Package org.apache.wss4j.common

Class ConfigurationConstants

  • Direct Known Subclasses:
    WSHandlerConstants
    public class ConfigurationConstants
extends Object
    This class defines Configuration Constants that are shared between the DOM + StAX code. This allows a user to configure both layers in the same way (e.g. via a Map).

    • Field Detail

      • ACTION

        public static final String ACTION
        The action parameter. It is a blank separated list of actions to perform.

        The application may set this parameter using the following method: 

         call.setProperty(ConfigurationConstants.ACTION, ConfigurationConstants.USERNAME_TOKEN);
        See Also:
        Constant Field Values

      • USERNAME_TOKEN_SIGNATURE

        public static final String USERNAME_TOKEN_SIGNATURE
        Perform a UsernameTokenSignature action.
        See Also:
        Constant Field Values

      • USERNAME_TOKEN_NO_PASSWORD

        public static final String USERNAME_TOKEN_NO_PASSWORD
        Perform a UsernameToken action with no password.
        See Also:
        Constant Field Values

      • SAML_TOKEN_UNSIGNED

        public static final String SAML_TOKEN_UNSIGNED
        Perform an unsigned SAML Token action.
        See Also:
        Constant Field Values

      • SIGNATURE

        public static final String SIGNATURE
        Perform a Signature action. The signature specific parameters define how to sign, which keys to use, and so on.
        See Also:
        Constant Field Values

      • ENCRYPT

        @Deprecated
public static final String ENCRYPT
        Deprecated.
        Perform an Encryption action. The encryption specific parameters define how to encrypt, which keys to use, and so on.
        See Also:
        Constant Field Values

      • ENCRYPTION

        public static final String ENCRYPTION
        Perform an Encryption action. The encryption specific parameters define how to encrypt, which keys to use, and so on.
        See Also:
        Constant Field Values

      • SIGNATURE_DERIVED

        public static final String SIGNATURE_DERIVED
        Perform a Signature action with derived keys. The signature specific parameters define how to sign, which keys to use, and so on.
        See Also:
        Constant Field Values

      • ENCRYPT_DERIVED

        @Deprecated
public static final String ENCRYPT_DERIVED
        Deprecated.
        Perform an Encryption action with derived keys. The encryption specific parameters define how to encrypt, which keys to use, and so on.
        See Also:
        Constant Field Values

      • ENCRYPTION_DERIVED

        public static final String ENCRYPTION_DERIVED
        Perform an Encryption action with derived keys. The encryption specific parameters define how to encrypt, which keys to use, and so on.
        See Also:
        Constant Field Values

      • SIGNATURE_WITH_KERBEROS_TOKEN

        public static final String SIGNATURE_WITH_KERBEROS_TOKEN
        Perform a Signature action with a kerberos token. The signature specific parameters define how to sign, which keys to use, and so on.
        See Also:
        Constant Field Values

      • ENCRYPT_WITH_KERBEROS_TOKEN

        @Deprecated
public static final String ENCRYPT_WITH_KERBEROS_TOKEN
        Deprecated.
        Perform a Encryption action with a kerberos token. The signature specific parameters define how to encrypt, which keys to use, and so on.
        See Also:
        Constant Field Values

      • ENCRYPTION_WITH_KERBEROS_TOKEN

        public static final String ENCRYPTION_WITH_KERBEROS_TOKEN
        Perform a Encryption action with a kerberos token. The signature specific parameters define how to encrypt, which keys to use, and so on.
        See Also:
        Constant Field Values

      • CUSTOM_TOKEN

        public static final String CUSTOM_TOKEN
        Add a "Custom" token. This token will be retrieved from a CallbackHandler via WSPasswordCallback.Usage.CUSTOM_TOKEN and written out as is in the security header.
        See Also:
        Constant Field Values

      • ACTOR

        public static final String ACTOR
        The actor or role name of the wsse:Security header. If this parameter is omitted, the actor name is not set.

        The value of the actor or role has to match the receiver's setting or may contain standard values.

        The application may set this parameter using the following method: 

         call.setProperty(ConfigurationConstants.ACTOR, "ActorName");
        See Also:
        Constant Field Values

      • USER

        public static final String USER
        The user's name. It is used differently by each of the WS-Security functions.
        • The UsernameToken function sets this name in the UsernameToken.
        • The Signing function uses this name as the alias name in the keystore to get user's certificate and private key to perform signing if SIGNATURE_USER is not used.
        • The encryption functions uses this parameter as fallback if ENCRYPTION_USER is not used.
        See Also:
        Constant Field Values

      • ENCRYPTION_USER

        public static final String ENCRYPTION_USER
        The user's name for encryption. The encryption functions use the public key of this user's certificate to encrypt the generated symmetric key.

        If this parameter is not set, then the encryption function falls back to the USER parameter to get the certificate.

        If only encryption of the SOAP body data is requested, it is recommended to use this parameter to define the username.

        The application may set this parameter using the following method: 

         call.setProperty(ConfigurationConstants.ENCRYPTION_USER, "encryptionUser");
        See Also:
        Constant Field Values

      • SIGNATURE_USER

        public static final String SIGNATURE_USER
        The user's name for signature. This name is used as the alias name in the keystore to get user's certificate and private key to perform signing.

        If this parameter is not set, then the signature function falls back to the USER parameter.

        The application may set this parameter using the following method: 

         call.setProperty(ConfigurationConstants.SIGNATURE_USER, "signatureUser");
        See Also:
        Constant Field Values

      • USE_REQ_SIG_CERT

        public static final String USE_REQ_SIG_CERT
        Specifying this name as ENCRYPTION_USER triggers a special action to get the public key to use for encryption.

        The handler uses the public key of the sender's certificate. Using this way to define an encryption key simplifies certificate management to a large extent.

        See Also:
        Constant Field Values

      • PW_CALLBACK_CLASS

        public static final String PW_CALLBACK_CLASS
        This tag refers to the CallbackHandler implementation class used to obtain passwords. The value of this tag must be the class name of a CallbackHandler instance.

        The callback function CallbackHandler.handle( javax.security.auth.callback.Callback[]) gets an array of WSPasswordCallback objects. Only the first entry of the array is used. This object contains the username/keyname as identifier. The callback handler must set the password or key associated with this identifier before it returns.

        The application may set this parameter using the following method: 

         call.setProperty(ConfigurationConstants.PW_CALLBACK_CLASS, "PWCallbackClass");
        See Also:
        Constant Field Values

      • PW_CALLBACK_REF

        public static final String PW_CALLBACK_REF
        This tag refers to the CallbackHandler implementation object used to obtain passwords. The value of this tag must be a CallbackHandler instance.

        Refer to PW_CALLBACK_CLASS for further information about password callback handling.
        See Also:
        Constant Field Values

      • SAML_CALLBACK_CLASS

        public static final String SAML_CALLBACK_CLASS
        This tag refers to the SAML CallbackHandler implementation class used to construct SAML Assertions. The value of this tag must be the class name of a CallbackHandler instance.
        See Also:
        Constant Field Values

      • SAML_CALLBACK_REF

        public static final String SAML_CALLBACK_REF
        This tag refers to the SAML CallbackHandler implementation object used to construct SAML Assertions. The value of this tag must be a CallbackHandler instance.
        See Also:
        Constant Field Values

      • SIG_PROP_FILE

        public static final String SIG_PROP_FILE
        The path of the crypto property file to use for Signature creation. The classloader loads this file. Therefore it must be accessible via the classpath.

        To locate the implementation of the Crypto interface implementation the property file must contain the property org.apache.wss4j.crypto.provider. The value of this property is the classname of the implementation class.

        The following line defines the standard implementation: 

         org.apache.wss4j.crypto.provider=org.apache.wss4j.common.crypto.Merlin
        The other contents of the property file depend on the implementation of the Crypto interface. Please see the WSS4J website for more information on the Merlin property tags and values.

        The application may set this parameter using the following method: 
         call.setProperty(ConfigurationConstants.SIG_PROP_FILE, "myCrypto.properties");
        See Also:
        Constant Field Values

      • SIG_PROP_REF_ID

        public static final String SIG_PROP_REF_ID
        The key that holds a reference to the object holding complete information about the signature Crypto implementation. This object can either be a Crypto instance or a java.util.Properties file, which should contain all information that would contain in an equivalent properties file which includes the Crypto implementation class name. Refer to documentation of SIG_PROP_FILE.
        See Also:
        Constant Field Values

      • SIG_VER_PROP_FILE

        public static final String SIG_VER_PROP_FILE
        The path of the crypto property file to use for Signature verification. The classloader loads this file. Therefore it must be accessible via the classpath.

        Refer to documentation of SIG_PROP_FILE.

        See Also:
        Constant Field Values

      • SIG_VER_PROP_REF_ID

        public static final String SIG_VER_PROP_REF_ID
        The key that holds a reference to the object holding complete information about the signature verification Crypto implementation. This object can either be a Crypto instance or a java.util.Properties file, which should contain all information that would contain in an equivalent properties file which includes the Crypto implementation class name. Refer to documentation of SIG_VER_PROP_FILE.
        See Also:
        Constant Field Values

      • DEC_PROP_FILE

        public static final String DEC_PROP_FILE
        The path of the crypto property file to use for Decryption. The classloader loads this file. Therefore it must be accessible via the classpath. Refer to documentation of SIG_PROP_FILE for more information about the contents of the Properties file.

        The application may set this parameter using the following method: 

         call.setProperty(ConfigurationConstants.DEC_PROP_FILE, "myCrypto.properties");
        See Also:
        Constant Field Values

      • DEC_PROP_REF_ID

        public static final String DEC_PROP_REF_ID
        The key that holds a reference to the object holding complete information about the decryption Crypto implementation. This object can either be a Crypto instance or a java.util.Properties file, which should contain all information that would contain in an equivalent properties file which includes the Crypto implementation class name. Refer to documentation of DEC_PROP_FILE.
        See Also:
        Constant Field Values

      • ENC_PROP_FILE

        public static final String ENC_PROP_FILE
        The path of the crypto property file to use for Encryption. The classloader loads this file. Therefore it must be accessible via the classpath. Refer to documentation of SIG_PROP_FILE for more information about the contents of the Properties file.

        The application may set this parameter using the following method: 

         call.setProperty(ConfigurationConstants.ENC_PROP_FILE, "myCrypto.properties");
        See Also:
        Constant Field Values

      • ENC_PROP_REF_ID

        public static final String ENC_PROP_REF_ID
        The key that holds a reference to the object holding complete information about the encryption Crypto implementation. This object can either be a Crypto instance or a java.util.Properties file, which should contain all information that would contain in an equivalent properties file which includes the Crypto implementation class name. Refer to documentation of ENC_PROP_FILE.
        See Also:
        Constant Field Values

      • ENABLE_SIGNATURE_CONFIRMATION

        public static final String ENABLE_SIGNATURE_CONFIRMATION
        Whether to enable signatureConfirmation or not. The default value is "false".
        See Also:
        Constant Field Values

      • MUST_UNDERSTAND

        public static final String MUST_UNDERSTAND
        Whether to set the mustUnderstand flag on an outbound message or not. The default setting is "true".

        The application may set this parameter using the following method: 

         call.setProperty(ConfigurationConstants.MUST_UNDERSTAND, "false");
        See Also:
        Constant Field Values

      • IS_BSP_COMPLIANT

        public static final String IS_BSP_COMPLIANT
        Whether to ensure compliance with the Basic Security Profile (BSP) 1.1 or not. The default value is "true".

        The application may set this parameter using the following method: 

         call.setProperty(ConfigurationConstants.IS_BSP_COMPLIANT, "false");
        See Also:
        Constant Field Values

      • ADD_INCLUSIVE_PREFIXES

        public static final String ADD_INCLUSIVE_PREFIXES
        Whether to add an InclusiveNamespaces PrefixList as a CanonicalizationMethod child when generating Signatures using WSConstants.C14N_EXCL_OMIT_COMMENTS. The default is true.
        See Also:
        Constant Field Values

      • ADD_USERNAMETOKEN_NONCE

        public static final String ADD_USERNAMETOKEN_NONCE
        Whether to add a Nonce Element to a UsernameToken. This only applies when the password type is of type "text". A Nonce is automatically added for the "digest" case. The default is false.
        See Also:
        Constant Field Values

      • ADD_USERNAMETOKEN_CREATED

        public static final String ADD_USERNAMETOKEN_CREATED
        Whether to add a Created Element to a UsernameToken. This only applies when the password type is of type "text". A Created is automatically added for the "digest" case. The default is false.
        See Also:
        Constant Field Values

      • HANDLE_CUSTOM_PASSWORD_TYPES

        public static final String HANDLE_CUSTOM_PASSWORD_TYPES
        This variable controls whether types other than PasswordDigest or PasswordText are allowed when processing UsernameTokens. The default value is "false".
        See Also:
        Constant Field Values

      • ALLOW_USERNAMETOKEN_NOPASSWORD

        public static final String ALLOW_USERNAMETOKEN_NOPASSWORD
        This variable controls whether a UsernameToken with no password element is allowed. The default value is "false". Set it to "true" to allow deriving keys from UsernameTokens or to support UsernameTokens for purposes other than authentication.
        See Also:
        Constant Field Values

      • ALLOW_NAMESPACE_QUALIFIED_PASSWORD_TYPES

        public static final String ALLOW_NAMESPACE_QUALIFIED_PASSWORD_TYPES
        This variable controls whether (wsse) namespace qualified password types are accepted when processing UsernameTokens. The default value is "false".
        See Also:
        Constant Field Values

      • ENABLE_REVOCATION

        public static final String ENABLE_REVOCATION
        This variable controls whether to enable Certificate Revocation List (CRL) checking or not when verifying trust in a certificate. The default value is "false".
        See Also:
        Constant Field Values

      • USE_SINGLE_CERTIFICATE

        public static final String USE_SINGLE_CERTIFICATE
        This parameter sets whether to use a single certificate or a whole certificate chain when constructing a BinarySecurityToken used for direct reference in signature. The default is "true", meaning that only a single certificate is used.
        See Also:
        Constant Field Values

      • USE_DERIVED_KEY_FOR_MAC

        public static final String USE_DERIVED_KEY_FOR_MAC
        This parameter sets whether to use the Username Token derived key for a MAC or not. The default is "true".
        See Also:
        Constant Field Values

      • TIMESTAMP_PRECISION

        public static final String TIMESTAMP_PRECISION
        Set whether Timestamps have precision in milliseconds. This applies to the creation of Timestamps only. The default value is "true".
        See Also:
        Constant Field Values

      • TIMESTAMP_STRICT

        public static final String TIMESTAMP_STRICT
        Set the value of this parameter to true to enable strict timestamp handling. The default value is "true". Strict Timestamp handling: throw an exception if a Timestamp contains an Expires element and the semantics of the request are expired, i.e. the current time at the receiver is past the expires time.
        See Also:
        Constant Field Values

      • REQUIRE_TIMESTAMP_EXPIRES

        public static final String REQUIRE_TIMESTAMP_EXPIRES
        Set the value of this parameter to true to require that a Timestamp must have an "Expires" Element. The default is "false".
        See Also:
        Constant Field Values

      • ENC_SYM_ENC_KEY

        public static final String ENC_SYM_ENC_KEY
        Defines whether to encrypt the symmetric encryption key or not. If true (the default), the symmetric key used for encryption is encrypted in turn, and inserted into the security header in an "EncryptedKey" structure. If set to false, no EncryptedKey structure is constructed.

        The application may set this parameter using the following method: 

         call.setProperty(ConfigurationConstants.ENC_SYM_ENC_KEY, "false");
        See Also:
        Constant Field Values

      • REQUIRE_SIGNED_ENCRYPTED_DATA_ELEMENTS

        public static final String REQUIRE_SIGNED_ENCRYPTED_DATA_ELEMENTS
        Whether the engine needs to enforce EncryptedData elements are in a signed subtree of the document. This can be used to prevent some wrapping based attacks when encrypt-before-sign token protection is selected.
        See Also:
        Constant Field Values

      • ALLOW_RSA15_KEY_TRANSPORT_ALGORITHM

        public static final String ALLOW_RSA15_KEY_TRANSPORT_ALGORITHM
        Whether to allow the RSA v1.5 Key Transport Algorithm or not. Use of this algorithm is discouraged, and so the default is "false".
        See Also:
        Constant Field Values

      • VALIDATE_SAML_SUBJECT_CONFIRMATION

        public static final String VALIDATE_SAML_SUBJECT_CONFIRMATION
        Whether to validate the SubjectConfirmation requirements of a received SAML Token (sender-vouches or holder-of-key). The default is true.
        See Also:
        Constant Field Values

      • INCLUDE_SIGNATURE_TOKEN

        public static final String INCLUDE_SIGNATURE_TOKEN
        Whether to include the Signature Token in the security header as well or not. This is only applicable to the IssuerSerial, Thumbprint and SKI Key Identifier cases. The default is false.
        See Also:
        Constant Field Values

      • INCLUDE_ENCRYPTION_TOKEN

        public static final String INCLUDE_ENCRYPTION_TOKEN
        Whether to include the Encryption token (BinarySecurityToken) in the security header as well or not. This is only applicable to the IssuerSerial, Thumbprint and SKI Key Identifier cases. The default is false.
        See Also:
        Constant Field Values

      • USE_2005_12_NAMESPACE

        public static final String USE_2005_12_NAMESPACE
        Whether to use the "http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512" namespace for SecureConversation + Derived Keys. If set to "false", it will use the namespace "http://schemas.xmlsoap.org/ws/2005/02/sc". The default is true.
        See Also:
        Constant Field Values

      • GET_SECRET_KEY_FROM_CALLBACK_HANDLER

        public static final String GET_SECRET_KEY_FROM_CALLBACK_HANDLER
        Whether to get a secret key from a CallbackHandler or not for encryption only. The default is false. If set to true WSS4J attempts to get the secret key from the CallbackHandler instead of generating a random key internally. This allows the user more control over the symmetric key if required.
        See Also:
        Constant Field Values

      • STORE_BYTES_IN_ATTACHMENT

        public static final String STORE_BYTES_IN_ATTACHMENT
        Whether to store bytes (CipherData or BinarySecurityToken) in an attachment. The default is false, meaning that bytes are BASE-64 encoded and "inlined" in the message. Setting this to true is more efficient, as it means that the BASE-64 encoding step can be skipped. For this to work, a CallbackHandler must be set on RequestData that can handle attachments.
        See Also:
        Constant Field Values

      • EXPAND_XOP_INCLUDE_FOR_SIGNATURE

        @Deprecated
public static final String EXPAND_XOP_INCLUDE_FOR_SIGNATURE
        Deprecated.
        Whether to expand xop:Include Elements encountered when verifying a Signature. The default is true, meaning that the relevant attachment bytes are BASE-64 encoded and inserted into the Element. This ensures that the actual bytes are signed, and not just the reference. This configuration tag has been deprecated in favour of EXPAND_XOP_INCLUDE.
        See Also:
        Constant Field Values

      • EXPAND_XOP_INCLUDE

        public static final String EXPAND_XOP_INCLUDE
        Whether to search for and expand xop:Include Elements for encryption and signature (on the outbound side) or for signature verification (on the inbound side). The default is false on the outbound side and true on the inbound side. What this means on the inbound side, is that the relevant attachment bytes are BASE-64 encoded and inserted into the Element. This ensures that the actual bytes are signed, and not just the reference.
        See Also:
        Constant Field Values

      • PASSWORD_TYPE

        public static final String PASSWORD_TYPE
        Specific parameter for UsernameTokens to define the encoding of the password. It can be used on either the outbound or inbound side. The valid values are: - PasswordDigest - PasswordText - PasswordNone On the Outbound side, the default value is PW_DIGEST. There is no default value on the inbound side. If a value is specified on the inbound side, the password type of the received UsernameToken must match the specified type, or an exception will be thrown.
        See Also:
        Constant Field Values

      • SIG_KEY_ID

        public static final String SIG_KEY_ID
        Defines which key identifier type to use for signature. The WS-Security specifications recommends to use the identifier type IssuerSerial. For signature IssuerSerial, DirectReference, X509KeyIdentifier, Thumbprint, SKIKeyIdentifier and KeyValue are valid only.

        The default is IssuerSerial.

        The application may set this parameter using the following method: 

         call.setProperty(ConfigurationConstants.SIG_KEY_ID, "DirectReference");
        See Also:
        Constant Field Values

      • SIG_ALGO

        public static final String SIG_ALGO
        Defines which signature algorithm to use. The default is set by the data in the certificate, i.e. one of the following: "http://www.w3.org/2000/09/xmldsig#rsa-sha1" "http://www.w3.org/2000/09/xmldsig#dsa-sha1"

        The application may set this parameter using the following method: 

         call.setProperty(
     ConfigurationConstants.SIG_ALGO,
     "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
 );
        See Also:
        Constant Field Values

      • SIG_DIGEST_ALGO

        public static final String SIG_DIGEST_ALGO
        Defines which signature digest algorithm to use. The default is: "http://www.w3.org/2000/09/xmldsig#sha1"

        The application may set this parameter using the following method: 

         call.setProperty(
    ConfigurationConstants.SIG_DIGEST_ALGO, "http://www.w3.org/2001/04/xmlenc#sha256"
 );
        See Also:
        Constant Field Values

      • SIG_C14N_ALGO

        public static final String SIG_C14N_ALGO
        Defines which signature c14n (canonicalization) algorithm to use. The default is: "http://www.w3.org/2001/10/xml-exc-c14n#"
        See Also:
        Constant Field Values

      • SIGNATURE_PARTS

        public static final String SIGNATURE_PARTS
        Parameter to define which parts of the request shall be signed.

        Refer to ENCRYPTION_PARTS for a detailed description of the format of the value string.

        If this parameter is not specified the handler signs the SOAP Body by default, i.e.: 

         <parameter name="signatureParts"
   value="{}{http://schemas.xmlsoap.org/soap/envelope/}Body;" />
        To specify an element without a namespace use the string Null as the namespace name (this is a case sensitive string)

        If there is no other element in the request with a local name of Body then the SOAP namespace identifier can be empty ({}).

        See Also:
        Constant Field Values

      • OPTIONAL_SIGNATURE_PARTS

        public static final String OPTIONAL_SIGNATURE_PARTS
        Parameter to define which parts of the request shall be signed, if they exist in the request. If they do not, then no error is thrown. This contrasts with the SIGNATURE_PARTS Identifier, which specifies elements that must be signed in the request.

        Refer to ENCRYPTION_PARTS for a detailed description of the format of the value string.

        See Also:
        Constant Field Values

      • DERIVED_KEY_ITERATIONS

        public static final String DERIVED_KEY_ITERATIONS
        This parameter sets the number of iterations to use when deriving a key from a Username Token. The default is 1000.
        See Also:
        Constant Field Values

      • ENC_KEY_ID

        public static final String ENC_KEY_ID
        Defines which key identifier type to use for encryption. The WS-Security specifications recommends to use the identifier type IssuerSerial. For encryption IssuerSerial, DirectReference, X509KeyIdentifier, Thumbprint, SKIKeyIdentifier, EncryptedKeySHA1 and EmbeddedKeyName are valid only.

        The default is IssuerSerial.

        The application may set this parameter using the following method: 

         call.setProperty(ConfigurationConstants.ENC_KEY_ID, "X509KeyIdentifier");
        See Also:
        Constant Field Values

      • ENC_SYM_ALGO

        public static final String ENC_SYM_ALGO
        Defines which symmetric encryption algorithm to use. WSS4J supports the following algorithms: "http://www.w3.org/2001/04/xmlenc#tripledes-cbc"; "http://www.w3.org/2001/04/xmlenc#aes128-cbc"; "http://www.w3.org/2001/04/xmlenc#aes256-cbc"; "http://www.w3.org/2001/04/xmlenc#aes192-cbc"; Except for AES 192 all of these algorithms are required by the XML Encryption specification. The default algorithm is: "http://www.w3.org/2001/04/xmlenc#aes128-cbc"

        The application may set this parameter using the following method: 

         call.setProperty(ConfigurationConstants.ENC_SYM_ALGO, WSConstants.AES_256);
        See Also:
        Constant Field Values

      • ENC_KEY_TRANSPORT

        public static final String ENC_KEY_TRANSPORT
        Defines which algorithm to use to encrypt the generated symmetric key. The default algorithm is: "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"

        The application may set this parameter using the following method: 

         call.setProperty(ConfigurationConstants.ENC_KEY_TRANSPORT, WSConstants.KEYTRANSPORT_RSA15);
        See Also:
        Constant Field Values

      • ENCRYPTION_PARTS

        public static final String ENCRYPTION_PARTS
        Parameter to define which parts of the request shall be encrypted.

        The value of this parameter is a list of semi-colon separated element names that identify the elements to encrypt. An encryption mode specifier and a namespace identification, each inside a pair of curly brackets, may preceed each element name.

        The encryption mode specifier is either {Content} or {Element}. Please refer to the W3C XML Encryption specification about the differences between Element and Content encryption. The encryption mode defaults to Content if it is omitted. Example of a list: 

         <parameter name="encryptionParts"
   value="{Content}{http://example.org/paymentv2}CreditCard;
             {Element}{}UserName" />
        The the first entry of the list identifies the element CreditCard in the namespace http://example.org/paymentv2, and will encrypt its content. Be aware that the element name, the namespace identifier, and the encryption modifier are case sensitive.

        The encryption modifier and the namespace identifier can be ommited. In this case the encryption mode defaults to Content and the namespace is set to the SOAP namespace.

        An empty encryption mode defaults to Content, an empty namespace identifier defaults to the SOAP namespace. The second line of the example defines Element as encryption mode for an UserName element in the SOAP namespace.

        Note that the special value "{}cid:Attachments;" means that all of the message attachments should be encrypted.

        To specify an element without a namespace use the string Null as the namespace name (this is a case sensitive string)

        If no list is specified, the handler encrypts the SOAP Body in Content mode by default.

        See Also:
        Constant Field Values

      • OPTIONAL_ENCRYPTION_PARTS

        public static final String OPTIONAL_ENCRYPTION_PARTS
        Parameter to define which parts of the request shall be encrypted, if they exist in the request. If they do not, then no error is thrown. This contrasts with the ENCRYPTION_PARTS Identifier, which specifies elements that must be encrypted in the request.

        Refer to ENCRYPTION_PARTS for a detailed description of the format of the value string.

        See Also:
        Constant Field Values

      • ENC_DIGEST_ALGO

        public static final String ENC_DIGEST_ALGO
        Defines which encryption digest algorithm to use with the RSA OAEP Key Transport algorithm for encryption. The default is SHA-1.

        The application may set this parameter using the following method: 

         call.setProperty(
    ConfigurationConstants.ENC_DIGEST_ALGO, "http://www.w3.org/2001/04/xmlenc#sha256"
 );
        See Also:
        Constant Field Values

      • ENC_MGF_ALGO

        public static final String ENC_MGF_ALGO
        Defines which encryption mgf algorithm to use with the RSA OAEP Key Transport algorithm for encryption. The default is mgfsha1.

        The application may set this parameter using the following method: 

         call.setProperty(
    ConfigurationConstants.ENC_MGF_ALGO, "http://www.w3.org/2009/xmlenc11#mgf1sha256"
 );
        See Also:
        Constant Field Values

      • TTL_USERNAMETOKEN

        public static final String TTL_USERNAMETOKEN
        Time-To-Live is the time difference between creation and expiry time in seconds of the UsernameToken Created value. After this time the SOAP request is invalid (at least the security data shall be treated this way).

        If this parameter is not defined, contains a value less or equal zero, or an illegal format the handlers use a default TTL of 300 seconds (5 minutes).

        See Also:
        Constant Field Values

      • TTL_FUTURE_USERNAMETOKEN

        public static final String TTL_FUTURE_USERNAMETOKEN
        This configuration tag specifies the time in seconds in the future within which the Created time of an incoming UsernameToken is valid. The default value is "60", to avoid problems where clocks are slightly askew. To reject all future-created UsernameTokens, set this value to "0".
        See Also:
        Constant Field Values

      • SIG_SUBJECT_CERT_CONSTRAINTS

        public static final String SIG_SUBJECT_CERT_CONSTRAINTS
        This configuration tag is a String (separated by the value specified for SIG_CERT_CONSTRAINTS_SEPARATOR) of regular expressions which will be applied to the subject DN of the certificate used for signature validation, after trust verification of the certificate chain associated with the certificate.
        See Also:
        Constant Field Values

      • SIG_ISSUER_CERT_CONSTRAINTS

        public static final String SIG_ISSUER_CERT_CONSTRAINTS
        This configuration tag is a String (separated by the value specified for SIG_CERT_CONSTRAINTS_SEPARATOR) of regular expressions which will be applied to the issuer DN of the certificate used for signature validation, after trust verification of the certificate chain associated with the certificate.
        See Also:
        Constant Field Values

      • SIG_CERT_CONSTRAINTS_SEPARATOR

        public static final String SIG_CERT_CONSTRAINTS_SEPARATOR
        This configuration tag refers to the separator that is used to parse certificate constraints configured in the SIG_SUBJECT_CERT_CONSTRAINTS and SIG_ISSUER_CERT_CONSTRAINTS configuration tags. By default it is a comma - ",".
        See Also:
        Constant Field Values

      • TTL_TIMESTAMP

        public static final String TTL_TIMESTAMP
        Time-To-Live is the time difference between creation and expiry time in seconds in the WSS Timestamp. After this time the SOAP request is invalid (at least the security data shall be treated this way).

        If this parameter is not defined, contains a value less or equal zero, or an illegal format the handlers use a default TTL of 300 seconds (5 minutes).

        See Also:
        Constant Field Values

      • TTL_FUTURE_TIMESTAMP

        public static final String TTL_FUTURE_TIMESTAMP
        This configuration tag specifies the time in seconds in the future within which the Created time of an incoming Timestamp is valid. The default value is "60", to avoid problems where clocks are slightly askew. To reject all future-created Timestamps, set this value to "0".
        See Also:
        Constant Field Values

      • VALIDATOR_MAP

        public static final String VALIDATOR_MAP
        This tag refers to a Map of QName, Object (Validator) instances to be used to validate tokens identified by their QName. For the DOM layer, the Object should be a org.apache.wss4j.dom.validate.Validator instance. For the StAX layer, it should be a org.apache.wss4j.stax.validate.Validator instance.
        See Also:
        Constant Field Values

      • NONCE_CACHE_INSTANCE

        public static final String NONCE_CACHE_INSTANCE
        This holds a reference to a ReplayCache instance used to cache UsernameToken nonces. The default instance that is used is the EHCacheReplayCache.
        See Also:
        Constant Field Values

      • TIMESTAMP_CACHE_INSTANCE

        public static final String TIMESTAMP_CACHE_INSTANCE
        This holds a reference to a ReplayCache instance used to cache Timestamp Created Strings. The default instance that is used is the EHCacheReplayCache.
        See Also:
        Constant Field Values

      • SAML_ONE_TIME_USE_CACHE_INSTANCE

        public static final String SAML_ONE_TIME_USE_CACHE_INSTANCE
        This holds a reference to a ReplayCache instance used to cache SAML2 Token Identifier Strings (if the token contains a OneTimeUse Condition). The default instance that is used is the EHCacheReplayCache.
        See Also:
        Constant Field Values

      • PASSWORD_ENCRYPTOR_INSTANCE

        public static final String PASSWORD_ENCRYPTOR_INSTANCE
        This holds a reference to a PasswordEncryptor instance, which is used to encrypt or decrypt passwords in the Merlin Crypto implementation (or any custom Crypto implementations). By default, WSS4J uses the JasyptPasswordEncryptor, which must be instantiated with a password to use to decrypt keystore passwords in the Merlin Crypto properties file. This password is obtained via the CallbackHandler defined via PW_CALLBACK_CLASS or PW_CALLBACK_REF. The encrypted passwords must be stored in the format "ENC(encoded encrypted password)".
        See Also:
        Constant Field Values

      • DERIVED_TOKEN_REFERENCE

        public static final String DERIVED_TOKEN_REFERENCE
        This controls the deriving token from which DerivedKeyTokens derive keys from. Valid values are: - DirectReference: A reference to a BinarySecurityToken - EncryptedKey: A reference to an EncryptedKey - SecurityContextToken: A reference to a SecurityContextToken
        See Also:
        Constant Field Values

      • DERIVED_TOKEN_KEY_ID

        public static final String DERIVED_TOKEN_KEY_ID
        This controls the key identifier of Derived Tokens, i.e. how they reference the deriving key.
        See Also:
        Constant Field Values

      • DERIVED_SIGNATURE_KEY_LENGTH

        public static final String DERIVED_SIGNATURE_KEY_LENGTH
        The length to use (in bytes) when deriving a key for Signature. If this is not specified, it defaults to a value based on the signature algorithm.
        See Also:
        Constant Field Values

      • DERIVED_ENCRYPTION_KEY_LENGTH

        public static final String DERIVED_ENCRYPTION_KEY_LENGTH
        The length to use (in bytes) when deriving a key for Encryption. If this is not specified, it defaults to a value based on the encryption algorithm.
        See Also:
        Constant Field Values

    • Constructor Detail

      • ConfigurationConstants

        protected ConfigurationConstants()