cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1368868 - /cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
Date Fri, 03 Aug 2012 10:21:13 GMT
Author: coheigea
Date: Fri Aug  3 10:21:13 2012
New Revision: 1368868

URL: http://svn.apache.org/viewvc?rev=1368868&view=rev
Log:
Finished updating SecurityConstants doc.

Modified:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java?rev=1368868&r1=1368867&r2=1368868&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
Fri Aug  3 10:21:13 2012
@@ -123,7 +123,7 @@ public final class SecurityConstants {
     public static final String ENCRYPT_CRYPTO = "ws-security.encryption.crypto";
     
     //
-    // Boolean configuration tags, e.g. the value should be "true" or "false".
+    // Boolean WS-Security configuration tags, e.g. the value should be "true" or "false".
     //
     
     /**
@@ -173,35 +173,40 @@ public final class SecurityConstants {
     public static final String ENABLE_TIMESTAMP_CACHE = "ws-security.enable.timestamp.cache";
     
     //
-    // (Non-boolean) Configuration parameters
+    // Non-boolean WS-Security Configuration parameters
     //
     
     /**
-     * This configuration tag specifies the time in seconds after Creation that an incoming

-     * Timestamp is valid for. The default value is 300 seconds (5 minutes).
+     * The time in seconds after Creation that an incoming Timestamp is valid for. The default
+     * value is 300 seconds (5 minutes).
      */
     public static final String TIMESTAMP_TTL = "ws-security.timestamp.timeToLive";
     
     /**
-     * This configuration tag specifies the time in seconds in the future within which
-     * the Created time of an incoming Timestamp is valid. WSS4J rejects by default any
-     * timestamp which is "Created" in the future, and so there could potentially be
-     * problems in a scenario where a client's clock is slightly askew. The default
-     * value for this parameter is "0", meaning that no future-created Timestamps are
-     * allowed.
+     * The time in seconds in the future within which the Created time of an incoming 
+     * Timestamp is valid. The default value is "60", to avoid problems where clocks are

+     * slightly askew. To reject all future-created Timestamps, set this value to "0". 
      */
     public static final String TIMESTAMP_FUTURE_TTL = "ws-security.timestamp.futureTimeToLive";
     
     /**
-     * This configuration tag specifies the attribute URI of the SAML attributestatement
-     * where the role information is stored.
+     * The attribute URI of the SAML AttributeStatement where the role information is stored.
      * The default is "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role".
      */
     public static final String SAML_ROLE_ATTRIBUTENAME = "ws-security.saml-role-attributename";
     
+    /**
+     * A reference to the KerberosClient class used to obtain a service ticket. 
+     */
     public static final String KERBEROS_CLIENT = "ws-security.kerberos.client";
     
     /**
+     * The SpnegoClientAction implementation to use for SPNEGO. This allows the user to plug
in
+     * a different implementation to obtain a service ticket.
+     */
+    public static final String SPNEGO_CLIENT_ACTION = "ws-security.spnego.client.action";
+    
+    /**
      * The JAAS Context name to use for Kerberos. This is currently only supported for SPNEGO.
      */
     public static final String KERBEROS_JAAS_CONTEXT_NAME = "ws-security.kerberos.jaas.context";
@@ -212,12 +217,6 @@ public final class SecurityConstants {
     public static final String KERBEROS_SPN = "ws-security.kerberos.spn";
     
     /**
-     * The SpnegoClientAction implementation to use for SPNEGO. This allows the user to plug
in
-     * a different implementation to obtain a service ticket.
-     */
-    public static final String SPNEGO_CLIENT_ACTION = "ws-security.spnego.client.action";
-    
-    /**
      * This holds a reference to a ReplayCache instance used to cache UsernameToken nonces.
The
      * default instance that is used is the EHCacheReplayCache.
      */
@@ -246,11 +245,10 @@ public final class SecurityConstants {
         "org.apache.cxf.ws.security.tokenstore.TokenStore";
 
     /**
-     * This configuration tag is a comma separated String of regular expressions which
-     * will be applied to the subject DN of the certificate used for signature
-     * validation, after trust verification of the certificate chain associated with the

-     * certificate. These constraints are not used when the certificate is contained in
-     * the keystore (direct trust).
+     * A comma separated String of regular expressions which will be applied to the subject
DN of 
+     * the certificate used for signature validation, after trust verification of the certificate

+     * chain associated with the  certificate. These constraints are not used when the certificate

+     * is contained in the keystore (direct trust).
      */
     public static final String SUBJECT_CERT_CONSTRAINTS = "ws-security.subject.cert.constraints";
     
@@ -258,24 +256,73 @@ public final class SecurityConstants {
     // Validator implementations for validating received security tokens
     //
     
+    /**
+     * The WSS4J Validator instance to use to validate UsernameTokens. The default value
is the
+     * UsernameTokenValidator.
+     */
     public static final String USERNAME_TOKEN_VALIDATOR = "ws-security.ut.validator";
+    
+    /**
+     * The WSS4J Validator instance to use to validate SAML 1.1 Tokens. The default value
is the
+     * SamlAssertionValidator.
+     */
     public static final String SAML1_TOKEN_VALIDATOR = "ws-security.saml1.validator";
+    
+    /**
+     * The WSS4J Validator instance to use to validate SAML 2.0 Tokens. The default value
is the
+     * SamlAssertionValidator.
+     */
     public static final String SAML2_TOKEN_VALIDATOR = "ws-security.saml2.validator";
+    
+    /**
+     * The WSS4J Validator instance to use to validate Timestamps. The default value is the
+     * TimestampValidator.
+     */
     public static final String TIMESTAMP_TOKEN_VALIDATOR = "ws-security.timestamp.validator";
+    
+    /**
+     * The WSS4J Validator instance to use to validate trust in credentials used in
+     * Signature verification. The default value is the SignatureTrustValidator.
+     */
     public static final String SIGNATURE_TOKEN_VALIDATOR = "ws-security.signature.validator";
+    
+    /**
+     * The WSS4J Validator instance to use to validate BinarySecurityTokens. The default
value 
+     * is the NoOpValidator.
+     */
     public static final String BST_TOKEN_VALIDATOR = "ws-security.bst.validator";
+    
+    /**
+     * The WSS4J Validator instance to use to validate SecurityContextTokens. The default
value is 
+     * the NoOpValidator.
+     */
     public static final String SCT_TOKEN_VALIDATOR = "ws-security.sct.validator";
     
     //
     // STS Client Configuration tags
     //
     
+    /**
+     * A reference to the STSClient class used to communicate with the STS.
+     */
     public static final String STS_CLIENT = "ws-security.sts.client";
+    
+    /**
+     * The "AppliesTo" address to send to the STS. The default is the endpoint address of
the 
+     * service provider.
+     */
     public static final String STS_APPLIES_TO = "ws-security.sts.applies-to";
     
-    public static final String STS_TOKEN_USE_CERT_FOR_KEYINFO = 
-            "ws-security.sts.token.usecert";
+    /**
+     * Whether to write out an X509Certificate structure in UseKey/KeyInfo, or whether to
write
+     * out a KeyValue structure. The default value is "false".
+     */
+    public static final String STS_TOKEN_USE_CERT_FOR_KEYINFO = "ws-security.sts.token.usecert";
     
+    /**
+     * Whether to cancel a token when using SecureConversation after successful invocation.
The
+     * default is "false".
+     */
     public static final String STS_TOKEN_DO_CANCEL = "ws-security.sts.token.do.cancel";
     
     /**
@@ -287,26 +334,57 @@ public final class SecurityConstants {
         "ws-security.cache.issued.token.in.endpoint";
     
     /**
-     * Set this property to avoid STS client trying send WS-MetadataExchange call using
+     * Whether to avoid STS client trying send WS-MetadataExchange call using
      * STS EPR WSA address when the endpoint contract contains no WS-MetadataExchange info.
+     * The default value is "false".
      */
     public static final String DISABLE_STS_CLIENT_WSMEX_CALL_USING_EPR_ADDRESS =
         "ws-security.sts.disable-wsmex-call-using-epr-address";
     
     /**
+     * 
+     * A Crypto object to be used for the STS. If this is not defined then the 
+     * {@link STS_TOKEN_PROPERTIES} is used instead.
+     * 
      * WCF's trust server sometimes will encrypt the token in the response IN ADDITION TO
      * the full security on the message. These properties control the way the STS client
-     * will decrypt the EncryptedData elements in the response
+     * will decrypt the EncryptedData elements in the response.
      * 
      * These are also used by the STSClient to send/process any RSA/DSAKeyValue tokens 
      * used if the KeyType is "PublicKey" 
      */
     public static final String STS_TOKEN_CRYPTO = "ws-security.sts.token.crypto";
+    
+    /**
+     * The Crypto property configuration to use for the STS, if {@link STS_TOKEN_CRYPTO}
is not
+     * set instead.
+     * The value of this tag must be either:
+     * a) A Java Properties object that contains the Crypto configuration.
+     * b) The path of the Crypto property file that contains the Crypto configuration.
+     * c) A URL that points to the Crypto property file that contains the Crypto configuration.
+     */
     public static final String STS_TOKEN_PROPERTIES = "ws-security.sts.token.properties";
+    
+    /**
+     * The alias name in the keystore to get the user's public key to send to the STS for
the
+     * PublicKey KeyType case.
+     */
     public static final String STS_TOKEN_USERNAME = "ws-security.sts.token.username";
     
+    /**
+     * The token to be sent to the STS in an "ActAs" field. It can be either:
+     * a) A String
+     * b) A DOM Element
+     * c) A CallbackHandler object to use to obtain the token
+     */
     public static final String STS_TOKEN_ACT_AS = "ws-security.sts.token.act-as";
     
+    /**
+     * The token to be sent to the STS in an "OnBehalfOf" field. It can be either:
+     * a) A String
+     * b) A DOM Element
+     * c) A CallbackHandler object to use to obtain the token
+     */
     public static final String STS_TOKEN_ON_BEHALF_OF = "ws-security.sts.token.on-behalf-of";
     
     //
@@ -325,18 +403,16 @@ public final class SecurityConstants {
             SIGNATURE_CRYPTO, ENCRYPT_PROPERTIES, ENCRYPT_CRYPTO,
             VALIDATE_TOKEN, ENABLE_REVOCATION, ALWAYS_ENCRYPT_UT, IS_BSP_COMPLIANT, 
             SELF_SIGN_SAML_ASSERTION, ENABLE_NONCE_CACHE, ENABLE_TIMESTAMP_CACHE,
-            STS_CLIENT, STS_TOKEN_PROPERTIES, STS_TOKEN_CRYPTO,
-            STS_TOKEN_DO_CANCEL, TIMESTAMP_TTL, 
-            STS_TOKEN_ACT_AS, STS_TOKEN_USERNAME, STS_TOKEN_USE_CERT_FOR_KEYINFO,
-            SAML1_TOKEN_VALIDATOR, SAML2_TOKEN_VALIDATOR, TIMESTAMP_TOKEN_VALIDATOR,
-            SIGNATURE_TOKEN_VALIDATOR, TIMESTAMP_FUTURE_TTL,
-            BST_TOKEN_VALIDATOR, SAML_CALLBACK_HANDLER, STS_TOKEN_ON_BEHALF_OF,
-            KERBEROS_CLIENT, SCT_TOKEN_VALIDATOR, CACHE_ISSUED_TOKEN_IN_ENDPOINT,
-            KERBEROS_JAAS_CONTEXT_NAME, KERBEROS_SPN, SPNEGO_CLIENT_ACTION,
-            NONCE_CACHE_INSTANCE, 
-            TIMESTAMP_CACHE_INSTANCE, CACHE_CONFIG_FILE, TOKEN_STORE_CACHE_INSTANCE,
-            SAML_ROLE_ATTRIBUTENAME, DISABLE_STS_CLIENT_WSMEX_CALL_USING_EPR_ADDRESS,
-            SUBJECT_CERT_CONSTRAINTS,
+            TIMESTAMP_TTL, TIMESTAMP_FUTURE_TTL, SAML_ROLE_ATTRIBUTENAME,
+            KERBEROS_CLIENT, SPNEGO_CLIENT_ACTION, KERBEROS_JAAS_CONTEXT_NAME, KERBEROS_SPN,

+            NONCE_CACHE_INSTANCE, TIMESTAMP_CACHE_INSTANCE, CACHE_CONFIG_FILE, 
+            TOKEN_STORE_CACHE_INSTANCE, SUBJECT_CERT_CONSTRAINTS,
+            USERNAME_TOKEN_VALIDATOR, SAML1_TOKEN_VALIDATOR, SAML2_TOKEN_VALIDATOR, 
+            TIMESTAMP_TOKEN_VALIDATOR, SIGNATURE_TOKEN_VALIDATOR, BST_TOKEN_VALIDATOR, 
+            SCT_TOKEN_VALIDATOR, STS_CLIENT, STS_APPLIES_TO, STS_TOKEN_USE_CERT_FOR_KEYINFO,
+            STS_TOKEN_DO_CANCEL, CACHE_ISSUED_TOKEN_IN_ENDPOINT,
+            DISABLE_STS_CLIENT_WSMEX_CALL_USING_EPR_ADDRESS, STS_TOKEN_CRYPTO,
+            STS_TOKEN_PROPERTIES, STS_TOKEN_USERNAME, STS_TOKEN_ACT_AS, STS_TOKEN_ON_BEHALF_OF,
             TOKEN, TOKEN_ID
         }));
         ALL_PROPERTIES = Collections.unmodifiableSet(s);



Mime
View raw message