1 /** 2 * Licensed to the Apache Software Foundation (ASF) under one 3 * or more contributor license agreements. See the NOTICE file 4 * distributed with this work for additional information 5 * regarding copyright ownership. The ASF licenses this file 6 * to you under the Apache License, Version 2.0 (the 7 * "License"); you may not use this file except in compliance 8 * with the License. You may obtain a copy of the License at 9 * 10 * http://www.apache.org/licenses/LICENSE-2.0 11 * 12 * Unless required by applicable law or agreed to in writing, 13 * software distributed under the License is distributed on an 14 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 15 * KIND, either express or implied. See the License for the 16 * specific language governing permissions and limitations 17 * under the License. 18 */ 19 package org.apache.wss4j.common; 20 21 /** 22 * This class defines Configuration Constants that are shared between the DOM + StAX code. This 23 * allows a user to configure both layers in the same way (e.g. via a Map). 24 */ 25 public class ConfigurationConstants { 26 27 protected ConfigurationConstants() { 28 // complete 29 } 30 31 // 32 // Action configuration tags 33 // 34 35 /** 36 * The action parameter. It is a blank separated list of actions to perform. 37 * <p/> 38 * The application may set this parameter using the following method: 39 * <pre> 40 * call.setProperty(ConfigurationConstants.ACTION, ConfigurationConstants.USERNAME_TOKEN); 41 * </pre> 42 */ 43 public static final String ACTION = "action"; 44 45 /** 46 * Perform a UsernameToken action. 47 */ 48 public static final String USERNAME_TOKEN = "UsernameToken"; 49 50 /** 51 * Perform a UsernameTokenSignature action. 52 */ 53 public static final String USERNAME_TOKEN_SIGNATURE = "UsernameTokenSignature"; 54 55 /** 56 * Perform a UsernameToken action with no password. 57 */ 58 public static final String USERNAME_TOKEN_NO_PASSWORD = "UsernameTokenNoPassword"; 59 60 /** 61 * Perform an unsigned SAML Token action. 62 */ 63 public static final String SAML_TOKEN_UNSIGNED = "SAMLTokenUnsigned"; 64 65 /** 66 * Perform a signed SAML Token action. 67 */ 68 public static final String SAML_TOKEN_SIGNED = "SAMLTokenSigned"; 69 70 /** 71 * Perform a Signature action. The signature specific parameters define how 72 * to sign, which keys to use, and so on. 73 */ 74 public static final String SIGNATURE = "Signature"; 75 76 /** 77 * Perform an Encryption action. The encryption specific parameters define how 78 * to encrypt, which keys to use, and so on. 79 */ 80 @Deprecated 81 public static final String ENCRYPT = "Encrypt"; 82 83 /** 84 * Perform an Encryption action. The encryption specific parameters define how 85 * to encrypt, which keys to use, and so on. 86 */ 87 public static final String ENCRYPTION = "Encryption"; 88 89 /** 90 * Add a timestamp to the security header. 91 */ 92 public static final String TIMESTAMP = "Timestamp"; 93 94 /** 95 * Perform a Signature action with derived keys. The signature specific parameters define how 96 * to sign, which keys to use, and so on. 97 */ 98 public static final String SIGNATURE_DERIVED = "SignatureDerived"; 99 100 /** 101 * Perform an Encryption action with derived keys. The encryption specific parameters define how 102 * to encrypt, which keys to use, and so on. 103 */ 104 @Deprecated 105 public static final String ENCRYPT_DERIVED = "EncryptDerived"; 106 107 /** 108 * Perform an Encryption action with derived keys. The encryption specific parameters define how 109 * to encrypt, which keys to use, and so on. 110 */ 111 public static final String ENCRYPTION_DERIVED = "EncryptionDerived"; 112 113 /** 114 * Perform a Signature action with a kerberos token. The signature specific parameters define how 115 * to sign, which keys to use, and so on. 116 */ 117 public static final String SIGNATURE_WITH_KERBEROS_TOKEN = "SignatureWithKerberosToken"; 118 119 /** 120 * Perform a Encryption action with a kerberos token. The signature specific parameters define how 121 * to encrypt, which keys to use, and so on. 122 */ 123 @Deprecated 124 public static final String ENCRYPT_WITH_KERBEROS_TOKEN = "EncryptWithKerberosToken"; 125 126 /** 127 * Perform a Encryption action with a kerberos token. The signature specific parameters define how 128 * to encrypt, which keys to use, and so on. 129 */ 130 public static final String ENCRYPTION_WITH_KERBEROS_TOKEN = "EncryptionWithKerberosToken"; 131 132 /** 133 * Add a kerberos token. 134 */ 135 public static final String KERBEROS_TOKEN = "KerberosToken"; 136 137 /** 138 * Add a "Custom" token. This token will be retrieved from a CallbackHandler via 139 * WSPasswordCallback.Usage.CUSTOM_TOKEN and written out as is in the security header. 140 */ 141 public static final String CUSTOM_TOKEN = "CustomToken"; 142 143 // 144 // User properties 145 // 146 147 /** 148 * The actor or role name of the <code>wsse:Security</code> header. If this parameter 149 * is omitted, the actor name is not set. 150 * <p/> 151 * The value of the actor or role has to match the receiver's setting 152 * or may contain standard values. 153 * <p/> 154 * The application may set this parameter using the following method: 155 * <pre> 156 * call.setProperty(ConfigurationConstants.ACTOR, "ActorName"); 157 * </pre> 158 */ 159 public static final String ACTOR = "actor"; 160 161 /** 162 * The user's name. It is used differently by each of the WS-Security functions. 163 * <ul> 164 * <li>The <i>UsernameToken</i> function sets this name in the 165 * <code>UsernameToken</code>. 166 * </li> 167 * <li>The <i>Signing</i> function uses this name as the alias name 168 * in the keystore to get user's certificate and private key to 169 * perform signing if {@link #SIGNATURE_USER} is not used. 170 * </li> 171 * <li>The <i>encryption</i> 172 * functions uses this parameter as fallback if {@link #ENCRYPTION_USER} 173 * is not used. 174 * </li> 175 * </ul> 176 */ 177 public static final String USER = "user"; 178 179 /** 180 * The user's name for encryption. The encryption functions use the public key of 181 * this user's certificate to encrypt the generated symmetric key. 182 * <p/> 183 * If this parameter is not set, then the encryption 184 * function falls back to the {@link #USER} parameter to get the 185 * certificate. 186 * <p/> 187 * If <b>only</b> encryption of the SOAP body data is requested, 188 * it is recommended to use this parameter to define the username. 189 * <p/> 190 * The application may set this parameter using the following method: 191 * <pre> 192 * call.setProperty(ConfigurationConstants.ENCRYPTION_USER, "encryptionUser"); 193 * </pre> 194 */ 195 public static final String ENCRYPTION_USER = "encryptionUser"; 196 197 /** 198 * The user's name for signature. This name is used as the alias name in the keystore 199 * to get user's certificate and private key to perform signing. 200 * <p/> 201 * If this parameter is not set, then the signature 202 * function falls back to the {@link #USER} parameter. 203 * <p/> 204 * The application may set this parameter using the following method: 205 * <pre> 206 * call.setProperty(ConfigurationConstants.SIGNATURE_USER, "signatureUser"); 207 * </pre> 208 */ 209 public static final String SIGNATURE_USER = "signatureUser"; 210 211 /** 212 * Specifying this name as {@link #ENCRYPTION_USER} 213 * triggers a special action to get the public key to use for encryption. 214 * <p/> 215 * The handler uses the public key of the sender's certificate. Using this 216 * way to define an encryption key simplifies certificate management to 217 * a large extent. 218 */ 219 public static final String USE_REQ_SIG_CERT = "useReqSigCert"; 220 221 // 222 // Callback class and property file properties 223 // 224 225 /** 226 * This tag refers to the CallbackHandler implementation class used to obtain passwords. 227 * The value of this tag must be the class name of a 228 * {@link javax.security.auth.callback.CallbackHandler} instance. 229 * </p> 230 * The callback function 231 * {@link javax.security.auth.callback.CallbackHandler#handle( 232 * javax.security.auth.callback.Callback[])} gets an array of 233 * {@link org.apache.wss4j.common.ext.WSPasswordCallback} objects. Only the first entry of the 234 * array is used. This object contains the username/keyname as identifier. The callback 235 * handler must set the password or key associated with this identifier before it returns. 236 * <p/> 237 * The application may set this parameter using the following method: 238 * <pre> 239 * call.setProperty(ConfigurationConstants.PW_CALLBACK_CLASS, "PWCallbackClass"); 240 * </pre> 241 */ 242 public static final String PW_CALLBACK_CLASS = "passwordCallbackClass"; 243 244 /** 245 * This tag refers to the CallbackHandler implementation object used to obtain 246 * passwords. The value of this tag must be a 247 * {@link javax.security.auth.callback.CallbackHandler} instance. 248 * </p> 249 * Refer to {@link #PW_CALLBACK_CLASS} for further information about password callback 250 * handling. 251 */ 252 public static final String PW_CALLBACK_REF = "passwordCallbackRef"; 253 254 /** 255 * This tag refers to the SAML CallbackHandler implementation class used to construct 256 * SAML Assertions. The value of this tag must be the class name of a 257 * {@link javax.security.auth.callback.CallbackHandler} instance. 258 */ 259 public static final String SAML_CALLBACK_CLASS = "samlCallbackClass"; 260 261 /** 262 * This tag refers to the SAML CallbackHandler implementation object used to construct 263 * SAML Assertions. The value of this tag must be a 264 * {@link javax.security.auth.callback.CallbackHandler} instance. 265 */ 266 public static final String SAML_CALLBACK_REF = "samlCallbackRef"; 267 268 /** 269 * The path of the crypto property file to use for Signature creation. The classloader 270 * loads this file. Therefore it must be accessible via the classpath. 271 * <p/> 272 * To locate the implementation of the 273 * {@link org.apache.wss4j.common.crypto.Crypto Crypto} 274 * interface implementation the property file must contain the property 275 * <code>org.apache.wss4j.crypto.provider</code>. The value of 276 * this property is the classname of the implementation class. 277 * <p/> 278 * The following line defines the standard implementation: 279 * <pre> 280 * org.apache.wss4j.crypto.provider=org.apache.wss4j.common.crypto.Merlin 281 * </pre> 282 * The other contents of the property file depend on the implementation 283 * of the {@link org.apache.wss4j.common.crypto.Crypto Crypto} 284 * interface. Please see the WSS4J website for more information on the Merlin property 285 * tags and values. 286 * </p> 287 * The application may set this parameter using the following method: 288 * <pre> 289 * call.setProperty(ConfigurationConstants.SIG_PROP_FILE, "myCrypto.properties"); 290 * </pre> 291 */ 292 public static final String SIG_PROP_FILE = "signaturePropFile"; 293 294 /** 295 * The key that holds a reference to the object holding complete information about 296 * the signature Crypto implementation. This object can either be a Crypto instance or a 297 * <code>java.util.Properties</code> file, which should contain all information that 298 * would contain in an equivalent properties file which includes the Crypto implementation 299 * class name. 300 * 301 * Refer to documentation of {@link #SIG_PROP_FILE}. 302 */ 303 public static final String SIG_PROP_REF_ID = "signaturePropRefId"; 304 305 /** 306 * The path of the crypto property file to use for Signature verification. The 307 * classloader loads this file. Therefore it must be accessible via the classpath. 308 * <p/> 309 * Refer to documentation of {@link #SIG_PROP_FILE}. 310 */ 311 public static final String SIG_VER_PROP_FILE = "signatureVerificationPropFile"; 312 313 /** 314 * The key that holds a reference to the object holding complete information about 315 * the signature verification Crypto implementation. This object can either be a Crypto 316 * instance or a <code>java.util.Properties</code> file, which should contain all 317 * information that would contain in an equivalent properties file which includes the 318 * Crypto implementation class name. 319 * 320 * Refer to documentation of {@link #SIG_VER_PROP_FILE}. 321 */ 322 public static final String SIG_VER_PROP_REF_ID = "signatureVerificationPropRefId"; 323 324 /** 325 * The path of the crypto property file to use for Decryption. The classloader loads this 326 * file. Therefore it must be accessible via the classpath. Refer to documentation of 327 * {@link #SIG_PROP_FILE} for more information about the contents of the Properties file. 328 * <p/> 329 * The application may set this parameter using the following method: 330 * <pre> 331 * call.setProperty(ConfigurationConstants.DEC_PROP_FILE, "myCrypto.properties"); 332 * </pre> 333 */ 334 public static final String DEC_PROP_FILE = "decryptionPropFile"; 335 336 /** 337 * The key that holds a reference to the object holding complete information about 338 * the decryption Crypto implementation. This object can either be a Crypto instance or a 339 * <code>java.util.Properties</code> file, which should contain all information that 340 * would contain in an equivalent properties file which includes the Crypto implementation 341 * class name. 342 * 343 * Refer to documentation of {@link #DEC_PROP_FILE}. 344 */ 345 public static final String DEC_PROP_REF_ID = "decryptionPropRefId"; 346 347 /** 348 * The path of the crypto property file to use for Encryption. The classloader loads this 349 * file. Therefore it must be accessible via the classpath. Refer to documentation of 350 * {@link #SIG_PROP_FILE} for more information about the contents of the Properties file. 351 * <p/> 352 * The application may set this parameter using the following method: 353 * <pre> 354 * call.setProperty(ConfigurationConstants.ENC_PROP_FILE, "myCrypto.properties"); 355 * </pre> 356 */ 357 public static final String ENC_PROP_FILE = "encryptionPropFile"; 358 359 /** 360 * The key that holds a reference to the object holding complete information about 361 * the encryption Crypto implementation. This object can either be a Crypto instance or a 362 * <code>java.util.Properties</code> file, which should contain all information that 363 * would contain in an equivalent properties file which includes the Crypto implementation 364 * class name. 365 * 366 * Refer to documentation of {@link #ENC_PROP_FILE}. 367 */ 368 public static final String ENC_PROP_REF_ID = "encryptionPropRefId"; 369 370 // 371 // Boolean configuration tags, e.g. the value should be "true" or "false". 372 // 373 374 /** 375 * Whether to enable signatureConfirmation or not. The default value is "false". 376 */ 377 public static final String ENABLE_SIGNATURE_CONFIRMATION = "enableSignatureConfirmation"; 378 379 /** 380 * Whether to set the mustUnderstand flag on an outbound message or not. The default 381 * setting is "true". 382 * <p/> 383 * The application may set this parameter using the following method: 384 * <pre> 385 * call.setProperty(ConfigurationConstants.MUST_UNDERSTAND, "false"); 386 * </pre> 387 */ 388 public static final String MUST_UNDERSTAND = "mustUnderstand"; 389 390 /** 391 * Whether to ensure compliance with the Basic Security Profile (BSP) 1.1 or not. The 392 * default value is "true". 393 * <p/> 394 * The application may set this parameter using the following method: 395 * <pre> 396 * call.setProperty(ConfigurationConstants.IS_BSP_COMPLIANT, "false"); 397 * </pre> 398 */ 399 public static final String IS_BSP_COMPLIANT = "isBSPCompliant"; 400 401 /** 402 * Whether to add an InclusiveNamespaces PrefixList as a CanonicalizationMethod 403 * child when generating Signatures using WSConstants.C14N_EXCL_OMIT_COMMENTS. 404 * The default is true. 405 */ 406 public static final String ADD_INCLUSIVE_PREFIXES = "addInclusivePrefixes"; 407 408 /** 409 * Whether to add a Nonce Element to a UsernameToken. This only applies when the 410 * password type is of type "text". A Nonce is automatically added for the "digest" 411 * case. The default is false. 412 */ 413 public static final String ADD_USERNAMETOKEN_NONCE = "addUsernameTokenNonce"; 414 415 /** 416 * Whether to add a Created Element to a UsernameToken. This only applies when the 417 * password type is of type "text". A Created is automatically added for the "digest" 418 * case. The default is false. 419 */ 420 public static final String ADD_USERNAMETOKEN_CREATED = "addUsernameTokenCreated"; 421 422 /** 423 * This variable controls whether types other than PasswordDigest or PasswordText 424 * are allowed when processing UsernameTokens. The default value is "false". 425 */ 426 public static final String HANDLE_CUSTOM_PASSWORD_TYPES = "handleCustomPasswordTypes"; 427 428 /** 429 * This variable controls whether a UsernameToken with no password element is allowed. 430 * The default value is "false". Set it to "true" to allow deriving keys from UsernameTokens 431 * or to support UsernameTokens for purposes other than authentication. 432 */ 433 public static final String ALLOW_USERNAMETOKEN_NOPASSWORD = "allowUsernameTokenNoPassword"; 434 435 /** 436 * This variable controls whether (wsse) namespace qualified password types are 437 * accepted when processing UsernameTokens. The default value is "false". 438 */ 439 public static final String ALLOW_NAMESPACE_QUALIFIED_PASSWORD_TYPES 440 = "allowNamespaceQualifiedPasswordTypes"; 441 442 /** 443 * This variable controls whether to enable Certificate Revocation List (CRL) checking 444 * or not when verifying trust in a certificate. The default value is "false". 445 */ 446 public static final String ENABLE_REVOCATION = "enableRevocation"; 447 448 /** 449 * This parameter sets whether to use a single certificate or a whole certificate 450 * chain when constructing a BinarySecurityToken used for direct reference in 451 * signature. The default is "true", meaning that only a single certificate is used. 452 */ 453 public static final String USE_SINGLE_CERTIFICATE = "useSingleCertificate"; 454 455 /** 456 * This parameter sets whether to use the Username Token derived key for a MAC 457 * or not. The default is "true". 458 */ 459 public static final String USE_DERIVED_KEY_FOR_MAC = "useDerivedKeyForMAC"; 460 461 /** 462 * Set whether Timestamps have precision in milliseconds. This applies to the 463 * creation of Timestamps only. The default value is "true". 464 */ 465 public static final String TIMESTAMP_PRECISION = "precisionInMilliseconds"; 466 467 /** 468 * Set the value of this parameter to true to enable strict timestamp 469 * handling. The default value is "true". 470 * 471 * Strict Timestamp handling: throw an exception if a Timestamp contains 472 * an <code>Expires</code> element and the semantics of the request are 473 * expired, i.e. the current time at the receiver is past the expires time. 474 */ 475 public static final String TIMESTAMP_STRICT = "timestampStrict"; 476 477 /** 478 * Set the value of this parameter to true to require that a Timestamp must have 479 * an "Expires" Element. The default is "false". 480 */ 481 public static final String REQUIRE_TIMESTAMP_EXPIRES = "requireTimestampExpires"; 482 483 /** 484 * Defines whether to encrypt the symmetric encryption key or not. If true 485 * (the default), the symmetric key used for encryption is encrypted in turn, 486 * and inserted into the security header in an "EncryptedKey" structure. If 487 * set to false, no EncryptedKey structure is constructed. 488 * <p/> 489 * The application may set this parameter using the following method: 490 * <pre> 491 * call.setProperty(ConfigurationConstants.ENC_SYM_ENC_KEY, "false"); 492 * </pre> 493 */ 494 public static final String ENC_SYM_ENC_KEY = "encryptSymmetricEncryptionKey"; 495 496 /** 497 * Whether the engine needs to enforce EncryptedData elements are 498 * in a signed subtree of the document. This can be used to prevent 499 * some wrapping based attacks when encrypt-before-sign token 500 * protection is selected. 501 */ 502 public static final String REQUIRE_SIGNED_ENCRYPTED_DATA_ELEMENTS = "requireSignedEncryptedDataElements"; 503 504 /** 505 * Whether to allow the RSA v1.5 Key Transport Algorithm or not. Use of this algorithm 506 * is discouraged, and so the default is "false". 507 */ 508 public static final String ALLOW_RSA15_KEY_TRANSPORT_ALGORITHM = "allowRSA15KeyTransportAlgorithm"; 509 510 /** 511 * Whether to validate the SubjectConfirmation requirements of a received SAML Token 512 * (sender-vouches or holder-of-key). The default is true. 513 */ 514 public static final String VALIDATE_SAML_SUBJECT_CONFIRMATION = 515 "validateSamlSubjectConfirmation"; 516 517 /** 518 * Whether to include the Signature Token in the security header as well or not. This is only 519 * applicable to the IssuerSerial, Thumbprint and SKI Key Identifier cases. The default is false. 520 */ 521 public static final String INCLUDE_SIGNATURE_TOKEN = "includeSignatureToken"; 522 523 /** 524 * Whether to include the Encryption token (BinarySecurityToken) in the security header as well 525 * or not. This is only applicable to the IssuerSerial, Thumbprint and SKI Key Identifier cases. 526 * The default is false. 527 */ 528 public static final String INCLUDE_ENCRYPTION_TOKEN = "includeEncryptionToken"; 529 530 /** 531 * Whether to use the "http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512" 532 * namespace for SecureConversation + Derived Keys. If set to "false", it will use the 533 * namespace "http://schemas.xmlsoap.org/ws/2005/02/sc". 534 * 535 * The default is true. 536 */ 537 public static final String USE_2005_12_NAMESPACE = "use200512Namespace"; 538 539 /** 540 * Whether to get a secret key from a CallbackHandler or not for encryption only. The default is 541 * false. If set to true WSS4J attempts to get the secret key from the CallbackHandler instead of 542 * generating a random key internally. This allows the user more control over the symmetric key 543 * if required. 544 */ 545 public static final String GET_SECRET_KEY_FROM_CALLBACK_HANDLER = "getSecretKeyFromCallbackHandler"; 546 547 /** 548 * Whether to store bytes (CipherData or BinarySecurityToken) in an attachment. The default is false, 549 * meaning that bytes are BASE-64 encoded and "inlined" in the message. Setting this to true is more 550 * efficient, as it means that the BASE-64 encoding step can be skipped. For this to work, a 551 * CallbackHandler must be set on RequestData that can handle attachments. 552 */ 553 public static final String STORE_BYTES_IN_ATTACHMENT = "storeBytesInAttachment"; 554 555 /** 556 * Whether to expand xop:Include Elements encountered when verifying a Signature. The default is true, 557 * meaning that the relevant attachment bytes are BASE-64 encoded and inserted into the Element. This 558 * ensures that the actual bytes are signed, and not just the reference. This configuration tag has 559 * been deprecated in favour of EXPAND_XOP_INCLUDE. 560 */ 561 @Deprecated 562 public static final String EXPAND_XOP_INCLUDE_FOR_SIGNATURE = "expandXOPIncludeForSignature"; 563 564 /** 565 * Whether to search for and expand xop:Include Elements for encryption and signature (on the outbound 566 * side) or for signature verification (on the inbound side). The default is false on the outbound 567 * side and true on the inbound side. What this means on the inbound side, is that the relevant attachment 568 * bytes are BASE-64 encoded and inserted into the Element. This ensures that the actual bytes are signed, 569 * and not just the reference. 570 */ 571 public static final String EXPAND_XOP_INCLUDE = "expandXOPInclude"; 572 573 // 574 // (Non-boolean) Configuration parameters for the actions/processors 575 // 576 577 /** 578 * Specific parameter for UsernameTokens to define the encoding of the password. It can 579 * be used on either the outbound or inbound side. The valid values are: 580 * 581 * - PasswordDigest 582 * - PasswordText 583 * - PasswordNone 584 * 585 * On the Outbound side, the default value is PW_DIGEST. There is no default value on 586 * the inbound side. If a value is specified on the inbound side, the password type of 587 * the received UsernameToken must match the specified type, or an exception will be 588 * thrown. 589 */ 590 public static final String PASSWORD_TYPE = "passwordType"; 591 592 /** 593 * Defines which key identifier type to use for signature. The WS-Security specifications 594 * recommends to use the identifier type <code>IssuerSerial</code>. 595 * 596 * For signature <code>IssuerSerial</code>, <code>DirectReference</code>, 597 * <code>X509KeyIdentifier</code>, <code>Thumbprint</code>, <code>SKIKeyIdentifier</code> 598 * and <code>KeyValue</code> are valid only. 599 * <p/> 600 * The default is <code>IssuerSerial</code>. 601 * <p/> 602 * The application may set this parameter using the following method: 603 * <pre> 604 * call.setProperty(ConfigurationConstants.SIG_KEY_ID, "DirectReference"); 605 * </pre> 606 */ 607 public static final String SIG_KEY_ID = "signatureKeyIdentifier"; 608 609 /** 610 * Defines which signature algorithm to use. The default is set by the data in the 611 * certificate, i.e. one of the following: 612 * 613 * "http://www.w3.org/2000/09/xmldsig#rsa-sha1" 614 * "http://www.w3.org/2000/09/xmldsig#dsa-sha1" 615 * 616 * <p/> 617 * The application may set this parameter using the following method: 618 * <pre> 619 * call.setProperty( 620 * ConfigurationConstants.SIG_ALGO, 621 * "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" 622 * ); 623 * </pre> 624 */ 625 public static final String SIG_ALGO = "signatureAlgorithm"; 626 627 /** 628 * Defines which signature digest algorithm to use. The default is: 629 * 630 * "http://www.w3.org/2000/09/xmldsig#sha1" 631 * 632 * <p/> 633 * The application may set this parameter using the following method: 634 * <pre> 635 * call.setProperty( 636 * ConfigurationConstants.SIG_DIGEST_ALGO, "http://www.w3.org/2001/04/xmlenc#sha256" 637 * ); 638 * </pre> 639 */ 640 public static final String SIG_DIGEST_ALGO = "signatureDigestAlgorithm"; 641 642 /** 643 * Defines which signature c14n (canonicalization) algorithm to use. The default is: 644 * "http://www.w3.org/2001/10/xml-exc-c14n#" 645 */ 646 public static final String SIG_C14N_ALGO = "signatureC14nAlgorithm"; 647 648 /** 649 * Parameter to define which parts of the request shall be signed. 650 * <p/> 651 * Refer to {@link #ENCRYPTION_PARTS} for a detailed description of 652 * the format of the value string. 653 * <p/> 654 * If this parameter is not specified the handler signs the SOAP Body 655 * by default, i.e.: 656 * <pre> 657 * <parameter name="signatureParts" 658 * value="{}{http://schemas.xmlsoap.org/soap/envelope/}Body;" /> 659 * </pre> 660 * To specify an element without a namespace use the string 661 * <code>Null</code> as the namespace name (this is a case sensitive 662 * string) 663 * <p/> 664 * If there is no other element in the request with a local name of 665 * <code>Body</code> then the SOAP namespace identifier can be empty 666 * (<code>{}</code>). 667 */ 668 public static final String SIGNATURE_PARTS = "signatureParts"; 669 670 /** 671 * Parameter to define which parts of the request shall be signed, if they 672 * exist in the request. If they do not, then no error is thrown. This contrasts 673 * with the SIGNATURE_PARTS Identifier, which specifies elements that must be 674 * signed in the request. 675 * <p/> 676 * Refer to {@link #ENCRYPTION_PARTS} for a detailed description of 677 * the format of the value string. 678 * <p/> 679 */ 680 public static final String OPTIONAL_SIGNATURE_PARTS = "optionalSignatureParts"; 681 682 /** 683 * This parameter sets the number of iterations to use when deriving a key 684 * from a Username Token. The default is 1000. 685 */ 686 public static final String DERIVED_KEY_ITERATIONS = "derivedKeyIterations"; 687 688 /** 689 * Defines which key identifier type to use for encryption. The WS-Security specifications 690 * recommends to use the identifier type <code>IssuerSerial</code>. For encryption 691 * <code>IssuerSerial</code>, <code>DirectReference</code>, <code>X509KeyIdentifier</code>, 692 * <code>Thumbprint</code>, <code>SKIKeyIdentifier</code>, <code>EncryptedKeySHA1</code> 693 * and <code>EmbeddedKeyName</code> are valid only. 694 * <p/> 695 * The default is <code>IssuerSerial</code>. 696 * <p/> 697 * The application may set this parameter using the following method: 698 * <pre> 699 * call.setProperty(ConfigurationConstants.ENC_KEY_ID, "X509KeyIdentifier"); 700 * </pre> 701 */ 702 public static final String ENC_KEY_ID = "encryptionKeyIdentifier"; 703 704 /** 705 * Defines which symmetric encryption algorithm to use. WSS4J supports the 706 * following algorithms: 707 * 708 * "http://www.w3.org/2001/04/xmlenc#tripledes-cbc"; 709 * "http://www.w3.org/2001/04/xmlenc#aes128-cbc"; 710 * "http://www.w3.org/2001/04/xmlenc#aes256-cbc"; 711 * "http://www.w3.org/2001/04/xmlenc#aes192-cbc"; 712 * 713 * Except for AES 192 all of these algorithms are required by the XML Encryption 714 * specification. The default algorithm is: 715 * 716 * "http://www.w3.org/2001/04/xmlenc#aes128-cbc" 717 * 718 * <p/> 719 * The application may set this parameter using the following method: 720 * <pre> 721 * call.setProperty(ConfigurationConstants.ENC_SYM_ALGO, WSConstants.AES_256); 722 * </pre> 723 */ 724 public static final String ENC_SYM_ALGO = "encryptionSymAlgorithm"; 725 726 /** 727 * Defines which algorithm to use to encrypt the generated symmetric key. 728 * The default algorithm is: 729 * 730 * "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" 731 * 732 * <p/> 733 * The application may set this parameter using the following method: 734 * <pre> 735 * call.setProperty(ConfigurationConstants.ENC_KEY_TRANSPORT, WSConstants.KEYTRANSPORT_RSA15); 736 * </pre> 737 */ 738 public static final String ENC_KEY_TRANSPORT = "encryptionKeyTransportAlgorithm"; 739 740 /** 741 * Parameter to define which parts of the request shall be encrypted. 742 * <p/> 743 * The value of this parameter is a list of semi-colon separated 744 * element names that identify the elements to encrypt. An encryption mode 745 * specifier and a namespace identification, each inside a pair of curly 746 * brackets, may preceed each element name. 747 * <p/> 748 * The encryption mode specifier is either <code>{Content}</code> or 749 * <code>{Element}</code>. Please refer to the W3C XML Encryption 750 * specification about the differences between Element and Content 751 * encryption. The encryption mode defaults to <code>Content</code> 752 * if it is omitted. Example of a list: 753 * <pre> 754 * <parameter name="encryptionParts" 755 * value="{Content}{http://example.org/paymentv2}CreditCard; 756 * {Element}{}UserName" /> 757 * </pre> 758 * The the first entry of the list identifies the element 759 * <code>CreditCard</code> in the namespace 760 * <code>http://example.org/paymentv2</code>, and will encrypt its content. 761 * Be aware that the element name, the namespace identifier, and the 762 * encryption modifier are case sensitive. 763 * <p/> 764 * The encryption modifier and the namespace identifier can be ommited. 765 * In this case the encryption mode defaults to <code>Content</code> and 766 * the namespace is set to the SOAP namespace. 767 * <p/> 768 * An empty encryption mode defaults to <code>Content</code>, an empty 769 * namespace identifier defaults to the SOAP namespace. 770 * The second line of the example defines <code>Element</code> as 771 * encryption mode for an <code>UserName</code> element in the SOAP 772 * namespace. 773 * <p/> 774 * Note that the special value "{}cid:Attachments;" means that all of the message 775 * attachments should be encrypted. 776 * <p/> 777 * To specify an element without a namespace use the string 778 * <code>Null</code> as the namespace name (this is a case sensitive 779 * string) 780 * <p/> 781 * If no list is specified, the handler encrypts the SOAP Body in 782 * <code>Content</code> mode by default. 783 */ 784 public static final String ENCRYPTION_PARTS = "encryptionParts"; 785 786 /** 787 * Parameter to define which parts of the request shall be encrypted, if they 788 * exist in the request. If they do not, then no error is thrown. This contrasts 789 * with the ENCRYPTION_PARTS Identifier, which specifies elements that must be 790 * encrypted in the request. 791 * <p/> 792 * Refer to {@link #ENCRYPTION_PARTS} for a detailed description of 793 * the format of the value string. 794 * <p/> 795 */ 796 public static final String OPTIONAL_ENCRYPTION_PARTS = "optionalEncryptionParts"; 797 798 /** 799 * Defines which encryption digest algorithm to use with the RSA OAEP Key Transport 800 * algorithm for encryption. The default is SHA-1. 801 * <p/> 802 * The application may set this parameter using the following method: 803 * <pre> 804 * call.setProperty( 805 * ConfigurationConstants.ENC_DIGEST_ALGO, "http://www.w3.org/2001/04/xmlenc#sha256" 806 * ); 807 * </pre> 808 */ 809 public static final String ENC_DIGEST_ALGO = "encryptionDigestAlgorithm"; 810 811 /** 812 * Defines which encryption mgf algorithm to use with the RSA OAEP Key Transport 813 * algorithm for encryption. The default is mgfsha1. 814 * <p/> 815 * The application may set this parameter using the following method: 816 * <pre> 817 * call.setProperty( 818 * ConfigurationConstants.ENC_MGF_ALGO, "http://www.w3.org/2009/xmlenc11#mgf1sha256" 819 * ); 820 * </pre> 821 */ 822 public static final String ENC_MGF_ALGO = "encryptionMGFAlgorithm"; 823 824 /** 825 * Time-To-Live is the time difference between creation and expiry time in 826 * seconds of the UsernameToken Created value. After this time the SOAP request 827 * is invalid (at least the security data shall be treated this way). 828 * <p/> 829 * If this parameter is not defined, contains a value less or equal 830 * zero, or an illegal format the handlers use a default TTL of 831 * 300 seconds (5 minutes). 832 */ 833 public static final String TTL_USERNAMETOKEN = "utTimeToLive"; 834 835 /** 836 * This configuration tag specifies the time in seconds in the future within which 837 * the Created time of an incoming UsernameToken is valid. The default value is "60", 838 * to avoid problems where clocks are slightly askew. To reject all future-created 839 * UsernameTokens, set this value to "0". 840 */ 841 public static final String TTL_FUTURE_USERNAMETOKEN = "utFutureTimeToLive"; 842 843 /** 844 * This configuration tag is a String (separated by the value specified for SIG_CERT_CONSTRAINTS_SEPARATOR) 845 * of regular expressions which will be applied to the subject DN of the certificate used for signature 846 * validation, after trust verification of the certificate chain associated with the 847 * certificate. 848 */ 849 public static final String SIG_SUBJECT_CERT_CONSTRAINTS = "sigSubjectCertConstraints"; 850 851 /** 852 * This configuration tag is a String (separated by the value specified for SIG_CERT_CONSTRAINTS_SEPARATOR) 853 * of regular expressions which will be applied to the issuer DN of the certificate used for signature 854 * validation, after trust verification of the certificate chain associated with the 855 * certificate. 856 */ 857 public static final String SIG_ISSUER_CERT_CONSTRAINTS = "sigIssuerCertConstraints"; 858 859 /** 860 * This configuration tag refers to the separator that is used to parse certificate constraints 861 * configured in the SIG_SUBJECT_CERT_CONSTRAINTS and SIG_ISSUER_CERT_CONSTRAINTS configuration 862 * tags. By default it is a comma - ",". 863 */ 864 public static final String SIG_CERT_CONSTRAINTS_SEPARATOR = "sigCertConstraintsSeparator"; 865 866 /** 867 * Time-To-Live is the time difference between creation and expiry time in 868 * seconds in the WSS Timestamp. After this time the SOAP request is 869 * invalid (at least the security data shall be treated this way). 870 * <p/> 871 * If this parameter is not defined, contains a value less or equal 872 * zero, or an illegal format the handlers use a default TTL of 873 * 300 seconds (5 minutes). 874 */ 875 public static final String TTL_TIMESTAMP = "timeToLive"; 876 877 /** 878 * This configuration tag specifies the time in seconds in the future within which 879 * the Created time of an incoming Timestamp is valid. The default value is "60", 880 * to avoid problems where clocks are slightly askew. To reject all future-created 881 * Timestamps, set this value to "0". 882 */ 883 public static final String TTL_FUTURE_TIMESTAMP = "futureTimeToLive"; 884 885 /** 886 * This tag refers to a Map of QName, Object (Validator) instances to be used to 887 * validate tokens identified by their QName. For the DOM layer, the Object should 888 * be a org.apache.wss4j.dom.validate.Validator instance. For the StAX layer, it 889 * should be a org.apache.wss4j.stax.validate.Validator instance. 890 */ 891 public static final String VALIDATOR_MAP = "validatorMap"; 892 893 /** 894 * This holds a reference to a ReplayCache instance used to cache UsernameToken nonces. The 895 * default instance that is used is the EHCacheReplayCache. 896 */ 897 public static final String NONCE_CACHE_INSTANCE = "nonceCacheInstance"; 898 899 /** 900 * This holds a reference to a ReplayCache instance used to cache Timestamp Created Strings. The 901 * default instance that is used is the EHCacheReplayCache. 902 */ 903 public static final String TIMESTAMP_CACHE_INSTANCE = "timestampCacheInstance"; 904 905 /** 906 * This holds a reference to a ReplayCache instance used to cache SAML2 Token Identifier 907 * Strings (if the token contains a OneTimeUse Condition). The default instance that is 908 * used is the EHCacheReplayCache. 909 */ 910 public static final String SAML_ONE_TIME_USE_CACHE_INSTANCE = "samlOneTimeUseCacheInstance"; 911 912 /** 913 * This holds a reference to a PasswordEncryptor instance, which is used to encrypt or 914 * decrypt passwords in the Merlin Crypto implementation (or any custom Crypto implementations). 915 * 916 * By default, WSS4J uses the JasyptPasswordEncryptor, which must be instantiated with a 917 * password to use to decrypt keystore passwords in the Merlin Crypto properties file. 918 * This password is obtained via the CallbackHandler defined via PW_CALLBACK_CLASS 919 * or PW_CALLBACK_REF. 920 * 921 * The encrypted passwords must be stored in the format "ENC(encoded encrypted password)". 922 */ 923 public static final String PASSWORD_ENCRYPTOR_INSTANCE = "passwordEncryptorInstance"; 924 925 /** 926 * This controls the deriving token from which DerivedKeyTokens derive keys from. 927 * Valid values are: 928 * - DirectReference: A reference to a BinarySecurityToken 929 * - EncryptedKey: A reference to an EncryptedKey 930 * - SecurityContextToken: A reference to a SecurityContextToken 931 */ 932 public static final String DERIVED_TOKEN_REFERENCE = "derivedTokenReference"; 933 934 /** 935 * This controls the key identifier of Derived Tokens, i.e. how they reference the deriving key. 936 */ 937 public static final String DERIVED_TOKEN_KEY_ID = "derivedTokenKeyIdentifier"; 938 939 /** 940 * The length to use (in bytes) when deriving a key for Signature. If this is not specified, 941 * it defaults to a value based on the signature algorithm. 942 */ 943 public static final String DERIVED_SIGNATURE_KEY_LENGTH = "derivedSignatureKeyLength"; 944 945 /** 946 * The length to use (in bytes) when deriving a key for Encryption. If this is not specified, 947 * it defaults to a value based on the encryption algorithm. 948 */ 949 public static final String DERIVED_ENCRYPTION_KEY_LENGTH = "derivedEncryptionKeyLength"; 950 951 952 } 953