org.apache.wss4j.common.ConfigurationConstants Maven / Gradle / Ivy
The newest version!
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.wss4j.common;
/**
* This class defines Configuration Constants that are shared between the DOM + StAX code. This
* allows a user to configure both layers in the same way (e.g. via a Map).
*/
public class ConfigurationConstants {
protected ConfigurationConstants() {
// complete
}
//
// Action configuration tags
//
/**
* The action parameter. It is a blank separated list of actions to perform.
*
* The application may set this parameter using the following method:
*
* call.setProperty(ConfigurationConstants.ACTION, ConfigurationConstants.USERNAME_TOKEN);
*
*/
public static final String ACTION = "action";
/**
* Perform a UsernameToken action.
*/
public static final String USERNAME_TOKEN = "UsernameToken";
/**
* Perform a UsernameTokenSignature action.
*/
public static final String USERNAME_TOKEN_SIGNATURE = "UsernameTokenSignature";
/**
* Perform a UsernameToken action with no password.
*/
public static final String USERNAME_TOKEN_NO_PASSWORD = "UsernameTokenNoPassword";
/**
* Perform an unsigned SAML Token action.
*/
public static final String SAML_TOKEN_UNSIGNED = "SAMLTokenUnsigned";
/**
* Perform a signed SAML Token action.
*/
public static final String SAML_TOKEN_SIGNED = "SAMLTokenSigned";
/**
* Perform a Signature action. The signature specific parameters define how
* to sign, which keys to use, and so on.
*/
public static final String SIGNATURE = "Signature";
/**
* Perform an Encryption action. The encryption specific parameters define how
* to encrypt, which keys to use, and so on.
*/
@Deprecated
public static final String ENCRYPT = "Encrypt";
/**
* Perform an Encryption action. The encryption specific parameters define how
* to encrypt, which keys to use, and so on.
*/
public static final String ENCRYPTION = "Encryption";
/**
* Add a timestamp to the security header.
*/
public static final String TIMESTAMP = "Timestamp";
/**
* Perform a Signature action with derived keys. The signature specific parameters define how
* to sign, which keys to use, and so on.
*/
public static final String SIGNATURE_DERIVED = "SignatureDerived";
/**
* Perform an Encryption action with derived keys. The encryption specific parameters define how
* to encrypt, which keys to use, and so on.
*/
@Deprecated
public static final String ENCRYPT_DERIVED = "EncryptDerived";
/**
* Perform an Encryption action with derived keys. The encryption specific parameters define how
* to encrypt, which keys to use, and so on.
*/
public static final String ENCRYPTION_DERIVED = "EncryptionDerived";
/**
* Perform a Signature action with a kerberos token. The signature specific parameters define how
* to sign, which keys to use, and so on.
*/
public static final String SIGNATURE_WITH_KERBEROS_TOKEN = "SignatureWithKerberosToken";
/**
* Perform a Encryption action with a kerberos token. The signature specific parameters define how
* to encrypt, which keys to use, and so on.
*/
@Deprecated
public static final String ENCRYPT_WITH_KERBEROS_TOKEN = "EncryptWithKerberosToken";
/**
* Perform a Encryption action with a kerberos token. The signature specific parameters define how
* to encrypt, which keys to use, and so on.
*/
public static final String ENCRYPTION_WITH_KERBEROS_TOKEN = "EncryptionWithKerberosToken";
/**
* Add a kerberos token.
*/
public static final String KERBEROS_TOKEN = "KerberosToken";
/**
* Add a "Custom" token. This token will be retrieved from a CallbackHandler via
* WSPasswordCallback.Usage.CUSTOM_TOKEN and written out as is in the security header.
*/
public static final String CUSTOM_TOKEN = "CustomToken";
//
// User properties
//
/**
* The actor or role name of the wsse:Security
header. If this parameter
* is omitted, the actor name is not set.
*
* The value of the actor or role has to match the receiver's setting
* or may contain standard values.
*
* The application may set this parameter using the following method:
*
* call.setProperty(ConfigurationConstants.ACTOR, "ActorName");
*
*/
public static final String ACTOR = "actor";
/**
* The user's name. It is used differently by each of the WS-Security functions.
*
* - The UsernameToken function sets this name in the
*
UsernameToken
.
*
* - The Signing function uses this name as the alias name
* in the keystore to get user's certificate and private key to
* perform signing if {@link #SIGNATURE_USER} is not used.
*
* - The encryption
* functions uses this parameter as fallback if {@link #ENCRYPTION_USER}
* is not used.
*
*
*/
public static final String USER = "user";
/**
* The user's name for encryption. The encryption functions use the public key of
* this user's certificate to encrypt the generated symmetric key.
*
* If this parameter is not set, then the encryption
* function falls back to the {@link #USER} parameter to get the
* certificate.
*
* If only encryption of the SOAP body data is requested,
* it is recommended to use this parameter to define the username.
*
* The application may set this parameter using the following method:
*
* call.setProperty(ConfigurationConstants.ENCRYPTION_USER, "encryptionUser");
*
*/
public static final String ENCRYPTION_USER = "encryptionUser";
/**
* The user's name for signature. This name is used as the alias name in the keystore
* to get user's certificate and private key to perform signing.
*
* If this parameter is not set, then the signature
* function falls back to the {@link #USER} parameter.
*
* The application may set this parameter using the following method:
*
* call.setProperty(ConfigurationConstants.SIGNATURE_USER, "signatureUser");
*
*/
public static final String SIGNATURE_USER = "signatureUser";
/**
* Specifying this name as {@link #ENCRYPTION_USER}
* triggers a special action to get the public key to use for encryption.
*
* The handler uses the public key of the sender's certificate. Using this
* way to define an encryption key simplifies certificate management to
* a large extent.
*/
public static final String USE_REQ_SIG_CERT = "useReqSigCert";
//
// Callback class and property file properties
//
/**
* This tag refers to the CallbackHandler implementation class used to obtain passwords.
* The value of this tag must be the class name of a
* {@link javax.security.auth.callback.CallbackHandler} instance.
*
* The callback function
* {@link javax.security.auth.callback.CallbackHandler#handle(
* javax.security.auth.callback.Callback[])} gets an array of
* {@link org.apache.wss4j.common.ext.WSPasswordCallback} objects. Only the first entry of the
* array is used. This object contains the username/keyname as identifier. The callback
* handler must set the password or key associated with this identifier before it returns.
*
* The application may set this parameter using the following method:
*
* call.setProperty(ConfigurationConstants.PW_CALLBACK_CLASS, "PWCallbackClass");
*
*/
public static final String PW_CALLBACK_CLASS = "passwordCallbackClass";
/**
* This tag refers to the CallbackHandler implementation object used to obtain
* passwords. The value of this tag must be a
* {@link javax.security.auth.callback.CallbackHandler} instance.
*
* Refer to {@link #PW_CALLBACK_CLASS} for further information about password callback
* handling.
*/
public static final String PW_CALLBACK_REF = "passwordCallbackRef";
/**
* This tag refers to the SAML CallbackHandler implementation class used to construct
* SAML Assertions. The value of this tag must be the class name of a
* {@link javax.security.auth.callback.CallbackHandler} instance.
*/
public static final String SAML_CALLBACK_CLASS = "samlCallbackClass";
/**
* This tag refers to the SAML CallbackHandler implementation object used to construct
* SAML Assertions. The value of this tag must be a
* {@link javax.security.auth.callback.CallbackHandler} instance.
*/
public static final String SAML_CALLBACK_REF = "samlCallbackRef";
/**
* The path of the crypto property file to use for Signature creation. The classloader
* loads this file. Therefore it must be accessible via the classpath.
*
* To locate the implementation of the
* {@link org.apache.wss4j.common.crypto.Crypto Crypto}
* interface implementation the property file must contain the property
* org.apache.wss4j.crypto.provider
. The value of
* this property is the classname of the implementation class.
*
* The following line defines the standard implementation:
*
* org.apache.wss4j.crypto.provider=org.apache.wss4j.common.crypto.Merlin
*
* The other contents of the property file depend on the implementation
* of the {@link org.apache.wss4j.common.crypto.Crypto Crypto}
* interface. Please see the WSS4J website for more information on the Merlin property
* tags and values.
*
* The application may set this parameter using the following method:
*
* call.setProperty(ConfigurationConstants.SIG_PROP_FILE, "myCrypto.properties");
*
*/
public static final String SIG_PROP_FILE = "signaturePropFile";
/**
* The key that holds a reference to the object holding complete information about
* the signature Crypto implementation. This object can either be a Crypto instance or a
* java.util.Properties
file, which should contain all information that
* would contain in an equivalent properties file which includes the Crypto implementation
* class name.
*
* Refer to documentation of {@link #SIG_PROP_FILE}.
*/
public static final String SIG_PROP_REF_ID = "signaturePropRefId";
/**
* The path of the crypto property file to use for Signature verification. The
* classloader loads this file. Therefore it must be accessible via the classpath.
*
* Refer to documentation of {@link #SIG_PROP_FILE}.
*/
public static final String SIG_VER_PROP_FILE = "signatureVerificationPropFile";
/**
* The key that holds a reference to the object holding complete information about
* the signature verification Crypto implementation. This object can either be a Crypto
* instance or a java.util.Properties
file, which should contain all
* information that would contain in an equivalent properties file which includes the
* Crypto implementation class name.
*
* Refer to documentation of {@link #SIG_VER_PROP_FILE}.
*/
public static final String SIG_VER_PROP_REF_ID = "signatureVerificationPropRefId";
/**
* The path of the crypto property file to use for Decryption. The classloader loads this
* file. Therefore it must be accessible via the classpath. Refer to documentation of
* {@link #SIG_PROP_FILE} for more information about the contents of the Properties file.
*
* The application may set this parameter using the following method:
*
* call.setProperty(ConfigurationConstants.DEC_PROP_FILE, "myCrypto.properties");
*
*/
public static final String DEC_PROP_FILE = "decryptionPropFile";
/**
* The key that holds a reference to the object holding complete information about
* the decryption Crypto implementation. This object can either be a Crypto instance or a
* java.util.Properties
file, which should contain all information that
* would contain in an equivalent properties file which includes the Crypto implementation
* class name.
*
* Refer to documentation of {@link #DEC_PROP_FILE}.
*/
public static final String DEC_PROP_REF_ID = "decryptionPropRefId";
/**
* The path of the crypto property file to use for Encryption. The classloader loads this
* file. Therefore it must be accessible via the classpath. Refer to documentation of
* {@link #SIG_PROP_FILE} for more information about the contents of the Properties file.
*
* The application may set this parameter using the following method:
*
* call.setProperty(ConfigurationConstants.ENC_PROP_FILE, "myCrypto.properties");
*
*/
public static final String ENC_PROP_FILE = "encryptionPropFile";
/**
* The key that holds a reference to the object holding complete information about
* the encryption Crypto implementation. This object can either be a Crypto instance or a
* java.util.Properties
file, which should contain all information that
* would contain in an equivalent properties file which includes the Crypto implementation
* class name.
*
* Refer to documentation of {@link #ENC_PROP_FILE}.
*/
public static final String ENC_PROP_REF_ID = "encryptionPropRefId";
//
// Boolean configuration tags, e.g. the value should be "true" or "false".
//
/**
* Whether to enable signatureConfirmation or not. The default value is "false".
*/
public static final String ENABLE_SIGNATURE_CONFIRMATION = "enableSignatureConfirmation";
/**
* Whether to set the mustUnderstand flag on an outbound message or not. The default
* setting is "true".
*
* The application may set this parameter using the following method:
*
* call.setProperty(ConfigurationConstants.MUST_UNDERSTAND, "false");
*
*/
public static final String MUST_UNDERSTAND = "mustUnderstand";
/**
* Whether to ensure compliance with the Basic Security Profile (BSP) 1.1 or not. The
* default value is "true".
*
* The application may set this parameter using the following method:
*
* call.setProperty(ConfigurationConstants.IS_BSP_COMPLIANT, "false");
*
*/
public static final String IS_BSP_COMPLIANT = "isBSPCompliant";
/**
* Whether to add an InclusiveNamespaces PrefixList as a CanonicalizationMethod
* child when generating Signatures using WSConstants.C14N_EXCL_OMIT_COMMENTS.
* The default is true.
*/
public static final String ADD_INCLUSIVE_PREFIXES = "addInclusivePrefixes";
/**
* Whether to add a Nonce Element to a UsernameToken. This only applies when the
* password type is of type "text". A Nonce is automatically added for the "digest"
* case. The default is false.
*/
public static final String ADD_USERNAMETOKEN_NONCE = "addUsernameTokenNonce";
/**
* Whether to add a Created Element to a UsernameToken. This only applies when the
* password type is of type "text". A Created is automatically added for the "digest"
* case. The default is false.
*/
public static final String ADD_USERNAMETOKEN_CREATED = "addUsernameTokenCreated";
/**
* This variable controls whether types other than PasswordDigest or PasswordText
* are allowed when processing UsernameTokens. The default value is "false".
*/
public static final String HANDLE_CUSTOM_PASSWORD_TYPES = "handleCustomPasswordTypes";
/**
* This variable controls whether a UsernameToken with no password element is allowed.
* The default value is "false". Set it to "true" to allow deriving keys from UsernameTokens
* or to support UsernameTokens for purposes other than authentication.
*/
public static final String ALLOW_USERNAMETOKEN_NOPASSWORD = "allowUsernameTokenNoPassword";
/**
* This variable controls whether (wsse) namespace qualified password types are
* accepted when processing UsernameTokens. The default value is "false".
*/
public static final String ALLOW_NAMESPACE_QUALIFIED_PASSWORD_TYPES
= "allowNamespaceQualifiedPasswordTypes";
/**
* This variable controls whether to enable Certificate Revocation List (CRL) checking
* or not when verifying trust in a certificate. The default value is "false".
*/
public static final String ENABLE_REVOCATION = "enableRevocation";
/**
* This parameter sets whether to use a single certificate or a whole certificate
* chain when constructing a BinarySecurityToken used for direct reference in
* signature. The default is "true", meaning that only a single certificate is used.
*/
public static final String USE_SINGLE_CERTIFICATE = "useSingleCertificate";
/**
* This parameter sets whether to use the Username Token derived key for a MAC
* or not. The default is "true".
*/
public static final String USE_DERIVED_KEY_FOR_MAC = "useDerivedKeyForMAC";
/**
* Set whether Timestamps have precision in milliseconds. This applies to the
* creation of Timestamps only. The default value is "true".
*/
public static final String TIMESTAMP_PRECISION = "precisionInMilliseconds";
/**
* Set the value of this parameter to true to enable strict timestamp
* handling. The default value is "true".
*
* Strict Timestamp handling: throw an exception if a Timestamp contains
* an Expires
element and the semantics of the request are
* expired, i.e. the current time at the receiver is past the expires time.
*/
public static final String TIMESTAMP_STRICT = "timestampStrict";
/**
* Set the value of this parameter to true to require that a Timestamp must have
* an "Expires" Element. The default is "false".
*/
public static final String REQUIRE_TIMESTAMP_EXPIRES = "requireTimestampExpires";
/**
* Defines whether to encrypt the symmetric encryption key or not. If true
* (the default), the symmetric key used for encryption is encrypted in turn,
* and inserted into the security header in an "EncryptedKey" structure. If
* set to false, no EncryptedKey structure is constructed.
*
* The application may set this parameter using the following method:
*
* call.setProperty(ConfigurationConstants.ENC_SYM_ENC_KEY, "false");
*
*/
public static final String ENC_SYM_ENC_KEY = "encryptSymmetricEncryptionKey";
/**
* Whether the engine needs to enforce EncryptedData elements are
* in a signed subtree of the document. This can be used to prevent
* some wrapping based attacks when encrypt-before-sign token
* protection is selected.
*/
public static final String REQUIRE_SIGNED_ENCRYPTED_DATA_ELEMENTS = "requireSignedEncryptedDataElements";
/**
* Whether to allow the RSA v1.5 Key Transport Algorithm or not. Use of this algorithm
* is discouraged, and so the default is "false".
*/
public static final String ALLOW_RSA15_KEY_TRANSPORT_ALGORITHM = "allowRSA15KeyTransportAlgorithm";
/**
* Whether to validate the SubjectConfirmation requirements of a received SAML Token
* (sender-vouches or holder-of-key). The default is true.
*/
public static final String VALIDATE_SAML_SUBJECT_CONFIRMATION =
"validateSamlSubjectConfirmation";
/**
* Whether to include the Signature Token in the security header as well or not. This is only
* applicable to the IssuerSerial, Thumbprint and SKI Key Identifier cases. The default is false.
*/
public static final String INCLUDE_SIGNATURE_TOKEN = "includeSignatureToken";
/**
* Whether to include the Encryption token (BinarySecurityToken) in the security header as well
* or not. This is only applicable to the IssuerSerial, Thumbprint and SKI Key Identifier cases.
* The default is false.
*/
public static final String INCLUDE_ENCRYPTION_TOKEN = "includeEncryptionToken";
/**
* Whether to use the "http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
* namespace for SecureConversation + Derived Keys. If set to "false", it will use the
* namespace "http://schemas.xmlsoap.org/ws/2005/02/sc".
*
* The default is true.
*/
public static final String USE_2005_12_NAMESPACE = "use200512Namespace";
/**
* Whether to get a secret key from a CallbackHandler or not for encryption only. The default is
* false. If set to true WSS4J attempts to get the secret key from the CallbackHandler instead of
* generating a random key internally. This allows the user more control over the symmetric key
* if required.
*/
public static final String GET_SECRET_KEY_FROM_CALLBACK_HANDLER = "getSecretKeyFromCallbackHandler";
/**
* Whether to store bytes (CipherData or BinarySecurityToken) in an attachment. The default is false,
* meaning that bytes are BASE-64 encoded and "inlined" in the message. Setting this to true is more
* efficient, as it means that the BASE-64 encoding step can be skipped. For this to work, a
* CallbackHandler must be set on RequestData that can handle attachments.
*/
public static final String STORE_BYTES_IN_ATTACHMENT = "storeBytesInAttachment";
/**
* Whether to expand xop:Include Elements encountered when verifying a Signature. The default is true,
* meaning that the relevant attachment bytes are BASE-64 encoded and inserted into the Element. This
* ensures that the actual bytes are signed, and not just the reference. This configuration tag has
* been deprecated in favour of EXPAND_XOP_INCLUDE.
*/
@Deprecated
public static final String EXPAND_XOP_INCLUDE_FOR_SIGNATURE = "expandXOPIncludeForSignature";
/**
* Whether to search for and expand xop:Include Elements for encryption and signature (on the outbound
* side) or for signature verification (on the inbound side). The default is false on the outbound
* side and true on the inbound side. What this means on the inbound side, is that the relevant attachment
* bytes are BASE-64 encoded and inserted into the Element. This ensures that the actual bytes are signed,
* and not just the reference.
*/
public static final String EXPAND_XOP_INCLUDE = "expandXOPInclude";
//
// (Non-boolean) Configuration parameters for the actions/processors
//
/**
* Specific parameter for UsernameTokens to define the encoding of the password. It can
* be used on either the outbound or inbound side. The valid values are:
*
* - PasswordDigest
* - PasswordText
* - PasswordNone
*
* On the Outbound side, the default value is PW_DIGEST. There is no default value on
* the inbound side. If a value is specified on the inbound side, the password type of
* the received UsernameToken must match the specified type, or an exception will be
* thrown.
*/
public static final String PASSWORD_TYPE = "passwordType";
/**
* Defines which key identifier type to use for signature. The WS-Security specifications
* recommends to use the identifier type IssuerSerial
.
*
* For signature IssuerSerial
, DirectReference
,
* X509KeyIdentifier
, Thumbprint
, SKIKeyIdentifier
* and KeyValue
are valid only.
*
* The default is IssuerSerial
.
*
* The application may set this parameter using the following method:
*
* call.setProperty(ConfigurationConstants.SIG_KEY_ID, "DirectReference");
*
*/
public static final String SIG_KEY_ID = "signatureKeyIdentifier";
/**
* Defines which signature algorithm to use. The default is set by the data in the
* certificate, i.e. one of the following:
*
* "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
* "http://www.w3.org/2000/09/xmldsig#dsa-sha1"
*
*
* The application may set this parameter using the following method:
*
* call.setProperty(
* ConfigurationConstants.SIG_ALGO,
* "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
* );
*
*/
public static final String SIG_ALGO = "signatureAlgorithm";
/**
* Defines which signature digest algorithm to use. The default is:
*
* "http://www.w3.org/2000/09/xmldsig#sha1"
*
*
* The application may set this parameter using the following method:
*
* call.setProperty(
* ConfigurationConstants.SIG_DIGEST_ALGO, "http://www.w3.org/2001/04/xmlenc#sha256"
* );
*
*/
public static final String SIG_DIGEST_ALGO = "signatureDigestAlgorithm";
/**
* Defines which signature c14n (canonicalization) algorithm to use. The default is:
* "http://www.w3.org/2001/10/xml-exc-c14n#"
*/
public static final String SIG_C14N_ALGO = "signatureC14nAlgorithm";
/**
* Parameter to define which parts of the request shall be signed.
*
* Refer to {@link #ENCRYPTION_PARTS} for a detailed description of
* the format of the value string.
*
* If this parameter is not specified the handler signs the SOAP Body
* by default, i.e.:
*
* <parameter name="signatureParts"
* value="{}{http://schemas.xmlsoap.org/soap/envelope/}Body;" />
*
* To specify an element without a namespace use the string
* Null
as the namespace name (this is a case sensitive
* string)
*
* If there is no other element in the request with a local name of
* Body
then the SOAP namespace identifier can be empty
* ({}
).
*/
public static final String SIGNATURE_PARTS = "signatureParts";
/**
* Parameter to define which parts of the request shall be signed, if they
* exist in the request. If they do not, then no error is thrown. This contrasts
* with the SIGNATURE_PARTS Identifier, which specifies elements that must be
* signed in the request.
*
* Refer to {@link #ENCRYPTION_PARTS} for a detailed description of
* the format of the value string.
*
*/
public static final String OPTIONAL_SIGNATURE_PARTS = "optionalSignatureParts";
/**
* This parameter sets the number of iterations to use when deriving a key
* from a Username Token. The default is 1000.
*/
public static final String DERIVED_KEY_ITERATIONS = "derivedKeyIterations";
/**
* Defines which key identifier type to use for encryption. The WS-Security specifications
* recommends to use the identifier type IssuerSerial
. For encryption
* IssuerSerial
, DirectReference
, X509KeyIdentifier
,
* Thumbprint
, SKIKeyIdentifier
, EncryptedKeySHA1
* and EmbeddedKeyName
are valid only.
*
* The default is IssuerSerial
.
*
* The application may set this parameter using the following method:
*
* call.setProperty(ConfigurationConstants.ENC_KEY_ID, "X509KeyIdentifier");
*
*/
public static final String ENC_KEY_ID = "encryptionKeyIdentifier";
/**
* Defines which symmetric encryption algorithm to use. WSS4J supports the
* following algorithms:
*
* "http://www.w3.org/2001/04/xmlenc#tripledes-cbc";
* "http://www.w3.org/2001/04/xmlenc#aes128-cbc";
* "http://www.w3.org/2001/04/xmlenc#aes256-cbc";
* "http://www.w3.org/2001/04/xmlenc#aes192-cbc";
*
* Except for AES 192 all of these algorithms are required by the XML Encryption
* specification. The default algorithm is:
*
* "http://www.w3.org/2001/04/xmlenc#aes128-cbc"
*
*
* The application may set this parameter using the following method:
*
* call.setProperty(ConfigurationConstants.ENC_SYM_ALGO, WSConstants.AES_256);
*
*/
public static final String ENC_SYM_ALGO = "encryptionSymAlgorithm";
/**
* Defines which algorithm to use to encrypt the generated symmetric key.
* The default algorithm is:
*
* "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
*
*
* The application may set this parameter using the following method:
*
* call.setProperty(ConfigurationConstants.ENC_KEY_TRANSPORT, WSConstants.KEYTRANSPORT_RSA15);
*
*/
public static final String ENC_KEY_TRANSPORT = "encryptionKeyTransportAlgorithm";
/**
* Defines the Agreement method algorithm to derive encryption key.
* The default algorithm is:
* "http://www.w3.org/2009/xmlenc11#ECDH-ES"
*
*
* The application may set this parameter using the following method:
*
* call.setProperty(ConfigurationConstants.ENC_KEY_AGREEMENT_METHOD,
* WSConstants.AGREEMENT_METHOD_ECDH_ES);
*
*
*/
public static final String ENC_KEY_AGREEMENT_METHOD = "encryptionKeyAgreementMethod";
/**
* Defines the Key Derivation algorithm to derive encryption key used with the keyAgreement method.
* The default algorithm is:
* "http://www.w3.org/2021/04/xmldsig-more#hkdf"
*
*
* The application may set this parameter using the following method:
*
* call.setProperty(ConfigurationConstants.ENC_KEY_DERIVATION_FUNCTION,
* WSConstants.KEYDERIVATION_HKDF);
*
*
*/
public static final String ENC_KEY_DERIVATION_FUNCTION = "encryptionKeyDerivationFunction";
/**
* Defines the Key Derivation parameters to derive encryption key used with the keyAgreement method. In case the
* property value is set, it supersedes the ENC_KEY_DERIVATION_FUNCTION value.
* The value for the property must implement the org.apache.xml.security.encryption.params.KeyDerivationParameters
* interface. Currently, only org.apache.xml.security.encryption.params.HKDFParams
and
* org.apache.xml.security.encryption.params.ConcatKDFParams
are available.
*
*
* The application may set this parameter using the following method:
*
* KeyDerivationParameters kdfParams = new ConcatKDFParams(keyBitLen, MessageDigestAlgorithm.ALGO_ID_DIGEST_SHA256);
* kdfParams.setAlgorithmId("00363532534541");
* kdfParams.setPartyUInfo("00DFC9DB773C588F8F");
* kdfParams.setPartyVInfo("00DFDA76F7AB09B7C9");
* kdfParams.setSuppPubInfo(null);
* kdfParams.setSuppPrivInfo(null);
*
* call.set(ConfigurationConstants.ENC_KEY_DERIVATION_PARAMS,kdfParams);
*
*
*/
public static final String ENC_KEY_DERIVATION_PARAMS = "encryptionKeyDerivationParams";
/**
* Parameter to define which parts of the request shall be encrypted.
*
* The value of this parameter is a list of semi-colon separated
* element names that identify the elements to encrypt. An encryption mode
* specifier and a namespace identification, each inside a pair of curly
* brackets, may preceed each element name.
*
* The encryption mode specifier is either {Content}
or
* {Element}
. Please refer to the W3C XML Encryption
* specification about the differences between Element and Content
* encryption. The encryption mode defaults to Content
* if it is omitted. Example of a list:
*
* <parameter name="encryptionParts"
* value="{Content}{http://example.org/paymentv2}CreditCard;
* {Element}{}UserName" />
*
* The the first entry of the list identifies the element
* CreditCard
in the namespace
* http://example.org/paymentv2
, and will encrypt its content.
* Be aware that the element name, the namespace identifier, and the
* encryption modifier are case sensitive.
*
* The encryption modifier and the namespace identifier can be ommited.
* In this case the encryption mode defaults to Content
and
* the namespace is set to the SOAP namespace.
*
* An empty encryption mode defaults to Content
, an empty
* namespace identifier defaults to the SOAP namespace.
* The second line of the example defines Element
as
* encryption mode for an UserName
element in the SOAP
* namespace.
*
* Note that the special value "{}cid:Attachments;" means that all of the message
* attachments should be encrypted.
*
* To specify an element without a namespace use the string
* Null
as the namespace name (this is a case sensitive
* string)
*
* If no list is specified, the handler encrypts the SOAP Body in
* Content
mode by default.
*/
public static final String ENCRYPTION_PARTS = "encryptionParts";
/**
* Parameter to define which parts of the request shall be encrypted, if they
* exist in the request. If they do not, then no error is thrown. This contrasts
* with the ENCRYPTION_PARTS Identifier, which specifies elements that must be
* encrypted in the request.
*
* Refer to {@link #ENCRYPTION_PARTS} for a detailed description of
* the format of the value string.
*
*/
public static final String OPTIONAL_ENCRYPTION_PARTS = "optionalEncryptionParts";
/**
* Defines which encryption digest algorithm to use with the RSA OAEP Key Transport
* algorithm for encryption. The default is SHA-1.
*
* The application may set this parameter using the following method:
*
* call.setProperty(
* ConfigurationConstants.ENC_DIGEST_ALGO, "http://www.w3.org/2001/04/xmlenc#sha256"
* );
*
*/
public static final String ENC_DIGEST_ALGO = "encryptionDigestAlgorithm";
/**
* Defines which encryption mgf algorithm to use with the RSA OAEP Key Transport
* algorithm for encryption. The default is mgfsha1.
*
* The application may set this parameter using the following method:
*
* call.setProperty(
* ConfigurationConstants.ENC_MGF_ALGO, "http://www.w3.org/2009/xmlenc11#mgf1sha256"
* );
*
*/
public static final String ENC_MGF_ALGO = "encryptionMGFAlgorithm";
/**
* Time-To-Live is the time difference between creation and expiry time in
* seconds of the UsernameToken Created value. After this time the SOAP request
* is invalid (at least the security data shall be treated this way).
*
* If this parameter is not defined, contains a value less or equal
* zero, or an illegal format the handlers use a default TTL of
* 300 seconds (5 minutes).
*/
public static final String TTL_USERNAMETOKEN = "utTimeToLive";
/**
* This configuration tag specifies the time in seconds in the future within which
* the Created time of an incoming UsernameToken is valid. The default value is "60",
* to avoid problems where clocks are slightly askew. To reject all future-created
* UsernameTokens, set this value to "0".
*/
public static final String TTL_FUTURE_USERNAMETOKEN = "utFutureTimeToLive";
/**
* This configuration tag is a String (separated by the value specified for SIG_CERT_CONSTRAINTS_SEPARATOR)
* of regular expressions which will be applied to the subject DN of the certificate used for signature
* validation, after trust verification of the certificate chain associated with the
* certificate.
*/
public static final String SIG_SUBJECT_CERT_CONSTRAINTS = "sigSubjectCertConstraints";
/**
* This configuration tag is a String (separated by the value specified for SIG_CERT_CONSTRAINTS_SEPARATOR)
* of regular expressions which will be applied to the issuer DN of the certificate used for signature
* validation, after trust verification of the certificate chain associated with the
* certificate.
*/
public static final String SIG_ISSUER_CERT_CONSTRAINTS = "sigIssuerCertConstraints";
/**
* This configuration tag refers to the separator that is used to parse certificate constraints
* configured in the SIG_SUBJECT_CERT_CONSTRAINTS and SIG_ISSUER_CERT_CONSTRAINTS configuration
* tags. By default it is a comma - ",".
*/
public static final String SIG_CERT_CONSTRAINTS_SEPARATOR = "sigCertConstraintsSeparator";
/**
* Time-To-Live is the time difference between creation and expiry time in
* seconds in the WSS Timestamp. After this time the SOAP request is
* invalid (at least the security data shall be treated this way).
*
* If this parameter is not defined, contains a value less or equal
* zero, or an illegal format the handlers use a default TTL of
* 300 seconds (5 minutes).
*/
public static final String TTL_TIMESTAMP = "timeToLive";
/**
* This configuration tag specifies the time in seconds in the future within which
* the Created time of an incoming Timestamp is valid. The default value is "60",
* to avoid problems where clocks are slightly askew. To reject all future-created
* Timestamps, set this value to "0".
*/
public static final String TTL_FUTURE_TIMESTAMP = "futureTimeToLive";
/**
* This tag refers to a Map of QName, Object (Validator) instances to be used to
* validate tokens identified by their QName. For the DOM layer, the Object should
* be a org.apache.wss4j.dom.validate.Validator instance. For the StAX layer, it
* should be a org.apache.wss4j.stax.validate.Validator instance.
*/
public static final String VALIDATOR_MAP = "validatorMap";
/**
* This holds a reference to a ReplayCache instance used to cache UsernameToken nonces. The
* default instance that is used is the EHCacheReplayCache.
*/
public static final String NONCE_CACHE_INSTANCE = "nonceCacheInstance";
/**
* This holds a reference to a ReplayCache instance used to cache Timestamp Created Strings. The
* default instance that is used is the EHCacheReplayCache.
*/
public static final String TIMESTAMP_CACHE_INSTANCE = "timestampCacheInstance";
/**
* This holds a reference to a ReplayCache instance used to cache SAML2 Token Identifier
* Strings (if the token contains a OneTimeUse Condition). The default instance that is
* used is the EHCacheReplayCache.
*/
public static final String SAML_ONE_TIME_USE_CACHE_INSTANCE = "samlOneTimeUseCacheInstance";
/**
* This holds a reference to a PasswordEncryptor instance, which is used to encrypt or
* decrypt passwords in the Merlin Crypto implementation (or any custom Crypto implementations).
*
* By default, WSS4J uses the JasyptPasswordEncryptor, which must be instantiated with a
* password to use to decrypt keystore passwords in the Merlin Crypto properties file.
* This password is obtained via the CallbackHandler defined via PW_CALLBACK_CLASS
* or PW_CALLBACK_REF.
*
* The encrypted passwords must be stored in the format "ENC(encoded encrypted password)".
*/
public static final String PASSWORD_ENCRYPTOR_INSTANCE = "passwordEncryptorInstance";
/**
* This controls the deriving token from which DerivedKeyTokens derive keys from.
* Valid values are:
* - DirectReference: A reference to a BinarySecurityToken
* - EncryptedKey: A reference to an EncryptedKey
* - SecurityContextToken: A reference to a SecurityContextToken
*/
public static final String DERIVED_TOKEN_REFERENCE = "derivedTokenReference";
/**
* This controls the key identifier of Derived Tokens, i.e. how they reference the deriving key.
*/
public static final String DERIVED_TOKEN_KEY_ID = "derivedTokenKeyIdentifier";
/**
* The length to use (in bytes) when deriving a key for Signature. If this is not specified,
* it defaults to a value based on the signature algorithm.
*/
public static final String DERIVED_SIGNATURE_KEY_LENGTH = "derivedSignatureKeyLength";
/**
* The length to use (in bytes) when deriving a key for Encryption. If this is not specified,
* it defaults to a value based on the encryption algorithm.
*/
public static final String DERIVED_ENCRYPTION_KEY_LENGTH = "derivedEncryptionKeyLength";
}