
| * The password to read the keystore. If this property is not set, then |
| * the <code>pwcallback</code>property must be defined. |
| * </li> |
| * </ul> |
| * The application may set this parameter using the following method: |
| * <pre> |
| * call.setProperty(WSHandlerConstants.SIG_PROP_FILE, "myCrypto.properties"); |
| * </pre> |
| * However, the parameter in the WSDD deployment file overwrites the |
| * property setting (deployment setting overwrites application setting). |
| * <p/> |
| * If a property file is not set and a signature is requested, |
| * the handler throws an <code>AxisFault</code>. |
| */ |
| public static final String SIG_PROP_FILE = "signaturePropFile"; |
| |
| /** |
| * The key that hold the refernce of the <code>java.util.Properties</code> |
| * object holding complete info about signature Crypto implementation. |
| * This should contain all information that would contain in an equivalent |
| * .properties file which includes the Crypto implementation class name. |
| * |
| * Refer to documentation of {@link #SIG_PROP_FILE}. |
| */ |
| public final static String SIG_PROP_REF_ID = "SignaturePropRefId"; |
| |
| /** |
| * The WSDoAllReceiver handler stores a result <code>Vector</code> |
| * in this property. |
| * <p/> |
| * The vector contains <code>WSDoAllReceiverResult</code> objects |
| * for each chained WSDoAllReceiver handler. |
| */ |
| public static final String RECV_RESULTS = "RECV_RESULTS"; |
| |
| /** |
| * The name of the crypto propterty file to use for SOAP Decryption. |
| * <p/> |
| * Refer to documentation of {@link #SIG_PROP_FILE}. |
| * <p/> |
| * Refer to {@link #SIG_PROP_FILE} for a detail description |
| * about the format and how to use this property file. |
| * <p/> |
| * The application may set this parameter using the following method: |
| * <pre> |
| * call.setProperty(WSHandlerConstants.DEC_PROP_FILE, "myCrypto.properties"); |
| * </pre> |
| * However, the parameter in the WSDD deployment file overwrites the |
| * property setting (deployment setting overwrites application setting). |
| * <p/> |
| * If this parameter is not used, but the signature crypto property |
| * file is defined (combined Encryption/Signature action), then the |
| * encryption function uses that file. Otherwise the handler throws |
| * an <code>AxisFault</code>. |
| */ |
| public static final String DEC_PROP_FILE = "decryptionPropFile"; |
| |
| /** |
| * The key that hold the refernce of the <code>java.util.Properties</code> |
| * object holding complete info about decryption Crypto implementation. This |
| * should contain all information that would contain in an equivalent |
| * .properties file which includes the Crypto implementation class name. |
| * |
| * Refer to documentation of {@link #DEC_PROP_FILE}. |
| */ |
| public final static String DEC_PROP_REF_ID = "decryptionPropRefId"; |
| |
| /** |
| * Specific parameter for UsernameToken action to define the encoding |
| * of the password. |
| * <p/> |
| * The parameter can be set to either {@link WSConstants#PW_DIGEST} |
| * or to {@link WSConstants#PW_TEXT}. |
| * <p/> |
| * The application may set this parameter using the following method: |
| * <pre> |
| * call.setProperty(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_DIGEST); |
| * </pre> |
| * However, the parameter in the WSDD deployment file overwrites the |
| * property setting (deployment setting overwrites application setting). |
| * <p/> |
| * The default setting is PW_DIGEST. |
| */ |
| public static final String PASSWORD_TYPE = "passwordType"; |
| |
| /** |
| * This variable controls whether types other than PasswordDigest or PasswordText |
| * are allowed when processing UsernameTokens. |
| * |
| * By default this is set to false so that the user doesn't have to explicitly |
| * reject custom token types in the callback handler. |
| */ |
| public static final String HANDLE_CUSTOM_PASSWORD_TYPES = "handleCustomPasswordTypes"; |
| |
| /** |
| * Parameter to generate additional elements in <code>UsernameToken</code>. |
| * <p/> |
| * The value of this parameter is a list of element names that are added |
| * to the UsernameToken. The names of the list a separated by spaces. |
| * <p/> |
| * The list may containe the names <code>nonce</code> and |
| * <code>created</code> only. Use this option if the password type is |
| * <code>passwordText</code> and the handler shall add the <code>Nonce</code> |
| * and/or <code>Created</code> elements. |
| */ |
| public static final String ADD_UT_ELEMENTS = "addUTElements"; |
| |
| /** |
| * Defines which key identifier type to use. The WS-Security specifications |
| * recommends to use the identifier type <code>IssuerSerial</code>. For |
| * possible signature key identifier types refer to |
| * {@link #keyIdentifier}. For signature <code>IssuerSerial</code> |
| * and <code>DirectReference</code> are valid only. |
| * <p/> |
| * The application may set this parameter using the following method: |
| * <pre> |
| * call.setProperty(WSHandlerConstants.SIG_KEY_ID, "DirectReference"); |
| * </pre> |
| * However, the parameter in the WSDD deployment file overwrites the |
| * property setting (deployment setting overwrites application setting). |
| */ |
| public static final String SIG_KEY_ID = "signatureKeyIdentifier"; |
| |
| /** |
| * Defines which signature algorithm to use. Currently this |
| * parameter is ignored - SHA1RSA is the only supported algorithm, |
| * will be enhanced soon. |
| * <p/> |
| * The application may set this parameter using the following method: |
| * <pre> |
| * call.setProperty(WSHandlerConstants.SIG_ALGO, "SHA1RSA"); |
| * </pre> |
| * However, the parameter in the WSDD deployment file overwrites the |
| * property setting (deployment setting overwrites application setting). |
| */ |
| public static final String SIG_ALGO = "signatureAlgorithm"; |
| |
| /** |
| * Parameter to define which parts of the request shall be signed. |
| * <p/> |
| * Refer to {@link #ENCRYPTION_PARTS} for a detailed description of |
| * the format of the value string. |
| * <p/> |
| * If this parameter is not specified the handler signs the SOAP Body |
| * by default. |
| * <p/> |
| * The WS Security specifications define several formats to transfer the |
| * signature tokens (certificates) or references to these tokens. |
| * Thus, the plain element name <code>Token</code> |
| * signs the token and takes care of the different format. |
| * <p/> |
| * To sign the SOAP body <b>and</b> the signature token the value of this |
| * parameter must contain: |
| * <pre> |
| * <parameter name="signatureParts" |
| * value="{}{http://schemas.xmlsoap.org/soap/envelope/}Body; Token" /> |
| * </pre> |
| * To specify an element without a namespace use the string |
| * <code>Null</code> as the namespace name (this is a case sensitive |
| * string) |
| * <p/> |
| * If there is no other element in the request with a local name of |
| * <code>Body</code> then the SOAP namespace identifier can be empty |
| * (<code>{}</code>). |
| */ |
| public static final String SIGNATURE_PARTS = "signatureParts"; |
| |
| /** |
| * The name of the crypto propterty file to use for SOAP Encryption. |
| * <p/> |
| * Refer to documentation of {@link #SIG_PROP_FILE}. |
| * <p/> |
| * The application may set this parameter using the following method: |
| * <pre> |
| * call.setProperty(WSHandlerConstants.ENC_PROP_FILE, "myCrypto.properties"); |
| * </pre> |
| * However, the parameter in the WSDD deployment file overwrites the |
| * property setting (deployment setting overwrites application setting). |
| * <p/> |
| * If this parameter is not used, but the signature crypto property |
| * file is defined (combined Encryption/Signature action), then the |
| * encryption function uses signature property file. Otherwise the |
| * handler throws an <code>AxisFault</code>. |
| */ |
| public static final String ENC_PROP_FILE = "encryptionPropFile"; |
| |
| /** |
| * The key that hold the refernce of the |
| * <code>java.util.Properties</code> object holding complete info about |
| * encryption Crypto implementation. This should contain all information |
| * that would contain in an equivalent .properties file which includes the |
| * Crypto implementation class name. |
| * |
| * Refer to documentation of {@link #DEC_PROP_FILE}. |
| */ |
| public final static String ENC_PROP_REF_ID = "encryptionPropRefId"; |
| |
| |
| /** |
| * Defines which key identifier type to use. The WS-Security specifications |
| * recommends to use the identifier type <code>IssuerSerial</code>. For |
| * possible encryption key identifier types refer to |
| * {@link #keyIdentifier}. For encryption <code>IssuerSerial</code>, |
| * <code>X509KeyIdentifier</code>, <code>DirectReference</code>, |
| * <code>Thumbprint</code>, <code>SKIKeyIdentifier</code>, and |
| * <code>EmbeddedKeyName</code> are valid only. |
| * <p/> |
| * The application may set this parameter using the following method: |
| * <pre> |
| * call.setProperty(WSHandlerConstants.ENC_KEY_ID, "X509KeyIdentifier"); |
| * </pre> |
| * However, the parameter in the WSDD deployment file overwrites the |
| * property setting (deployment setting overwrites application setting). |
| */ |
| public static final String ENC_KEY_ID = "encryptionKeyIdentifier"; |
| |
| /** |
| * Defines which symmetric encryption algorithm to use. WSS4J supports the |
| * following alorithms: {@link WSConstants#TRIPLE_DES}, |
| * {@link WSConstants#AES_128}, {@link WSConstants#AES_256}, |
| * and {@link WSConstants#AES_192}. Except for AES 192 all of these |
| * algorithms are required by the XML Encryption specification. |
| * <p/> |
| * The application may set this parameter using the following method: |
| * <pre> |
| * call.setProperty(WSHandlerConstants.ENC_SYM_ALGO, WSConstants.AES_256); |
| * </pre> |
| * However, the parameter in the WSDD deployment file overwrites the |
| * property setting (deployment setting overwrites application setting). |
| */ |
| public static final String ENC_SYM_ALGO = "encryptionSymAlgorithm"; |
| |
| /** |
| * Defines which algorithm to use to encrypt the generated symmetric key. |
| * Currently WSS4J supports {@link WSConstants#KEYTRANSPORT_RSA15} only. |
| * <p/> |
| * The application may set this parameter using the following method: |
| * <pre> |
| * call.setProperty(WSHandlerConstants.ENC_KEY_TRANSPORT, "RSA15"); |
| * </pre> |
| * However, the parameter in the WSDD deployment file overwrites the |
| * property setting (deployment setting overwrites application setting). |
| */ |
| public static final String ENC_KEY_TRANSPORT = |
| "encryptionKeyTransportAlgorithm"; |
| |
| /** |
| * Parameter to define which parts of the request shall be encrypted. |
| * <p/> |
| * The value of this parameter is a list of semi-colon separated |
| * element names that identify the elements to encrypt. An encryption mode |
| * specifier and a namespace identification, each inside a pair of curly |
| * brackets, may preceed each element name. |
| * <p/> |
| * The encryption mode specifier is either <code>{Content}</code> or |
| * <code>{Element}</code>. Please refer to the W3C XML Encryption |
| * specification about the differences between Element and Content |
| * encryption. The encryption mode defaults to <code>Content</code> |
| * if it is omitted. Example of a list: |
| * <pre> |
| * <parameter name="encryptionParts" |
| * value="{Content}{http://example.org/paymentv2}CreditCard; |
| * {Element}{}UserName" /> |
| * </pre> |
| * The the first entry of the list identifies the element |
| * <code>CreditCard</code> in the namespace |
| * <code>http://example.org/paymentv2</code>, and will encrypt its content. |
| * Be aware that the element name, the namespace identifier, and the |
| * encryption modifier are case sensitive. |
| * <p/> |
| * The encryption modifier and the namespace identifier can be ommited. |
| * In this case the encryption mode defaults to <code>Content</code> and |
| * the namespace is set to the SOAP namespace. |
| * <p/> |
| * An empty encryption mode defaults to <code>Content</code>, an empty |
| * namespace identifier defaults to the SOAP namespace. |
| * The second line of the example defines <code>Element</code> as |
| * encryption mode for an <code>UserName</code> element in the SOAP |
| * namespace. |
| * <p/> |
| * To specify an element without a namespace use the string |
| * <code>Null</code> as the namespace name (this is a case sensitive |
| * string) |
| * <p/> |
| * If no list is specified, the handler encrypts the SOAP Body in |
| * <code>Content</code> mode by default. |
| */ |
| public static final String ENCRYPTION_PARTS = "encryptionParts"; |
| |
| /** |
| * The name of the SAML Issuer factory property file. |
| * The classloader loads this file. Therefore it must be accessible |
| * via the classpath. |
| */ |
| public static final String SAML_PROP_FILE = "samlPropFile"; |
| |
| /** |
| * Time-To-Live is the time difference between creation and expiry time in |
| * the WSS Timestamp. |
| * The time-to-live in seconds. After this time the SOAP request is |
| * invalid (at least the security data shall be treated this way). |
| * <p/> |
| * If this parameter is not defined, contains a value less or equal |
| * zero, or an illegal format the handlers use a default TTL of |
| * 300 seconds (5 minutes). |
| */ |
| public static final String TTL_TIMESTAMP = "timeToLive"; |
| |
| /** |
| * Whether to enable signatureConfirmation or not |
| * By default signatureConfirmation is enabled |
| */ |
| public static final String ENABLE_SIGNATURE_CONFIRMATION = "enableSignatureConfirmation"; |
| |
| /** |
| * Should timestamps have precision in milliseconds |
| */ |
| public static final String TIMESTAMP_PRECISION = "precisionInMilliseconds"; |
| |
| /** |
| * Set the value of this parameter to true to enable strict timestamp |
| * handling. |
| * |
| * Strict Timestamp handling: throw an exception if a Timestamp contains |
| * an <code>Expires</code> element and the semantics of the request are |
| * expired, i.e. the current time at the receiver is past the expires time. |
| */ |
| public static final String TIMESTAMP_STRICT = "timestampStrict"; |
| |
| /** |
| * Define the parameter values to set the key identifier types. These are: |
| * <ul> |
| * <li><code>DirectReference</code> for {@link WSConstants#BST_DIRECT_REFERENCE} |
| * </li> |
| * <li><code>IssuerSerial</code> for {@link WSConstants#ISSUER_SERIAL} |
| * </li> |
| * <li><code>X509KeyIdentifier</code> for {@link WSConstants#X509_KEY_IDENTIFIER} |
| * </li> |
| * <li><code>SKIKeyIdentifier</code> for {@link WSConstants#SKI_KEY_IDENTIFIER} |
| * </li> |
| * <li><code>EmbeddedKeyName</code> for {@link WSConstants#EMBEDDED_KEYNAME} |
| * </li> |
| * <li><code>Thumbprint</code> for {@link WSConstants#THUMBPRINT} |
| * </li> |
| * </ul |
| * See {@link #SIG_KEY_ID} {@link #ENC_KEY_ID}. |
| */ |
| public static Map keyIdentifier = new Hashtable(); |
| |
| static { |
| keyIdentifier.put("DirectReference", |
| new Integer(WSConstants.BST_DIRECT_REFERENCE)); |
| keyIdentifier.put("IssuerSerial", |
| new Integer(WSConstants.ISSUER_SERIAL)); |
| keyIdentifier.put("X509KeyIdentifier", |
| new Integer(WSConstants.X509_KEY_IDENTIFIER)); |
| keyIdentifier.put("SKIKeyIdentifier", |
| new Integer(WSConstants.SKI_KEY_IDENTIFIER)); |
| keyIdentifier.put("EmbeddedKeyName", |
| new Integer(WSConstants.EMBEDDED_KEYNAME)); |
| keyIdentifier.put("Thumbprint", |
| new Integer(WSConstants.THUMBPRINT_IDENTIFIER)); |
| } |
| /* |
| * internally used property names to store values inside the message context |
| * that must have the same livetime as a message (request/response model). |
| */ |
| public static final String SEND_SIGV = "_sendSignatureValues_"; |
| public static final String SIG_CONF_DONE = "_sigConfDone_"; |
| } |
| |