org.apache.ws.security.handler.WSHandlerConstants Maven / Gradle / Ivy
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.ws.security.handler;
import org.apache.ws.security.WSConstants;
import java.util.HashMap;
import java.util.Map;
/**
* This class defines the names, actions, and other string for the deployment
* data of the WS handler.
*
* @author Werner Dittmann ([email protected])
*/
public class WSHandlerConstants {
//
// Action configuration tags
//
/**
* The action parameter. The handlers use the value of this parameter to determine how
* to process the SOAP Envelope. It is a blank separated list of actions to perform.
*
* The application may set this parameter using the following method:
*
* call.setProperty(WSHandlerConstants.ACTION, WSHandlerConstants.USERNAME_TOKEN);
*
*/
public static final String ACTION = "action";
/**
* Perform no action.
*/
public static final String NO_SECURITY = "NoSecurity";
/**
* Perform a UsernameToken action.
*/
public static final String USERNAME_TOKEN = "UsernameToken";
/**
* Perform an unsigned SAML Token action.
*/
public static final String SAML_TOKEN_UNSIGNED = "SAMLTokenUnsigned";
/**
* Perform a signed SAML Token action.
*/
public static final String SAML_TOKEN_SIGNED = "SAMLTokenSigned";
/**
* Perform a Signature action. The signature specific parameters define how
* to sign, which keys to use, and so on.
*/
public static final String SIGNATURE = "Signature";
/**
* Perform an Encryption action. The encryption specific parameters define how
* to encrypt, which keys to use, and so on.
*/
public static final String ENCRYPT = "Encrypt";
/**
* Add a timestamp to the security header.
*/
public static final String TIMESTAMP = "Timestamp";
/**
* Use this to use a specific signature mechanism for .Net. This signature mechanism
* uses data from the username token and a well defined constant string and constructs
* a signature key. Please note that this action is NOT spec-compliant.
*/
public static final String SIGN_WITH_UT_KEY = "UsernameTokenSignature";
//
// User properties
//
/**
* The actor or role name of the wsse:Security header. If this parameter
* is omitted, the actor name is not set.
*
* The value of the actor or role has to match the receiver's setting
* or may contain standard values.
*
* The application may set this parameter using the following method:
*
* call.setProperty(WSHandlerConstants.ACTOR, "ActorName");
*
*/
public static final String ACTOR = "actor";
/**
* The user's name. It is used differently by each of the WS-Security functions.
*
* - The UsernameToken function sets this name in the
*
UsernameToken.
*
* - The Signing function uses this name as the alias name
* in the keystore to get user's certificate and private key to
* perform signing if {@link #SIGNATURE_USER} is not used.
*
* - The encryption
* functions uses this parameter as fallback if {@link #ENCRYPTION_USER}
* is not used.
*
*
*/
public static final String USER = "user";
/**
* The user's name for encryption. The encryption functions use the public key of
* this user's certificate to encrypt the generated symmetric key.
*
* If this parameter is not set, then the encryption
* function falls back to the {@link #USER} parameter to get the
* certificate.
*
* If only encryption of the SOAP body data is requested,
* it is recommended to use this parameter to define the username.
*
* The application may set this parameter using the following method:
*
* call.setProperty(WSHandlerConstants.ENCRYPTION_USER, "encryptionUser");
*
*/
public static final String ENCRYPTION_USER = "encryptionUser";
/**
* The user's name for signature. This name is used as the alias name in the keystore
* to get user's certificate and private key to perform signing.
*
* If this parameter is not set, then the signature
* function falls back to the {@link #USER} parameter.
*
* The application may set this parameter using the following method:
*
* call.setProperty(WSHandlerConstants.SIGNATURE_USER, "signatureUser");
*
*/
public static final String SIGNATURE_USER = "signatureUser";
/**
* Specifying this name as {@link #ENCRYPTION_USER}
* triggers a special action to get the public key to use for encryption.
*
* The handler uses the public key of the sender's certificate. Using this
* way to define an encryption key simplifies certificate management to
* a large extend.
*/
public static final String USE_REQ_SIG_CERT = "useReqSigCert";
//
// Callback class and property file properties
//
/**
* This tag refers to the CallbackHandler implementation class used to obtain passwords.
* The value of this tag must be the class name of a
* {@link javax.security.auth.callback.CallbackHandler} instance.
*
* The callback function
* {@link javax.security.auth.callback.CallbackHandler#handle(
* javax.security.auth.callback.Callback[])} gets an array of
* {@link org.apache.ws.security.WSPasswordCallback} objects. Only the first entry of the
* array is used. This object contains the username/keyname as identifier. The callback
* handler must set the password or key associated with this identifier before it returns.
*
* The application may set this parameter using the following method:
*
* call.setProperty(WSHandlerConstants.PW_CALLBACK_CLASS, "PWCallbackClass");
*
*/
public static final String PW_CALLBACK_CLASS = "passwordCallbackClass";
/**
* This tag refers to the CallbackHandler implementation object used to obtain
* passwords. The value of this tag must be a
* {@link javax.security.auth.callback.CallbackHandler} instance.
*
* Refer to {@link #PW_CALLBACK_CLASS} for further information about password callback
* handling.
*/
public static final String PW_CALLBACK_REF = "passwordCallbackRef";
/**
* This tag refers to the SAML CallbackHandler implementation class used to construct
* SAML Assertions. The value of this tag must be the class name of a
* {@link javax.security.auth.callback.CallbackHandler} instance.
*/
public static final String SAML_CALLBACK_CLASS = "samlCallbackClass";
/**
* This tag refers to the SAML CallbackHandler implementation object used to construct
* SAML Assertions. The value of this tag must be a
* {@link javax.security.auth.callback.CallbackHandler} instance.
*/
public static final String SAML_CALLBACK_REF = "samlCallbackRef";
/**
* This tag refers to the CallbackHandler implementation class used to get the key
* associated with a key name. The value of this tag must be the class name of a
* {@link javax.security.auth.callback.CallbackHandler} instance.
*/
public static final String ENC_CALLBACK_CLASS = "embeddedKeyCallbackClass";
/**
* This tag refers to the CallbackHandler implementation object used to get the key
* associated with a key name. The value of this tag must be a
* {@link javax.security.auth.callback.CallbackHandler} instance.
*/
public static final String ENC_CALLBACK_REF = "embeddedKeyCallbackRef";
/**
* The path of the crypto property file to use for Signature. The classloader loads this
* file. Therefore it must be accessible via the classpath.
*
* To locate the implementation of the
* {@link org.apache.ws.security.components.crypto.Crypto Crypto}
* interface implementation the property file must contain the property
* org.apache.ws.security.crypto.provider. The value of
* this property is the classname of the implementation class.
*
* The following line defines the standard implementation:
*
* org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
*
* The other contents of the property file depend on the implementation
* of the {@link org.apache.ws.security.components.crypto.Crypto Crypto}
* interface. Please see the WSS4J website for more information on the Merlin property
* tags and values.
*
* The application may set this parameter using the following method:
*
* call.setProperty(WSHandlerConstants.SIG_PROP_FILE, "myCrypto.properties");
*
*/
public static final String SIG_PROP_FILE = "signaturePropFile";
/**
* The key that holds the reference of the java.util.Properties
* object holding complete information about the signature Crypto implementation.
* This should contain all information that would contain in an equivalent
* properties file which includes the Crypto implementation class name.
*
* Refer to documentation of {@link #SIG_PROP_FILE}.
*/
public final static String SIG_PROP_REF_ID = "signaturePropRefId";
/**
* The path of the crypto property file to use for Decryption. The classloader loads this
* file. Therefore it must be accessible via the classpath. Refer to documentation of
* {@link #SIG_PROP_FILE} for more information about the contents of the Properties file.
*
* The application may set this parameter using the following method:
*
* call.setProperty(WSHandlerConstants.DEC_PROP_FILE, "myCrypto.properties");
*
*/
public static final String DEC_PROP_FILE = "decryptionPropFile";
/**
* The key that hold the reference of the java.util.Properties
* object holding complete information about the decryption Crypto implementation.
* This should contain all information that would contain in an equivalent
* properties file which includes the Crypto implementation class name.
*
* Refer to documentation of {@link #DEC_PROP_FILE}.
*/
public final static String DEC_PROP_REF_ID = "decryptionPropRefId";
/**
* The path of the crypto property file to use for Encryption. The classloader loads this
* file. Therefore it must be accessible via the classpath. Refer to documentation of
* {@link #SIG_PROP_FILE} for more information about the contents of the Properties file.
*
* The application may set this parameter using the following method:
*
* call.setProperty(WSHandlerConstants.ENC_PROP_FILE, "myCrypto.properties");
*
*/
public static final String ENC_PROP_FILE = "encryptionPropFile";
/**
* The key that hold the reference of the java.util.Properties
* object holding complete information about the encryption Crypto implementation.
* This should contain all information that would contain in an equivalent
* properties file which includes the Crypto implementation class name.
*
* Refer to documentation of {@link #ENC_PROP_FILE}.
*/
public final static String ENC_PROP_REF_ID = "encryptionPropRefId";
/**
* The name of the SAML Issuer factory property file.
* The classloader loads this file. Therefore it must be accessible
* via the classpath.
*/
public static final String SAML_PROP_FILE = "samlPropFile";
//
// Boolean configuration tags, e.g. the value should be "true" or "false".
//
/**
* Whether to enable signatureConfirmation or not. The default value is "false".
*/
public static final String ENABLE_SIGNATURE_CONFIRMATION = "enableSignatureConfirmation";
/**
* Whether to set the mustUnderstand flag on an outbound message or not. The default
* setting is "true".
*
* The application may set this parameter using the following method:
*
* call.setProperty(WSHandlerConstants.MUST_UNDERSTAND, "false");
*
*/
public static final String MUST_UNDERSTAND = "mustUnderstand";
/**
* Whether to ensure compliance with the Basic Security Profile (BSP) 1.1 or not. The
* default value is "true".
*
* The application may set this parameter using the following method:
*
* call.setProperty(WSHandlerConstants.IS_BSP_COMPLIANT, "false");
*
*/
public static final String IS_BSP_COMPLIANT = "isBSPCompliant";
/**
* This variable controls whether types other than PasswordDigest or PasswordText
* are allowed when processing UsernameTokens. The default value is "false".
*/
public static final String HANDLE_CUSTOM_PASSWORD_TYPES = "handleCustomPasswordTypes";
/**
* Set the value of this parameter to true to enable strict Username Token password type
* handling. The default value is "false".
*
* If this parameter is set to true, it throws an exception if the password type of
* the Username Token does not match that of the configured PASSWORD_TYPE parameter.
*/
public static final String PASSWORD_TYPE_STRICT = "passwordTypeStrict";
/**
* This variable controls whether (wsse) namespace qualified password types are
* accepted when processing UsernameTokens. The default value is "false".
*/
public static final String ALLOW_NAMESPACE_QUALIFIED_PASSWORD_TYPES
= "allowNamespaceQualifiedPasswordTypes";
/**
* This variable controls whether to enable Certificate Revocation List (CRL) checking
* or not when verifying trust in a certificate. The default value is "false".
*/
public static final String ENABLE_REVOCATION = "enableRevocation";
/**
* Set the value of this parameter to true to treat passwords as binary values
* for Username Tokens. The default value is "false".
*
* This is needed to properly handle password equivalence for UsernameToken
* passwords. Binary passwords are Base64 encoded so they can be treated as
* strings in most places, but when the password digest is calculated or a key
* is derived from the password, the password will be Base64 decoded before
* being used. This is most useful for hashed passwords as password equivalents.
*/
public static final String USE_ENCODED_PASSWORDS = "useEncodedPasswords";
/**
* This parameter sets whether to use a single certificate or a whole certificate
* chain when constructing a BinarySecurityToken used for direct reference in
* signature. The default is "true", meaning that only a single certificate is used.
*/
public static final String USE_SINGLE_CERTIFICATE = "useSingleCertificate";
/**
* This parameter sets whether to use UsernameToken Key Derivation, as defined
* in the UsernameTokenProfile 1.1 specification. The default is "true". If false,
* then it falls back to the old behaviour of WSE derived key functionality.
*/
public static final String USE_DERIVED_KEY = "useDerivedKey";
/**
* This parameter sets whether to use the Username Token derived key for a MAC
* or not. The default is "true".
*/
public static final String USE_DERIVED_KEY_FOR_MAC = "useDerivedKeyForMAC";
/**
* Set whether Timestamps have precision in milliseconds. This applies to the
* creation of Timestamps only. The default value is "true".
*/
public static final String TIMESTAMP_PRECISION = "precisionInMilliseconds";
/**
* Set the value of this parameter to true to enable strict timestamp
* handling. The default value is "true".
*
* Strict Timestamp handling: throw an exception if a Timestamp contains
* an Expires element and the semantics of the request are
* expired, i.e. the current time at the receiver is past the expires time.
*/
public static final String TIMESTAMP_STRICT = "timestampStrict";
/**
* Defines whether to encrypt the symmetric encryption key or not. If true
* (the default), the symmetric key used for encryption is encrypted in turn,
* and inserted into the security header in an "EncryptedKey" structure. If
* set to false, no EncryptedKey structure is constructed.
*
* The application may set this parameter using the following method:
*
* call.setProperty(WSHandlerConstants.ENC_SYM_ENC_KEY, "false");
*
*/
public static final String ENC_SYM_ENC_KEY = "encryptSymmetricEncryptionKey";
//
// (Non-boolean) Configuration parameters for the actions/processors
//
/**
* Text of the embedded key name to be sent in the KeyInfo for encryption.
*/
public static final String ENC_KEY_NAME = "embeddedKeyName";
/**
* Specific parameter for UsernameToken action to define the encoding
* of the password.
*
* The parameter can be set to either {@link WSConstants#PW_DIGEST}
* or to {@link WSConstants#PW_TEXT}.
*
* The application may set this parameter using the following method:
*
* call.setProperty(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_DIGEST);
*
* The default setting is PW_DIGEST.
*/
public static final String PASSWORD_TYPE = "passwordType";
/**
* Parameter to generate additional elements (nonce and created) in a
* UsernameToken.
*
* The value of this parameter is a list of element names that are added
* to the UsernameToken. The names of the list a separated by spaces.
*
* The list may contain the names nonce and
* created only. Use this option if the password type is
* passwordText and the handler shall add the Nonce
* and/or Created elements.
*/
public static final String ADD_UT_ELEMENTS = "addUTElements";
/**
* Defines which key identifier type to use for signature. The WS-Security specifications
* recommends to use the identifier type IssuerSerial. For possible signature
* key identifier types refer to {@link #keyIdentifier}.
* For signature IssuerSerial and DirectReference are valid only.
* The default is IssuerSerial.
*
* The application may set this parameter using the following method:
*
* call.setProperty(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
*
*/
public static final String SIG_KEY_ID = "signatureKeyIdentifier";
/**
* Defines which signature algorithm to use. The default is set by the data in the
* certificate.
*
* The application may set this parameter using the following method:
*
* call.setProperty(
* WSHandlerConstants.SIG_ALGO,
* "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
* );
*
*/
public static final String SIG_ALGO = "signatureAlgorithm";
/**
* Defines which signature digest algorithm to use. The default is SHA-1.
*
* The application may set this parameter using the following method:
*
* call.setProperty(
* WSHandlerConstants.SIG_DIGEST_ALGO, "http://www.w3.org/2001/04/xmlenc#sha256"
* );
*
*/
public static final String SIG_DIGEST_ALGO = "signatureDigestAlgorithm";
/**
* Parameter to define which parts of the request shall be signed.
*
* Refer to {@link #ENCRYPTION_PARTS} for a detailed description of
* the format of the value string.
*
* If this parameter is not specified the handler signs the SOAP Body
* by default, i.e.:
*
* <parameter name="signatureParts"
* value="{}{http://schemas.xmlsoap.org/soap/envelope/}Body;" />
*
* To specify an element without a namespace use the string
* Null as the namespace name (this is a case sensitive
* string)
*
* If there is no other element in the request with a local name of
* Body then the SOAP namespace identifier can be empty
* ({}).
*/
public static final String SIGNATURE_PARTS = "signatureParts";
/**
* This parameter sets the length of the secret (derived) key to use for the
* WSE UT_SIGN functionality.
*
* The default value is 16 bytes.
*/
public static final String WSE_SECRET_KEY_LENGTH = "wseSecretKeyLength";
/**
* This parameter sets the number of iterations to use when deriving a key
* from a Username Token. The default is 1000.
*/
public static final String DERIVED_KEY_ITERATIONS = "derivedKeyIterations";
/**
* Defines which key identifier type to use for encryption. The WS-Security specifications
* recommends to use the identifier type IssuerSerial. For
* possible encryption key identifier types refer to
* {@link #keyIdentifier}. For encryption IssuerSerial,
* X509KeyIdentifier, DirectReference,
* Thumbprint, SKIKeyIdentifier, and
* EmbeddedKeyName are valid only.
*
* The application may set this parameter using the following method:
*
* call.setProperty(WSHandlerConstants.ENC_KEY_ID, "X509KeyIdentifier");
*
*/
public static final String ENC_KEY_ID = "encryptionKeyIdentifier";
/**
* Defines which symmetric encryption algorithm to use. WSS4J supports the
* following alorithms: {@link WSConstants#TRIPLE_DES},
* {@link WSConstants#AES_128}, {@link WSConstants#AES_256},
* and {@link WSConstants#AES_192}. Except for AES 192 all of these
* algorithms are required by the XML Encryption specification.
*
* The application may set this parameter using the following method:
*
* call.setProperty(WSHandlerConstants.ENC_SYM_ALGO, WSConstants.AES_256);
*
*/
public static final String ENC_SYM_ALGO = "encryptionSymAlgorithm";
/**
* Defines which algorithm to use to encrypt the generated symmetric key.
* Currently WSS4J supports {@link WSConstants#KEYTRANSPORT_RSA15} only.
*
* The application may set this parameter using the following method:
*
* call.setProperty(WSHandlerConstants.ENC_KEY_TRANSPORT, "RSA15");
*
*/
public static final String ENC_KEY_TRANSPORT = "encryptionKeyTransportAlgorithm";
/**
* Parameter to define which parts of the request shall be encrypted.
*
* The value of this parameter is a list of semi-colon separated
* element names that identify the elements to encrypt. An encryption mode
* specifier and a namespace identification, each inside a pair of curly
* brackets, may preceed each element name.
*
* The encryption mode specifier is either {Content} or
* {Element}. Please refer to the W3C XML Encryption
* specification about the differences between Element and Content
* encryption. The encryption mode defaults to Content
* if it is omitted. Example of a list:
*
* <parameter name="encryptionParts"
* value="{Content}{http://example.org/paymentv2}CreditCard;
* {Element}{}UserName" />
*
* The the first entry of the list identifies the element
* CreditCard in the namespace
* http://example.org/paymentv2, and will encrypt its content.
* Be aware that the element name, the namespace identifier, and the
* encryption modifier are case sensitive.
*
* The encryption modifier and the namespace identifier can be ommited.
* In this case the encryption mode defaults to Content and
* the namespace is set to the SOAP namespace.
*
* An empty encryption mode defaults to Content, an empty
* namespace identifier defaults to the SOAP namespace.
* The second line of the example defines Element as
* encryption mode for an UserName element in the SOAP
* namespace.
*
* To specify an element without a namespace use the string
* Null as the namespace name (this is a case sensitive
* string)
*
* If no list is specified, the handler encrypts the SOAP Body in
* Content mode by default.
*/
public static final String ENCRYPTION_PARTS = "encryptionParts";
/**
* Time-To-Live is the time difference between creation and expiry time in
* seconds in the WSS Timestamp. After this time the SOAP request is
* invalid (at least the security data shall be treated this way).
*
* If this parameter is not defined, contains a value less or equal
* zero, or an illegal format the handlers use a default TTL of
* 300 seconds (5 minutes).
*/
public static final String TTL_TIMESTAMP = "timeToLive";
/**
* This configuration tag specifies the time in seconds in the future within which
* the Created time of an incoming Timestamp is valid. The default value is "60",
* to avoid problems where clocks are slightly askew. To reject all future-created
* Timestamps, set this value to "0".
*/
public static final String TTL_FUTURE_TIMESTAMP = "futureTimeToLive";
//
// Internal storage constants
//
/**
* The WSHandler stores a result List in this property.
*/
public static final String RECV_RESULTS = "RECV_RESULTS";
/**
* internally used property names to store values inside the message context
* that must have the same lifetime as a message (request/response model).
*/
public static final String SEND_SIGV = "_sendSignatureValues_";
/**
*
*/
public static final String SIG_CONF_DONE = "_sigConfDone_";
/**
* Define the parameter values to set the key identifier types. These are:
*
* DirectReference for {@link WSConstants#BST_DIRECT_REFERENCE}
* IssuerSerial for {@link WSConstants#ISSUER_SERIAL}
* X509KeyIdentifier for {@link WSConstants#X509_KEY_IDENTIFIER}
* SKIKeyIdentifier for {@link WSConstants#SKI_KEY_IDENTIFIER}
* EmbeddedKeyName for {@link WSConstants#EMBEDDED_KEYNAME}
* Thumbprint for {@link WSConstants#THUMBPRINT}
* EncryptedKeySHA1 for {@link WSConstants#ENCRYPTED_KEY_SHA1_IDENTIFIER}
*
* See {@link #SIG_KEY_ID} {@link #ENC_KEY_ID}.
*/
private static Map keyIdentifier = new HashMap();
static {
keyIdentifier.put("DirectReference",
new Integer(WSConstants.BST_DIRECT_REFERENCE));
keyIdentifier.put("IssuerSerial",
new Integer(WSConstants.ISSUER_SERIAL));
keyIdentifier.put("X509KeyIdentifier",
new Integer(WSConstants.X509_KEY_IDENTIFIER));
keyIdentifier.put("SKIKeyIdentifier",
new Integer(WSConstants.SKI_KEY_IDENTIFIER));
keyIdentifier.put("EmbeddedKeyName",
new Integer(WSConstants.EMBEDDED_KEYNAME));
keyIdentifier.put("Thumbprint",
new Integer(WSConstants.THUMBPRINT_IDENTIFIER));
keyIdentifier.put("EncryptedKeySHA1",
new Integer(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER));
}
/**
* Get the key identifier type corresponding to the parameter
* @param parameter
* @return the key identifier type corresponding to the parameter
*/
public static Integer getKeyIdentifier(String parameter) {
return keyIdentifier.get(parameter);
}
}
© 2015 - 2025 Weber Informatics LLC | Privacy Policy