View Javadoc
1   /**
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements. See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership. The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License. You may obtain a copy of the License at
9    *
10   * http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied. See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  package org.apache.wss4j.common;
20  
21  /**
22   * This class defines Configuration Constants that are shared between the DOM + StAX code. This
23   * allows a user to configure both layers in the same way (e.g. via a Map).
24   */
25  public class ConfigurationConstants {
26  
27      protected ConfigurationConstants() {
28          // complete
29      }
30  
31      //
32      // Action configuration tags
33      //
34  
35      /**
36       * The action parameter. It is a blank separated list of actions to perform.
37       * <p/>
38       * The application may set this parameter using the following method:
39       * <pre>
40       * call.setProperty(ConfigurationConstants.ACTION, ConfigurationConstants.USERNAME_TOKEN);
41       * </pre>
42       */
43      public static final String ACTION = "action";
44  
45      /**
46       * Perform a UsernameToken action.
47       */
48      public static final String USERNAME_TOKEN = "UsernameToken";
49  
50      /**
51       * Perform a UsernameTokenSignature action.
52       */
53      public static final String USERNAME_TOKEN_SIGNATURE = "UsernameTokenSignature";
54  
55      /**
56       * Perform a UsernameToken action with no password.
57       */
58      public static final String USERNAME_TOKEN_NO_PASSWORD = "UsernameTokenNoPassword";
59  
60      /**
61       * Perform an unsigned SAML Token action.
62       */
63      public static final String SAML_TOKEN_UNSIGNED = "SAMLTokenUnsigned";
64  
65      /**
66       * Perform a signed SAML Token action.
67       */
68      public static final String SAML_TOKEN_SIGNED = "SAMLTokenSigned";
69  
70      /**
71       * Perform a Signature action. The signature specific parameters define how
72       * to sign, which keys to use, and so on.
73       */
74      public static final String SIGNATURE = "Signature";
75  
76      /**
77       * Perform an Encryption action. The encryption specific parameters define how
78       * to encrypt, which keys to use, and so on.
79       */
80      @Deprecated
81      public static final String ENCRYPT = "Encrypt";
82  
83      /**
84       * Perform an Encryption action. The encryption specific parameters define how
85       * to encrypt, which keys to use, and so on.
86       */
87      public static final String ENCRYPTION = "Encryption";
88  
89      /**
90       * Add a timestamp to the security header.
91       */
92      public static final String TIMESTAMP = "Timestamp";
93  
94      /**
95       * Perform a Signature action with derived keys. The signature specific parameters define how
96       * to sign, which keys to use, and so on.
97       */
98      public static final String SIGNATURE_DERIVED = "SignatureDerived";
99  
100     /**
101      * Perform an Encryption action with derived keys. The encryption specific parameters define how
102      * to encrypt, which keys to use, and so on.
103      */
104     @Deprecated
105     public static final String ENCRYPT_DERIVED = "EncryptDerived";
106 
107     /**
108      * Perform an Encryption action with derived keys. The encryption specific parameters define how
109      * to encrypt, which keys to use, and so on.
110      */
111     public static final String ENCRYPTION_DERIVED = "EncryptionDerived";
112 
113     /**
114      * Perform a Signature action with a kerberos token. The signature specific parameters define how
115      * to sign, which keys to use, and so on.
116      */
117     public static final String SIGNATURE_WITH_KERBEROS_TOKEN = "SignatureWithKerberosToken";
118 
119     /**
120      * Perform a Encryption action with a kerberos token. The signature specific parameters define how
121      * to encrypt, which keys to use, and so on.
122      */
123     @Deprecated
124     public static final String ENCRYPT_WITH_KERBEROS_TOKEN = "EncryptWithKerberosToken";
125 
126     /**
127      * Perform a Encryption action with a kerberos token. The signature specific parameters define how
128      * to encrypt, which keys to use, and so on.
129      */
130     public static final String ENCRYPTION_WITH_KERBEROS_TOKEN = "EncryptionWithKerberosToken";
131 
132     /**
133      * Add a kerberos token.
134      */
135     public static final String KERBEROS_TOKEN = "KerberosToken";
136 
137     /**
138      * Add a "Custom" token. This token will be retrieved from a CallbackHandler via
139      * WSPasswordCallback.Usage.CUSTOM_TOKEN and written out as is in the security header.
140      */
141     public static final String CUSTOM_TOKEN = "CustomToken";
142 
143     //
144     // User properties
145     //
146 
147     /**
148      * The actor or role name of the <code>wsse:Security</code> header. If this parameter
149      * is omitted, the actor name is not set.
150      * <p/>
151      * The value of the actor or role has to match the receiver's setting
152      * or may contain standard values.
153      * <p/>
154      * The application may set this parameter using the following method:
155      * <pre>
156      * call.setProperty(ConfigurationConstants.ACTOR, "ActorName");
157      * </pre>
158      */
159     public static final String ACTOR = "actor";
160 
161     /**
162      * The user's name. It is used differently by each of the WS-Security functions.
163      * <ul>
164      * <li>The <i>UsernameToken</i> function sets this name in the
165      * <code>UsernameToken</code>.
166      * </li>
167      * <li>The <i>Signing</i> function uses this name as the alias name
168      * in the keystore to get user's certificate and private key to
169      * perform signing if {@link #SIGNATURE_USER} is not used.
170      * </li>
171      * <li>The <i>encryption</i>
172      * functions uses this parameter as fallback if {@link #ENCRYPTION_USER}
173      * is not used.
174      * </li>
175      * </ul>
176      */
177     public static final String USER = "user";
178 
179     /**
180      * The user's name for encryption. The encryption functions use the public key of
181      * this user's certificate to encrypt the generated symmetric key.
182      * <p/>
183      * If this parameter is not set, then the encryption
184      * function falls back to the {@link #USER} parameter to get the
185      * certificate.
186      * <p/>
187      * If <b>only</b> encryption of the SOAP body data is requested,
188      * it is recommended to use this parameter to define the username.
189      * <p/>
190      * The application may set this parameter using the following method:
191      * <pre>
192      * call.setProperty(ConfigurationConstants.ENCRYPTION_USER, "encryptionUser");
193      * </pre>
194      */
195     public static final String ENCRYPTION_USER = "encryptionUser";
196 
197     /**
198      * The user's name for signature. This name is used as the alias name in the keystore
199      * to get user's certificate and private key to perform signing.
200      * <p/>
201      * If this parameter is not set, then the signature
202      * function falls back to the {@link #USER} parameter.
203      * <p/>
204      * The application may set this parameter using the following method:
205      * <pre>
206      * call.setProperty(ConfigurationConstants.SIGNATURE_USER, "signatureUser");
207      * </pre>
208      */
209     public static final String SIGNATURE_USER = "signatureUser";
210 
211     /**
212      * Specifying this name as {@link #ENCRYPTION_USER}
213      * triggers a special action to get the public key to use for encryption.
214      * <p/>
215      * The handler uses the public key of the sender's certificate. Using this
216      * way to define an encryption key simplifies certificate management to
217      * a large extent.
218      */
219     public static final String USE_REQ_SIG_CERT = "useReqSigCert";
220 
221     //
222     // Callback class and property file properties
223     //
224 
225     /**
226      * This tag refers to the CallbackHandler implementation class used to obtain passwords.
227      * The value of this tag must be the class name of a
228      * {@link javax.security.auth.callback.CallbackHandler} instance.
229      * </p>
230      * The callback function
231      * {@link javax.security.auth.callback.CallbackHandler#handle(
232      * javax.security.auth.callback.Callback[])} gets an array of
233      * {@link org.apache.wss4j.common.ext.WSPasswordCallback} objects. Only the first entry of the
234      * array is used. This object contains the username/keyname as identifier. The callback
235      * handler must set the password or key associated with this identifier before it returns.
236      * <p/>
237      * The application may set this parameter using the following method:
238      * <pre>
239      * call.setProperty(ConfigurationConstants.PW_CALLBACK_CLASS, "PWCallbackClass");
240      * </pre>
241      */
242     public static final String PW_CALLBACK_CLASS = "passwordCallbackClass";
243 
244     /**
245      * This tag refers to the CallbackHandler implementation object used to obtain
246      * passwords. The value of this tag must be a
247      * {@link javax.security.auth.callback.CallbackHandler} instance.
248      * </p>
249      * Refer to {@link #PW_CALLBACK_CLASS} for further information about password callback
250      * handling.
251      */
252     public static final String PW_CALLBACK_REF = "passwordCallbackRef";
253 
254     /**
255      * This tag refers to the SAML CallbackHandler implementation class used to construct
256      * SAML Assertions. The value of this tag must be the class name of a
257      * {@link javax.security.auth.callback.CallbackHandler} instance.
258      */
259     public static final String SAML_CALLBACK_CLASS = "samlCallbackClass";
260 
261     /**
262      * This tag refers to the SAML CallbackHandler implementation object used to construct
263      * SAML Assertions. The value of this tag must be a
264      * {@link javax.security.auth.callback.CallbackHandler} instance.
265      */
266     public static final String SAML_CALLBACK_REF = "samlCallbackRef";
267 
268     /**
269      * The path of the crypto property file to use for Signature creation. The classloader
270      * loads this file. Therefore it must be accessible via the classpath.
271      * <p/>
272      * To locate the implementation of the
273      * {@link org.apache.wss4j.common.crypto.Crypto Crypto}
274      * interface implementation the property file must contain the property
275      * <code>org.apache.wss4j.crypto.provider</code>. The value of
276      * this property is the classname of the implementation class.
277      * <p/>
278      * The following line defines the standard implementation:
279      * <pre>
280      * org.apache.wss4j.crypto.provider=org.apache.wss4j.common.crypto.Merlin
281      * </pre>
282      * The other contents of the property file depend on the implementation
283      * of the {@link org.apache.wss4j.common.crypto.Crypto Crypto}
284      * interface. Please see the WSS4J website for more information on the Merlin property
285      * tags and values.
286      * </p>
287      * The application may set this parameter using the following method:
288      * <pre>
289      * call.setProperty(ConfigurationConstants.SIG_PROP_FILE, "myCrypto.properties");
290      * </pre>
291      */
292     public static final String SIG_PROP_FILE = "signaturePropFile";
293 
294     /**
295      * The key that holds a reference to the object holding complete information about
296      * the signature Crypto implementation. This object can either be a Crypto instance or a
297      * <code>java.util.Properties</code> file, which should contain all information that
298      * would contain in an equivalent properties file which includes the Crypto implementation
299      * class name.
300      *
301      * Refer to documentation of {@link #SIG_PROP_FILE}.
302      */
303     public static final String SIG_PROP_REF_ID = "signaturePropRefId";
304 
305     /**
306      * The path of the crypto property file to use for Signature verification. The
307      * classloader loads this file. Therefore it must be accessible via the classpath.
308      * <p/>
309      * Refer to documentation of {@link #SIG_PROP_FILE}.
310      */
311     public static final String SIG_VER_PROP_FILE = "signatureVerificationPropFile";
312 
313     /**
314      * The key that holds a reference to the object holding complete information about
315      * the signature verification Crypto implementation. This object can either be a Crypto
316      * instance or a <code>java.util.Properties</code> file, which should contain all
317      * information that would contain in an equivalent properties file which includes the
318      * Crypto implementation class name.
319      *
320      * Refer to documentation of {@link #SIG_VER_PROP_FILE}.
321      */
322     public static final String SIG_VER_PROP_REF_ID = "signatureVerificationPropRefId";
323 
324     /**
325      * The path of the crypto property file to use for Decryption. The classloader loads this
326      * file. Therefore it must be accessible via the classpath. Refer to documentation of
327      * {@link #SIG_PROP_FILE} for more information about the contents of the Properties file.
328      * <p/>
329      * The application may set this parameter using the following method:
330      * <pre>
331      * call.setProperty(ConfigurationConstants.DEC_PROP_FILE, "myCrypto.properties");
332      * </pre>
333      */
334     public static final String DEC_PROP_FILE = "decryptionPropFile";
335 
336     /**
337      * The key that holds a reference to the object holding complete information about
338      * the decryption Crypto implementation. This object can either be a Crypto instance or a
339      * <code>java.util.Properties</code> file, which should contain all information that
340      * would contain in an equivalent properties file which includes the Crypto implementation
341      * class name.
342      *
343      * Refer to documentation of {@link #DEC_PROP_FILE}.
344      */
345     public static final String DEC_PROP_REF_ID = "decryptionPropRefId";
346 
347     /**
348      * The path of the crypto property file to use for Encryption. The classloader loads this
349      * file. Therefore it must be accessible via the classpath. Refer to documentation of
350      * {@link #SIG_PROP_FILE} for more information about the contents of the Properties file.
351      * <p/>
352      * The application may set this parameter using the following method:
353      * <pre>
354      * call.setProperty(ConfigurationConstants.ENC_PROP_FILE, "myCrypto.properties");
355      * </pre>
356      */
357     public static final String ENC_PROP_FILE = "encryptionPropFile";
358 
359     /**
360      * The key that holds a reference to the object holding complete information about
361      * the encryption Crypto implementation. This object can either be a Crypto instance or a
362      * <code>java.util.Properties</code> file, which should contain all information that
363      * would contain in an equivalent properties file which includes the Crypto implementation
364      * class name.
365      *
366      * Refer to documentation of {@link #ENC_PROP_FILE}.
367      */
368     public static final String ENC_PROP_REF_ID = "encryptionPropRefId";
369 
370     //
371     // Boolean configuration tags, e.g. the value should be "true" or "false".
372     //
373 
374     /**
375      * Whether to enable signatureConfirmation or not. The default value is "false".
376      */
377     public static final String ENABLE_SIGNATURE_CONFIRMATION = "enableSignatureConfirmation";
378 
379     /**
380      * Whether to set the mustUnderstand flag on an outbound message or not. The default
381      * setting is "true".
382      * <p/>
383      * The application may set this parameter using the following method:
384      * <pre>
385      * call.setProperty(ConfigurationConstants.MUST_UNDERSTAND, "false");
386      * </pre>
387      */
388     public static final String MUST_UNDERSTAND = "mustUnderstand";
389 
390     /**
391      * Whether to ensure compliance with the Basic Security Profile (BSP) 1.1 or not. The
392      * default value is "true".
393      * <p/>
394      * The application may set this parameter using the following method:
395      * <pre>
396      * call.setProperty(ConfigurationConstants.IS_BSP_COMPLIANT, "false");
397      * </pre>
398      */
399     public static final String IS_BSP_COMPLIANT = "isBSPCompliant";
400 
401     /**
402      * Whether to add an InclusiveNamespaces PrefixList as a CanonicalizationMethod
403      * child when generating Signatures using WSConstants.C14N_EXCL_OMIT_COMMENTS.
404      * The default is true.
405      */
406     public static final String ADD_INCLUSIVE_PREFIXES = "addInclusivePrefixes";
407 
408     /**
409      * Whether to add a Nonce Element to a UsernameToken. This only applies when the
410      * password type is of type "text". A Nonce is automatically added for the "digest"
411      * case. The default is false.
412      */
413     public static final String ADD_USERNAMETOKEN_NONCE = "addUsernameTokenNonce";
414 
415     /**
416      * Whether to add a Created Element to a UsernameToken. This only applies when the
417      * password type is of type "text". A Created is automatically added for the "digest"
418      * case. The default is false.
419      */
420     public static final String ADD_USERNAMETOKEN_CREATED = "addUsernameTokenCreated";
421 
422     /**
423      * This variable controls whether types other than PasswordDigest or PasswordText
424      * are allowed when processing UsernameTokens. The default value is "false".
425      */
426     public static final String HANDLE_CUSTOM_PASSWORD_TYPES = "handleCustomPasswordTypes";
427 
428     /**
429      * This variable controls whether a UsernameToken with no password element is allowed.
430      * The default value is "false". Set it to "true" to allow deriving keys from UsernameTokens
431      * or to support UsernameTokens for purposes other than authentication.
432      */
433     public static final String ALLOW_USERNAMETOKEN_NOPASSWORD = "allowUsernameTokenNoPassword";
434 
435     /**
436      * This variable controls whether (wsse) namespace qualified password types are
437      * accepted when processing UsernameTokens. The default value is "false".
438      */
439     public static final String ALLOW_NAMESPACE_QUALIFIED_PASSWORD_TYPES
440         = "allowNamespaceQualifiedPasswordTypes";
441 
442     /**
443      * This variable controls whether to enable Certificate Revocation List (CRL) checking
444      * or not when verifying trust in a certificate. The default value is "false".
445      */
446     public static final String ENABLE_REVOCATION = "enableRevocation";
447 
448     /**
449      * This parameter sets whether to use a single certificate or a whole certificate
450      * chain when constructing a BinarySecurityToken used for direct reference in
451      * signature. The default is "true", meaning that only a single certificate is used.
452      */
453     public static final String USE_SINGLE_CERTIFICATE = "useSingleCertificate";
454 
455     /**
456      * This parameter sets whether to use the Username Token derived key for a MAC
457      * or not. The default is "true".
458      */
459     public static final String USE_DERIVED_KEY_FOR_MAC = "useDerivedKeyForMAC";
460 
461     /**
462      * Set whether Timestamps have precision in milliseconds. This applies to the
463      * creation of Timestamps only. The default value is "true".
464      */
465     public static final String TIMESTAMP_PRECISION = "precisionInMilliseconds";
466 
467     /**
468      * Set the value of this parameter to true to enable strict timestamp
469      * handling. The default value is "true".
470      *
471      * Strict Timestamp handling: throw an exception if a Timestamp contains
472      * an <code>Expires</code> element and the semantics of the request are
473      * expired, i.e. the current time at the receiver is past the expires time.
474      */
475     public static final String TIMESTAMP_STRICT = "timestampStrict";
476 
477     /**
478      * Set the value of this parameter to true to require that a Timestamp must have
479      * an "Expires" Element. The default is "false".
480      */
481     public static final String REQUIRE_TIMESTAMP_EXPIRES = "requireTimestampExpires";
482 
483     /**
484      * Defines whether to encrypt the symmetric encryption key or not. If true
485      * (the default), the symmetric key used for encryption is encrypted in turn,
486      * and inserted into the security header in an "EncryptedKey" structure. If
487      * set to false, no EncryptedKey structure is constructed.
488      * <p/>
489      * The application may set this parameter using the following method:
490      * <pre>
491      * call.setProperty(ConfigurationConstants.ENC_SYM_ENC_KEY, "false");
492      * </pre>
493      */
494     public static final String ENC_SYM_ENC_KEY = "encryptSymmetricEncryptionKey";
495 
496     /**
497      * Whether the engine needs to enforce EncryptedData elements are
498      * in a signed subtree of the document. This can be used to prevent
499      * some wrapping based attacks when encrypt-before-sign token
500      * protection is selected.
501      */
502     public static final String REQUIRE_SIGNED_ENCRYPTED_DATA_ELEMENTS = "requireSignedEncryptedDataElements";
503 
504     /**
505      * Whether to allow the RSA v1.5 Key Transport Algorithm or not. Use of this algorithm
506      * is discouraged, and so the default is "false".
507      */
508     public static final String ALLOW_RSA15_KEY_TRANSPORT_ALGORITHM = "allowRSA15KeyTransportAlgorithm";
509 
510     /**
511      * Whether to validate the SubjectConfirmation requirements of a received SAML Token
512      * (sender-vouches or holder-of-key). The default is true.
513      */
514     public static final String VALIDATE_SAML_SUBJECT_CONFIRMATION =
515         "validateSamlSubjectConfirmation";
516 
517     /**
518      * Whether to include the Signature Token in the security header as well or not. This is only
519      * applicable to the IssuerSerial, Thumbprint and SKI Key Identifier cases. The default is false.
520      */
521     public static final String INCLUDE_SIGNATURE_TOKEN = "includeSignatureToken";
522 
523     /**
524      * Whether to include the Encryption token (BinarySecurityToken) in the security header as well
525      * or not. This is only applicable to the IssuerSerial, Thumbprint and SKI Key Identifier cases.
526      * The default is false.
527      */
528     public static final String INCLUDE_ENCRYPTION_TOKEN = "includeEncryptionToken";
529 
530     /**
531      * Whether to use the "http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
532      * namespace for SecureConversation + Derived Keys. If set to "false", it will use the
533      * namespace "http://schemas.xmlsoap.org/ws/2005/02/sc".
534      *
535      * The default is true.
536      */
537     public static final String USE_2005_12_NAMESPACE = "use200512Namespace";
538 
539     /**
540      * Whether to get a secret key from a CallbackHandler or not for encryption only. The default is
541      * false. If set to true WSS4J attempts to get the secret key from the CallbackHandler instead of
542      * generating a random key internally. This allows the user more control over the symmetric key
543      * if required.
544      */
545     public static final String GET_SECRET_KEY_FROM_CALLBACK_HANDLER = "getSecretKeyFromCallbackHandler";
546 
547     /**
548      * Whether to store bytes (CipherData or BinarySecurityToken) in an attachment. The default is false,
549      * meaning that bytes are BASE-64 encoded and "inlined" in the message. Setting this to true is more
550      * efficient, as it means that the BASE-64 encoding step can be skipped. For this to work, a
551      * CallbackHandler must be set on RequestData that can handle attachments.
552      */
553     public static final String STORE_BYTES_IN_ATTACHMENT = "storeBytesInAttachment";
554 
555     /**
556      * Whether to expand xop:Include Elements encountered when verifying a Signature. The default is true,
557      * meaning that the relevant attachment bytes are BASE-64 encoded and inserted into the Element. This
558      * ensures that the actual bytes are signed, and not just the reference. This configuration tag has
559      * been deprecated in favour of EXPAND_XOP_INCLUDE.
560      */
561     @Deprecated
562     public static final String EXPAND_XOP_INCLUDE_FOR_SIGNATURE = "expandXOPIncludeForSignature";
563 
564     /**
565      * Whether to search for and expand xop:Include Elements for encryption and signature (on the outbound
566      * side) or for signature verification (on the inbound side). The default is false on the outbound
567      * side and true on the inbound side. What this means on the inbound side, is that the relevant attachment
568      * bytes are BASE-64 encoded and inserted into the Element. This ensures that the actual bytes are signed,
569      * and not just the reference.
570      */
571     public static final String EXPAND_XOP_INCLUDE = "expandXOPInclude";
572 
573     //
574     // (Non-boolean) Configuration parameters for the actions/processors
575     //
576 
577     /**
578      * Specific parameter for UsernameTokens to define the encoding of the password. It can
579      * be used on either the outbound or inbound side. The valid values are:
580      *
581      * - PasswordDigest
582      * - PasswordText
583      * - PasswordNone
584      *
585      * On the Outbound side, the default value is PW_DIGEST. There is no default value on
586      * the inbound side. If a value is specified on the inbound side, the password type of
587      * the received UsernameToken must match the specified type, or an exception will be
588      * thrown.
589      */
590     public static final String PASSWORD_TYPE = "passwordType";
591 
592     /**
593      * Defines which key identifier type to use for signature. The WS-Security specifications
594      * recommends to use the identifier type <code>IssuerSerial</code>.
595      *
596      * For signature <code>IssuerSerial</code>, <code>DirectReference</code>,
597      * <code>X509KeyIdentifier</code>, <code>Thumbprint</code>, <code>SKIKeyIdentifier</code>
598      * and <code>KeyValue</code> are valid only.
599      * <p/>
600      * The default is <code>IssuerSerial</code>.
601      * <p/>
602      * The application may set this parameter using the following method:
603      * <pre>
604      * call.setProperty(ConfigurationConstants.SIG_KEY_ID, "DirectReference");
605      * </pre>
606      */
607     public static final String SIG_KEY_ID = "signatureKeyIdentifier";
608 
609     /**
610      * Defines which signature algorithm to use. The default is set by the data in the
611      * certificate, i.e. one of the following:
612      *
613      * "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
614      * "http://www.w3.org/2000/09/xmldsig#dsa-sha1"
615      *
616      * <p/>
617      * The application may set this parameter using the following method:
618      * <pre>
619      * call.setProperty(
620      *     ConfigurationConstants.SIG_ALGO,
621      *     "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
622      * );
623      * </pre>
624      */
625     public static final String SIG_ALGO = "signatureAlgorithm";
626 
627     /**
628      * Defines which signature digest algorithm to use. The default is:
629      *
630      * "http://www.w3.org/2000/09/xmldsig#sha1"
631      *
632      * <p/>
633      * The application may set this parameter using the following method:
634      * <pre>
635      * call.setProperty(
636      *    ConfigurationConstants.SIG_DIGEST_ALGO, "http://www.w3.org/2001/04/xmlenc#sha256"
637      * );
638      * </pre>
639      */
640     public static final String SIG_DIGEST_ALGO = "signatureDigestAlgorithm";
641 
642     /**
643      * Defines which signature c14n (canonicalization) algorithm to use. The default is:
644      * "http://www.w3.org/2001/10/xml-exc-c14n#"
645      */
646     public static final String SIG_C14N_ALGO = "signatureC14nAlgorithm";
647 
648     /**
649      * Parameter to define which parts of the request shall be signed.
650      * <p/>
651      * Refer to {@link #ENCRYPTION_PARTS} for a detailed description of
652      * the format of the value string.
653      * <p/>
654      * If this parameter is not specified the handler signs the SOAP Body
655      * by default, i.e.:
656      * <pre>
657      * &lt;parameter name="signatureParts"
658      *   value="{}{http://schemas.xmlsoap.org/soap/envelope/}Body;" />
659      * </pre>
660      * To specify an element without a namespace use the string
661      * <code>Null</code> as the namespace name (this is a case sensitive
662      * string)
663      * <p/>
664      * If there is no other element in the request with a local name of
665      * <code>Body</code> then the SOAP namespace identifier can be empty
666      * (<code>{}</code>).
667      */
668     public static final String SIGNATURE_PARTS = "signatureParts";
669 
670     /**
671      * Parameter to define which parts of the request shall be signed, if they
672      * exist in the request. If they do not, then no error is thrown. This contrasts
673      * with the SIGNATURE_PARTS Identifier, which specifies elements that must be
674      * signed in the request.
675      * <p/>
676      * Refer to {@link #ENCRYPTION_PARTS} for a detailed description of
677      * the format of the value string.
678      * <p/>
679      */
680     public static final String OPTIONAL_SIGNATURE_PARTS = "optionalSignatureParts";
681 
682     /**
683      * This parameter sets the number of iterations to use when deriving a key
684      * from a Username Token. The default is 1000.
685      */
686     public static final String DERIVED_KEY_ITERATIONS = "derivedKeyIterations";
687 
688     /**
689      * Defines which key identifier type to use for encryption. The WS-Security specifications
690      * recommends to use the identifier type <code>IssuerSerial</code>. For encryption
691      * <code>IssuerSerial</code>, <code>DirectReference</code>, <code>X509KeyIdentifier</code>,
692      * <code>Thumbprint</code>, <code>SKIKeyIdentifier</code>, <code>EncryptedKeySHA1</code>
693      * and <code>EmbeddedKeyName</code> are valid only.
694      * <p/>
695      * The default is <code>IssuerSerial</code>.
696      * <p/>
697      * The application may set this parameter using the following method:
698      * <pre>
699      * call.setProperty(ConfigurationConstants.ENC_KEY_ID, "X509KeyIdentifier");
700      * </pre>
701      */
702     public static final String ENC_KEY_ID = "encryptionKeyIdentifier";
703 
704     /**
705      * Defines which symmetric encryption algorithm to use. WSS4J supports the
706      * following algorithms:
707      *
708      * "http://www.w3.org/2001/04/xmlenc#tripledes-cbc";
709      * "http://www.w3.org/2001/04/xmlenc#aes128-cbc";
710      * "http://www.w3.org/2001/04/xmlenc#aes256-cbc";
711      * "http://www.w3.org/2001/04/xmlenc#aes192-cbc";
712      *
713      * Except for AES 192 all of these algorithms are required by the XML Encryption
714      * specification. The default algorithm is:
715      *
716      * "http://www.w3.org/2001/04/xmlenc#aes128-cbc"
717      *
718      * <p/>
719      * The application may set this parameter using the following method:
720      * <pre>
721      * call.setProperty(ConfigurationConstants.ENC_SYM_ALGO, WSConstants.AES_256);
722      * </pre>
723      */
724     public static final String ENC_SYM_ALGO = "encryptionSymAlgorithm";
725 
726     /**
727      * Defines which algorithm to use to encrypt the generated symmetric key.
728      * The default algorithm is:
729      *
730      * "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
731      *
732      * <p/>
733      * The application may set this parameter using the following method:
734      * <pre>
735      * call.setProperty(ConfigurationConstants.ENC_KEY_TRANSPORT, WSConstants.KEYTRANSPORT_RSA15);
736      * </pre>
737      */
738     public static final String ENC_KEY_TRANSPORT = "encryptionKeyTransportAlgorithm";
739 
740     /**
741      * Parameter to define which parts of the request shall be encrypted.
742      * <p/>
743      * The value of this parameter is a list of semi-colon separated
744      * element names that identify the elements to encrypt. An encryption mode
745      * specifier and a namespace identification, each inside a pair of curly
746      * brackets, may preceed each element name.
747      * <p/>
748      * The encryption mode specifier is either <code>{Content}</code> or
749      * <code>{Element}</code>. Please refer to the W3C XML Encryption
750      * specification about the differences between Element and Content
751      * encryption. The encryption mode defaults to <code>Content</code>
752      * if it is omitted. Example of a list:
753      * <pre>
754      * &lt;parameter name="encryptionParts"
755      *   value="{Content}{http://example.org/paymentv2}CreditCard;
756      *             {Element}{}UserName" />
757      * </pre>
758      * The the first entry of the list identifies the element
759      * <code>CreditCard</code> in the namespace
760      * <code>http://example.org/paymentv2</code>, and will encrypt its content.
761      * Be aware that the element name, the namespace identifier, and the
762      * encryption modifier are case sensitive.
763      * <p/>
764      * The encryption modifier and the namespace identifier can be ommited.
765      * In this case the encryption mode defaults to <code>Content</code> and
766      * the namespace is set to the SOAP namespace.
767      * <p/>
768      * An empty encryption mode defaults to <code>Content</code>, an empty
769      * namespace identifier defaults to the SOAP namespace.
770      * The second line of the example defines <code>Element</code> as
771      * encryption mode for an <code>UserName</code> element in the SOAP
772      * namespace.
773      * <p/>
774      * Note that the special value "{}cid:Attachments;" means that all of the message
775      * attachments should be encrypted.
776      * <p/>
777      * To specify an element without a namespace use the string
778      * <code>Null</code> as the namespace name (this is a case sensitive
779      * string)
780      * <p/>
781      * If no list is specified, the handler encrypts the SOAP Body in
782      * <code>Content</code> mode by default.
783      */
784     public static final String ENCRYPTION_PARTS = "encryptionParts";
785 
786     /**
787      * Parameter to define which parts of the request shall be encrypted, if they
788      * exist in the request. If they do not, then no error is thrown. This contrasts
789      * with the ENCRYPTION_PARTS Identifier, which specifies elements that must be
790      * encrypted in the request.
791      * <p/>
792      * Refer to {@link #ENCRYPTION_PARTS} for a detailed description of
793      * the format of the value string.
794      * <p/>
795      */
796     public static final String OPTIONAL_ENCRYPTION_PARTS = "optionalEncryptionParts";
797 
798     /**
799      * Defines which encryption digest algorithm to use with the RSA OAEP Key Transport
800      * algorithm for encryption. The default is SHA-1.
801      * <p/>
802      * The application may set this parameter using the following method:
803      * <pre>
804      * call.setProperty(
805      *    ConfigurationConstants.ENC_DIGEST_ALGO, "http://www.w3.org/2001/04/xmlenc#sha256"
806      * );
807      * </pre>
808      */
809     public static final String ENC_DIGEST_ALGO = "encryptionDigestAlgorithm";
810 
811     /**
812      * Defines which encryption mgf algorithm to use with the RSA OAEP Key Transport
813      * algorithm for encryption. The default is mgfsha1.
814      * <p/>
815      * The application may set this parameter using the following method:
816      * <pre>
817      * call.setProperty(
818      *    ConfigurationConstants.ENC_MGF_ALGO, "http://www.w3.org/2009/xmlenc11#mgf1sha256"
819      * );
820      * </pre>
821      */
822     public static final String ENC_MGF_ALGO = "encryptionMGFAlgorithm";
823 
824     /**
825      * Time-To-Live is the time difference between creation and expiry time in
826      * seconds of the UsernameToken Created value. After this time the SOAP request
827      * is invalid (at least the security data shall be treated this way).
828      * <p/>
829      * If this parameter is not defined, contains a value less or equal
830      * zero, or an illegal format the handlers use a default TTL of
831      * 300 seconds (5 minutes).
832      */
833     public static final String TTL_USERNAMETOKEN = "utTimeToLive";
834 
835     /**
836      * This configuration tag specifies the time in seconds in the future within which
837      * the Created time of an incoming UsernameToken is valid. The default value is "60",
838      * to avoid problems where clocks are slightly askew. To reject all future-created
839      * UsernameTokens, set this value to "0".
840      */
841     public static final String TTL_FUTURE_USERNAMETOKEN = "utFutureTimeToLive";
842 
843     /**
844      * This configuration tag is a String (separated by the value specified for SIG_CERT_CONSTRAINTS_SEPARATOR)
845      * of regular expressions which will be applied to the subject DN of the certificate used for signature
846      * validation, after trust verification of the certificate chain associated with the
847      * certificate.
848      */
849     public static final String SIG_SUBJECT_CERT_CONSTRAINTS = "sigSubjectCertConstraints";
850 
851     /**
852      * This configuration tag is a String (separated by the value specified for SIG_CERT_CONSTRAINTS_SEPARATOR)
853      * of regular expressions which will be applied to the issuer DN of the certificate used for signature
854      * validation, after trust verification of the certificate chain associated with the
855      * certificate.
856      */
857     public static final String SIG_ISSUER_CERT_CONSTRAINTS = "sigIssuerCertConstraints";
858 
859     /**
860      * This configuration tag refers to the separator that is used to parse certificate constraints
861      * configured in the SIG_SUBJECT_CERT_CONSTRAINTS and SIG_ISSUER_CERT_CONSTRAINTS configuration
862      * tags. By default it is a comma - ",".
863      */
864     public static final String SIG_CERT_CONSTRAINTS_SEPARATOR = "sigCertConstraintsSeparator";
865 
866     /**
867      * Time-To-Live is the time difference between creation and expiry time in
868      * seconds in the WSS Timestamp. After this time the SOAP request is
869      * invalid (at least the security data shall be treated this way).
870      * <p/>
871      * If this parameter is not defined, contains a value less or equal
872      * zero, or an illegal format the handlers use a default TTL of
873      * 300 seconds (5 minutes).
874      */
875     public static final String TTL_TIMESTAMP = "timeToLive";
876 
877     /**
878      * This configuration tag specifies the time in seconds in the future within which
879      * the Created time of an incoming Timestamp is valid. The default value is "60",
880      * to avoid problems where clocks are slightly askew. To reject all future-created
881      * Timestamps, set this value to "0".
882      */
883     public static final String TTL_FUTURE_TIMESTAMP = "futureTimeToLive";
884 
885     /**
886      * This tag refers to a Map of QName, Object (Validator) instances to be used to
887      * validate tokens identified by their QName. For the DOM layer, the Object should
888      * be a org.apache.wss4j.dom.validate.Validator instance. For the StAX layer, it
889      * should be a org.apache.wss4j.stax.validate.Validator instance.
890      */
891     public static final String VALIDATOR_MAP = "validatorMap";
892 
893     /**
894      * This holds a reference to a ReplayCache instance used to cache UsernameToken nonces. The
895      * default instance that is used is the EHCacheReplayCache.
896      */
897     public static final String NONCE_CACHE_INSTANCE = "nonceCacheInstance";
898 
899     /**
900      * This holds a reference to a ReplayCache instance used to cache Timestamp Created Strings. The
901      * default instance that is used is the EHCacheReplayCache.
902      */
903     public static final String TIMESTAMP_CACHE_INSTANCE = "timestampCacheInstance";
904 
905     /**
906      * This holds a reference to a ReplayCache instance used to cache SAML2 Token Identifier
907      * Strings (if the token contains a OneTimeUse Condition). The default instance that is
908      * used is the EHCacheReplayCache.
909      */
910     public static final String SAML_ONE_TIME_USE_CACHE_INSTANCE = "samlOneTimeUseCacheInstance";
911 
912     /**
913      * This holds a reference to a PasswordEncryptor instance, which is used to encrypt or
914      * decrypt passwords in the Merlin Crypto implementation (or any custom Crypto implementations).
915      *
916      * By default, WSS4J uses the JasyptPasswordEncryptor, which must be instantiated with a
917      * password to use to decrypt keystore passwords in the Merlin Crypto properties file.
918      * This password is obtained via the CallbackHandler defined via PW_CALLBACK_CLASS
919      * or PW_CALLBACK_REF.
920      *
921      * The encrypted passwords must be stored in the format "ENC(encoded encrypted password)".
922      */
923     public static final String PASSWORD_ENCRYPTOR_INSTANCE = "passwordEncryptorInstance";
924 
925     /**
926      * This controls the deriving token from which DerivedKeyTokens derive keys from.
927      * Valid values are:
928      *  - DirectReference: A reference to a BinarySecurityToken
929      *  - EncryptedKey: A reference to an EncryptedKey
930      *  - SecurityContextToken: A reference to a SecurityContextToken
931      */
932     public static final String DERIVED_TOKEN_REFERENCE = "derivedTokenReference";
933 
934     /**
935      * This controls the key identifier of Derived Tokens, i.e. how they reference the deriving key.
936      */
937     public static final String DERIVED_TOKEN_KEY_ID = "derivedTokenKeyIdentifier";
938 
939     /**
940      * The length to use (in bytes) when deriving a key for Signature. If this is not specified,
941      * it defaults to a value based on the signature algorithm.
942      */
943     public static final String DERIVED_SIGNATURE_KEY_LENGTH = "derivedSignatureKeyLength";
944 
945     /**
946      * The length to use (in bytes) when deriving a key for Encryption. If this is not specified,
947      * it defaults to a value based on the encryption algorithm.
948      */
949     public static final String DERIVED_ENCRYPTION_KEY_LENGTH = "derivedEncryptionKeyLength";
950 
951 
952 }
953