Package org.apache.wss4j.common

Class ConfigurationConstants

java.lang.Object
org.apache.wss4j.common.ConfigurationConstants
public class ConfigurationConstants extends Object
This class defines Configuration Constants that are shared between the DOM + StAX code. This allows a user to configure both layers in the same way (e.g. via a Map).

  • Field Details

    • ACTION

      public static final String ACTION
      The action parameter. It is a blank separated list of actions to perform.

      The application may set this parameter using the following method: 

       call.setProperty(ConfigurationConstants.ACTION, ConfigurationConstants.USERNAME_TOKEN);
      See Also:

    • USERNAME_TOKEN

      public static final String USERNAME_TOKEN
      Perform a UsernameToken action.
      See Also:

    • USERNAME_TOKEN_SIGNATURE

      public static final String USERNAME_TOKEN_SIGNATURE
      Perform a UsernameTokenSignature action.
      See Also:

    • USERNAME_TOKEN_NO_PASSWORD

      public static final String USERNAME_TOKEN_NO_PASSWORD
      Perform a UsernameToken action with no password.
      See Also:

    • SAML_TOKEN_UNSIGNED

      public static final String SAML_TOKEN_UNSIGNED
      Perform an unsigned SAML Token action.
      See Also:

    • SAML_TOKEN_SIGNED

      public static final String SAML_TOKEN_SIGNED
      Perform a signed SAML Token action.
      See Also:

    • SIGNATURE

      public static final String SIGNATURE
      Perform a Signature action. The signature specific parameters define how to sign, which keys to use, and so on.
      See Also:

    • ENCRYPT

      @Deprecated public static final String ENCRYPT
      Deprecated.
      Perform an Encryption action. The encryption specific parameters define how to encrypt, which keys to use, and so on.
      See Also:

    • ENCRYPTION

      public static final String ENCRYPTION
      Perform an Encryption action. The encryption specific parameters define how to encrypt, which keys to use, and so on.
      See Also:

    • TIMESTAMP

      public static final String TIMESTAMP
      Add a timestamp to the security header.
      See Also:

    • SIGNATURE_DERIVED

      public static final String SIGNATURE_DERIVED
      Perform a Signature action with derived keys. The signature specific parameters define how to sign, which keys to use, and so on.
      See Also:

    • ENCRYPT_DERIVED

      @Deprecated public static final String ENCRYPT_DERIVED
      Deprecated.
      Perform an Encryption action with derived keys. The encryption specific parameters define how to encrypt, which keys to use, and so on.
      See Also:

    • ENCRYPTION_DERIVED

      public static final String ENCRYPTION_DERIVED
      Perform an Encryption action with derived keys. The encryption specific parameters define how to encrypt, which keys to use, and so on.
      See Also:

    • SIGNATURE_WITH_KERBEROS_TOKEN

      public static final String SIGNATURE_WITH_KERBEROS_TOKEN
      Perform a Signature action with a kerberos token. The signature specific parameters define how to sign, which keys to use, and so on.
      See Also:

    • ENCRYPT_WITH_KERBEROS_TOKEN

      @Deprecated public static final String ENCRYPT_WITH_KERBEROS_TOKEN
      Deprecated.
      Perform a Encryption action with a kerberos token. The signature specific parameters define how to encrypt, which keys to use, and so on.
      See Also:

    • ENCRYPTION_WITH_KERBEROS_TOKEN

      public static final String ENCRYPTION_WITH_KERBEROS_TOKEN
      Perform a Encryption action with a kerberos token. The signature specific parameters define how to encrypt, which keys to use, and so on.
      See Also:

    • KERBEROS_TOKEN

      public static final String KERBEROS_TOKEN
      Add a kerberos token.
      See Also:

    • CUSTOM_TOKEN

      public static final String CUSTOM_TOKEN
      Add a "Custom" token. This token will be retrieved from a CallbackHandler via WSPasswordCallback.Usage.CUSTOM_TOKEN and written out as is in the security header.
      See Also:

    • ACTOR

      public static final String ACTOR
      The actor or role name of the wsse:Security header. If this parameter is omitted, the actor name is not set.

      The value of the actor or role has to match the receiver's setting or may contain standard values.

      The application may set this parameter using the following method: 

       call.setProperty(ConfigurationConstants.ACTOR, "ActorName");
      See Also:

    • USER

      public static final String USER
      The user's name. It is used differently by each of the WS-Security functions.
      • The UsernameToken function sets this name in the UsernameToken.
      • The Signing function uses this name as the alias name in the keystore to get user's certificate and private key to perform signing if SIGNATURE_USER is not used.
      • The encryption functions uses this parameter as fallback if ENCRYPTION_USER is not used.
      See Also:

    • ENCRYPTION_USER

      public static final String ENCRYPTION_USER
      The user's name for encryption. The encryption functions use the public key of this user's certificate to encrypt the generated symmetric key.

      If this parameter is not set, then the encryption function falls back to the USER parameter to get the certificate.

      If only encryption of the SOAP body data is requested, it is recommended to use this parameter to define the username.

      The application may set this parameter using the following method: 

       call.setProperty(ConfigurationConstants.ENCRYPTION_USER, "encryptionUser");
      See Also:

    • SIGNATURE_USER

      public static final String SIGNATURE_USER
      The user's name for signature. This name is used as the alias name in the keystore to get user's certificate and private key to perform signing.

      If this parameter is not set, then the signature function falls back to the USER parameter.

      The application may set this parameter using the following method: 

       call.setProperty(ConfigurationConstants.SIGNATURE_USER, "signatureUser");
      See Also:

    • USE_REQ_SIG_CERT

      public static final String USE_REQ_SIG_CERT
      Specifying this name as ENCRYPTION_USER triggers a special action to get the public key to use for encryption.

      The handler uses the public key of the sender's certificate. Using this way to define an encryption key simplifies certificate management to a large extent.

      See Also:

    • PW_CALLBACK_CLASS

      public static final String PW_CALLBACK_CLASS
      This tag refers to the CallbackHandler implementation class used to obtain passwords. The value of this tag must be the class name of a CallbackHandler instance.

      The callback function CallbackHandler.handle(javax.security.auth.callback.Callback[]) gets an array of WSPasswordCallback objects. Only the first entry of the array is used. This object contains the username/keyname as identifier. The callback handler must set the password or key associated with this identifier before it returns.

      The application may set this parameter using the following method: 

       call.setProperty(ConfigurationConstants.PW_CALLBACK_CLASS, "PWCallbackClass");
      See Also:

    • PW_CALLBACK_REF

      public static final String PW_CALLBACK_REF
      This tag refers to the CallbackHandler implementation object used to obtain passwords. The value of this tag must be a CallbackHandler instance.

      Refer to PW_CALLBACK_CLASS for further information about password callback handling.
      See Also:

    • SAML_CALLBACK_CLASS

      public static final String SAML_CALLBACK_CLASS
      This tag refers to the SAML CallbackHandler implementation class used to construct SAML Assertions. The value of this tag must be the class name of a CallbackHandler instance.
      See Also:

    • SAML_CALLBACK_REF

      public static final String SAML_CALLBACK_REF
      This tag refers to the SAML CallbackHandler implementation object used to construct SAML Assertions. The value of this tag must be a CallbackHandler instance.
      See Also:

    • SIG_PROP_FILE

      public static final String SIG_PROP_FILE
      The path of the crypto property file to use for Signature creation. The classloader loads this file. Therefore it must be accessible via the classpath.

      To locate the implementation of the Crypto interface implementation the property file must contain the property org.apache.wss4j.crypto.provider. The value of this property is the classname of the implementation class.

      The following line defines the standard implementation: 

       org.apache.wss4j.crypto.provider=org.apache.wss4j.common.crypto.Merlin
      The other contents of the property file depend on the implementation of the Crypto interface. Please see the WSS4J website for more information on the Merlin property tags and values.

      The application may set this parameter using the following method: 
       call.setProperty(ConfigurationConstants.SIG_PROP_FILE, "myCrypto.properties");
      See Also:

    • SIG_PROP_REF_ID

      public static final String SIG_PROP_REF_ID
      The key that holds a reference to the object holding complete information about the signature Crypto implementation. This object can either be a Crypto instance or a java.util.Properties file, which should contain all information that would contain in an equivalent properties file which includes the Crypto implementation class name. Refer to documentation of SIG_PROP_FILE.
      See Also:

    • SIG_VER_PROP_FILE

      public static final String SIG_VER_PROP_FILE
      The path of the crypto property file to use for Signature verification. The classloader loads this file. Therefore it must be accessible via the classpath.

      Refer to documentation of SIG_PROP_FILE.

      See Also:

    • SIG_VER_PROP_REF_ID

      public static final String SIG_VER_PROP_REF_ID
      The key that holds a reference to the object holding complete information about the signature verification Crypto implementation. This object can either be a Crypto instance or a java.util.Properties file, which should contain all information that would contain in an equivalent properties file which includes the Crypto implementation class name. Refer to documentation of SIG_VER_PROP_FILE.
      See Also:

    • DEC_PROP_FILE

      public static final String DEC_PROP_FILE
      The path of the crypto property file to use for Decryption. The classloader loads this file. Therefore it must be accessible via the classpath. Refer to documentation of SIG_PROP_FILE for more information about the contents of the Properties file.

      The application may set this parameter using the following method: 

       call.setProperty(ConfigurationConstants.DEC_PROP_FILE, "myCrypto.properties");
      See Also:

    • DEC_PROP_REF_ID

      public static final String DEC_PROP_REF_ID
      The key that holds a reference to the object holding complete information about the decryption Crypto implementation. This object can either be a Crypto instance or a java.util.Properties file, which should contain all information that would contain in an equivalent properties file which includes the Crypto implementation class name. Refer to documentation of DEC_PROP_FILE.
      See Also:

    • ENC_PROP_FILE

      public static final String ENC_PROP_FILE
      The path of the crypto property file to use for Encryption. The classloader loads this file. Therefore it must be accessible via the classpath. Refer to documentation of SIG_PROP_FILE for more information about the contents of the Properties file.

      The application may set this parameter using the following method: 

       call.setProperty(ConfigurationConstants.ENC_PROP_FILE, "myCrypto.properties");
      See Also:

    • ENC_PROP_REF_ID

      public static final String ENC_PROP_REF_ID
      The key that holds a reference to the object holding complete information about the encryption Crypto implementation. This object can either be a Crypto instance or a java.util.Properties file, which should contain all information that would contain in an equivalent properties file which includes the Crypto implementation class name. Refer to documentation of ENC_PROP_FILE.
      See Also:

    • ENABLE_SIGNATURE_CONFIRMATION

      public static final String ENABLE_SIGNATURE_CONFIRMATION
      Whether to enable signatureConfirmation or not. The default value is "false".
      See Also:

    • MUST_UNDERSTAND

      public static final String MUST_UNDERSTAND
      Whether to set the mustUnderstand flag on an outbound message or not. The default setting is "true".

      The application may set this parameter using the following method: 

       call.setProperty(ConfigurationConstants.MUST_UNDERSTAND, "false");
      See Also:

    • IS_BSP_COMPLIANT

      public static final String IS_BSP_COMPLIANT
      Whether to ensure compliance with the Basic Security Profile (BSP) 1.1 or not. The default value is "true".

      The application may set this parameter using the following method: 

       call.setProperty(ConfigurationConstants.IS_BSP_COMPLIANT, "false");
      See Also:

    • ADD_INCLUSIVE_PREFIXES

      public static final String ADD_INCLUSIVE_PREFIXES
      Whether to add an InclusiveNamespaces PrefixList as a CanonicalizationMethod child when generating Signatures using WSConstants.C14N_EXCL_OMIT_COMMENTS. The default is true.
      See Also:

    • ADD_USERNAMETOKEN_NONCE

      public static final String ADD_USERNAMETOKEN_NONCE
      Whether to add a Nonce Element to a UsernameToken. This only applies when the password type is of type "text". A Nonce is automatically added for the "digest" case. The default is false.
      See Also:

    • ADD_USERNAMETOKEN_CREATED

      public static final String ADD_USERNAMETOKEN_CREATED
      Whether to add a Created Element to a UsernameToken. This only applies when the password type is of type "text". A Created is automatically added for the "digest" case. The default is false.
      See Also:

    • HANDLE_CUSTOM_PASSWORD_TYPES

      public static final String HANDLE_CUSTOM_PASSWORD_TYPES
      This variable controls whether types other than PasswordDigest or PasswordText are allowed when processing UsernameTokens. The default value is "false".
      See Also:

    • ALLOW_USERNAMETOKEN_NOPASSWORD

      public static final String ALLOW_USERNAMETOKEN_NOPASSWORD
      This variable controls whether a UsernameToken with no password element is allowed. The default value is "false". Set it to "true" to allow deriving keys from UsernameTokens or to support UsernameTokens for purposes other than authentication.
      See Also:

    • ALLOW_NAMESPACE_QUALIFIED_PASSWORD_TYPES

      public static final String ALLOW_NAMESPACE_QUALIFIED_PASSWORD_TYPES
      This variable controls whether (wsse) namespace qualified password types are accepted when processing UsernameTokens. The default value is "false".
      See Also:

    • ENABLE_REVOCATION

      public static final String ENABLE_REVOCATION
      This variable controls whether to enable Certificate Revocation List (CRL) checking or not when verifying trust in a certificate. The default value is "false".
      See Also:

    • USE_SINGLE_CERTIFICATE

      public static final String USE_SINGLE_CERTIFICATE
      This parameter sets whether to use a single certificate or a whole certificate chain when constructing a BinarySecurityToken used for direct reference in signature. The default is "true", meaning that only a single certificate is used.
      See Also:

    • USE_DERIVED_KEY_FOR_MAC

      public static final String USE_DERIVED_KEY_FOR_MAC
      This parameter sets whether to use the Username Token derived key for a MAC or not. The default is "true".
      See Also:

    • TIMESTAMP_PRECISION

      public static final String TIMESTAMP_PRECISION
      Set whether Timestamps have precision in milliseconds. This applies to the creation of Timestamps only. The default value is "true".
      See Also:

    • TIMESTAMP_STRICT

      public static final String TIMESTAMP_STRICT
      Set the value of this parameter to true to enable strict timestamp handling. The default value is "true". Strict Timestamp handling: throw an exception if a Timestamp contains an Expires element and the semantics of the request are expired, i.e. the current time at the receiver is past the expires time.
      See Also:

    • REQUIRE_TIMESTAMP_EXPIRES

      public static final String REQUIRE_TIMESTAMP_EXPIRES
      Set the value of this parameter to true to require that a Timestamp must have an "Expires" Element. The default is "false".
      See Also:

    • ENC_SYM_ENC_KEY

      public static final String ENC_SYM_ENC_KEY
      Defines whether to encrypt the symmetric encryption key or not. If true (the default), the symmetric key used for encryption is encrypted in turn, and inserted into the security header in an "EncryptedKey" structure. If set to false, no EncryptedKey structure is constructed.

      The application may set this parameter using the following method: 

       call.setProperty(ConfigurationConstants.ENC_SYM_ENC_KEY, "false");
      See Also:

    • REQUIRE_SIGNED_ENCRYPTED_DATA_ELEMENTS

      public static final String REQUIRE_SIGNED_ENCRYPTED_DATA_ELEMENTS
      Whether the engine needs to enforce EncryptedData elements are in a signed subtree of the document. This can be used to prevent some wrapping based attacks when encrypt-before-sign token protection is selected.
      See Also:

    • ALLOW_RSA15_KEY_TRANSPORT_ALGORITHM

      public static final String ALLOW_RSA15_KEY_TRANSPORT_ALGORITHM
      Whether to allow the RSA v1.5 Key Transport Algorithm or not. Use of this algorithm is discouraged, and so the default is "false".
      See Also:

    • VALIDATE_SAML_SUBJECT_CONFIRMATION

      public static final String VALIDATE_SAML_SUBJECT_CONFIRMATION
      Whether to validate the SubjectConfirmation requirements of a received SAML Token (sender-vouches or holder-of-key). The default is true.
      See Also:

    • INCLUDE_SIGNATURE_TOKEN

      public static final String INCLUDE_SIGNATURE_TOKEN
      Whether to include the Signature Token in the security header as well or not. This is only applicable to the IssuerSerial, Thumbprint and SKI Key Identifier cases. The default is false.
      See Also:

    • INCLUDE_ENCRYPTION_TOKEN

      public static final String INCLUDE_ENCRYPTION_TOKEN
      Whether to include the Encryption token (BinarySecurityToken) in the security header as well or not. This is only applicable to the IssuerSerial, Thumbprint and SKI Key Identifier cases. The default is false.
      See Also:

    • USE_2005_12_NAMESPACE

      public static final String USE_2005_12_NAMESPACE
      Whether to use the "http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512" namespace for SecureConversation + Derived Keys. If set to "false", it will use the namespace "http://schemas.xmlsoap.org/ws/2005/02/sc". The default is true.
      See Also:

    • GET_SECRET_KEY_FROM_CALLBACK_HANDLER

      public static final String GET_SECRET_KEY_FROM_CALLBACK_HANDLER
      Whether to get a secret key from a CallbackHandler or not for encryption only. The default is false. If set to true WSS4J attempts to get the secret key from the CallbackHandler instead of generating a random key internally. This allows the user more control over the symmetric key if required.
      See Also:

    • STORE_BYTES_IN_ATTACHMENT

      public static final String STORE_BYTES_IN_ATTACHMENT
      Whether to store bytes (CipherData or BinarySecurityToken) in an attachment. The default is false, meaning that bytes are BASE-64 encoded and "inlined" in the message. Setting this to true is more efficient, as it means that the BASE-64 encoding step can be skipped. For this to work, a CallbackHandler must be set on RequestData that can handle attachments.
      See Also:

    • EXPAND_XOP_INCLUDE_FOR_SIGNATURE

      @Deprecated public static final String EXPAND_XOP_INCLUDE_FOR_SIGNATURE
      Deprecated.
      Whether to expand xop:Include Elements encountered when verifying a Signature. The default is true, meaning that the relevant attachment bytes are BASE-64 encoded and inserted into the Element. This ensures that the actual bytes are signed, and not just the reference. This configuration tag has been deprecated in favour of EXPAND_XOP_INCLUDE.
      See Also:

    • EXPAND_XOP_INCLUDE

      public static final String EXPAND_XOP_INCLUDE
      Whether to search for and expand xop:Include Elements for encryption and signature (on the outbound side) or for signature verification (on the inbound side). The default is false on the outbound side and true on the inbound side. What this means on the inbound side, is that the relevant attachment bytes are BASE-64 encoded and inserted into the Element. This ensures that the actual bytes are signed, and not just the reference.
      See Also:

    • PASSWORD_TYPE

      public static final String PASSWORD_TYPE
      Specific parameter for UsernameTokens to define the encoding of the password. It can be used on either the outbound or inbound side. The valid values are: - PasswordDigest - PasswordText - PasswordNone On the Outbound side, the default value is PW_DIGEST. There is no default value on the inbound side. If a value is specified on the inbound side, the password type of the received UsernameToken must match the specified type, or an exception will be thrown.
      See Also:

    • SIG_KEY_ID

      public static final String SIG_KEY_ID
      Defines which key identifier type to use for signature. The WS-Security specifications recommends to use the identifier type IssuerSerial. For signature IssuerSerial, DirectReference, X509KeyIdentifier, Thumbprint, SKIKeyIdentifier and KeyValue are valid only.

      The default is IssuerSerial.

      The application may set this parameter using the following method: 

       call.setProperty(ConfigurationConstants.SIG_KEY_ID, "DirectReference");
      See Also:

    • SIG_ALGO

      public static final String SIG_ALGO
      Defines which signature algorithm to use. The default is set by the data in the certificate, i.e. one of the following: "http://www.w3.org/2000/09/xmldsig#rsa-sha1" "http://www.w3.org/2000/09/xmldsig#dsa-sha1"

      The application may set this parameter using the following method: 

       call.setProperty(
     ConfigurationConstants.SIG_ALGO,
     "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
 );
      See Also:

    • SIG_DIGEST_ALGO

      public static final String SIG_DIGEST_ALGO
      Defines which signature digest algorithm to use. The default is: "http://www.w3.org/2000/09/xmldsig#sha1"

      The application may set this parameter using the following method: 

       call.setProperty(
    ConfigurationConstants.SIG_DIGEST_ALGO, "http://www.w3.org/2001/04/xmlenc#sha256"
 );
      See Also:

    • SIG_C14N_ALGO

      public static final String SIG_C14N_ALGO
      Defines which signature c14n (canonicalization) algorithm to use. The default is: "http://www.w3.org/2001/10/xml-exc-c14n#"
      See Also:

    • SIGNATURE_PARTS

      public static final String SIGNATURE_PARTS
      Parameter to define which parts of the request shall be signed.

      Refer to ENCRYPTION_PARTS for a detailed description of the format of the value string.

      If this parameter is not specified the handler signs the SOAP Body by default, i.e.: 

       <parameter name="signatureParts"
   value="{}{http://schemas.xmlsoap.org/soap/envelope/}Body;" />
      To specify an element without a namespace use the string Null as the namespace name (this is a case sensitive string)

      If there is no other element in the request with a local name of Body then the SOAP namespace identifier can be empty ({}).

      See Also:

    • OPTIONAL_SIGNATURE_PARTS

      public static final String OPTIONAL_SIGNATURE_PARTS
      Parameter to define which parts of the request shall be signed, if they exist in the request. If they do not, then no error is thrown. This contrasts with the SIGNATURE_PARTS Identifier, which specifies elements that must be signed in the request.

      Refer to ENCRYPTION_PARTS for a detailed description of the format of the value string.

      See Also:

    • DERIVED_KEY_ITERATIONS

      public static final String DERIVED_KEY_ITERATIONS
      This parameter sets the number of iterations to use when deriving a key from a Username Token. The default is 1000.
      See Also:

    • ENC_KEY_ID

      public static final String ENC_KEY_ID
      Defines which key identifier type to use for encryption. The WS-Security specifications recommends to use the identifier type IssuerSerial. For encryption IssuerSerial, DirectReference, X509KeyIdentifier, Thumbprint, SKIKeyIdentifier, EncryptedKeySHA1 and EmbeddedKeyName are valid only.

      The default is IssuerSerial.

      The application may set this parameter using the following method: 

       call.setProperty(ConfigurationConstants.ENC_KEY_ID, "X509KeyIdentifier");
      See Also:

    • ENC_SYM_ALGO

      public static final String ENC_SYM_ALGO
      Defines which symmetric encryption algorithm to use. WSS4J supports the following algorithms: "http://www.w3.org/2001/04/xmlenc#tripledes-cbc"; "http://www.w3.org/2001/04/xmlenc#aes128-cbc"; "http://www.w3.org/2001/04/xmlenc#aes256-cbc"; "http://www.w3.org/2001/04/xmlenc#aes192-cbc"; Except for AES 192 all of these algorithms are required by the XML Encryption specification. The default algorithm is: "http://www.w3.org/2001/04/xmlenc#aes128-cbc"

      The application may set this parameter using the following method: 

       call.setProperty(ConfigurationConstants.ENC_SYM_ALGO, WSConstants.AES_256);
      See Also:

    • ENC_KEY_TRANSPORT

      public static final String ENC_KEY_TRANSPORT
      Defines which algorithm to use to encrypt the generated symmetric key. The default algorithm is: "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"

      The application may set this parameter using the following method: 

       call.setProperty(ConfigurationConstants.ENC_KEY_TRANSPORT, WSConstants.KEYTRANSPORT_RSA15);
      See Also:

    • ENCRYPTION_PARTS

      public static final String ENCRYPTION_PARTS
      Parameter to define which parts of the request shall be encrypted.

      The value of this parameter is a list of semi-colon separated element names that identify the elements to encrypt. An encryption mode specifier and a namespace identification, each inside a pair of curly brackets, may preceed each element name.

      The encryption mode specifier is either {Content} or {Element}. Please refer to the W3C XML Encryption specification about the differences between Element and Content encryption. The encryption mode defaults to Content if it is omitted. Example of a list: 

       <parameter name="encryptionParts"
   value="{Content}{http://example.org/paymentv2}CreditCard;
             {Element}{}UserName" />
      The the first entry of the list identifies the element CreditCard in the namespace http://example.org/paymentv2, and will encrypt its content. Be aware that the element name, the namespace identifier, and the encryption modifier are case sensitive.

      The encryption modifier and the namespace identifier can be ommited. In this case the encryption mode defaults to Content and the namespace is set to the SOAP namespace.

      An empty encryption mode defaults to Content, an empty namespace identifier defaults to the SOAP namespace. The second line of the example defines Element as encryption mode for an UserName element in the SOAP namespace.

      Note that the special value "{}cid:Attachments;" means that all of the message attachments should be encrypted.

      To specify an element without a namespace use the string Null as the namespace name (this is a case sensitive string)

      If no list is specified, the handler encrypts the SOAP Body in Content mode by default.

      See Also:

    • OPTIONAL_ENCRYPTION_PARTS

      public static final String OPTIONAL_ENCRYPTION_PARTS
      Parameter to define which parts of the request shall be encrypted, if they exist in the request. If they do not, then no error is thrown. This contrasts with the ENCRYPTION_PARTS Identifier, which specifies elements that must be encrypted in the request.

      Refer to ENCRYPTION_PARTS for a detailed description of the format of the value string.

      See Also:

    • ENC_DIGEST_ALGO

      public static final String ENC_DIGEST_ALGO
      Defines which encryption digest algorithm to use with the RSA OAEP Key Transport algorithm for encryption. The default is SHA-1.

      The application may set this parameter using the following method: 

       call.setProperty(
    ConfigurationConstants.ENC_DIGEST_ALGO, "http://www.w3.org/2001/04/xmlenc#sha256"
 );
      See Also:

    • ENC_MGF_ALGO

      public static final String ENC_MGF_ALGO
      Defines which encryption mgf algorithm to use with the RSA OAEP Key Transport algorithm for encryption. The default is mgfsha1.

      The application may set this parameter using the following method: 

       call.setProperty(
    ConfigurationConstants.ENC_MGF_ALGO, "http://www.w3.org/2009/xmlenc11#mgf1sha256"
 );
      See Also:

    • TTL_USERNAMETOKEN

      public static final String TTL_USERNAMETOKEN
      Time-To-Live is the time difference between creation and expiry time in seconds of the UsernameToken Created value. After this time the SOAP request is invalid (at least the security data shall be treated this way).

      If this parameter is not defined, contains a value less or equal zero, or an illegal format the handlers use a default TTL of 300 seconds (5 minutes).

      See Also:

    • TTL_FUTURE_USERNAMETOKEN

      public static final String TTL_FUTURE_USERNAMETOKEN
      This configuration tag specifies the time in seconds in the future within which the Created time of an incoming UsernameToken is valid. The default value is "60", to avoid problems where clocks are slightly askew. To reject all future-created UsernameTokens, set this value to "0".
      See Also:

    • SIG_SUBJECT_CERT_CONSTRAINTS

      public static final String SIG_SUBJECT_CERT_CONSTRAINTS
      This configuration tag is a String (separated by the value specified for SIG_CERT_CONSTRAINTS_SEPARATOR) of regular expressions which will be applied to the subject DN of the certificate used for signature validation, after trust verification of the certificate chain associated with the certificate.
      See Also:

    • SIG_ISSUER_CERT_CONSTRAINTS

      public static final String SIG_ISSUER_CERT_CONSTRAINTS
      This configuration tag is a String (separated by the value specified for SIG_CERT_CONSTRAINTS_SEPARATOR) of regular expressions which will be applied to the issuer DN of the certificate used for signature validation, after trust verification of the certificate chain associated with the certificate.
      See Also:

    • SIG_CERT_CONSTRAINTS_SEPARATOR

      public static final String SIG_CERT_CONSTRAINTS_SEPARATOR
      This configuration tag refers to the separator that is used to parse certificate constraints configured in the SIG_SUBJECT_CERT_CONSTRAINTS and SIG_ISSUER_CERT_CONSTRAINTS configuration tags. By default it is a comma - ",".
      See Also:

    • TTL_TIMESTAMP

      public static final String TTL_TIMESTAMP
      Time-To-Live is the time difference between creation and expiry time in seconds in the WSS Timestamp. After this time the SOAP request is invalid (at least the security data shall be treated this way).

      If this parameter is not defined, contains a value less or equal zero, or an illegal format the handlers use a default TTL of 300 seconds (5 minutes).

      See Also:

    • TTL_FUTURE_TIMESTAMP

      public static final String TTL_FUTURE_TIMESTAMP
      This configuration tag specifies the time in seconds in the future within which the Created time of an incoming Timestamp is valid. The default value is "60", to avoid problems where clocks are slightly askew. To reject all future-created Timestamps, set this value to "0".
      See Also:

    • VALIDATOR_MAP

      public static final String VALIDATOR_MAP
      This tag refers to a Map of QName, Object (Validator) instances to be used to validate tokens identified by their QName. For the DOM layer, the Object should be a org.apache.wss4j.dom.validate.Validator instance. For the StAX layer, it should be a org.apache.wss4j.stax.validate.Validator instance.
      See Also:

    • NONCE_CACHE_INSTANCE

      public static final String NONCE_CACHE_INSTANCE
      This holds a reference to a ReplayCache instance used to cache UsernameToken nonces. The default instance that is used is the EHCacheReplayCache.
      See Also:

    • TIMESTAMP_CACHE_INSTANCE

      public static final String TIMESTAMP_CACHE_INSTANCE
      This holds a reference to a ReplayCache instance used to cache Timestamp Created Strings. The default instance that is used is the EHCacheReplayCache.
      See Also:

    • SAML_ONE_TIME_USE_CACHE_INSTANCE

      public static final String SAML_ONE_TIME_USE_CACHE_INSTANCE
      This holds a reference to a ReplayCache instance used to cache SAML2 Token Identifier Strings (if the token contains a OneTimeUse Condition). The default instance that is used is the EHCacheReplayCache.
      See Also:

    • PASSWORD_ENCRYPTOR_INSTANCE

      public static final String PASSWORD_ENCRYPTOR_INSTANCE
      This holds a reference to a PasswordEncryptor instance, which is used to encrypt or decrypt passwords in the Merlin Crypto implementation (or any custom Crypto implementations). By default, WSS4J uses the JasyptPasswordEncryptor, which must be instantiated with a password to use to decrypt keystore passwords in the Merlin Crypto properties file. This password is obtained via the CallbackHandler defined via PW_CALLBACK_CLASS or PW_CALLBACK_REF. The encrypted passwords must be stored in the format "ENC(encoded encrypted password)".
      See Also:

    • DERIVED_TOKEN_REFERENCE

      public static final String DERIVED_TOKEN_REFERENCE
      This controls the deriving token from which DerivedKeyTokens derive keys from. Valid values are: - DirectReference: A reference to a BinarySecurityToken - EncryptedKey: A reference to an EncryptedKey - SecurityContextToken: A reference to a SecurityContextToken
      See Also:

    • DERIVED_TOKEN_KEY_ID

      public static final String DERIVED_TOKEN_KEY_ID
      This controls the key identifier of Derived Tokens, i.e. how they reference the deriving key.
      See Also:

    • DERIVED_SIGNATURE_KEY_LENGTH

      public static final String DERIVED_SIGNATURE_KEY_LENGTH
      The length to use (in bytes) when deriving a key for Signature. If this is not specified, it defaults to a value based on the signature algorithm.
      See Also:

    • DERIVED_ENCRYPTION_KEY_LENGTH

      public static final String DERIVED_ENCRYPTION_KEY_LENGTH
      The length to use (in bytes) when deriving a key for Encryption. If this is not specified, it defaults to a value based on the encryption algorithm.
      See Also:

  • Constructor Details

    • ConfigurationConstants

      protected ConfigurationConstants()