Apache CXF API

org.apache.cxf.ws.security
Class SecurityConstants

java.lang.Object
  extended by org.apache.cxf.ws.security.SecurityConstants

public final class SecurityConstants
extends Object

Configuration tags used to configure the WS-SecurityPolicy layer. Some of them are also used by the non-WS-SecurityPolicy approach in the WSS4J(Out|In)Interceptors.


Field Summary
static String ACTOR
          The actor or role name of the wsse:Security header.
static Set<String> ALL_PROPERTIES
           
static String ALWAYS_ENCRYPT_UT
          Whether to always encrypt UsernameTokens that are defined as a SupportingToken.
static String ASYMMETRIC_SIGNATURE_ALGORITHM
          This configuration tag allows the user to override the default Asymmetric Signature algorithm (RSA-SHA1) for use in WS-SecurityPolicy, as the WS-SecurityPolicy specification does not allow the use of other algorithms at present.
static String BST_TOKEN_VALIDATOR
          The WSS4J Validator instance to use to validate BinarySecurityTokens.
static String CACHE_CONFIG_FILE
          Set this property to point to a configuration file for the underlying caching implementation.
static String CACHE_IDENTIFIER
          The Cache Identifier to use with the TokenStore.
static String CACHE_ISSUED_TOKEN_IN_ENDPOINT
          Set this to "false" to not cache a SecurityToken per proxy object in the IssuedTokenInterceptorProvider.
static String CALLBACK_HANDLER
          The CallbackHandler implementation class used to obtain passwords, for both outbound and inbound requests.
static String DISABLE_STS_CLIENT_WSMEX_CALL_USING_EPR_ADDRESS
          Whether to prevent the STS client from sending a WS-MetadataExchange call to the STS EPR WS-Addressing address when the endpoint contract contains no WS-MetadataExchange information.
static String ENABLE_NONCE_CACHE
          Whether to cache UsernameToken nonces.
static String ENABLE_REVOCATION
          Whether to enable Certificate Revocation List (CRL) checking or not when verifying trust in a certificate.
static String ENABLE_SAML_ONE_TIME_USE_CACHE
          Whether to cache SAML2 Token Identifiers, if the token contains a "OneTimeUse" Condition.
static String ENABLE_STREAMING_SECURITY
          Whether to enable streaming WS-Security.
static String ENABLE_TIMESTAMP_CACHE
          Whether to cache Timestamp Created Strings (these are only cached in conjunction with a message Signature). The default value is "true" for message recipients, and "false" for message initiators.
static String ENCRYPT_CRYPTO
          A Crypto object to be used for encryption.
static String ENCRYPT_PROPERTIES
          The Crypto property configuration to use for encryption, if ENCRYPT_CRYPTO is not set instead.
static String ENCRYPT_USERNAME
          The user's name for encryption.
static String IS_BSP_COMPLIANT
          Whether to ensure compliance with the Basic Security Profile (BSP) 1.1 or not.
static String KERBEROS_CLIENT
          A reference to the KerberosClient class used to obtain a service ticket.
static String KERBEROS_JAAS_CONTEXT_NAME
          The JAAS Context name to use for Kerberos.
static String KERBEROS_SPN
          The Kerberos Service Provider Name (spn) to use.
static String MUST_UNDERSTAND
          Set this to "false" in order to remove the SOAP mustUnderstand header from security headers generated based on a WS-SecurityPolicy.
static String NONCE_CACHE_INSTANCE
          This holds a reference to a ReplayCache instance used to cache UsernameToken nonces.
static String PASSWORD
          The user's password when a CALLBACK_HANDLER is not defined.
static String PASSWORD_ENCRYPTOR_INSTANCE
          This holds a reference to a PasswordEncryptor instance, which is used to encrypt or decrypt passwords in the Merlin Crypto implementation (or any custom Crypto implementations).
static String RETURN_SECURITY_ERROR
          Whether to return the security error message to the client, and not one of the default error QNames.
static String SAML_CALLBACK_HANDLER
          The SAML CallbackHandler implementation class used to construct SAML Assertions.
static String SAML_ONE_TIME_USE_CACHE_INSTANCE
          This holds a reference to a ReplayCache instance used to cache SAML2 Token Identifiers, when the token has a "OneTimeUse" Condition.
static String SAML_ROLE_ATTRIBUTENAME
          The attribute URI of the SAML AttributeStatement where the role information is stored.
static String SAML1_TOKEN_VALIDATOR
          The WSS4J Validator instance to use to validate SAML 1.1 Tokens.
static String SAML2_TOKEN_VALIDATOR
          The WSS4J Validator instance to use to validate SAML 2.0 Tokens.
static String SC_FROM_JAAS_SUBJECT
          Set this to "false" if a security context must not be created from the JAAS Subject.
static String SCT_TOKEN_VALIDATOR
          The WSS4J Validator instance to use to validate SecurityContextTokens.
static String SIGNATURE_CRYPTO
          A Crypto object to be used for signature.
static String SIGNATURE_PROPERTIES
          The Crypto property configuration to use for signature, if SIGNATURE_CRYPTO is not set instead.
static String SIGNATURE_TOKEN_VALIDATOR
          The WSS4J Validator instance to use to validate trust in credentials used in Signature verification.
static String SIGNATURE_USERNAME
          The user's name for signature.
static String SPNEGO_CLIENT_ACTION
          The SpnegoClientAction implementation to use for SPNEGO.
static String STS_APPLIES_TO
          The "AppliesTo" address to send to the STS.
static String STS_CLIENT
          A reference to the STSClient class used to communicate with the STS.
static String STS_CLIENT_SOAP12_BINDING
          Switch the STS client to send SOAP 1.2 messages.
static String STS_TOKEN_ACT_AS
          The token to be sent to the STS in an "ActAs" field.
static String STS_TOKEN_CRYPTO
          A Crypto object to be used for the STS.
static String STS_TOKEN_DO_CANCEL
          Whether to cancel a token when using SecureConversation after successful invocation.
static String STS_TOKEN_ON_BEHALF_OF
          The token to be sent to the STS in an "OnBehalfOf" field.
static String STS_TOKEN_PROPERTIES
          The Crypto property configuration to use for the STS, if STS_TOKEN_CRYPTO is not set instead.
static String STS_TOKEN_USE_CERT_FOR_KEYINFO
          Whether to write out an X509Certificate structure in UseKey/KeyInfo, or whether to write out a KeyValue structure.
static String STS_TOKEN_USERNAME
          The alias name in the keystore to get the user's public key to send to the STS for the PublicKey KeyType case.
static String SUBJECT_CERT_CONSTRAINTS
          A comma separated String of regular expressions which will be applied to the subject DN of the certificate used for signature validation, after trust verification of the certificate chain associated with the certificate.
static String SUBJECT_ROLE_CLASSIFIER
          The Subject Role Classifier to use.
static String SUBJECT_ROLE_CLASSIFIER_TYPE
          The Subject Role Classifier Type to use.
static String TIMESTAMP_CACHE_INSTANCE
          This holds a reference to a ReplayCache instance used to cache Timestamp Created Strings.
static String TIMESTAMP_FUTURE_TTL
          The time in seconds in the future within which the Created time of an incoming Timestamp is valid.
static String TIMESTAMP_TOKEN_VALIDATOR
          The WSS4J Validator instance to use to validate Timestamps.
static String TIMESTAMP_TTL
          The time in seconds to append to the Creation value of an incoming Timestamp to determine whether to accept the Timestamp as valid or not.
static String TOKEN
           
static String TOKEN_ID
           
static String TOKEN_STORE_CACHE_INSTANCE
          The TokenStore instance to use to cache security tokens.
static String USERNAME
          The user's name.
static String USERNAME_TOKEN_VALIDATOR
          The WSS4J Validator instance to use to validate UsernameTokens.
static String USERNAMETOKEN_FUTURE_TTL
          The time in seconds in the future within which the Created time of an incoming UsernameToken is valid.
static String USERNAMETOKEN_TTL
          The time in seconds to append to the Creation value of an incoming UsernameToken to determine whether to accept the UsernameToken as valid or not.
static String VALIDATE_SAML_SUBJECT_CONFIRMATION
          Whether to validate the SubjectConfirmation requirements of a received SAML Token (sender-vouches or holder-of-key).
static String VALIDATE_TOKEN
          Whether to validate the password of a received UsernameToken or not.
 
Method Summary
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

USERNAME

public static final String USERNAME
The user's name. It is used differently by each of the WS-Security functions:
a) It is used as the name in the UsernameToken.
b) It is used as the alias name in the keystore to get the user's cert and private key for signature if SIGNATURE_USERNAME is not set.
c) It is used as the alias name in the keystore to get the user's public key for encryption if ENCRYPT_USERNAME is not set.

See Also:
Constant Field Values

PASSWORD

public static final String PASSWORD
The user's password when a CALLBACK_HANDLER is not defined. It is currently only used for the case of adding a password to a UsernameToken.

See Also:
Constant Field Values

SIGNATURE_USERNAME

public static final String SIGNATURE_USERNAME
The user's name for signature. It is used as the alias name in the keystore to get the user's cert and private key for signature. If this is not defined, then USERNAME is used instead. If that is also not specified, it uses the default alias set in the properties file referenced by SIGNATURE_PROPERTIES. If that's also not set, and the keystore only contains a single key, that key will be used.

See Also:
Constant Field Values

ENCRYPT_USERNAME

public static final String ENCRYPT_USERNAME
The user's name for encryption. It is used as the alias name in the keystore to get the user's public key for encryption. If this is not defined, then USERNAME is used instead. If that is also not specified, it uses the default alias set in the properties file referenced by ENCRYPT_PROPERTIES. If that's also not set, and the keystore only contains a single key, that key will be used. For the web service provider, the "useReqSigCert" keyword can be used to accept (encrypt to) any client whose public key is in the service's truststore (defined in ENCRYPT_PROPERTIES).

See Also:
Constant Field Values

ACTOR

public static final String ACTOR
The actor or role name of the wsse:Security header. If this parameter is omitted, the actor name is not set.

See Also:
Constant Field Values

CALLBACK_HANDLER

public static final String CALLBACK_HANDLER
The CallbackHandler implementation class used to obtain passwords, for both outbound and inbound requests. The value of this tag must be either:
a) The class name of a CallbackHandler instance, which must be accessible via the classpath.
b) A CallbackHandler instance.

See Also:
Constant Field Values

SAML_CALLBACK_HANDLER

public static final String SAML_CALLBACK_HANDLER
The SAML CallbackHandler implementation class used to construct SAML Assertions. The value of this tag must be either:
a) The class name of a CallbackHandler instance, which must be accessible via the classpath.
b) A CallbackHandler instance.

See Also:
Constant Field Values

SIGNATURE_PROPERTIES

public static final String SIGNATURE_PROPERTIES
The Crypto property configuration to use for signature, if SIGNATURE_CRYPTO is not set instead. The value of this tag must be either:
a) A Java Properties object that contains the Crypto configuration.
b) The path of the Crypto property file that contains the Crypto configuration.
c) A URL that points to the Crypto property file that contains the Crypto configuration.

See Also:
Constant Field Values

ENCRYPT_PROPERTIES

public static final String ENCRYPT_PROPERTIES
The Crypto property configuration to use for encryption, if ENCRYPT_CRYPTO is not set instead. The value of this tag must be either:
a) A Java Properties object that contains the Crypto configuration.
b) The path of the Crypto property file that contains the Crypto configuration.
c) A URL that points to the Crypto property file that contains the Crypto configuration.

See Also:
Constant Field Values

SIGNATURE_CRYPTO

public static final String SIGNATURE_CRYPTO
A Crypto object to be used for signature. If this is not defined then the SIGNATURE_PROPERTIES is used instead.

See Also:
Constant Field Values

ENCRYPT_CRYPTO

public static final String ENCRYPT_CRYPTO
A Crypto object to be used for encryption. If this is not defined then the ENCRYPT_PROPERTIES is used instead.

See Also:
Constant Field Values

VALIDATE_TOKEN

public static final String VALIDATE_TOKEN
Whether to validate the password of a received UsernameToken or not. The default is true.

See Also:
Constant Field Values

ENABLE_REVOCATION

public static final String ENABLE_REVOCATION
Whether to enable Certificate Revocation List (CRL) checking or not when verifying trust in a certificate. The default value is "false".

See Also:
Constant Field Values

ALWAYS_ENCRYPT_UT

public static final String ALWAYS_ENCRYPT_UT
Whether to always encrypt UsernameTokens that are defined as a SupportingToken. The default is true. This should not be set to false in a production environment, as it exposes the password (or the digest of the password) on the wire.

See Also:
Constant Field Values

IS_BSP_COMPLIANT

public static final String IS_BSP_COMPLIANT
Whether to ensure compliance with the Basic Security Profile (BSP) 1.1 or not. The default value is "true".

See Also:
Constant Field Values

ENABLE_NONCE_CACHE

public static final String ENABLE_NONCE_CACHE
Whether to cache UsernameToken nonces. The default value is "true" for message recipients, and "false" for message initiators. Set it to true to cache for both cases. Set this to "false" to not cache UsernameToken nonces. Note that caching only applies when either a UsernameToken WS-SecurityPolicy is in effect, or else that a UsernameToken action has been configured for the non-security-policy case.

See Also:
Constant Field Values

ENABLE_TIMESTAMP_CACHE

public static final String ENABLE_TIMESTAMP_CACHE
Whether to cache Timestamp Created Strings (these are only cached in conjunction with a message Signature). The default value is "true" for message recipients, and "false" for message initiators. Set it to true to cache for both cases. Set this to "false" to not cache Timestamp Created Strings. Note that caching only applies when either an "IncludeTimestamp" policy is in effect, or else a Timestamp action has been configured for the non-security-policy case.

See Also:
Constant Field Values

ENABLE_SAML_ONE_TIME_USE_CACHE

public static final String ENABLE_SAML_ONE_TIME_USE_CACHE
Whether to cache SAML2 Token Identifiers, if the token contains a "OneTimeUse" Condition. The default value is "true" for message recipients, and "false" for message initiators. Set it to true to cache for both cases. Set this to "false" to not cache SAML2 Token Identifiers. Note that caching only applies when either a "SamlToken" policy is in effect, or else that a SAML action has been configured for the non-security-policy case.

See Also:
Constant Field Values

VALIDATE_SAML_SUBJECT_CONFIRMATION

public static final String VALIDATE_SAML_SUBJECT_CONFIRMATION
Whether to validate the SubjectConfirmation requirements of a received SAML Token (sender-vouches or holder-of-key). The default is true.

See Also:
Constant Field Values

ENABLE_STREAMING_SECURITY

public static final String ENABLE_STREAMING_SECURITY
Whether to enable streaming WS-Security. If set to false (the default), the old DOM implementation is used. If set to true, the new streaming (StAX) implementation is used.

See Also:
Constant Field Values

RETURN_SECURITY_ERROR

public static final String RETURN_SECURITY_ERROR
Whether to return the security error message to the client, and not one of the default error QNames. The default is false.

See Also:
Constant Field Values

TIMESTAMP_TTL

public static final String TIMESTAMP_TTL
The time in seconds to append to the Creation value of an incoming Timestamp to determine whether to accept the Timestamp as valid or not. The default value is 300 seconds (5 minutes).

See Also:
Constant Field Values

TIMESTAMP_FUTURE_TTL

public static final String TIMESTAMP_FUTURE_TTL
The time in seconds in the future within which the Created time of an incoming Timestamp is valid. The default value is "60", to avoid problems where clocks are slightly askew. To reject all future-created Timestamps, set this value to "0".

See Also:
Constant Field Values

USERNAMETOKEN_TTL

public static final String USERNAMETOKEN_TTL
The time in seconds to append to the Creation value of an incoming UsernameToken to determine whether to accept the UsernameToken as valid or not. The default value is 300 seconds (5 minutes).

See Also:
Constant Field Values

USERNAMETOKEN_FUTURE_TTL

public static final String USERNAMETOKEN_FUTURE_TTL
The time in seconds in the future within which the Created time of an incoming UsernameToken is valid. The default value is "60", to avoid problems where clocks are slightly askew. To reject all future-created UsernameTokens, set this value to "0".

See Also:
Constant Field Values

SAML_ROLE_ATTRIBUTENAME

public static final String SAML_ROLE_ATTRIBUTENAME
The attribute URI of the SAML AttributeStatement where the role information is stored. The default is "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role".

See Also:
Constant Field Values

KERBEROS_CLIENT

public static final String KERBEROS_CLIENT
A reference to the KerberosClient class used to obtain a service ticket.

See Also:
Constant Field Values

SPNEGO_CLIENT_ACTION

public static final String SPNEGO_CLIENT_ACTION
The SpnegoClientAction implementation to use for SPNEGO. This allows the user to plug in a different implementation to obtain a service ticket.

See Also:
Constant Field Values

KERBEROS_JAAS_CONTEXT_NAME

public static final String KERBEROS_JAAS_CONTEXT_NAME
The JAAS Context name to use for Kerberos. This is currently only supported for SPNEGO.

See Also:
Constant Field Values

KERBEROS_SPN

public static final String KERBEROS_SPN
The Kerberos Service Provider Name (spn) to use. This is currently only supported for SPNEGO.

See Also:
Constant Field Values

NONCE_CACHE_INSTANCE

public static final String NONCE_CACHE_INSTANCE
This holds a reference to a ReplayCache instance used to cache UsernameToken nonces. The default instance that is used is the EHCacheReplayCache.

See Also:
Constant Field Values

TIMESTAMP_CACHE_INSTANCE

public static final String TIMESTAMP_CACHE_INSTANCE
This holds a reference to a ReplayCache instance used to cache Timestamp Created Strings. The default instance that is used is the EHCacheReplayCache.

See Also:
Constant Field Values

SAML_ONE_TIME_USE_CACHE_INSTANCE

public static final String SAML_ONE_TIME_USE_CACHE_INSTANCE
This holds a reference to a ReplayCache instance used to cache SAML2 Token Identifiers, when the token has a "OneTimeUse" Condition. The default instance that is used is the EHCacheReplayCache.

See Also:
Constant Field Values

CACHE_CONFIG_FILE

public static final String CACHE_CONFIG_FILE
Set this property to point to a configuration file for the underlying caching implementation. The default configuration file that is used is cxf-ehcache.xml in this module.

See Also:
Constant Field Values

TOKEN_STORE_CACHE_INSTANCE

public static final String TOKEN_STORE_CACHE_INSTANCE
The TokenStore instance to use to cache security tokens. By default this uses the EHCacheTokenStore if EhCache is available. Otherwise it uses the MemoryTokenStore.

See Also:
Constant Field Values

CACHE_IDENTIFIER

public static final String CACHE_IDENTIFIER
The Cache Identifier to use with the TokenStore. CXF uses the following key to retrieve a token store: "org.apache.cxf.ws.security.tokenstore.TokenStore-". This key can be used to configure a service-specific cache configuration. If the identifier does not match, then it falls back to a cache configuration with key "org.apache.cxf.ws.security.tokenstore.TokenStore". The default "" is the QName of the service in question. However, to pick up a custom cache configuration (for example, if you want to specify a TokenStore per client proxy), it can be configured with this identifier instead.

See Also:
Constant Field Values

SUBJECT_CERT_CONSTRAINTS

public static final String SUBJECT_CERT_CONSTRAINTS
A comma separated String of regular expressions which will be applied to the subject DN of the certificate used for signature validation, after trust verification of the certificate chain associated with the certificate.

See Also:
Constant Field Values

SUBJECT_ROLE_CLASSIFIER

public static final String SUBJECT_ROLE_CLASSIFIER
The Subject Role Classifier to use. If one of the WSS4J Validators returns a JAAS Subject from Validation, then the WSS4JInInterceptor will attempt to create a SecurityContext based on this Subject. If this value is not specified, then it tries to get roles using the DefaultSecurityContext in cxf-rt-core. Otherwise it uses this value in combination with the SUBJECT_ROLE_CLASSIFIER_TYPE to get the roles from the Subject.

See Also:
Constant Field Values

SUBJECT_ROLE_CLASSIFIER_TYPE

public static final String SUBJECT_ROLE_CLASSIFIER_TYPE
The Subject Role Classifier Type to use. If one of the WSS4J Validators returns a JAAS Subject from Validation, then the WSS4JInInterceptor will attempt to create a SecurityContext based on this Subject. Currently accepted values are "prefix" or "classname". Must be used in conjunction with the SUBJECT_ROLE_CLASSIFIER. The default value is "prefix".

See Also:
Constant Field Values

ASYMMETRIC_SIGNATURE_ALGORITHM

public static final String ASYMMETRIC_SIGNATURE_ALGORITHM
This configuration tag allows the user to override the default Asymmetric Signature algorithm (RSA-SHA1) for use in WS-SecurityPolicy, as the WS-SecurityPolicy specification does not allow the use of other algorithms at present.

See Also:
Constant Field Values

PASSWORD_ENCRYPTOR_INSTANCE

public static final String PASSWORD_ENCRYPTOR_INSTANCE
This holds a reference to a PasswordEncryptor instance, which is used to encrypt or decrypt passwords in the Merlin Crypto implementation (or any custom Crypto implementations). By default, WSS4J uses the JasyptPasswordEncryptor, which must be instantiated with a master password to use to decrypt keystore passwords in the Merlin Crypto properties file. This master password is obtained via the CallbackHandler defined via PW_CALLBACK_CLASS or PW_CALLBACK_REF. The encrypted passwords must be stored in the format "ENC(encoded encrypted password)".

See Also:
Constant Field Values

USERNAME_TOKEN_VALIDATOR

public static final String USERNAME_TOKEN_VALIDATOR
The WSS4J Validator instance to use to validate UsernameTokens. The default value is the UsernameTokenValidator.

See Also:
Constant Field Values

SAML1_TOKEN_VALIDATOR

public static final String SAML1_TOKEN_VALIDATOR
The WSS4J Validator instance to use to validate SAML 1.1 Tokens. The default value is the SamlAssertionValidator.

See Also:
Constant Field Values

SAML2_TOKEN_VALIDATOR

public static final String SAML2_TOKEN_VALIDATOR
The WSS4J Validator instance to use to validate SAML 2.0 Tokens. The default value is the SamlAssertionValidator.

See Also:
Constant Field Values

TIMESTAMP_TOKEN_VALIDATOR

public static final String TIMESTAMP_TOKEN_VALIDATOR
The WSS4J Validator instance to use to validate Timestamps. The default value is the TimestampValidator.

See Also:
Constant Field Values

SIGNATURE_TOKEN_VALIDATOR

public static final String SIGNATURE_TOKEN_VALIDATOR
The WSS4J Validator instance to use to validate trust in credentials used in Signature verification. The default value is the SignatureTrustValidator.

See Also:
Constant Field Values

BST_TOKEN_VALIDATOR

public static final String BST_TOKEN_VALIDATOR
The WSS4J Validator instance to use to validate BinarySecurityTokens. The default value is the NoOpValidator.

See Also:
Constant Field Values

SCT_TOKEN_VALIDATOR

public static final String SCT_TOKEN_VALIDATOR
The WSS4J Validator instance to use to validate SecurityContextTokens. The default value is the NoOpValidator.

See Also:
Constant Field Values

STS_CLIENT

public static final String STS_CLIENT
A reference to the STSClient class used to communicate with the STS.

See Also:
Constant Field Values

STS_APPLIES_TO

public static final String STS_APPLIES_TO
The "AppliesTo" address to send to the STS. The default is the endpoint address of the service provider.

See Also:
Constant Field Values

STS_TOKEN_USE_CERT_FOR_KEYINFO

public static final String STS_TOKEN_USE_CERT_FOR_KEYINFO
Whether to write out an X509Certificate structure in UseKey/KeyInfo, or whether to write out a KeyValue structure. The default value is "false".

See Also:
Constant Field Values

STS_TOKEN_DO_CANCEL

public static final String STS_TOKEN_DO_CANCEL
Whether to cancel a token when using SecureConversation after successful invocation. The default is "false".

See Also:
Constant Field Values

CACHE_ISSUED_TOKEN_IN_ENDPOINT

public static final String CACHE_ISSUED_TOKEN_IN_ENDPOINT
Set this to "false" to not cache a SecurityToken per proxy object in the IssuedTokenInterceptorProvider. This should be done if a token is being retrieved from an STS in an intermediary. The default value is "true".

See Also:
Constant Field Values

DISABLE_STS_CLIENT_WSMEX_CALL_USING_EPR_ADDRESS

public static final String DISABLE_STS_CLIENT_WSMEX_CALL_USING_EPR_ADDRESS
Whether to prevent the STS client from sending a WS-MetadataExchange call to the STS EPR WS-Addressing address when the endpoint contract contains no WS-MetadataExchange information. The default value is "false".

See Also:
Constant Field Values

STS_CLIENT_SOAP12_BINDING

public static final String STS_CLIENT_SOAP12_BINDING
Switch the STS client to send SOAP 1.2 messages.

See Also:
Constant Field Values

STS_TOKEN_CRYPTO

public static final String STS_TOKEN_CRYPTO
A Crypto object to be used for the STS. If this is not defined then the STS_TOKEN_PROPERTIES is used instead. WCF's trust server sometimes encrypts the token in the response IN ADDITION TO the full security on the message. These properties control the way the STS client will decrypt the EncryptedData elements in the response. They are also used by the STSClient to send/process any RSA/DSAKeyValue tokens used if the KeyType is "PublicKey".

See Also:
Constant Field Values

STS_TOKEN_PROPERTIES

public static final String STS_TOKEN_PROPERTIES
The Crypto property configuration to use for the STS, if STS_TOKEN_CRYPTO is not set instead. The value of this tag must be either:
a) A Java Properties object that contains the Crypto configuration.
b) The path of the Crypto property file that contains the Crypto configuration.
c) A URL that points to the Crypto property file that contains the Crypto configuration.

See Also:
Constant Field Values

STS_TOKEN_USERNAME

public static final String STS_TOKEN_USERNAME
The alias name in the keystore to get the user's public key to send to the STS for the PublicKey KeyType case.

See Also:
Constant Field Values

STS_TOKEN_ACT_AS

public static final String STS_TOKEN_ACT_AS
The token to be sent to the STS in an "ActAs" field. It can be either:
a) A String (which must be an XML statement like "...")
b) A DOM Element
c) A CallbackHandler object to use to obtain the token
In the case of a CallbackHandler, it must be able to handle a org.apache.cxf.ws.security.trust.delegation.DelegationCallback Object, which contains a reference to the current Message. The CallbackHandler implementation is required to set the token Element to be sent in the request on the Callback. Some examples that can be reused are:
org.apache.cxf.ws.security.trust.delegation.ReceivedTokenCallbackHandler
org.apache.cxf.ws.security.trust.delegation.WSSUsernameCallbackHandler

See Also:
Constant Field Values

STS_TOKEN_ON_BEHALF_OF

public static final String STS_TOKEN_ON_BEHALF_OF
The token to be sent to the STS in an "OnBehalfOf" field. It can be either:
a) A String (which must be an XML statement like "...")
b) A DOM Element
c) A CallbackHandler object to use to obtain the token
In the case of a CallbackHandler, it must be able to handle a org.apache.cxf.ws.security.trust.delegation.DelegationCallback Object, which contains a reference to the current Message. The CallbackHandler implementation is required to set the token Element to be sent in the request on the Callback. Some examples that can be reused are:
org.apache.cxf.ws.security.trust.delegation.ReceivedTokenCallbackHandler
org.apache.cxf.ws.security.trust.delegation.WSSUsernameCallbackHandler

See Also:
Constant Field Values

MUST_UNDERSTAND

public static final String MUST_UNDERSTAND
Set this to "false" in order to remove the SOAP mustUnderstand header from security headers generated based on a WS-SecurityPolicy. The default value is "true", which includes the SOAP mustUnderstand header.

See Also:
Constant Field Values

SC_FROM_JAAS_SUBJECT

public static final String SC_FROM_JAAS_SUBJECT
Set this to "false" if a security context must not be created from the JAAS Subject. The default value is "true".

See Also:
Constant Field Values

TOKEN

public static final String TOKEN
See Also:
Constant Field Values

TOKEN_ID

public static final String TOKEN_ID
See Also:
Constant Field Values

ALL_PROPERTIES

public static final Set<String> ALL_PROPERTIES
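The following is an added example, not CXF's own code, that wires the tags documented above into a hardened service-provider property map and a client request context: a CallbackHandler for CALLBACK_HANDLER, Merlin configuration passed as a java.util.Properties object (option a) of SIGNATURE_PROPERTIES / ENCRYPT_PROPERTIES), and the trust, TTL and replay-cache settings tightened from their defaults. It assumes WSS4J 2.x class and property names (org.apache.wss4j.common.ext.WSPasswordCallback, org.apache.wss4j.crypto.merlin.*); the keystore names, aliases, environment variables and subject DN pattern are constructed placeholders.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.xml.ws.BindingProvider;

import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.wss4j.common.ext.WSPasswordCallback;   // assumption: WSS4J 2.x

/** Example configuration helper (not part of CXF) built from the SecurityConstants tags. */
public final class HardenedSecurityConfig {

    /** Supplies key passwords for signature/decryption and the UsernameToken password.
     *  Passed as an instance via CALLBACK_HANDLER (option b). */
    public static final class KeystorePasswordCallback implements CallbackHandler {
        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (!(cb instanceof WSPasswordCallback)) {
                    throw new UnsupportedCallbackException(cb);
                }
                WSPasswordCallback pwcb = (WSPasswordCallback) cb;
                switch (pwcb.getUsage()) {
                case WSPasswordCallback.SIGNATURE:
                case WSPasswordCallback.DECRYPT:
                    // Private-key password from the environment (placeholder variable), never a literal.
                    pwcb.setPassword(System.getenv("SERVICE_KEY_PASSWORD"));
                    break;
                case WSPasswordCallback.USERNAME_TOKEN:
                    pwcb.setPassword(System.getenv("CLIENT_UT_PASSWORD"));
                    break;
                default:
                    throw new UnsupportedCallbackException(cb, "unexpected usage " + pwcb.getUsage());
                }
            }
        }
    }

    /** Merlin Crypto configuration as a Properties object; keystore file and alias are placeholders. */
    public static Properties merlinProperties(String keystoreFile, String alias) {
        Properties p = new Properties();
        p.setProperty("org.apache.wss4j.crypto.provider", "org.apache.wss4j.common.crypto.Merlin");
        p.setProperty("org.apache.wss4j.crypto.merlin.keystore.type", "jks");
        p.setProperty("org.apache.wss4j.crypto.merlin.keystore.file", keystoreFile);
        p.setProperty("org.apache.wss4j.crypto.merlin.keystore.alias", alias);
        // Stored in the "ENC(...)" form so the default JasyptPasswordEncryptor decrypts it (see PASSWORD_ENCRYPTOR_INSTANCE).
        p.setProperty("org.apache.wss4j.crypto.merlin.keystore.password", "ENC(<encoded-encrypted-password>)");
        return p;
    }

    /** Inbound (service provider) settings; comments give the default each entry keeps or tightens. */
    public static Map<String, Object> providerProperties() {
        Map<String, Object> props = new HashMap<>();
        props.put(SecurityConstants.CALLBACK_HANDLER, new KeystorePasswordCallback());
        props.put(SecurityConstants.SIGNATURE_PROPERTIES, merlinProperties("service.jks", "service"));
        props.put(SecurityConstants.ENCRYPT_PROPERTIES, merlinProperties("service.jks", "service"));
        // Chain trust alone accepts every certificate under the trusted CA; also pin the subject DN
        // (applied after trust verification; the pattern is written to match the whole DN).
        props.put(SecurityConstants.SUBJECT_CERT_CONSTRAINTS, ".*O=Example Corp,C=US$");
        props.put(SecurityConstants.ENABLE_REVOCATION, "true");            // default "false"
        props.put(SecurityConstants.TIMESTAMP_TTL, "120");                 // default 300 s
        props.put(SecurityConstants.TIMESTAMP_FUTURE_TTL, "30");           // default "60"; "0" rejects all future Created times
        props.put(SecurityConstants.ENABLE_NONCE_CACHE, "true");           // UsernameToken replay protection
        props.put(SecurityConstants.ENABLE_TIMESTAMP_CACHE, "true");       // only effective with a message Signature
        props.put(SecurityConstants.ENABLE_SAML_ONE_TIME_USE_CACHE, "true");
        props.put(SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION, "true");
        // Weak setting to avoid in production: props.put(SecurityConstants.ALWAYS_ENCRYPT_UT, "false");
        // RETURN_SECURITY_ERROR is left at its default "false" so validation details are not echoed to callers.
        return props;
    }

    /** Outbound (client) settings applied to a JAX-WS proxy via its request context. */
    public static void configureClient(Object port) {
        Map<String, Object> ctx = ((BindingProvider) port).getRequestContext();
        ctx.put(SecurityConstants.USERNAME, "alice");                 // UsernameToken name
        ctx.put(SecurityConstants.SIGNATURE_USERNAME, "client-sig");  // client's signing key alias
        ctx.put(SecurityConstants.ENCRYPT_USERNAME, "service");       // service public key alias in client.jks
        ctx.put(SecurityConstants.CALLBACK_HANDLER, new KeystorePasswordCallback());
        ctx.put(SecurityConstants.SIGNATURE_PROPERTIES, merlinProperties("client.jks", "client-sig"));
        ctx.put(SecurityConstants.ENCRYPT_PROPERTIES, merlinProperties("client.jks", "client-sig"));
    }
}
```

The provider map is applied through the endpoint's properties (for example JaxWsServerFactoryBean.setProperties or the jaxws:properties element in Spring configuration).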
