All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.apache.ws.security.handler.WSHandlerConstants Maven / Gradle / Ivy

Go to download

The Apache WSS4J project provides a Java implementation of the primary security standards for Web Services, namely the OASIS Web Services Security (WS-Security) specifications from the OASIS Web Services Security TC.

There is a newer version: 1.6.19
Show newest version
/*

 * Copyright  2003-2005 The Apache Software Foundation.
 *
 *  Licensed under the Apache License, Version 2.0 (the "License");
 *  you may not use this file except in compliance with the License.
 *  You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS,
 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
 */

package org.apache.ws.security.handler;

import org.apache.ws.security.WSConstants;
import java.util.Hashtable;
import java.util.Map;

/**
 * This class defines the names, actions, and other string for the deployment
 * data of the WSS handler. Both the Axis handler as well as the JAX-RPC handler
 * use this class.
 *  
 * @author Werner Dittmann ([email protected])
 */

public class WSHandlerConstants {
    /**
     * The action parameter. The
     * handlers use the value of this parameter to determine how
     * to process the SOAP Envelope. For example in a Axis WSDD file:
     * 
     * <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
     * <parameter name="action" value="UsernameToken"/>
     * ...
     * 
* orders the handler to attach a UsernameToken to the SOAP * enevelope. It is a blank separated list of actions to perform. *

* The application may set this parameter using the following method: *

     * call.setProperty(WSHandlerConstants.ACTION, WSHandlerConstants.USERNAME_TOKEN);
     * 
* However, the parameter in the WSDD deployment file overwrites the * property setting (deployment setting overwrites application setting) */ public static final String ACTION = "action"; public static final String SEND = "send"; public static final String RECEIVE = "receive"; /** * Perform nothing. */ public static final String NO_SECURITY = "NoSecurity"; /** * Perform a UsernameToken identification only. */ public static final String USERNAME_TOKEN = "UsernameToken"; /** * Perform a SAML Token identification. */ public static final String SAML_TOKEN_UNSIGNED = "SAMLTokenUnsigned"; public static final String SAML_TOKEN_SIGNED = "SAMLTokenSigned"; /** * Perform Signature. * The signature specific parameters define how to sign, which keys * to use, and so on */ public static final String SIGNATURE = "Signature"; /** * Perform Encryption. * The encryption specific parameters define how to encrypt, which keys * to use, and so on. */ public static final String ENCRYPT = "Encrypt"; /** * Add a timestamp to the security header. */ public static final String TIMESTAMP = "Timestamp"; /** * Suppress the serialization of the SOAP message. *

* Usually the handler serializes the processed SOAP message into a string * and sets it into the Axis message context as new current message. To * suppress this action, define this action. In this case the handler * stores the processed SOAP message as Document in the * Axis message context with the property name SND_SECURITY. *

* A chained handler can retrieve the SOAP message and process it. The * last handler in the chain must set the processed SOAP message as * current message in Axis message context. */ public static final String NO_SERIALIZATION = "NoSerialization"; /** * Use this to use a specific signature mechanism for .Net. * This signature mechanism uses data from the username token and * a well defined constant string and constructs a signature * key. */ public static final String SIGN_WITH_UT_KEY = "UsernameTokenSignature"; /** * This is an interal property name to support handler chaining. * The Axis WSS4J handlers use this message context property to * hand over the SOAP partially processed envelope document to * the next WSS4J handler in the chain. */ public static final String SND_SECURITY = "SND_SECURITY"; /** * The actor name of the wsse:Security header. *

* If this parameter is omitted, the actor name is not set. Please * refer to {@link org.apache.axis.Constants#ATTR_ACTOR} and {@link org.apache.axis.Constants#ATTR_ROLE} * about the parameter names. They are set to "actor" * and "role" respectively. *

* The value of the actor or role has to match the receiver's setting * or may contain standard values. *

* The application may set this parameter using the following method: *

     * call.setProperty(WSHandlerConstants.ACTOR, "ActorName");
     * 
* However, the parameter in the WSDD deployment file overwrites the * property setting (deployment setting overwrites application setting). * * @see org.apache.axis.Constants#URI_SOAP11_NEXT_ACTOR * @see org.apache.axis.Constants#URI_SOAP12_NEXT_ROLE */ public static final String ACTOR = "actor"; /** * The role name of the wsse:Security header. * This is used for SOAP 1.2. Refer also to {@link #ACTOR}. */ public static final String ROLE = "role"; /** * Sets the mustUnderstand flag. *

* If the parameter has the value 1 * or true the mustUnderstand is set. * The values 0 or false supress the * flag. *

* The application may set this parameter using the following method: *

     * call.setProperty(WSHandlerConstants.MUST_UNDERSTAND, "false");
     * 
* However, the parameter in the WSDD deployment file overwrites the * property setting (deployment setting overwrites application setting). *

* The default setting is true *

* Please refer to {@link org.apache.axis.Constants#ATTR_MUST_UNDERSTAND} * about the parameter name ("mustUnderstand"). */ public static final String MUST_UNDERSTAND = "mustUnderstand"; /** * The user's name. It is used differently by the WS Security functions. *

    *
  • The UsernameToken function sets this name in the * UsernameToken. *
  • *
  • The Signing function uses this name as the alias name * in the keystore to get user's certificate and private key to * perform signing if {@link #SIGNATURE_USER} is not used. *
  • *
  • The encryption * functions uses this parameter as fallback if {@link #ENCRYPTION_USER} * is not used. *
  • *
* It is also possible to set the user's name and the according password * via the call function, for example: *
     * ...
     * call.setUsername("name");
     * call.setPassword("WSS4Java");
     * ...
     * 
* The user parameter in the deployment descritor (WSDD) file overwrites * the application's setting. *

* For an additional way to set the password refer to * {@link #PW_CALLBACK_CLASS} and {@link #PW_CALLBACK_REF}. *

* If the security functions uses the username from the message context, it * clears the username from the message context * after they copied it. This prevents sending of the username in the * HTTP header. *

* In this case the HTTP authentication mechansisms do not work * anymore. User authentication shall be done via the username token or * the certificate verification of the signature certificate. */ public static final String USER = "user"; /** * The Axis WSS4J handlers provide several ways to get the password required * to construct a username token or to sign a message. * In addition the callback class may check if a username/password * combination is valid. Refer to the documentation of * {@link org.apache.ws.security.WSPasswordCallback} for more information * about this feature. *

    *
  • A class that implements a callback interface (see below). The * handler loads this class and calls the callback method. This * class must have a public default constructor with not parameters. *
  • *
  • The application (or a preceeding handler) sets a reference to an * object that implements the callback interface *
  • *
  • The application sets the password directly using the * setPassword function of the Call. *
* The callback class or callback object shall implement specific password * getter methods, for example reading a database or directory. *

* The handler first checks if it can get a the password via a callback * class. If that fails it checks if it can get the password from the * object reference, if that also fails the handler tries the password * property. *

* The following parameter defines a class that implements a callback * handler interface. The handler loads the class and calls the callback * handler method to get the password. The callback * class needs to implement the * {@link javax.security.auth.callback.CallbackHandler} interface. *

* The callback function * {@link javax.security.auth.callback.CallbackHandler#handle(javax.security.auth.callback.Callback[])} * gets an array of {@link org.apache.ws.security.WSPasswordCallback} * objects. Only the first entry of the array is used. This object * contains the username/keyname as identifier. The callback handler must * set the password or key associated with this identifier before it returns. *

* The application may set this parameter using the following method: *

     * call.setProperty(WSHandlerConstants.PW_CALLBACK_CLASS, "PWCallbackClass");
     * 
* However, the parameter in the WSDD deployment file overwrites the * property setting (deployment setting overwrites application setting). *

* Refer also to comment in {@link #USER} about HTTP authentication * functions. */ public static final String PW_CALLBACK_CLASS = "passwordCallbackClass"; /** * An application may set an object reference to an object that implements * the {@link javax.security.auth.callback.CallbackHandler} interface. * Only the application can set this property using: *

     * call.setProperty(WSHandlerConstants.PW_CALLBACK_REF, anPWCallbackObject);
     * 
* Refer to {@link #PW_CALLBACK_CLASS} for further information about * password callback handling and the priority of the different * methods. *

* Note: every handler that preceeds this handler in the chain can set * this property too. This may be useful on the server side. */ public static final String PW_CALLBACK_REF = "passwordCallbackRef"; /** * The user's name for encryption. *

* The encryption functions uses the public key of this user's certificate * to encrypt the generated symmetric key. *

* If this parameter is not set, then the encryption * function falls back to the {@link #USER} parameter to get the * certificate. *

* If only encryption of the SOAP body data is requested, * it is recommended to use this parameter to define the username. * The application can then use the standard user and password * functions (see example at {@link #USER} to enable HTTP authentication * functions. *

* Encryption only does not authenticate a user / sender, therefore it * does not need a password. *

* Placing the username of the encryption certificate in the WSDD is not * a security risk, because the public key of that certificate is used * only. *

* The application may set this parameter using the following method: *

     * call.setProperty(WSHandlerConstants.ENCYRPTION_USER, "encryptionUser");
     * 
* However, the parameter in the WSDD deployment file overwrites the * property setting (deployment setting overwrites application setting). */ public static final String ENCRYPTION_USER = "encryptionUser"; /** * The user's name for signature. *

* This name is used as the alias name in the keystore to get user's * certificate and private key to perform signing. *

* If this parameter is not set, then the signature * function falls back to the {@link #USER} parameter. *

* The application may set this parameter using the following method: *

     * call.setProperty(WSHandlerConstants.SIGNATURE_USER, "signatureUser");
     * 
* However, the parameter in the WSDD deployment file overwrites the * property setting (deployment setting overwrites application setting). */ public static final String SIGNATURE_USER = "signatureUser"; /** * Specifying this name as {@link #ENCRYPTION_USER} * triggers a special action to get the public key to use for encryption. *

* The handler uses the public key of the sender's certificate. Using this * way to define an encryption key simplifies certificate management to * a large extend. */ public static final String USE_REQ_SIG_CERT = "useReqSigCert"; /** * This parameter works in the same way as {@link #PW_CALLBACK_CLASS} but * the Axis WSS4J handler uses it to get the key associated with a key name. */ public static final String ENC_CALLBACK_CLASS = "EmbeddedKeyCallbackClass"; /** * This parameter works in the same way as {@link #PW_CALLBACK_REF} but * the Axis WSS4J handler uses it to get the key associated with a key name. */ public static final String ENC_CALLBACK_REF = "EmbeddedKeyCallbackRef"; /** * Text of the key name that needs to be sent */ public static final String ENC_KEY_NAME = "EmbeddedKeyName"; /** * The name of the crypto property file to use for SOAP Signature. *

* The classloader loads this file. Therefore it must be accessible * via the classpath. *

* To locate the implementation of the * {@link org.apache.ws.security.components.crypto.Crypto Crypto} * interface implementation the property file must contain the property * org.apache.ws.security.crypto.provider. The value of * this property is the classname of the implementation class. *

* The following line defines the standard implementation: *

     * org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
     * 
* The other contents of the property file depend on the implementation * of the {@link org.apache.ws.security.components.crypto.Crypto Crypto} * interface implementation. *

* The property file of the standard implementation * {@link org.apache.ws.security.components.crypto.Merlin} uses * the following properties: *

     * org.apache.ws.security.crypto.provider
     * org.apache.ws.security.crypto.merlin.file
     * org.apache.ws.security.crypto.merlin.keystore.type
     * org.apache.ws.security.crypto.merlin.keystore.provider
     * org.apache.ws.security.crypto.merlin.keystore.password
     * org.apache.ws.security.crypto.merlin.keystore.alias
     * org.apache.ws.security.crypto.merlin.cert.provider
     * 
* The entries are: *
    *
  • org.apache.ws.security.crypto.provider see * description above *
  • *
  • org.apache.ws.security.crypto.merlin.file * The path to the keystore file. At first the classloader tries to load * this file, if this fails the implementations performs a file system * lookup. *
  • *
  • org.apache.ws.security.crypto.merlin.keystore.type * The keystore type, for example JKS for the Java key store. * Other keystore type, such as pkcs12 are also possible but depend * on the actual Crypto implementation. *
  • *
  • org.apache.ws.security.crypto.merlin.keystore.password * The password to read the keystore. If this property is not set, then * the pwcallbackproperty must be defined. *
  • *
* The application may set this parameter using the following method: *
     * call.setProperty(WSHandlerConstants.SIG_PROP_FILE, "myCrypto.properties");
     * 
* However, the parameter in the WSDD deployment file overwrites the * property setting (deployment setting overwrites application setting). *

* If a property file is not set and a signature is requested, * the handler throws an AxisFault. */ public static final String SIG_PROP_FILE = "signaturePropFile"; /** * The key that hold the refernce of the java.util.Properties * object holding complete info about signature Crypto implementation. * This should contain all information that would contain in an equivalent * .properties file which includes the Crypto implementation class name. * * Refer to documentation of {@link #SIG_PROP_FILE}. */ public final static String SIG_PROP_REF_ID = "SignaturePropRefId"; /** * The WSDoAllReceiver handler stores a result Vector * in this property. *

* The vector contains WSDoAllReceiverResult objects * for each chained WSDoAllReceiver handler. */ public static final String RECV_RESULTS = "RECV_RESULTS"; /** * The name of the crypto propterty file to use for SOAP Decryption. *

* Refer to documentation of {@link #SIG_PROP_FILE}. *

* Refer to {@link #SIG_PROP_FILE} for a detail description * about the format and how to use this property file. *

* The application may set this parameter using the following method: *

     * call.setProperty(WSHandlerConstants.DEC_PROP_FILE, "myCrypto.properties");
     * 
* However, the parameter in the WSDD deployment file overwrites the * property setting (deployment setting overwrites application setting). *

* If this parameter is not used, but the signature crypto property * file is defined (combined Encryption/Signature action), then the * encryption function uses that file. Otherwise the handler throws * an AxisFault. */ public static final String DEC_PROP_FILE = "decryptionPropFile"; /** * The key that hold the refernce of the java.util.Properties * object holding complete info about decryption Crypto implementation. This * should contain all information that would contain in an equivalent * .properties file which includes the Crypto implementation class name. * * Refer to documentation of {@link #DEC_PROP_FILE}. */ public final static String DEC_PROP_REF_ID = "decryptionPropRefId"; /** * Specific parameter for UsernameToken action to define the encoding * of the password. *

* The parameter can be set to either {@link WSConstants#PW_DIGEST} * or to {@link WSConstants#PW_TEXT}. *

* The application may set this parameter using the following method: *

     * call.setProperty(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_DIGEST);
     * 
* However, the parameter in the WSDD deployment file overwrites the * property setting (deployment setting overwrites application setting). *

* The default setting is PW_DIGEST. */ public static final String PASSWORD_TYPE = "passwordType"; /** * This variable controls whether types other than PasswordDigest or PasswordText * are allowed when processing UsernameTokens. * * By default this is set to false so that the user doesn't have to explicitly * reject custom token types in the callback handler. */ public static final String HANDLE_CUSTOM_PASSWORD_TYPES = "handleCustomPasswordTypes"; /** * This variable controls whether (wsse) namespace qualified password types are * accepted when processing UsernameTokens. * * By default this is set to false. */ public static final String ALLOW_NAMESPACE_QUALIFIED_PASSWORD_TYPES = "allowNamespaceQualifiedPasswordTypes"; /** * Parameter to generate additional elements in UsernameToken. *

* The value of this parameter is a list of element names that are added * to the UsernameToken. The names of the list a separated by spaces. *

* The list may containe the names nonce and * created only. Use this option if the password type is * passwordText and the handler shall add the Nonce * and/or Created elements. */ public static final String ADD_UT_ELEMENTS = "addUTElements"; /** * Defines which key identifier type to use. The WS-Security specifications * recommends to use the identifier type IssuerSerial. For * possible signature key identifier types refer to * {@link #keyIdentifier}. For signature IssuerSerial * and DirectReference are valid only. *

* The application may set this parameter using the following method: *

     * call.setProperty(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
     * 
* However, the parameter in the WSDD deployment file overwrites the * property setting (deployment setting overwrites application setting). */ public static final String SIG_KEY_ID = "signatureKeyIdentifier"; /** * Defines which signature algorithm to use. *

* The application may set this parameter using the following method: *

     * call.setProperty(
     *     WSHandlerConstants.SIG_ALGO, 
     *     "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
     * );
     * 
* However, the parameter in the WSDD deployment file overwrites the * property setting (deployment setting overwrites application setting). */ public static final String SIG_ALGO = "signatureAlgorithm"; /** * Defines which signature digest algorithm to use. *

* The application may set this parameter using the following method: *

     * call.setProperty(
     *    WSHandlerConstants.SIG_DIGEST_ALGO, "http://www.w3.org/2001/04/xmlenc#sha256"
     * );
     * 
* However, the parameter in the WSDD deployment file overwrites the * property setting (deployment setting overwrites application setting). */ public static final String SIG_DIGEST_ALGO = "signatureDigestAlgorithm"; /** * Parameter to define which parts of the request shall be signed. *

* Refer to {@link #ENCRYPTION_PARTS} for a detailed description of * the format of the value string. *

* If this parameter is not specified the handler signs the SOAP Body * by default. *

* The WS Security specifications define several formats to transfer the * signature tokens (certificates) or references to these tokens. * Thus, the plain element name Token * signs the token and takes care of the different format. *

* To sign the SOAP body and the signature token the value of this * parameter must contain: *

     * <parameter name="signatureParts"
     *   value="{}{http://schemas.xmlsoap.org/soap/envelope/}Body; Token" />
     * 
* To specify an element without a namespace use the string * Null as the namespace name (this is a case sensitive * string) *

* If there is no other element in the request with a local name of * Body then the SOAP namespace identifier can be empty * ({}). */ public static final String SIGNATURE_PARTS = "signatureParts"; /** * The name of the crypto propterty file to use for SOAP Encryption. *

* Refer to documentation of {@link #SIG_PROP_FILE}. *

* The application may set this parameter using the following method: *

     * call.setProperty(WSHandlerConstants.ENC_PROP_FILE, "myCrypto.properties");
     * 
* However, the parameter in the WSDD deployment file overwrites the * property setting (deployment setting overwrites application setting). *

* If this parameter is not used, but the signature crypto property * file is defined (combined Encryption/Signature action), then the * encryption function uses signature property file. Otherwise the * handler throws an AxisFault. */ public static final String ENC_PROP_FILE = "encryptionPropFile"; /** * The key that hold the refernce of the * java.util.Properties object holding complete info about * encryption Crypto implementation. This should contain all information * that would contain in an equivalent .properties file which includes the * Crypto implementation class name. * * Refer to documentation of {@link #DEC_PROP_FILE}. */ public final static String ENC_PROP_REF_ID = "encryptionPropRefId"; /** * Defines which key identifier type to use. The WS-Security specifications * recommends to use the identifier type IssuerSerial. For * possible encryption key identifier types refer to * {@link #keyIdentifier}. For encryption IssuerSerial, * X509KeyIdentifier, DirectReference, * Thumbprint, SKIKeyIdentifier, and * EmbeddedKeyName are valid only. *

* The application may set this parameter using the following method: *

     * call.setProperty(WSHandlerConstants.ENC_KEY_ID, "X509KeyIdentifier");
     * 
* However, the parameter in the WSDD deployment file overwrites the * property setting (deployment setting overwrites application setting). */ public static final String ENC_KEY_ID = "encryptionKeyIdentifier"; /** * Defines which symmetric encryption algorithm to use. WSS4J supports the * following alorithms: {@link WSConstants#TRIPLE_DES}, * {@link WSConstants#AES_128}, {@link WSConstants#AES_256}, * and {@link WSConstants#AES_192}. Except for AES 192 all of these * algorithms are required by the XML Encryption specification. *

* The application may set this parameter using the following method: *

     * call.setProperty(WSHandlerConstants.ENC_SYM_ALGO, WSConstants.AES_256);
     * 
* However, the parameter in the WSDD deployment file overwrites the * property setting (deployment setting overwrites application setting). */ public static final String ENC_SYM_ALGO = "encryptionSymAlgorithm"; /** * Defines which algorithm to use to encrypt the generated symmetric key. * Currently WSS4J supports {@link WSConstants#KEYTRANSPORT_RSA15} only. *

* The application may set this parameter using the following method: *

     * call.setProperty(WSHandlerConstants.ENC_KEY_TRANSPORT, "RSA15");
     * 
* However, the parameter in the WSDD deployment file overwrites the * property setting (deployment setting overwrites application setting). */ public static final String ENC_KEY_TRANSPORT = "encryptionKeyTransportAlgorithm"; /** * Parameter to define which parts of the request shall be encrypted. *

* The value of this parameter is a list of semi-colon separated * element names that identify the elements to encrypt. An encryption mode * specifier and a namespace identification, each inside a pair of curly * brackets, may preceed each element name. *

* The encryption mode specifier is either {Content} or * {Element}. Please refer to the W3C XML Encryption * specification about the differences between Element and Content * encryption. The encryption mode defaults to Content * if it is omitted. Example of a list: *

     * <parameter name="encryptionParts"
     *   value="{Content}{http://example.org/paymentv2}CreditCard;
     *             {Element}{}UserName" />
     * 
* The the first entry of the list identifies the element * CreditCard in the namespace * http://example.org/paymentv2, and will encrypt its content. * Be aware that the element name, the namespace identifier, and the * encryption modifier are case sensitive. *

* The encryption modifier and the namespace identifier can be ommited. * In this case the encryption mode defaults to Content and * the namespace is set to the SOAP namespace. *

* An empty encryption mode defaults to Content, an empty * namespace identifier defaults to the SOAP namespace. * The second line of the example defines Element as * encryption mode for an UserName element in the SOAP * namespace. *

* To specify an element without a namespace use the string * Null as the namespace name (this is a case sensitive * string) *

* If no list is specified, the handler encrypts the SOAP Body in * Content mode by default. */ public static final String ENCRYPTION_PARTS = "encryptionParts"; /** * The name of the SAML Issuer factory property file. * The classloader loads this file. Therefore it must be accessible * via the classpath. */ public static final String SAML_PROP_FILE = "samlPropFile"; /** * Time-To-Live is the time difference between creation and expiry time in * the WSS Timestamp. * The time-to-live in seconds. After this time the SOAP request is * invalid (at least the security data shall be treated this way). *

* If this parameter is not defined, contains a value less or equal * zero, or an illegal format the handlers use a default TTL of * 300 seconds (5 minutes). */ public static final String TTL_TIMESTAMP = "timeToLive"; /** * Whether to enable signatureConfirmation or not * By default signatureConfirmation is enabled */ public static final String ENABLE_SIGNATURE_CONFIRMATION = "enableSignatureConfirmation"; /** * Should timestamps have precision in milliseconds */ public static final String TIMESTAMP_PRECISION = "precisionInMilliseconds"; /** * Set the value of this parameter to true to enable strict timestamp * handling. * * Strict Timestamp handling: throw an exception if a Timestamp contains * an Expires element and the semantics of the request are * expired, i.e. the current time at the receiver is past the expires time. */ public static final String TIMESTAMP_STRICT = "timestampStrict"; /** * Define the parameter values to set the key identifier types. These are: *

    *
  • DirectReference for {@link WSConstants#BST_DIRECT_REFERENCE} *
  • *
  • IssuerSerial for {@link WSConstants#ISSUER_SERIAL} *
  • *
  • X509KeyIdentifier for {@link WSConstants#X509_KEY_IDENTIFIER} *
  • *
  • SKIKeyIdentifier for {@link WSConstants#SKI_KEY_IDENTIFIER} *
  • *
  • EmbeddedKeyName for {@link WSConstants#EMBEDDED_KEYNAME} *
  • *
  • Thumbprint for {@link WSConstants#THUMBPRINT} *
  • *




© 2015 - 2024 Weber Informatics LLC | Privacy Policy