org.apache.ws.security.handler.WSHandlerConstants Maven / Gradle / Ivy
Go to download
Show more of this group Show more artifacts with this name
Show all versions of wss4j Show documentation
Show all versions of wss4j Show documentation
The Apache WSS4J project provides a Java implementation of the primary security standards
for Web Services, namely the OASIS Web Services Security (WS-Security) specifications
from the OASIS Web Services Security TC.
/*
* Copyright 2003-2005 The Apache Software Foundation.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/
package org.apache.ws.security.handler;
import org.apache.ws.security.WSConstants;
import java.util.Hashtable;
import java.util.Map;
/**
* This class defines the names, actions, and other string for the deployment
* data of the WSS handler. Both the Axis handler as well as the JAX-RPC handler
* use this class.
*
* @author Werner Dittmann ([email protected])
*/
public class WSHandlerConstants {
/**
* The action parameter. The
* handlers use the value of this parameter to determine how
* to process the SOAP Envelope. For example in a Axis WSDD file:
*
* <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
* <parameter name="action" value="UsernameToken"/>
* ...
*
* orders the handler to attach a UsernameToken to the SOAP
* enevelope. It is a blank separated list of actions to perform.
*
* The application may set this parameter using the following method:
*
* call.setProperty(WSHandlerConstants.ACTION, WSHandlerConstants.USERNAME_TOKEN);
*
* However, the parameter in the WSDD deployment file overwrites the
* property setting (deployment setting overwrites application setting)
*/
public static final String ACTION = "action";
public static final String SEND = "send";
public static final String RECEIVE = "receive";
/**
* Perform nothing.
*/
public static final String NO_SECURITY = "NoSecurity";
/**
* Perform a UsernameToken identification only.
*/
public static final String USERNAME_TOKEN = "UsernameToken";
/**
* Perform a SAML Token identification.
*/
public static final String SAML_TOKEN_UNSIGNED = "SAMLTokenUnsigned";
public static final String SAML_TOKEN_SIGNED = "SAMLTokenSigned";
/**
* Perform Signature.
* The signature specific parameters define how to sign, which keys
* to use, and so on
*/
public static final String SIGNATURE = "Signature";
/**
* Perform Encryption.
* The encryption specific parameters define how to encrypt, which keys
* to use, and so on.
*/
public static final String ENCRYPT = "Encrypt";
/**
* Add a timestamp to the security header.
*/
public static final String TIMESTAMP = "Timestamp";
/**
* Supress the serialization of the SOAP message.
*
* Usually the handler serializes the processed SOAP message into a string
* and sets it into the Axis message context as new current message. To
* supress this action, define this action. In this case the handler
* stores the processed SOAP message as Document in the
* Axis message context with the property name SND_SECURITY.
*
* A chained handler can retrieve the SOAP message and process it. The
* last handler in the chain must set the processed SOAP message as
* current message in Axis message context.
*/
public static final String NO_SERIALIZATION = "NoSerialization";
/**
* Use this to use a specific signature mechanism for .Net.
* This signature mechanism uses data from the username token and
* a well defined constant string and constructs a signature
* key.
*/
public static final String SIGN_WITH_UT_KEY = "UsernameTokenSignature";
/**
* This is an interal property name to support handler chaining.
* The Axis WSS4J handlers use this message context property to
* hand over the SOAP partially processed envelope document to
* the next WSS4J handler in the chain.
*/
public static final String SND_SECURITY = "SND_SECURITY";
/**
* The actor name of the wsse:Security header.
*
* If this parameter is omitted, the actor name is not set. Please
* refer to {@link org.apache.axis.Constants#ATTR_ACTOR} and {@link org.apache.axis.Constants#ATTR_ROLE}
* about the parameter names. They are set to "actor"
* and "role" respectively.
*
* The value of the actor or role has to match the receiver's setting
* or may contain standard values.
*
* The application may set this parameter using the following method:
*
* call.setProperty(WSHandlerConstants.ACTOR, "ActorName");
*
* However, the parameter in the WSDD deployment file overwrites the
* property setting (deployment setting overwrites application setting).
*
* @see org.apache.axis.Constants#URI_SOAP11_NEXT_ACTOR
* @see org.apache.axis.Constants#URI_SOAP12_NEXT_ROLE
*/
public static final String ACTOR = "actor";
/**
* The role name of the wsse:Security header.
* This is used for SOAP 1.2. Refer also to {@link #ACTOR}.
*/
public static final String ROLE = "role";
/**
* Sets the mustUnderstand flag.
*
* If the parameter has the value 1
* or true the mustUnderstand is set.
* The values 0 or false supress the
* flag.
*
* The application may set this parameter using the following method:
*
* call.setProperty(WSHandlerConstants.MUST_UNDERSTAND, "false");
*
* However, the parameter in the WSDD deployment file overwrites the
* property setting (deployment setting overwrites application setting).
*
* The default setting is true
*
* Please refer to {@link org.apache.axis.Constants#ATTR_MUST_UNDERSTAND}
* about the parameter name ("mustUnderstand").
*/
public static final String MUST_UNDERSTAND = "mustUnderstand";
/**
* The user's name. It is used differently by the WS Security functions.
*
* - The UsernameToken function sets this name in the
*
UsernameToken.
*
* - The Signing function uses this name as the alias name
* in the keystore to get user's certificate and private key to
* perform signing.
*
* - The encryption
* functions uses this parameter as fallback if {@link #ENCRYPTION_USER}
* is not used.
*
*
* It is also possible to set the user's name and the according password
* via the call function, for example:
*
* ...
* call.setUsername("name");
* call.setPassword("WSS4Java");
* ...
*
* The user parameter in the deployment descritor (WSDD) file overwrites
* the application's setting.
*
* For an additional way to set the password refer to
* {@link #PW_CALLBACK_CLASS} and {@link #PW_CALLBACK_REF}.
*
* If the security functions uses the username from the message context, it
* clears the username from the message context
* after they copied it. This prevents sending of the username in the
* HTTP header.
*
* In this case the HTTP authentication mechansisms do not work
* anymore. User authentication shall be done via the username token or
* the certificate verification of the signature certificate.
*/
public static final String USER = "user";
/**
* The Axis WSS4J handlers provide several ways to get the password required
* to construct a username token or to sign a message.
* In addition the callback class may check if a username/password
* combination is valid. Refer to the documentation of
* {@link org.apache.ws.security.WSPasswordCallback} for more information
* about this feature.
*
* - A class that implements a callback interface (see below). The
* handler loads this class and calls the callback method. This
* class must have a public default constructor with not parameters.
*
* - The application (or a preceeding handler) sets a reference to an
* object that implements the callback interface
*
* - The application sets the password directly using the
*
setPassword function of the Call.
*
* The callback class or callback object shall implement specific password
* getter methods, for example reading a database or directory.
*
* The handler first checks if it can get a the password via a callback
* class. If that fails it checks if it can get the password from the
* object reference, if that also fails the handler tries the password
* property.
*
* The following parameter defines a class that implements a callback
* handler interface. The handler loads the class and calls the callback
* handler method to get the password. The callback
* class needs to implement the
* {@link javax.security.auth.callback.CallbackHandler} interface.
*
* The callback function
* {@link javax.security.auth.callback.CallbackHandler#handle(javax.security.auth.callback.Callback[])}
* gets an array of {@link org.apache.ws.security.WSPasswordCallback}
* objects. Only the first entry of the array is used. This object
* contains the username/keyname as identifier. The callback handler must
* set the password or key associated with this identifier before it returns.
*
* The application may set this parameter using the following method:
*
* call.setProperty(WSHandlerConstants.PW_CALLBACK_CLASS, "PWCallbackClass");
*
* However, the parameter in the WSDD deployment file overwrites the
* property setting (deployment setting overwrites application setting).
*
* Refer also to comment in {@link #USER} about HTTP authentication
* functions.
*/
public static final String PW_CALLBACK_CLASS = "passwordCallbackClass";
/**
* An application may set an object reference to an object that implements
* the {@link javax.security.auth.callback.CallbackHandler} interface.
* Only the application can set this property using:
*
* call.setProperty(WSHandlerConstants.PW_CALLBACK_REF, anPWCallbackObject);
*
* Refer to {@link #PW_CALLBACK_CLASS} for further information about
* password callback handling and the priority of the different
* methods.
*
* Note: every handler that preceeds this handler in the chain can set
* this property too. This may be useful on the server side.
*/
public static final String PW_CALLBACK_REF = "passwordCallbackRef";
/**
* The user's name for encryption.
*
* The encryption functions uses the public key of this user's certificate
* to encrypt the generated symmetric key.
*
* If this parameter is not set, then the encryption
* function falls back to the {@link #USER} parameter to get the
* certificate.
*
* If only encryption of the SOAP body data is requested,
* it is recommended to use this parameter to define the username.
* The application can then use the standard user and password
* functions (see example at {@link #USER} to enable HTTP authentication
* functions.
*
* Encryption only does not authenticate a user / sender, therefore it
* does not need a password.
*
* Placing the username of the encryption certficate in the WSDD is not
* a security risk, because the public key of that certificate is used
* only.
*
* The application may set this parameter using the following method:
*
* call.setProperty(WSHandlerConstants.ENCYRPTION_USER, "encryptionuser");
*
* However, the parameter in the WSDD deployment file overwrites the
* property setting (deployment setting overwrites application setting).
*/
public static final String ENCRYPTION_USER = "encryptionUser";
/**
* Specifying this name as {@link #ENCRYPTION_USER}
* triggers a special action to get the public key to use for encryption.
*
* The handler uses the public key of the sender's certificate. Using this
* way to define an encryption key simplifies certificate management to
* a large extend.
*/
public static final String USE_REQ_SIG_CERT = "useReqSigCert";
/**
* This parameter works in the same way as {@link #PW_CALLBACK_CLASS} but
* the Axis WSS4J handler uses it to get the key associated with a key name.
*/
public static final String ENC_CALLBACK_CLASS = "EmbeddedKeyCallbackClass";
/**
* This parameter works in the same way as {@link #PW_CALLBACK_REF} but
* the Axis WSS4J handler uses it to get the key associated with a key name.
*/
public static final String ENC_CALLBACK_REF = "EmbeddedKeyCallbackRef";
/**
* Text of the key name that needs to be sent
*/
public static final String ENC_KEY_NAME = "EmbeddedKeyName";
/**
* The name of the crypto property file to use for SOAP Signature.
*
* The classloader loads this file. Therefore it must be accessible
* via the classpath.
*
* To locate the implementation of the
* {@link org.apache.ws.security.components.crypto.Crypto Crypto}
* interface implementation the property file must contain the property
* org.apache.ws.security.crypto.provider. The value of
* this property is the classname of the implementation class.
*
* The following line defines the standard implementation:
*
* org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
*
* The other contents of the property file depend on the implementation
* of the {@link org.apache.ws.security.components.crypto.Crypto Crypto}
* interface implementation.
*
* The property file of the standard implementation
* {@link org.apache.ws.security.components.crypto.Merlin} uses
* the following properties:
*
* org.apache.ws.security.crypto.provider
* org.apache.ws.security.crypto.merlin.file
* org.apache.ws.security.crypto.merlin.keystore.type
* org.apache.ws.security.crypto.merlin.keystore.provider
* org.apache.ws.security.crypto.merlin.keystore.password
* org.apache.ws.security.crypto.merlin.keystore.alias
* org.apache.ws.security.crypto.merlin.cert.provider
*
* The entries are:
*
* -
org.apache.ws.security.crypto.provider see
* description above
*
* org.apache.ws.security.crypto.merlin.file
* The path to the keystore file. At first the classloader tries to load
* this file, if this fails the implementations performs a file system
* lookup.
* org.apache.ws.security.crypto.merlin.keystore.type
* The keystore type, for example JKS for the Java key store.
* Other keystore type, such as pkcs12 are also possible but depend
* on the actual Crypto implementation.
* org.apache.ws.security.crypto.merlin.keystore.password
* The password to read the keystore. If this property is not set, then
* the pwcallbackproperty must be defined.
*
* The application may set this parameter using the following method:
*
* call.setProperty(WSHandlerConstants.SIG_PROP_FILE, "myCrypto.properties");
*
* However, the parameter in the WSDD deployment file overwrites the
* property setting (deployment setting overwrites application setting).
*
* If a property file is not set and a signature is requested,
* the handler throws an AxisFault.
*/
public static final String SIG_PROP_FILE = "signaturePropFile";
/**
* The key that hold the refernce of the java.util.Properties
* object holding complete info about signature Crypto implementation.
* This should contain all information that would contain in an equivalent
* .properties file which includes the Crypto implementation class name.
*
* Refer to documentation of {@link #SIG_PROP_FILE}.
*/
public final static String SIG_PROP_REF_ID = "SignaturePropRefId";
/**
* The WSDoAllReceiver handler stores a result Vector
* in this property.
*
* The vector contains WSDoAllReceiverResult objects
* for each chained WSDoAllReceiver handler.
*/
public static final String RECV_RESULTS = "RECV_RESULTS";
/**
* The name of the crypto propterty file to use for SOAP Decryption.
*
* Refer to documentation of {@link #SIG_PROP_FILE}.
*
* Refer to {@link #SIG_PROP_FILE} for a detail description
* about the format and how to use this property file.
*
* The application may set this parameter using the following method:
*
* call.setProperty(WSHandlerConstants.DEC_PROP_FILE, "myCrypto.properties");
*
* However, the parameter in the WSDD deployment file overwrites the
* property setting (deployment setting overwrites application setting).
*
* If this parameter is not used, but the signature crypto property
* file is defined (combined Encryption/Signature action), then the
* encryption function uses that file. Otherwise the handler throws
* an AxisFault.
*/
public static final String DEC_PROP_FILE = "decryptionPropFile";
/**
* The key that hold the refernce of the java.util.Properties
* object holding complete info about decryption Crypto implementation. This
* should contain all information that would contain in an equivalent
* .properties file which includes the Crypto implementation class name.
*
* Refer to documentation of {@link #DEC_PROP_FILE}.
*/
public final static String DEC_PROP_REF_ID = "decryptionPropRefId";
/**
* Specific parameter for UsernameToken action to define the encoding
* of the password.
*
* The parameter can be set to either {@link WSConstants#PW_DIGEST}
* or to {@link WSConstants#PW_TEXT}.
*
* The application may set this parameter using the following method:
*
* call.setProperty(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_DIGEST);
*
* However, the parameter in the WSDD deployment file overwrites the
* property setting (deployment setting overwrites application setting).
*
* The default setting is PW_DIGEST.
*/
public static final String PASSWORD_TYPE = "passwordType";
/**
* This variable controls whether types other than PasswordDigest or PasswordText
* are allowed when processing UsernameTokens.
*
* By default this is set to false so that the user doesn't have to explicitly
* reject custom token types in the callback handler.
*/
public static final String HANDLE_CUSTOM_PASSWORD_TYPES = "handleCustomPasswordTypes";
/**
* Parameter to generate additional elements in UsernameToken.
*
* The value of this parameter is a list of element names that are added
* to the UsernameToken. The names of the list a separated by spaces.
*
* The list may containe the names nonce and
* created only. Use this option if the password type is
* passwordText and the handler shall add the Nonce
* and/or Created elements.
*/
public static final String ADD_UT_ELEMENTS = "addUTElements";
/**
* Defines which key identifier type to use. The WS-Security specifications
* recommends to use the identifier type IssuerSerial. For
* possible signature key identifier types refer to
* {@link #keyIdentifier}. For signature IssuerSerial
* and DirectReference are valid only.
*
* The application may set this parameter using the following method:
*
* call.setProperty(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
*
* However, the parameter in the WSDD deployment file overwrites the
* property setting (deployment setting overwrites application setting).
*/
public static final String SIG_KEY_ID = "signatureKeyIdentifier";
/**
* Defines which signature algorithm to use. Currently this
* parameter is ignored - SHA1RSA is the only supported algorithm,
* will be enhanced soon.
*
* The application may set this parameter using the following method:
*
* call.setProperty(WSHandlerConstants.SIG_ALGO, "SHA1RSA");
*
* However, the parameter in the WSDD deployment file overwrites the
* property setting (deployment setting overwrites application setting).
*/
public static final String SIG_ALGO = "signatureAlgorithm";
/**
* Parameter to define which parts of the request shall be signed.
*
* Refer to {@link #ENCRYPTION_PARTS} for a detailed description of
* the format of the value string.
*
* If this parameter is not specified the handler signs the SOAP Body
* by default.
*
* The WS Security specifications define several formats to transfer the
* signature tokens (certificates) or references to these tokens.
* Thus, the plain element name Token
* signs the token and takes care of the different format.
*
* To sign the SOAP body and the signature token the value of this
* parameter must contain:
*
* <parameter name="signatureParts"
* value="{}{http://schemas.xmlsoap.org/soap/envelope/}Body; Token" />
*
* To specify an element without a namespace use the string
* Null as the namespace name (this is a case sensitive
* string)
*
* If there is no other element in the request with a local name of
* Body then the SOAP namespace identifier can be empty
* ({}).
*/
public static final String SIGNATURE_PARTS = "signatureParts";
/**
* The name of the crypto propterty file to use for SOAP Encryption.
*
* Refer to documentation of {@link #SIG_PROP_FILE}.
*
* The application may set this parameter using the following method:
*
* call.setProperty(WSHandlerConstants.ENC_PROP_FILE, "myCrypto.properties");
*
* However, the parameter in the WSDD deployment file overwrites the
* property setting (deployment setting overwrites application setting).
*
* If this parameter is not used, but the signature crypto property
* file is defined (combined Encryption/Signature action), then the
* encryption function uses signature property file. Otherwise the
* handler throws an AxisFault.
*/
public static final String ENC_PROP_FILE = "encryptionPropFile";
/**
* The key that hold the refernce of the
* java.util.Properties object holding complete info about
* encryption Crypto implementation. This should contain all information
* that would contain in an equivalent .properties file which includes the
* Crypto implementation class name.
*
* Refer to documentation of {@link #DEC_PROP_FILE}.
*/
public final static String ENC_PROP_REF_ID = "encryptionPropRefId";
/**
* Defines which key identifier type to use. The WS-Security specifications
* recommends to use the identifier type IssuerSerial. For
* possible encryption key identifier types refer to
* {@link #keyIdentifier}. For encryption IssuerSerial,
* X509KeyIdentifier, DirectReference,
* Thumbprint, SKIKeyIdentifier, and
* EmbeddedKeyName are valid only.
*
* The application may set this parameter using the following method:
*
* call.setProperty(WSHandlerConstants.ENC_KEY_ID, "X509KeyIdentifier");
*
* However, the parameter in the WSDD deployment file overwrites the
* property setting (deployment setting overwrites application setting).
*/
public static final String ENC_KEY_ID = "encryptionKeyIdentifier";
/**
* Defines which symmetric encryption algorithm to use. WSS4J supports the
* following alorithms: {@link WSConstants#TRIPLE_DES},
* {@link WSConstants#AES_128}, {@link WSConstants#AES_256},
* and {@link WSConstants#AES_192}. Except for AES 192 all of these
* algorithms are required by the XML Encryption specification.
*
* The application may set this parameter using the following method:
*
* call.setProperty(WSHandlerConstants.ENC_SYM_ALGO, WSConstants.AES_256);
*
* However, the parameter in the WSDD deployment file overwrites the
* property setting (deployment setting overwrites application setting).
*/
public static final String ENC_SYM_ALGO = "encryptionSymAlgorithm";
/**
* Defines which algorithm to use to encrypt the generated symmetric key.
* Currently WSS4J supports {@link WSConstants#KEYTRANSPORT_RSA15} only.
*
* The application may set this parameter using the following method:
*
* call.setProperty(WSHandlerConstants.ENC_KEY_TRANSPORT, "RSA15");
*
* However, the parameter in the WSDD deployment file overwrites the
* property setting (deployment setting overwrites application setting).
*/
public static final String ENC_KEY_TRANSPORT =
"encryptionKeyTransportAlgorithm";
/**
* Parameter to define which parts of the request shall be encrypted.
*
* The value of this parameter is a list of semi-colon separated
* element names that identify the elements to encrypt. An encryption mode
* specifier and a namespace identification, each inside a pair of curly
* brackets, may preceed each element name.
*
* The encryption mode specifier is either {Content} or
* {Element}. Please refer to the W3C XML Encryption
* specification about the differences between Element and Content
* encryption. The encryption mode defaults to Content
* if it is omitted. Example of a list:
*
* <parameter name="encryptionParts"
* value="{Content}{http://example.org/paymentv2}CreditCard;
* {Element}{}UserName" />
*
* The the first entry of the list identifies the element
* CreditCard in the namespace
* http://example.org/paymentv2, and will encrypt its content.
* Be aware that the element name, the namespace identifier, and the
* encryption modifier are case sensitive.
*
* The encryption modifier and the namespace identifier can be ommited.
* In this case the encryption mode defaults to Content and
* the namespace is set to the SOAP namespace.
*
* An empty encryption mode defaults to Content, an empty
* namespace identifier defaults to the SOAP namespace.
* The second line of the example defines Element as
* encryption mode for an UserName element in the SOAP
* namespace.
*
* To specify an element without a namespace use the string
* Null as the namespace name (this is a case sensitive
* string)
*
* If no list is specified, the handler encrypts the SOAP Body in
* Content mode by default.
*/
public static final String ENCRYPTION_PARTS = "encryptionParts";
/**
* The name of the SAML Issuer factory property file.
* The classloader loads this file. Therefore it must be accessible
* via the classpath.
*/
public static final String SAML_PROP_FILE = "samlPropFile";
/**
* Time-To-Live is the time difference between creation and expiry time in
* the WSS Timestamp.
* The time-to-live in seconds. After this time the SOAP request is
* invalid (at least the security data shall be treated this way).
*
* If this parameter is not defined, contains a value less or equal
* zero, or an illegal format the handlers use a default TTL of
* 300 seconds (5 minutes).
*/
public static final String TTL_TIMESTAMP = "timeToLive";
/**
* Whether to enable signatureConfirmation or not
* By default signatureConfirmation is enabled
*/
public static final String ENABLE_SIGNATURE_CONFIRMATION = "enableSignatureConfirmation";
/**
* Should timestamps have precision in milliseconds
*/
public static final String TIMESTAMP_PRECISION = "precisionInMilliseconds";
/**
* Set the value of this parameter to true to enable strict timestamp
* handling.
*
* Strict Timestamp handling: throw an exception if a Timestamp contains
* an Expires element and the semantics of the request are
* expired, i.e. the current time at the receiver is past the expires time.
*/
public static final String TIMESTAMP_STRICT = "timestampStrict";
/**
* Define the parameter values to set the key identifier types. These are:
*
* DirectReference for {@link WSConstants#BST_DIRECT_REFERENCE}
* IssuerSerial for {@link WSConstants#ISSUER_SERIAL}
* X509KeyIdentifier for {@link WSConstants#X509_KEY_IDENTIFIER}
* SKIKeyIdentifier for {@link WSConstants#SKI_KEY_IDENTIFIER}
* EmbeddedKeyName for {@link WSConstants#EMBEDDED_KEYNAME}
* Thumbprint for {@link WSConstants#THUMBPRINT}
*