SecurityConstants (Apache CXF JavaDoc 3.5.0 API)

java.lang.Object
- org.apache.cxf.rt.security.SecurityConstants

Direct Known Subclasses:

SecurityConstants
```
public class SecurityConstants
extends Object
```
This class contains some configuration tags that can be used to configure various security properties. These tags are shared between the SOAP stack (WS-SecurityPolicy configuration), as well as the REST stack (JAX-RS XML Security). The configuration tags largely relate to properties for signing, encryption as well as SAML tokens. Most of the signing/encryption tags refer to Apache WSS4J "Crypto" objects, which are used by both stacks to control how certificates/keys are retrieved, etc. More specific configuration tags for WS-SecurityPolicy are configured in the SecurityConstants class in the cxf-rt-ws-security module, which extends this class.

Field Summary

Fields
Modifier and Type	Field and Description
`static String`	`AUDIENCE_RESTRICTION_VALIDATION` Enable SAML AudienceRestriction validation.
`static String`	`AUDIENCE_RESTRICTIONS` This property contains a comma separated String corresponding to a list of audience restriction URIs.
`static String`	`CACHE_ISSUED_TOKEN_IN_ENDPOINT` Set this to "false" to not cache a SecurityToken per proxy object in the IssuedTokenInterceptorProvider.
`static String`	`CALLBACK_HANDLER` The CallbackHandler implementation class used to obtain passwords, for both outbound and inbound requests.
`static String`	`CERT_CONSTRAINTS_SEPARATOR` The separator that is used to parse certificate constraints configured in the SUBJECT_CERT_CONSTRAINTS tag.
`static Set<String>`	`COMMON_PROPERTIES`
`static String`	`DISABLE_STS_CLIENT_WSMEX_CALL_USING_EPR_ADDRESS` Whether to avoid STS client trying send WS-MetadataExchange call using STS EPR WSA address when the endpoint contract contains no WS-MetadataExchange info.
`static String`	`ENABLE_REVOCATION` Whether to enable Certificate Revocation List (CRL) checking or not when verifying trust in a certificate.
`static String`	`ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL` Whether to allow unsigned saml assertions as SecurityContext Principals.
`static String`	`ENABLE_UT_NOPASSWORD_PRINCIPAL` Whether to allow UsernameTokens with no password to be used as SecurityContext Principals.
`static String`	`ENCRYPT_CERT` A message property for prepared X509 certificate to be used for encryption.
`static String`	`ENCRYPT_CRYPTO` A Crypto object to be used for encryption.
`static String`	`ENCRYPT_PROPERTIES` The Crypto property configuration to use for encryption, if `ENCRYPT_CRYPTO` is not set instead.
`static String`	`ENCRYPT_USERNAME` The user's name for encryption.
`static String`	`PASSWORD` The user's password when a `CALLBACK_HANDLER` is not defined.
`static String`	`PREFER_WSMEX_OVER_STS_CLIENT_CONFIG` Whether to prefer to use WS-MEX over a STSClient's location/wsdlLocation properties when making an STS RequestSecurityToken call.
`static String`	`SAML_CALLBACK_HANDLER` The SAML CallbackHandler implementation class used to construct SAML Assertions.
`static String`	`SAML_ROLE_ATTRIBUTENAME` The attribute URI of the SAML AttributeStatement where the role information is stored.
`static String`	`SC_FROM_JAAS_SUBJECT` Set this to "false" if security context must not be created from JAAS Subject.
`static String`	`SIGNATURE_CRYPTO` A Crypto object to be used for signature.
`static String`	`SIGNATURE_PASSWORD` The user's password for signature when a `CALLBACK_HANDLER` is not defined.
`static String`	`SIGNATURE_PROPERTIES` The Crypto property configuration to use for signature, if `SIGNATURE_CRYPTO` is not set instead.
`static String`	`SIGNATURE_USERNAME` The user's name for signature.
`static String`	`STS_APPLIES_TO` The "AppliesTo" address to send to the STS.
`static String`	`STS_CHECK_FOR_RECURSIVE_CALL` Check that we are not invoking on the STS using its own IssuedToken policy - in which case we will end up with a recursive loop.
`static String`	`STS_CLIENT` A reference to the STSClient class used to communicate with the STS.
`static String`	`STS_CLIENT_SOAP12_BINDING` Switch STS client to send Soap 1.2 messages
`static String`	`STS_ISSUE_AFTER_FAILED_RENEW` Whether to fall back to calling "issue" after failing to renew an expired token.
`static String`	`STS_TOKEN_ACT_AS` The token to be sent to the STS in an "ActAs" field.
`static String`	`STS_TOKEN_CACHER_IMPL` An implementation of the STSTokenCacher interface, if you want to plug in custom caching behaviour for STS clients.
`static String`	`STS_TOKEN_CRYPTO` A Crypto object to be used for the STS.
`static String`	`STS_TOKEN_DO_CANCEL` Whether to cancel a token when using SecureConversation after successful invocation.
`static String`	`STS_TOKEN_IMMINENT_EXPIRY_VALUE` This is the value in seconds within which a token is considered to be expired by the client.
`static String`	`STS_TOKEN_ON_BEHALF_OF` The token to be sent to the STS in an "OnBehalfOf" field.
`static String`	`STS_TOKEN_PROPERTIES` The Crypto property configuration to use for the STS, if `STS_TOKEN_CRYPTO` is not set instead.
`static String`	`STS_TOKEN_USE_CERT_FOR_KEYINFO` Whether to write out an X509Certificate structure in UseKey/KeyInfo, or whether to write out a KeyValue structure.
`static String`	`STS_TOKEN_USERNAME` The alias name in the keystore to get the user's public key to send to the STS for the PublicKey KeyType case.
`static String`	`SUBJECT_CERT_CONSTRAINTS` A String of regular expressions (separated by the value specified for CERT_CONSTRAINTS_SEPARATOR) which will be applied to the subject DN of the certificate used for signature validation, after trust verification of the certificate chain associated with the certificate.
`static String`	`USERNAME` The user's name.
`static String`	`VALIDATE_SAML_SUBJECT_CONFIRMATION` Whether to validate the SubjectConfirmation requirements of a received SAML Token (sender-vouches or holder-of-key).

Constructor Summary

Constructors
Modifier Constructor and Description

protected SecurityConstants()

Constructors
Modifier	Constructor and Description
`protected`	`SecurityConstants()`

Method Summary
- Methods inherited from class java.lang.Object
  clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

- Field Detail
  - USERNAME
```
public static final String USERNAME
```
    The user's name. It is used as follows: a) As the name in the UsernameToken for WS-Security. b) As the alias name in the keystore to get the user's cert and private key for signature if SIGNATURE_USERNAME is not set. c) As the alias name in the keystore to get the user's public key for encryption if ENCRYPT_USERNAME is not set.
    
    See Also:
    
    Constant Field Values
  - PASSWORD
```
public static final String PASSWORD
```
    The user's password when a CALLBACK_HANDLER is not defined. This is only used for the password in a WS-Security UsernameToken.
    
    See Also:
    
    Constant Field Values
  - SIGNATURE_USERNAME
```
public static final String SIGNATURE_USERNAME
```
    The user's name for signature. It is used as the alias name in the keystore to get the user's cert and private key for signature. If this is not defined, then USERNAME is used instead. If that is also not specified, it uses the the default alias set in the properties file referenced by SIGNATURE_PROPERTIES. If that's also not set, and the keystore only contains a single key, that key will be used.
    
    See Also:
    
    Constant Field Values
  - SIGNATURE_PASSWORD
```
public static final String SIGNATURE_PASSWORD
```
    The user's password for signature when a CALLBACK_HANDLER is not defined.
    
    See Also:
    
    Constant Field Values
  - ENCRYPT_USERNAME
```
public static final String ENCRYPT_USERNAME
```
    The user's name for encryption. It is used as the alias name in the keystore to get the user's public key for encryption. If this is not defined, then USERNAME is used instead. If that is also not specified, it uses the the default alias set in the properties file referenced by ENCRYPT_PROPERTIES. If that's also not set, and the keystore only contains a single key, that key will be used. For the WS-Security web service provider, the "useReqSigCert" keyword can be used to accept (encrypt to) any client whose public key is in the service's truststore (defined in ENCRYPT_PROPERTIES).
    
    See Also:
    
    Constant Field Values
  - CALLBACK_HANDLER
```
public static final String CALLBACK_HANDLER
```
    The CallbackHandler implementation class used to obtain passwords, for both outbound and inbound requests. The value of this tag must be either: a) The class name of a CallbackHandler instance, which must be accessible via the classpath. b) A CallbackHandler instance.
    
    See Also:
    
    Constant Field Values
  - SAML_CALLBACK_HANDLER
```
public static final String SAML_CALLBACK_HANDLER
```
    The SAML CallbackHandler implementation class used to construct SAML Assertions. The value of this tag must be either: a) The class name of a CallbackHandler instance, which must be accessible via the classpath. b) A CallbackHandler instance.
    
    See Also:
    
    Constant Field Values
  - SIGNATURE_PROPERTIES
```
public static final String SIGNATURE_PROPERTIES
```
    The Crypto property configuration to use for signature, if SIGNATURE_CRYPTO is not set instead. The value of this tag must be either: a) A Java Properties object that contains the Crypto configuration. b) The path of the Crypto property file that contains the Crypto configuration. c) A URL that points to the Crypto property file that contains the Crypto configuration.
    
    See Also:
    
    Constant Field Values
  - ENCRYPT_PROPERTIES
```
public static final String ENCRYPT_PROPERTIES
```
    The Crypto property configuration to use for encryption, if ENCRYPT_CRYPTO is not set instead. The value of this tag must be either: a) A Java Properties object that contains the Crypto configuration. b) The path of the Crypto property file that contains the Crypto configuration. c) A URL that points to the Crypto property file that contains the Crypto configuration.
    
    See Also:
    
    Constant Field Values
  - SIGNATURE_CRYPTO
```
public static final String SIGNATURE_CRYPTO
```
    A Crypto object to be used for signature. If this is not defined then the SIGNATURE_PROPERTIES is used instead.
    
    See Also:
    
    Constant Field Values
  - ENCRYPT_CRYPTO
```
public static final String ENCRYPT_CRYPTO
```
    A Crypto object to be used for encryption. If this is not defined then the ENCRYPT_PROPERTIES is used instead.
    
    See Also:
    
    Constant Field Values
  - ENCRYPT_CERT
```
public static final String ENCRYPT_CERT
```
    A message property for prepared X509 certificate to be used for encryption. If this is not defined, then the certificate will be either loaded from the keystore ENCRYPT_PROPERTIES or extracted from request (when WS-Security is used and if ENCRYPT_USERNAME has value "useReqSigCert").
    
    See Also:
    
    Constant Field Values
  - ENABLE_REVOCATION
```
public static final String ENABLE_REVOCATION
```
    Whether to enable Certificate Revocation List (CRL) checking or not when verifying trust in a certificate. The default value is "false".
    
    See Also:
    
    Constant Field Values
  - ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL
```
public static final String ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL
```
    Whether to allow unsigned saml assertions as SecurityContext Principals. The default is false. Note that "unsigned" refers to an internal signature. Even if the token is signed by an external signature (as per the "sender-vouches" requirement), this boolean must still be configured if you want to use the token to set up the security context.
    
    See Also:
    
    Constant Field Values
  - ENABLE_UT_NOPASSWORD_PRINCIPAL
```
public static final String ENABLE_UT_NOPASSWORD_PRINCIPAL
```
    Whether to allow UsernameTokens with no password to be used as SecurityContext Principals. The default is false.
    
    See Also:
    
    Constant Field Values
  - VALIDATE_SAML_SUBJECT_CONFIRMATION
```
public static final String VALIDATE_SAML_SUBJECT_CONFIRMATION
```
    Whether to validate the SubjectConfirmation requirements of a received SAML Token (sender-vouches or holder-of-key). The default is true.
    
    See Also:
    
    Constant Field Values
  - SC_FROM_JAAS_SUBJECT
```
public static final String SC_FROM_JAAS_SUBJECT
```
    Set this to "false" if security context must not be created from JAAS Subject. The default value is "true".
    
    See Also:
    
    Constant Field Values
  - AUDIENCE_RESTRICTION_VALIDATION
```
public static final String AUDIENCE_RESTRICTION_VALIDATION
```
    Enable SAML AudienceRestriction validation. If this is set to "true", then IF the SAML Token contains Audience Restriction URIs, one of them must match one of the values of the AUDIENCE_RESTRICTIONS property. The default is "true" for SOAP services, "false" for REST services.
    
    See Also:
    
    Constant Field Values
  - SAML_ROLE_ATTRIBUTENAME
```
public static final String SAML_ROLE_ATTRIBUTENAME
```
    The attribute URI of the SAML AttributeStatement where the role information is stored. The default is "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role".
    
    See Also:
    
    Constant Field Values
  - SUBJECT_CERT_CONSTRAINTS
```
public static final String SUBJECT_CERT_CONSTRAINTS
```
    A String of regular expressions (separated by the value specified for CERT_CONSTRAINTS_SEPARATOR) which will be applied to the subject DN of the certificate used for signature validation, after trust verification of the certificate chain associated with the certificate.
    
    See Also:
    
    Constant Field Values
  - CERT_CONSTRAINTS_SEPARATOR
```
public static final String CERT_CONSTRAINTS_SEPARATOR
```
    The separator that is used to parse certificate constraints configured in the SUBJECT_CERT_CONSTRAINTS tag. By default it is a comma - ",".
    
    See Also:
    
    Constant Field Values
  - STS_CLIENT
```
public static final String STS_CLIENT
```
    A reference to the STSClient class used to communicate with the STS.
    
    See Also:
    
    Constant Field Values
  - STS_APPLIES_TO
```
public static final String STS_APPLIES_TO
```
    The "AppliesTo" address to send to the STS. The default is the endpoint address of the service provider.
    
    See Also:
    
    Constant Field Values
  - STS_TOKEN_USE_CERT_FOR_KEYINFO
```
public static final String STS_TOKEN_USE_CERT_FOR_KEYINFO
```
    Whether to write out an X509Certificate structure in UseKey/KeyInfo, or whether to write out a KeyValue structure. The default value is "false".
    
    See Also:
    
    Constant Field Values
  - STS_TOKEN_DO_CANCEL
```
public static final String STS_TOKEN_DO_CANCEL
```
    Whether to cancel a token when using SecureConversation after successful invocation. The default is "false".
    
    See Also:
    
    Constant Field Values
  - STS_ISSUE_AFTER_FAILED_RENEW
```
public static final String STS_ISSUE_AFTER_FAILED_RENEW
```
    Whether to fall back to calling "issue" after failing to renew an expired token. Some STSs do not support the renew binding, and so we should just issue a new token after expiry. The default is true.
    
    See Also:
    
    Constant Field Values
  - CACHE_ISSUED_TOKEN_IN_ENDPOINT
```
public static final String CACHE_ISSUED_TOKEN_IN_ENDPOINT
```
    Set this to "false" to not cache a SecurityToken per proxy object in the IssuedTokenInterceptorProvider. This should be done if a token is being retrieved from an STS in an intermediary. The default value is "true".
    
    See Also:
    
    Constant Field Values
  - DISABLE_STS_CLIENT_WSMEX_CALL_USING_EPR_ADDRESS
```
public static final String DISABLE_STS_CLIENT_WSMEX_CALL_USING_EPR_ADDRESS
```
    Whether to avoid STS client trying send WS-MetadataExchange call using STS EPR WSA address when the endpoint contract contains no WS-MetadataExchange info. The default value is "false".
    
    See Also:
    
    Constant Field Values
  - PREFER_WSMEX_OVER_STS_CLIENT_CONFIG
```
public static final String PREFER_WSMEX_OVER_STS_CLIENT_CONFIG
```
    Whether to prefer to use WS-MEX over a STSClient's location/wsdlLocation properties when making an STS RequestSecurityToken call. This can be set to true for the scenario of making a WS-MEX call to an initial STS, and using the returned token to make another call to an STS (which is configured using the STSClient configuration). Default is "false".
    
    See Also:
    
    Constant Field Values
  - STS_CLIENT_SOAP12_BINDING
```
public static final String STS_CLIENT_SOAP12_BINDING
```
    Switch STS client to send Soap 1.2 messages
    
    See Also:
    
    Constant Field Values
  - STS_TOKEN_CRYPTO
```
public static final String STS_TOKEN_CRYPTO
```
    A Crypto object to be used for the STS. If this is not defined then the STS_TOKEN_PROPERTIES is used instead. WCF's trust server sometimes will encrypt the token in the response IN ADDITION TO the full security on the message. These properties control the way the STS client will decrypt the EncryptedData elements in the response. These are also used by the STSClient to send/process any RSA/DSAKeyValue tokens used if the KeyType is "PublicKey"
    
    See Also:
    
    Constant Field Values
  - STS_TOKEN_PROPERTIES
```
public static final String STS_TOKEN_PROPERTIES
```
    The Crypto property configuration to use for the STS, if STS_TOKEN_CRYPTO is not set instead. The value of this tag must be either: a) A Java Properties object that contains the Crypto configuration. b) The path of the Crypto property file that contains the Crypto configuration. c) A URL that points to the Crypto property file that contains the Crypto configuration.
    
    See Also:
    
    Constant Field Values
  - STS_TOKEN_USERNAME
```
public static final String STS_TOKEN_USERNAME
```
    The alias name in the keystore to get the user's public key to send to the STS for the PublicKey KeyType case.
    
    See Also:
    
    Constant Field Values
  - STS_TOKEN_ACT_AS
```
public static final String STS_TOKEN_ACT_AS
```
    The token to be sent to the STS in an "ActAs" field. It can be either: a) A String (which must be an XML statement like "...") b) A DOM Element c) A CallbackHandler object to use to obtain the token In the case of a CallbackHandler, it must be able to handle a org.apache.cxf.ws.security.trust.delegation.DelegationCallback Object, which contains a reference to the current Message. The CallbackHandler implementation is required to set the token Element to be sent in the request on the Callback. Some examples that can be reused are: org.apache.cxf.ws.security.trust.delegation.ReceivedTokenCallbackHandler org.apache.cxf.ws.security.trust.delegation.WSSUsernameCallbackHandler
    
    See Also:
    
    Constant Field Values
  - STS_TOKEN_ON_BEHALF_OF
```
public static final String STS_TOKEN_ON_BEHALF_OF
```
    The token to be sent to the STS in an "OnBehalfOf" field. It can be either: a) A String (which must be an XML statement like "...") b) A DOM Element c) A CallbackHandler object to use to obtain the token In the case of a CallbackHandler, it must be able to handle a org.apache.cxf.ws.security.trust.delegation.DelegationCallback Object, which contains a reference to the current Message. The CallbackHandler implementation is required to set the token Element to be sent in the request on the Callback. Some examples that can be reused are: org.apache.cxf.ws.security.trust.delegation.ReceivedTokenCallbackHandler org.apache.cxf.ws.security.trust.delegation.WSSUsernameCallbackHandler
    
    See Also:
    
    Constant Field Values
  - STS_TOKEN_IMMINENT_EXPIRY_VALUE
```
public static final String STS_TOKEN_IMMINENT_EXPIRY_VALUE
```
    This is the value in seconds within which a token is considered to be expired by the client. When a cached token (from a STS) is retrieved by the client, it is considered to be expired if it will expire in a time less than the value specified by this tag. This prevents token expiry when the message is en route / being processed by the service. When the token is found to be expired then it will be renewed via the STS. The default value is 10 (seconds). Specify 0 to avoid this check.
    
    See Also:
    
    Constant Field Values
  - STS_TOKEN_CACHER_IMPL
```
public static final String STS_TOKEN_CACHER_IMPL
```
    An implementation of the STSTokenCacher interface, if you want to plug in custom caching behaviour for STS clients. The default value is the DefaultSTSTokenCacher.
    
    See Also:
    
    Constant Field Values
  - STS_CHECK_FOR_RECURSIVE_CALL
```
public static final String STS_CHECK_FOR_RECURSIVE_CALL
```
    Check that we are not invoking on the STS using its own IssuedToken policy - in which case we will end up with a recursive loop. This check might be a problem in the unlikely scenario that the remote endpoint has the same service / port QName as the STS, so this configuration flag allows to disable this check for that scenario. The default is "true".
    
    See Also:
    
    Constant Field Values
  - AUDIENCE_RESTRICTIONS
```
public static final String AUDIENCE_RESTRICTIONS
```
    This property contains a comma separated String corresponding to a list of audience restriction URIs. The default value for this property contains the request URL and the Service QName. If the AUDIENCE_RESTRICTION_VALIDATION property is "true", and if a received SAML Token contains audience restriction URIs, then one of them must match one of the values specified in this property.
    
    See Also:
    
    Constant Field Values
  - COMMON_PROPERTIES
```
public static final Set<String> COMMON_PROPERTIES
```
- Constructor Detail
  - SecurityConstants
```
protected SecurityConstants()
```

Class SecurityConstants

Field Summary

Constructor Summary

Method Summary

Methods inherited from class java.lang.Object

Field Detail

USERNAME

PASSWORD

SIGNATURE_USERNAME

SIGNATURE_PASSWORD

ENCRYPT_USERNAME

CALLBACK_HANDLER

SAML_CALLBACK_HANDLER

SIGNATURE_PROPERTIES

ENCRYPT_PROPERTIES

SIGNATURE_CRYPTO

ENCRYPT_CRYPTO

ENCRYPT_CERT

ENABLE_REVOCATION

ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL

ENABLE_UT_NOPASSWORD_PRINCIPAL

VALIDATE_SAML_SUBJECT_CONFIRMATION

SC_FROM_JAAS_SUBJECT

AUDIENCE_RESTRICTION_VALIDATION

SAML_ROLE_ATTRIBUTENAME

SUBJECT_CERT_CONSTRAINTS

CERT_CONSTRAINTS_SEPARATOR

STS_CLIENT

STS_APPLIES_TO

STS_TOKEN_USE_CERT_FOR_KEYINFO

STS_TOKEN_DO_CANCEL

STS_ISSUE_AFTER_FAILED_RENEW

CACHE_ISSUED_TOKEN_IN_ENDPOINT

DISABLE_STS_CLIENT_WSMEX_CALL_USING_EPR_ADDRESS

PREFER_WSMEX_OVER_STS_CLIENT_CONFIG

STS_CLIENT_SOAP12_BINDING

STS_TOKEN_CRYPTO

STS_TOKEN_PROPERTIES

STS_TOKEN_USERNAME

STS_TOKEN_ACT_AS

STS_TOKEN_ON_BEHALF_OF

STS_TOKEN_IMMINENT_EXPIRY_VALUE

STS_TOKEN_CACHER_IMPL

STS_CHECK_FOR_RECURSIVE_CALL

AUDIENCE_RESTRICTIONS

COMMON_PROPERTIES

Constructor Detail

SecurityConstants