Class SecurityConstants

  • Direct Known Subclasses:
    SecurityConstants

    public class SecurityConstants
    extends Object
    This class contains some configuration tags that can be used to configure various security properties. These tags are shared between the SOAP stack (WS-SecurityPolicy configuration), as well as the REST stack (JAX-RS XML Security). The configuration tags largely relate to properties for signing, encryption as well as SAML tokens. Most of the signing/encryption tags refer to Apache WSS4J "Crypto" objects, which are used by both stacks to control how certificates/keys are retrieved, etc. More specific configuration tags for WS-SecurityPolicy are configured in the SecurityConstants class in the cxf-rt-ws-security module, which extends this class.
    • Field Detail

      • USERNAME

        public static final String USERNAME
        The user's name. It is used as follows: a) As the name in the UsernameToken for WS-Security. b) As the alias name in the keystore to get the user's cert and private key for signature if SIGNATURE_USERNAME is not set. c) As the alias name in the keystore to get the user's public key for encryption if ENCRYPT_USERNAME is not set.
        See Also:
        Constant Field Values
      • SIGNATURE_USERNAME

        public static final String SIGNATURE_USERNAME
The user's name for signature. It is used as the alias name in the keystore to get the user's cert and private key for signature. If this is not defined, then USERNAME is used instead. If that is also not specified, it uses the default alias set in the properties file referenced by SIGNATURE_PROPERTIES. If that's also not set, and the keystore only contains a single key, that key will be used.
        See Also:
        Constant Field Values
      • ENCRYPT_USERNAME

        public static final String ENCRYPT_USERNAME
The user's name for encryption. It is used as the alias name in the keystore to get the user's public key for encryption. If this is not defined, then USERNAME is used instead. If that is also not specified, it uses the default alias set in the properties file referenced by ENCRYPT_PROPERTIES. If that's also not set, and the keystore only contains a single key, that key will be used. For the WS-Security web service provider, the "useReqSigCert" keyword can be used to accept (encrypt to) any client whose public key is in the service's truststore (defined in ENCRYPT_PROPERTIES).
        See Also:
        Constant Field Values
      • CALLBACK_HANDLER

        public static final String CALLBACK_HANDLER
        The CallbackHandler implementation class used to obtain passwords, for both outbound and inbound requests. The value of this tag must be either: a) The class name of a CallbackHandler instance, which must be accessible via the classpath. b) A CallbackHandler instance.
        See Also:
        Constant Field Values
      • SAML_CALLBACK_HANDLER

        public static final String SAML_CALLBACK_HANDLER
        The SAML CallbackHandler implementation class used to construct SAML Assertions. The value of this tag must be either: a) The class name of a CallbackHandler instance, which must be accessible via the classpath. b) A CallbackHandler instance.
        See Also:
        Constant Field Values
      • SIGNATURE_PROPERTIES

        public static final String SIGNATURE_PROPERTIES
        The Crypto property configuration to use for signature, if SIGNATURE_CRYPTO is not set instead. The value of this tag must be either: a) A Java Properties object that contains the Crypto configuration. b) The path of the Crypto property file that contains the Crypto configuration. c) A URL that points to the Crypto property file that contains the Crypto configuration.
        See Also:
        Constant Field Values
      • ENCRYPT_PROPERTIES

        public static final String ENCRYPT_PROPERTIES
        The Crypto property configuration to use for encryption, if ENCRYPT_CRYPTO is not set instead. The value of this tag must be either: a) A Java Properties object that contains the Crypto configuration. b) The path of the Crypto property file that contains the Crypto configuration. c) A URL that points to the Crypto property file that contains the Crypto configuration.
        See Also:
        Constant Field Values
      • ENCRYPT_CERT

        public static final String ENCRYPT_CERT
A message property holding a prepared X509 certificate to be used for encryption. If this is not defined, then the certificate will be either loaded from the keystore referenced by ENCRYPT_PROPERTIES or extracted from the request (when WS-Security is used and ENCRYPT_USERNAME has the value "useReqSigCert").
        See Also:
        Constant Field Values
      • ENABLE_REVOCATION

        public static final String ENABLE_REVOCATION
        Whether to enable Certificate Revocation List (CRL) checking or not when verifying trust in a certificate. The default value is "false".
        See Also:
        Constant Field Values
      • ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL

        public static final String ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL
Whether to allow unsigned SAML assertions as SecurityContext Principals. The default is false. Note that "unsigned" refers to an internal signature. Even if the token is signed by an external signature (as per the "sender-vouches" requirement), this boolean must still be configured if you want to use the token to set up the security context.
        See Also:
        Constant Field Values
      • ENABLE_UT_NOPASSWORD_PRINCIPAL

        public static final String ENABLE_UT_NOPASSWORD_PRINCIPAL
        Whether to allow UsernameTokens with no password to be used as SecurityContext Principals. The default is false.
        See Also:
        Constant Field Values
      • VALIDATE_SAML_SUBJECT_CONFIRMATION

        public static final String VALIDATE_SAML_SUBJECT_CONFIRMATION
        Whether to validate the SubjectConfirmation requirements of a received SAML Token (sender-vouches or holder-of-key). The default is true.
        See Also:
        Constant Field Values
      • SC_FROM_JAAS_SUBJECT

        public static final String SC_FROM_JAAS_SUBJECT
Set this to "false" if the security context must not be created from the JAAS Subject. The default value is "true".
        See Also:
        Constant Field Values
      • AUDIENCE_RESTRICTION_VALIDATION

        public static final String AUDIENCE_RESTRICTION_VALIDATION
        Enable SAML AudienceRestriction validation. If this is set to "true", then IF the SAML Token contains Audience Restriction URIs, one of them must match one of the values of the AUDIENCE_RESTRICTIONS property. The default is "true" for SOAP services, "false" for REST services.
        See Also:
        Constant Field Values
      • SAML_ROLE_ATTRIBUTENAME

        public static final String SAML_ROLE_ATTRIBUTENAME
        The attribute URI of the SAML AttributeStatement where the role information is stored. The default is "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role".
        See Also:
        Constant Field Values
      • SUBJECT_CERT_CONSTRAINTS

        public static final String SUBJECT_CERT_CONSTRAINTS
        A String of regular expressions (separated by the value specified for CERT_CONSTRAINTS_SEPARATOR) which will be applied to the subject DN of the certificate used for signature validation, after trust verification of the certificate chain associated with the certificate.
        See Also:
        Constant Field Values
      • CERT_CONSTRAINTS_SEPARATOR

        public static final String CERT_CONSTRAINTS_SEPARATOR
        The separator that is used to parse certificate constraints configured in the SUBJECT_CERT_CONSTRAINTS tag. By default it is a comma - ",".
        See Also:
        Constant Field Values
      • STS_CLIENT

        public static final String STS_CLIENT
        A reference to the STSClient class used to communicate with the STS.
        See Also:
        Constant Field Values
      • STS_APPLIES_TO

        public static final String STS_APPLIES_TO
        The "AppliesTo" address to send to the STS. The default is the endpoint address of the service provider.
        See Also:
        Constant Field Values
      • STS_TOKEN_USE_CERT_FOR_KEYINFO

        public static final String STS_TOKEN_USE_CERT_FOR_KEYINFO
        Whether to write out an X509Certificate structure in UseKey/KeyInfo, or whether to write out a KeyValue structure. The default value is "false".
        See Also:
        Constant Field Values
      • STS_TOKEN_DO_CANCEL

        public static final String STS_TOKEN_DO_CANCEL
        Whether to cancel a token when using SecureConversation after successful invocation. The default is "false".
        See Also:
        Constant Field Values
      • STS_ISSUE_AFTER_FAILED_RENEW

        public static final String STS_ISSUE_AFTER_FAILED_RENEW
        Whether to fall back to calling "issue" after failing to renew an expired token. Some STSs do not support the renew binding, and so we should just issue a new token after expiry. The default is true.
        See Also:
        Constant Field Values
      • CACHE_ISSUED_TOKEN_IN_ENDPOINT

        public static final String CACHE_ISSUED_TOKEN_IN_ENDPOINT
        Set this to "false" to not cache a SecurityToken per proxy object in the IssuedTokenInterceptorProvider. This should be done if a token is being retrieved from an STS in an intermediary. The default value is "true".
        See Also:
        Constant Field Values
      • DISABLE_STS_CLIENT_WSMEX_CALL_USING_EPR_ADDRESS

        public static final String DISABLE_STS_CLIENT_WSMEX_CALL_USING_EPR_ADDRESS
Whether to stop the STS client from attempting a WS-MetadataExchange call to the STS EPR's WS-Addressing address when the endpoint contract contains no WS-MetadataExchange information. The default value is "false".
        See Also:
        Constant Field Values
      • PREFER_WSMEX_OVER_STS_CLIENT_CONFIG

        public static final String PREFER_WSMEX_OVER_STS_CLIENT_CONFIG
Whether to prefer WS-MEX over an STSClient's location/wsdlLocation properties when making an STS RequestSecurityToken call. This can be set to true for the scenario of making a WS-MEX call to an initial STS, and using the returned token to make another call to an STS (which is configured using the STSClient configuration). Default is "false".
        See Also:
        Constant Field Values
      • STS_CLIENT_SOAP12_BINDING

        public static final String STS_CLIENT_SOAP12_BINDING
Switch the STS client to send SOAP 1.2 messages.
        See Also:
        Constant Field Values
      • STS_TOKEN_CRYPTO

        public static final String STS_TOKEN_CRYPTO
A Crypto object to be used for the STS. If this is not defined then STS_TOKEN_PROPERTIES is used instead. WCF's trust server will sometimes encrypt the token in the response IN ADDITION TO the full security on the message. These properties control the way the STS client will decrypt the EncryptedData elements in the response. They are also used by the STSClient to send/process any RSA/DSAKeyValue tokens used if the KeyType is "PublicKey".
        See Also:
        Constant Field Values
      • STS_TOKEN_PROPERTIES

        public static final String STS_TOKEN_PROPERTIES
        The Crypto property configuration to use for the STS, if STS_TOKEN_CRYPTO is not set instead. The value of this tag must be either: a) A Java Properties object that contains the Crypto configuration. b) The path of the Crypto property file that contains the Crypto configuration. c) A URL that points to the Crypto property file that contains the Crypto configuration.
        See Also:
        Constant Field Values
      • STS_TOKEN_USERNAME

        public static final String STS_TOKEN_USERNAME
        The alias name in the keystore to get the user's public key to send to the STS for the PublicKey KeyType case.
        See Also:
        Constant Field Values
      • STS_TOKEN_ACT_AS

        public static final String STS_TOKEN_ACT_AS
The token to be sent to the STS in an "ActAs" field. It can be either: a) A String (which must be an XML statement like "...") b) A DOM Element c) A CallbackHandler object to use to obtain the token. In the case of a CallbackHandler, it must be able to handle an org.apache.cxf.ws.security.trust.delegation.DelegationCallback object, which contains a reference to the current Message. The CallbackHandler implementation is required to set the token Element to be sent in the request on the Callback. Some examples that can be reused are: org.apache.cxf.ws.security.trust.delegation.ReceivedTokenCallbackHandler and org.apache.cxf.ws.security.trust.delegation.WSSUsernameCallbackHandler.
        See Also:
        Constant Field Values
      • STS_TOKEN_ON_BEHALF_OF

        public static final String STS_TOKEN_ON_BEHALF_OF
The token to be sent to the STS in an "OnBehalfOf" field. It can be either: a) A String (which must be an XML statement like "...") b) A DOM Element c) A CallbackHandler object to use to obtain the token. In the case of a CallbackHandler, it must be able to handle an org.apache.cxf.ws.security.trust.delegation.DelegationCallback object, which contains a reference to the current Message. The CallbackHandler implementation is required to set the token Element to be sent in the request on the Callback. Some examples that can be reused are: org.apache.cxf.ws.security.trust.delegation.ReceivedTokenCallbackHandler and org.apache.cxf.ws.security.trust.delegation.WSSUsernameCallbackHandler.
        See Also:
        Constant Field Values
      • STS_TOKEN_IMMINENT_EXPIRY_VALUE

        public static final String STS_TOKEN_IMMINENT_EXPIRY_VALUE
This is the value in seconds within which a token is considered to be expired by the client. When a cached token (from an STS) is retrieved by the client, it is considered to be expired if it will expire in less time than the value specified by this tag. This prevents token expiry while the message is en route or being processed by the service. When the token is found to be expired then it will be renewed via the STS. The default value is 10 (seconds). Specify 0 to avoid this check.
        See Also:
        Constant Field Values
      • STS_TOKEN_CACHER_IMPL

        public static final String STS_TOKEN_CACHER_IMPL
        An implementation of the STSTokenCacher interface, if you want to plug in custom caching behaviour for STS clients. The default value is the DefaultSTSTokenCacher.
        See Also:
        Constant Field Values
      • STS_CHECK_FOR_RECURSIVE_CALL

        public static final String STS_CHECK_FOR_RECURSIVE_CALL
Check that we are not invoking on the STS using its own IssuedToken policy - in which case we would end up in a recursive loop. This check might be a problem in the unlikely scenario that the remote endpoint has the same service / port QName as the STS, so this configuration flag allows the check to be disabled for that scenario. The default is "true".
        See Also:
        Constant Field Values
      • AUDIENCE_RESTRICTIONS

        public static final String AUDIENCE_RESTRICTIONS
        This property contains a comma separated String corresponding to a list of audience restriction URIs. The default value for this property contains the request URL and the Service QName. If the AUDIENCE_RESTRICTION_VALIDATION property is "true", and if a received SAML Token contains audience restriction URIs, then one of them must match one of the values specified in this property.
        See Also:
        Constant Field Values
      • COMMON_PROPERTIES

        public static final Set<String> COMMON_PROPERTIES
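As an added example (not part of the CXF Javadoc or the project's own code), the tags above wired together for a client that signs with its own key and encrypts to the service, using the Properties form of SIGNATURE_PROPERTIES/ENCRYPT_PROPERTIES and an instance form of CALLBACK_HANDLER. It assumes the rt-security package `org.apache.cxf.rt.security`, WSS4J 2.x Merlin property names, and made-up aliases, keystore paths and passwords:

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.cxf.rt.security.SecurityConstants;
import org.apache.wss4j.common.ext.WSPasswordCallback;

public final class SigningClientConfig {
    /** WSS4J Merlin Crypto configuration as a Properties object (option a) of SIGNATURE_PROPERTIES / ENCRYPT_PROPERTIES). */
    static Properties merlin(String keystoreFile, String keystorePassword) {
        Properties p = new Properties();
        p.setProperty("org.apache.wss4j.crypto.provider", "org.apache.wss4j.common.crypto.Merlin");
        p.setProperty("org.apache.wss4j.crypto.merlin.keystore.type", "jks");
        p.setProperty("org.apache.wss4j.crypto.merlin.keystore.file", keystoreFile);   // assumed path
        p.setProperty("org.apache.wss4j.crypto.merlin.keystore.password", keystorePassword);
        return p;
    }

    /** CALLBACK_HANDLER option b): answers WSS4J's password callback for the signing key only, refusing anything else. */
    static final class SigningKeyPasswordHandler implements CallbackHandler {
        private final char[] keyPassword;
        SigningKeyPasswordHandler(char[] keyPassword) { this.keyPassword = keyPassword; }
        @Override public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (!(cb instanceof WSPasswordCallback)) throw new UnsupportedCallbackException(cb);
                WSPasswordCallback pc = (WSPasswordCallback) cb;
                if (pc.getUsage() == WSPasswordCallback.SIGNATURE) pc.setPassword(new String(keyPassword));
            }
        }
    }

    /** Endpoint-level properties (e.g. JaxWsProxyFactoryBean.setProperties): govern outbound signing and inbound verification. */
    static Map<String, Object> securityProperties() {
        Map<String, Object> props = new HashMap<>();
        props.put(SecurityConstants.SIGNATURE_USERNAME, "client-sign");   // keystore alias; USERNAME is the fallback
        props.put(SecurityConstants.SIGNATURE_PROPERTIES, merlin("/etc/app/client.jks", "changeit"));
        props.put(SecurityConstants.CALLBACK_HANDLER, new SigningKeyPasswordHandler("changeit".toCharArray()));
        props.put(SecurityConstants.ENCRYPT_USERNAME, "service-enc");     // alias of the service's public key
        props.put(SecurityConstants.ENCRYPT_PROPERTIES, merlin("/etc/app/truststore.jks", "changeit"));
        props.put(SecurityConstants.ENABLE_REVOCATION, "true");           // CRL checking is off by default
        // A subject DN itself contains commas, so move the constraint separator off the default ","
        props.put(SecurityConstants.CERT_CONSTRAINTS_SEPARATOR, ";");
        props.put(SecurityConstants.SUBJECT_CERT_CONSTRAINTS, "CN=service\\.example\\.com,.*;CN=service-dr\\.example\\.com,.*");
        return props;
    }
}
```

Pass the returned map to the proxy factory before creating the proxy; because these are endpoint properties rather than per-request ones, the SUBJECT_CERT_CONSTRAINTS and ENABLE_REVOCATION settings are also consulted when the signature on the response is verified.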
    • Constructor Detail

      • SecurityConstants

        protected SecurityConstants()