SecurityConstants (Apache CXF JavaDoc 3.1.0 API)

java.lang.Object
- org.apache.cxf.rt.security.SecurityConstants
- - org.apache.cxf.ws.security.SecurityConstants

```
public final class SecurityConstants
extends SecurityConstants
```
Configuration tags used to configure the WS-SecurityPolicy layer. Some of them are also used by the non WS-SecurityPolicy approach in the WSS4J(Out|In)Interceptors.

Field Summary

Fields
Modifier and Type	Field and Description
`static String`	`ACTOR` The actor or role name of the wsse:Security header.
`static Set<String>`	`ALL_PROPERTIES`
`static String`	`ALWAYS_ENCRYPT_UT` Whether to always encrypt UsernameTokens that are defined as a SupportingToken.
`static String`	`ASYMMETRIC_SIGNATURE_ALGORITHM` This configuration tag allows the user to override the default Asymmetric Signature algorithm (RSA-SHA1) for use in WS-SecurityPolicy, as the WS-SecurityPolicy specification does not allow the use of other algorithms at present.
`static String`	`BST_TOKEN_VALIDATOR` The WSS4J Validator instance to use to validate BinarySecurityTokens.
`static String`	`CACHE_CONFIG_FILE` Set this property to point to a configuration file for the underlying caching implementation.
`static String`	`CACHE_IDENTIFIER` The Cache Identifier to use with the TokenStore.
`static String`	`CACHE_ISSUED_TOKEN_IN_ENDPOINT` Set this to "false" to not cache a SecurityToken per proxy object in the IssuedTokenInterceptorProvider.
`static String`	`DELEGATED_CREDENTIAL` A delegated credential to use for WS-Security.
`static String`	`DISABLE_STS_CLIENT_WSMEX_CALL_USING_EPR_ADDRESS` Whether to avoid STS client trying send WS-MetadataExchange call using STS EPR WSA address when the endpoint contract contains no WS-MetadataExchange info.
`static String`	`ENABLE_NONCE_CACHE` Whether to cache UsernameToken nonces.
`static String`	`ENABLE_SAML_ONE_TIME_USE_CACHE` Whether to cache SAML2 Token Identifiers, if the token contains a "OneTimeUse" Condition.
`static String`	`ENABLE_STREAMING_SECURITY` Whether to enable streaming WS-Security.
`static String`	`ENABLE_TIMESTAMP_CACHE` Whether to cache Timestamp Created Strings (these are only cached in conjunction with a message Signature).The default value is "true" for message recipients, and "false" for message initiators.
`static String`	`IS_BSP_COMPLIANT` Whether to ensure compliance with the Basic Security Profile (BSP) 1.1 or not.
`static String`	`KERBEROS_CLIENT` A reference to the KerberosClient class used to obtain a service ticket.
`static String`	`KERBEROS_IS_USERNAME_IN_SERVICENAME_FORM` Whether the Kerberos username is in servicename form or not.
`static String`	`KERBEROS_JAAS_CONTEXT_NAME` The JAAS Context name to use for Kerberos.
`static String`	`KERBEROS_REQUEST_CREDENTIAL_DELEGATION` Whether to request credential delegation or not in the KerberosClient.
`static String`	`KERBEROS_SPN` The Kerberos Service Provider Name (spn) to use.
`static String`	`KERBEROS_USE_CREDENTIAL_DELEGATION` Whether to use credential delegation or not in the KerberosClient.
`static String`	`MUST_UNDERSTAND` Set this to "false" in order to remove the SOAP mustUnderstand header from security headers generated based on a WS-SecurityPolicy.
`static String`	`NONCE_CACHE_INSTANCE` This holds a reference to a ReplayCache instance used to cache UsernameToken nonces.
`static String`	`PASSWORD_ENCRYPTOR_INSTANCE` This holds a reference to a PasswordEncryptor instance, which is used to encrypt or decrypt passwords in the Merlin Crypto implementation (or any custom Crypto implementations).
`static String`	`POLICY_VALIDATOR_MAP` This refers to a Map of QName, SecurityPolicyValidator, which retrieves a SecurityPolicyValidator implementation to validate a particular security policy, based on the QName of the policy.
`static String`	`PREFER_WSMEX_OVER_STS_CLIENT_CONFIG` Whether to prefer to use WS-MEX over a STSClient's location/wsdlLocation properties when making an STS RequestSecurityToken call.
`static String`	`RETURN_SECURITY_ERROR` Whether to return the security error message to the client, and not the default error message.
`static String`	`SAML_ONE_TIME_USE_CACHE_INSTANCE` This holds a reference to a ReplayCache instance used to cache SAML2 Token Identifiers, when the token has a "OneTimeUse" Condition.
`static String`	`SAML1_TOKEN_VALIDATOR` The WSS4J Validator instance to use to validate SAML 1.1 Tokens.
`static String`	`SAML2_TOKEN_VALIDATOR` The WSS4J Validator instance to use to validate SAML 2.0 Tokens.
`static String`	`SCT_TOKEN_VALIDATOR` The WSS4J Validator instance to use to validate SecurityContextTokens.
`static String`	`SIGNATURE_TOKEN_VALIDATOR` The WSS4J Validator instance to use to validate trust in credentials used in Signature verification.
`static String`	`SPNEGO_CLIENT_ACTION` The SpnegoClientAction implementation to use for SPNEGO.
`static String`	`STS_APPLIES_TO` The "AppliesTo" address to send to the STS.
`static String`	`STS_CLIENT` A reference to the STSClient class used to communicate with the STS.
`static String`	`STS_CLIENT_SOAP12_BINDING` Switch STS client to send Soap 1.2 messages
`static String`	`STS_ISSUE_AFTER_FAILED_RENEW` Whether to fall back to calling "issue" after failing to renew an expired token.
`static String`	`STS_TOKEN_ACT_AS` The token to be sent to the STS in an "ActAs" field.
`static String`	`STS_TOKEN_CRYPTO` A Crypto object to be used for the STS.
`static String`	`STS_TOKEN_DO_CANCEL` Whether to cancel a token when using SecureConversation after successful invocation.
`static String`	`STS_TOKEN_IMMINENT_EXPIRY_VALUE` This is the value in seconds within which a token is considered to be expired by the client.
`static String`	`STS_TOKEN_ON_BEHALF_OF` The token to be sent to the STS in an "OnBehalfOf" field.
`static String`	`STS_TOKEN_PROPERTIES` The Crypto property configuration to use for the STS, if `STS_TOKEN_CRYPTO` is not set instead.
`static String`	`STS_TOKEN_USE_CERT_FOR_KEYINFO` Whether to write out an X509Certificate structure in UseKey/KeyInfo, or whether to write out a KeyValue structure.
`static String`	`STS_TOKEN_USERNAME` The alias name in the keystore to get the user's public key to send to the STS for the PublicKey KeyType case.
`static String`	`SUBJECT_ROLE_CLASSIFIER` The Subject Role Classifier to use.
`static String`	`SUBJECT_ROLE_CLASSIFIER_TYPE` The Subject Role Classifier Type to use.
`static String`	`TIMESTAMP_CACHE_INSTANCE` This holds a reference to a ReplayCache instance used to cache Timestamp Created Strings.
`static String`	`TIMESTAMP_FUTURE_TTL` The time in seconds in the future within which the Created time of an incoming Timestamp is valid.
`static String`	`TIMESTAMP_TOKEN_VALIDATOR` The WSS4J Validator instance to use to validate Timestamps.
`static String`	`TIMESTAMP_TTL` The time in seconds to append to the Creation value of an incoming Timestamp to determine whether to accept the Timestamp as valid or not.
`static String`	`TOKEN`
`static String`	`TOKEN_ID`
`static String`	`TOKEN_STORE_CACHE_INSTANCE` The TokenStore instance to use to cache security tokens.
`static String`	`USERNAME_TOKEN_VALIDATOR` The WSS4J Validator instance to use to validate UsernameTokens.
`static String`	`USERNAMETOKEN_FUTURE_TTL` The time in seconds in the future within which the Created time of an incoming UsernameToken is valid.
`static String`	`USERNAMETOKEN_TTL` The time in seconds to append to the Creation value of an incoming UsernameToken to determine whether to accept the UsernameToken as valid or not.
`static String`	`VALIDATE_TOKEN` Whether to validate the password of a received UsernameToken or not.

Method Summary
- Methods inherited from class java.lang.Object
  clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

- Field Detail
  - ACTOR
```
public static final String ACTOR
```
    The actor or role name of the wsse:Security header. If this parameter is omitted, the actor name is not set.
    
    See Also:
    Constant Field Values
  - VALIDATE_TOKEN
```
public static final String VALIDATE_TOKEN
```
    Whether to validate the password of a received UsernameToken or not. The default is true.
    
    See Also:
    Constant Field Values
  - ALWAYS_ENCRYPT_UT
```
public static final String ALWAYS_ENCRYPT_UT
```
    Whether to always encrypt UsernameTokens that are defined as a SupportingToken. The default is true. This should not be set to false in a production environment, as it exposes the password (or the digest of the password) on the wire.
    
    See Also:
    Constant Field Values
  - IS_BSP_COMPLIANT
```
public static final String IS_BSP_COMPLIANT
```
    Whether to ensure compliance with the Basic Security Profile (BSP) 1.1 or not. The default value is "true".
    
    See Also:
    Constant Field Values
  - ENABLE_NONCE_CACHE
```
public static final String ENABLE_NONCE_CACHE
```
    Whether to cache UsernameToken nonces. The default value is "true" for message recipients, and "false" for message initiators. Set it to true to cache for both cases. Set this to "false" to not cache UsernameToken nonces. Note that caching only applies when either a UsernameToken WS-SecurityPolicy is in effect, or else that a UsernameToken action has been configured for the non-security-policy case.
    
    See Also:
    Constant Field Values
  - ENABLE_TIMESTAMP_CACHE
```
public static final String ENABLE_TIMESTAMP_CACHE
```
    Whether to cache Timestamp Created Strings (these are only cached in conjunction with a message Signature).The default value is "true" for message recipients, and "false" for message initiators. Set it to true to cache for both cases. Set this to "false" to not cache Timestamp Created Strings. Note that caching only applies when either a "IncludeTimestamp" policy is in effect, or else that a Timestamp action has been configured for the non-security-policy case.
    
    See Also:
    Constant Field Values
  - ENABLE_STREAMING_SECURITY
```
public static final String ENABLE_STREAMING_SECURITY
```
    Whether to enable streaming WS-Security. If set to false (the default), the old DOM implementation is used. If set to true, the new streaming (StAX) implementation is used.
    
    See Also:
    Constant Field Values
  - RETURN_SECURITY_ERROR
```
public static final String RETURN_SECURITY_ERROR
```
    Whether to return the security error message to the client, and not the default error message. The "real" security errors should not be returned to the client in a deployment scenario, as they may leak information about the deployment, or otherwise provide a "oracle" for attacks. The default is false.
    
    See Also:
    Constant Field Values
  - MUST_UNDERSTAND
```
public static final String MUST_UNDERSTAND
```
    Set this to "false" in order to remove the SOAP mustUnderstand header from security headers generated based on a WS-SecurityPolicy. The default value is "true" which included the SOAP mustUnderstand header.
    
    See Also:
    Constant Field Values
  - ENABLE_SAML_ONE_TIME_USE_CACHE
```
public static final String ENABLE_SAML_ONE_TIME_USE_CACHE
```
    Whether to cache SAML2 Token Identifiers, if the token contains a "OneTimeUse" Condition. The default value is "true" for message recipients, and "false" for message initiators. Set it to true to cache for both cases. Set this to "false" to not cache SAML2 Token Identifiers. Note that caching only applies when either a "SamlToken" policy is in effect, or else that a SAML action has been configured for the non-security-policy case.
    
    See Also:
    Constant Field Values
  - TIMESTAMP_TTL
```
public static final String TIMESTAMP_TTL
```
    The time in seconds to append to the Creation value of an incoming Timestamp to determine whether to accept the Timestamp as valid or not. The default value is 300 seconds (5 minutes).
    
    See Also:
    Constant Field Values
  - TIMESTAMP_FUTURE_TTL
```
public static final String TIMESTAMP_FUTURE_TTL
```
    The time in seconds in the future within which the Created time of an incoming Timestamp is valid. The default value is "60", to avoid problems where clocks are slightly askew. To reject all future-created Timestamps, set this value to "0".
    
    See Also:
    Constant Field Values
  - USERNAMETOKEN_TTL
```
public static final String USERNAMETOKEN_TTL
```
    The time in seconds to append to the Creation value of an incoming UsernameToken to determine whether to accept the UsernameToken as valid or not. The default value is 300 seconds (5 minutes).
    
    See Also:
    Constant Field Values
  - USERNAMETOKEN_FUTURE_TTL
```
public static final String USERNAMETOKEN_FUTURE_TTL
```
    The time in seconds in the future within which the Created time of an incoming UsernameToken is valid. The default value is "60", to avoid problems where clocks are slightly askew. To reject all future-created UsernameTokens, set this value to "0".
    
    See Also:
    Constant Field Values
  - SPNEGO_CLIENT_ACTION
```
public static final String SPNEGO_CLIENT_ACTION
```
    The SpnegoClientAction implementation to use for SPNEGO. This allows the user to plug in a different implementation to obtain a service ticket.
    
    See Also:
    Constant Field Values
  - NONCE_CACHE_INSTANCE
```
public static final String NONCE_CACHE_INSTANCE
```
    This holds a reference to a ReplayCache instance used to cache UsernameToken nonces. The default instance that is used is the EHCacheReplayCache.
    
    See Also:
    Constant Field Values
  - TIMESTAMP_CACHE_INSTANCE
```
public static final String TIMESTAMP_CACHE_INSTANCE
```
    This holds a reference to a ReplayCache instance used to cache Timestamp Created Strings. The default instance that is used is the EHCacheReplayCache.
    
    See Also:
    Constant Field Values
  - SAML_ONE_TIME_USE_CACHE_INSTANCE
```
public static final String SAML_ONE_TIME_USE_CACHE_INSTANCE
```
    This holds a reference to a ReplayCache instance used to cache SAML2 Token Identifiers, when the token has a "OneTimeUse" Condition. The default instance that is used is the EHCacheReplayCache.
    
    See Also:
    Constant Field Values
  - CACHE_CONFIG_FILE
```
public static final String CACHE_CONFIG_FILE
```
    Set this property to point to a configuration file for the underlying caching implementation. The default configuration file that is used is cxf-ehcache.xml in this module.
    
    See Also:
    Constant Field Values
  - TOKEN_STORE_CACHE_INSTANCE
```
public static final String TOKEN_STORE_CACHE_INSTANCE
```
    The TokenStore instance to use to cache security tokens. By default this uses the EHCacheTokenStore if EhCache is available. Otherwise it uses the MemoryTokenStore.
    
    See Also:
    Constant Field Values
  - CACHE_IDENTIFIER
```
public static final String CACHE_IDENTIFIER
```
    The Cache Identifier to use with the TokenStore. CXF uses the following key to retrieve a token store: "org.apache.cxf.ws.security.tokenstore.TokenStore-". This key can be used to configure service-specific cache configuration. If the identifier does not match, then it falls back to a cache configuration with key "org.apache.cxf.ws.security.tokenstore.TokenStore". The default "" is the QName of the service in question. However to pick up a custom cache configuration (for example, if you want to specify a TokenStore per-client proxy), it can be configured with this identifier instead.
    
    See Also:
    Constant Field Values
  - SUBJECT_ROLE_CLASSIFIER
```
public static final String SUBJECT_ROLE_CLASSIFIER
```
    The Subject Role Classifier to use. If one of the WSS4J Validators returns a JAAS Subject from Validation, then the WSS4JInInterceptor will attempt to create a SecurityContext based on this Subject. If this value is not specified, then it tries to get roles using the DefaultSecurityContext in cxf-rt-core. Otherwise it uses this value in combination with the SUBJECT_ROLE_CLASSIFIER_TYPE to get the roles from the Subject.
    
    See Also:
    Constant Field Values
  - SUBJECT_ROLE_CLASSIFIER_TYPE
```
public static final String SUBJECT_ROLE_CLASSIFIER_TYPE
```
    The Subject Role Classifier Type to use. If one of the WSS4J Validators returns a JAAS Subject from Validation, then the WSS4JInInterceptor will attempt to create a SecurityContext based on this Subject. Currently accepted values are "prefix" or "classname". Must be used in conjunction with the SUBJECT_ROLE_CLASSIFIER. The default value is "prefix".
    
    See Also:
    Constant Field Values
  - ASYMMETRIC_SIGNATURE_ALGORITHM
```
public static final String ASYMMETRIC_SIGNATURE_ALGORITHM
```
    This configuration tag allows the user to override the default Asymmetric Signature algorithm (RSA-SHA1) for use in WS-SecurityPolicy, as the WS-SecurityPolicy specification does not allow the use of other algorithms at present.
    
    See Also:
    Constant Field Values
  - PASSWORD_ENCRYPTOR_INSTANCE
```
public static final String PASSWORD_ENCRYPTOR_INSTANCE
```
    This holds a reference to a PasswordEncryptor instance, which is used to encrypt or decrypt passwords in the Merlin Crypto implementation (or any custom Crypto implementations). By default, WSS4J uses the JasyptPasswordEncryptor, which must be instantiated with a master password to use to decrypt keystore passwords in the Merlin Crypto properties file. This master password is obtained via the CallbackHandler defined via PW_CALLBACK_CLASS or PW_CALLBACK_REF. The encrypted passwords must be stored in the format "ENC(encoded encrypted password)".
    
    See Also:
    Constant Field Values
  - DELEGATED_CREDENTIAL
```
public static final String DELEGATED_CREDENTIAL
```
    A delegated credential to use for WS-Security. Currently only a Kerberos GSSCredential Object is supported. This is used to retrieve a service ticket instead of using the client credentials.
    
    See Also:
    Constant Field Values
  - USERNAME_TOKEN_VALIDATOR
```
public static final String USERNAME_TOKEN_VALIDATOR
```
    The WSS4J Validator instance to use to validate UsernameTokens. The default value is the UsernameTokenValidator.
    
    See Also:
    Constant Field Values
  - SAML1_TOKEN_VALIDATOR
```
public static final String SAML1_TOKEN_VALIDATOR
```
    The WSS4J Validator instance to use to validate SAML 1.1 Tokens. The default value is the SamlAssertionValidator.
    
    See Also:
    Constant Field Values
  - SAML2_TOKEN_VALIDATOR
```
public static final String SAML2_TOKEN_VALIDATOR
```
    The WSS4J Validator instance to use to validate SAML 2.0 Tokens. The default value is the SamlAssertionValidator.
    
    See Also:
    Constant Field Values
  - TIMESTAMP_TOKEN_VALIDATOR
```
public static final String TIMESTAMP_TOKEN_VALIDATOR
```
    The WSS4J Validator instance to use to validate Timestamps. The default value is the TimestampValidator.
    
    See Also:
    Constant Field Values
  - SIGNATURE_TOKEN_VALIDATOR
```
public static final String SIGNATURE_TOKEN_VALIDATOR
```
    The WSS4J Validator instance to use to validate trust in credentials used in Signature verification. The default value is the SignatureTrustValidator.
    
    See Also:
    Constant Field Values
  - BST_TOKEN_VALIDATOR
```
public static final String BST_TOKEN_VALIDATOR
```
    The WSS4J Validator instance to use to validate BinarySecurityTokens. The default value is the NoOpValidator.
    
    See Also:
    Constant Field Values
  - SCT_TOKEN_VALIDATOR
```
public static final String SCT_TOKEN_VALIDATOR
```
    The WSS4J Validator instance to use to validate SecurityContextTokens. The default value is the NoOpValidator.
    
    See Also:
    Constant Field Values
  - POLICY_VALIDATOR_MAP
```
public static final String POLICY_VALIDATOR_MAP
```
    This refers to a Map of QName, SecurityPolicyValidator, which retrieves a SecurityPolicyValidator implementation to validate a particular security policy, based on the QName of the policy. Any SecurityPolicyValidator implementation defined in this map will override the default value used internally for the corresponding QName.
    
    See Also:
    Constant Field Values
  - STS_CLIENT
```
public static final String STS_CLIENT
```
    A reference to the STSClient class used to communicate with the STS.
    
    See Also:
    Constant Field Values
  - STS_APPLIES_TO
```
public static final String STS_APPLIES_TO
```
    The "AppliesTo" address to send to the STS. The default is the endpoint address of the service provider.
    
    See Also:
    Constant Field Values
  - STS_TOKEN_USE_CERT_FOR_KEYINFO
```
public static final String STS_TOKEN_USE_CERT_FOR_KEYINFO
```
    Whether to write out an X509Certificate structure in UseKey/KeyInfo, or whether to write out a KeyValue structure. The default value is "false".
    
    See Also:
    Constant Field Values
  - STS_TOKEN_DO_CANCEL
```
public static final String STS_TOKEN_DO_CANCEL
```
    Whether to cancel a token when using SecureConversation after successful invocation. The default is "false".
    
    See Also:
    Constant Field Values
  - STS_ISSUE_AFTER_FAILED_RENEW
```
public static final String STS_ISSUE_AFTER_FAILED_RENEW
```
    Whether to fall back to calling "issue" after failing to renew an expired token. Some STSs do not support the renew binding, and so we should just issue a new token after expiry. The default is true.
    
    See Also:
    Constant Field Values
  - CACHE_ISSUED_TOKEN_IN_ENDPOINT
```
public static final String CACHE_ISSUED_TOKEN_IN_ENDPOINT
```
    Set this to "false" to not cache a SecurityToken per proxy object in the IssuedTokenInterceptorProvider. This should be done if a token is being retrieved from an STS in an intermediary. The default value is "true".
    
    See Also:
    Constant Field Values
  - DISABLE_STS_CLIENT_WSMEX_CALL_USING_EPR_ADDRESS
```
public static final String DISABLE_STS_CLIENT_WSMEX_CALL_USING_EPR_ADDRESS
```
    Whether to avoid STS client trying send WS-MetadataExchange call using STS EPR WSA address when the endpoint contract contains no WS-MetadataExchange info. The default value is "false".
    
    See Also:
    Constant Field Values
  - PREFER_WSMEX_OVER_STS_CLIENT_CONFIG
```
public static final String PREFER_WSMEX_OVER_STS_CLIENT_CONFIG
```
    Whether to prefer to use WS-MEX over a STSClient's location/wsdlLocation properties when making an STS RequestSecurityToken call. This can be set to true for the scenario of making a WS-MEX call to an initial STS, and using the returned token to make another call to an STS (which is configured using the STSClient configuration). Default is "false".
    
    See Also:
    Constant Field Values
  - STS_CLIENT_SOAP12_BINDING
```
public static final String STS_CLIENT_SOAP12_BINDING
```
    Switch STS client to send Soap 1.2 messages
    
    See Also:
    Constant Field Values
  - STS_TOKEN_CRYPTO
```
public static final String STS_TOKEN_CRYPTO
```
    A Crypto object to be used for the STS. If this is not defined then the STS_TOKEN_PROPERTIES is used instead. WCF's trust server sometimes will encrypt the token in the response IN ADDITION TO the full security on the message. These properties control the way the STS client will decrypt the EncryptedData elements in the response. These are also used by the STSClient to send/process any RSA/DSAKeyValue tokens used if the KeyType is "PublicKey"
    
    See Also:
    Constant Field Values
  - STS_TOKEN_PROPERTIES
```
public static final String STS_TOKEN_PROPERTIES
```
    The Crypto property configuration to use for the STS, if STS_TOKEN_CRYPTO is not set instead. The value of this tag must be either: a) A Java Properties object that contains the Crypto configuration. b) The path of the Crypto property file that contains the Crypto configuration. c) A URL that points to the Crypto property file that contains the Crypto configuration.
    
    See Also:
    Constant Field Values
  - STS_TOKEN_USERNAME
```
public static final String STS_TOKEN_USERNAME
```
    The alias name in the keystore to get the user's public key to send to the STS for the PublicKey KeyType case.
    
    See Also:
    Constant Field Values
  - STS_TOKEN_ACT_AS
```
public static final String STS_TOKEN_ACT_AS
```
    The token to be sent to the STS in an "ActAs" field. It can be either: a) A String (which must be an XML statement like "...") b) A DOM Element c) A CallbackHandler object to use to obtain the token In the case of a CallbackHandler, it must be able to handle a org.apache.cxf.ws.security.trust.delegation.DelegationCallback Object, which contains a reference to the current Message. The CallbackHandler implementation is required to set the token Element to be sent in the request on the Callback. Some examples that can be reused are: org.apache.cxf.ws.security.trust.delegation.ReceivedTokenCallbackHandler org.apache.cxf.ws.security.trust.delegation.WSSUsernameCallbackHandler
    
    See Also:
    Constant Field Values
  - STS_TOKEN_ON_BEHALF_OF
```
public static final String STS_TOKEN_ON_BEHALF_OF
```
    The token to be sent to the STS in an "OnBehalfOf" field. It can be either: a) A String (which must be an XML statement like "...") b) A DOM Element c) A CallbackHandler object to use to obtain the token In the case of a CallbackHandler, it must be able to handle a org.apache.cxf.ws.security.trust.delegation.DelegationCallback Object, which contains a reference to the current Message. The CallbackHandler implementation is required to set the token Element to be sent in the request on the Callback. Some examples that can be reused are: org.apache.cxf.ws.security.trust.delegation.ReceivedTokenCallbackHandler org.apache.cxf.ws.security.trust.delegation.WSSUsernameCallbackHandler
    
    See Also:
    Constant Field Values
  - STS_TOKEN_IMMINENT_EXPIRY_VALUE
```
public static final String STS_TOKEN_IMMINENT_EXPIRY_VALUE
```
    This is the value in seconds within which a token is considered to be expired by the client. When a cached token (from a STS) is retrieved by the client, it is considered to be expired if it will expire in a time less than the value specified by this tag. This prevents token expiry when the message is en route / being processed by the service. When the token is found to be expired then it will be renewed via the STS. The default value is 10 (seconds). Specify 0 to avoid this check.
    
    See Also:
    Constant Field Values
  - KERBEROS_REQUEST_CREDENTIAL_DELEGATION
```
public static final String KERBEROS_REQUEST_CREDENTIAL_DELEGATION
```
    Whether to request credential delegation or not in the KerberosClient. If this is set to "true", then it tries to get a kerberos service ticket that can be used for delegation. The default is "false".
    
    See Also:
    Constant Field Values
  - KERBEROS_USE_CREDENTIAL_DELEGATION
```
public static final String KERBEROS_USE_CREDENTIAL_DELEGATION
```
    Whether to use credential delegation or not in the KerberosClient. If this is set to "true", then it tries to get a GSSCredential Object from the Message Context using the DELEGATED_CREDENTIAL configuration tag below, and then use this to obtain a service ticket. The default is "false".
    
    See Also:
    Constant Field Values
  - KERBEROS_IS_USERNAME_IN_SERVICENAME_FORM
```
public static final String KERBEROS_IS_USERNAME_IN_SERVICENAME_FORM
```
    Whether the Kerberos username is in servicename form or not. The default is "false".
    
    See Also:
    Constant Field Values
  - KERBEROS_JAAS_CONTEXT_NAME
```
public static final String KERBEROS_JAAS_CONTEXT_NAME
```
    The JAAS Context name to use for Kerberos.
    
    See Also:
    Constant Field Values
  - KERBEROS_SPN
```
public static final String KERBEROS_SPN
```
    The Kerberos Service Provider Name (spn) to use.
    
    See Also:
    Constant Field Values
  - KERBEROS_CLIENT
```
public static final String KERBEROS_CLIENT
```
    A reference to the KerberosClient class used to obtain a service ticket.
    
    See Also:
    Constant Field Values
  - TOKEN
```
public static final String TOKEN
```
    See Also:
    Constant Field Values
  - TOKEN_ID
```
public static final String TOKEN_ID
```
    See Also:
    Constant Field Values
  - ALL_PROPERTIES
```
public static final Set<String> ALL_PROPERTIES
```

Class SecurityConstants

Field Summary

Fields inherited from class org.apache.cxf.rt.security.SecurityConstants

Method Summary

Methods inherited from class java.lang.Object

Field Detail

ACTOR

VALIDATE_TOKEN

ALWAYS_ENCRYPT_UT

IS_BSP_COMPLIANT

ENABLE_NONCE_CACHE

ENABLE_TIMESTAMP_CACHE

ENABLE_STREAMING_SECURITY

RETURN_SECURITY_ERROR

MUST_UNDERSTAND

ENABLE_SAML_ONE_TIME_USE_CACHE

TIMESTAMP_TTL

TIMESTAMP_FUTURE_TTL

USERNAMETOKEN_TTL

USERNAMETOKEN_FUTURE_TTL

SPNEGO_CLIENT_ACTION

NONCE_CACHE_INSTANCE

TIMESTAMP_CACHE_INSTANCE

SAML_ONE_TIME_USE_CACHE_INSTANCE

CACHE_CONFIG_FILE

TOKEN_STORE_CACHE_INSTANCE

CACHE_IDENTIFIER

SUBJECT_ROLE_CLASSIFIER

SUBJECT_ROLE_CLASSIFIER_TYPE

ASYMMETRIC_SIGNATURE_ALGORITHM

PASSWORD_ENCRYPTOR_INSTANCE

DELEGATED_CREDENTIAL

USERNAME_TOKEN_VALIDATOR

SAML1_TOKEN_VALIDATOR

SAML2_TOKEN_VALIDATOR

TIMESTAMP_TOKEN_VALIDATOR

SIGNATURE_TOKEN_VALIDATOR

BST_TOKEN_VALIDATOR

SCT_TOKEN_VALIDATOR

POLICY_VALIDATOR_MAP

STS_CLIENT

STS_APPLIES_TO

STS_TOKEN_USE_CERT_FOR_KEYINFO

STS_TOKEN_DO_CANCEL

STS_ISSUE_AFTER_FAILED_RENEW

CACHE_ISSUED_TOKEN_IN_ENDPOINT

DISABLE_STS_CLIENT_WSMEX_CALL_USING_EPR_ADDRESS

PREFER_WSMEX_OVER_STS_CLIENT_CONFIG

STS_CLIENT_SOAP12_BINDING

STS_TOKEN_CRYPTO

STS_TOKEN_PROPERTIES

STS_TOKEN_USERNAME

STS_TOKEN_ACT_AS

STS_TOKEN_ON_BEHALF_OF

STS_TOKEN_IMMINENT_EXPIRY_VALUE

KERBEROS_REQUEST_CREDENTIAL_DELEGATION

KERBEROS_USE_CREDENTIAL_DELEGATION

KERBEROS_IS_USERNAME_IN_SERVICENAME_FORM

KERBEROS_JAAS_CONTEXT_NAME

KERBEROS_SPN

KERBEROS_CLIENT

TOKEN

TOKEN_ID

ALL_PROPERTIES