cxf-commits mailing list archives

From "Colm O hEigeartaigh (Confluence)" <conflue...@apache.org>
Subject [CONF] Apache CXF Documentation > WS-SecurityPolicy
Date Wed, 14 Aug 2013 13:26:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/en/2176/1/1/_/styles/combined.css?spaceKey=CXF20DOC&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/CXF20DOC/WS-SecurityPolicy">WS-SecurityPolicy</a></h2>
    <h4>Page <b>edited</b> by             <a href="https://cwiki.apache.org/confluence/display/~coheigea@apache.org">Colm
O hEigeartaigh</a>
    </h4>
        <br/>
                         <h4>Changes (1)</h4>
                                 
    
<div id="page-diffs">
                    <table class="diff" cellpadding="0" cellspacing="0">
    
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >| ws-security.role.classifier | If
one of the WSS4J Validators returns a JAAS Subject from Validation, then the WSS4JInInterceptor
will attempt to create a SecurityContext based on this Subject. If this value is not specified,
then it tries to get roles using the DefaultSecurityContext in cxf-rt-core. Otherwise it uses
this value in combination with the SUBJECT_ROLE_CLASSIFIER_TYPE to get the roles from the
Subject. | <br>| ws-security.role.classifier.type | If one of the WSS4J Validators returns
a JAAS Subject from Validation, then the WSS4JInInterceptor will attempt to create a SecurityContext
based on this Subject. Currently accepted values are &quot;prefix&quot; or &quot;classname&quot;.
Must be used in conjunction with the SUBJECT_ROLE_CLASSIFIER. The default value is &quot;prefix&quot;.
| <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">|
ws-security.asymmetric.signature.algorithm | This configuration tag overrides the default
Asymmetric Signature algorithm (RSA-SHA1) for use in WS-SecurityPolicy, as the WS-SecurityPolicy
specification does not allow the use of other algorithms at present. | <br></td></tr>
            <tr><td class="diff-unchanged" > <br>h4. Validator implementations
for validating received security tokens <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
    
            </table>
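Review bot: the added row for ws-security.asymmetric.signature.algorithm does not say what form its value takes, while the neighbouring rows in this table state their accepted values and defaults (ws-security.role.classifier.type lists "prefix" or "classname" with "prefix" as the default); suggest naming the expected value, for example the signature algorithm identifier to use in place of RSA-SHA1. The causal clause also reads inverted: "overrides the default ... as the WS-SecurityPolicy specification does not allow the use of other algorithms" gives the specification's limitation as the reason for overriding, where it is the reason the property exists at all; clearer as "the WS-SecurityPolicy specification currently provides no way to select a different algorithm, so this property overrides the default (RSA-SHA1)".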
    </div>                            <h4>Full Content</h4>
                    <div class="notificationGreySide">
        <h1><a name="WS-SecurityPolicy-WSSecurityPolicy"></a>WS-SecurityPolicy</h1>

<p>CXF 2.2 introduced support for using <a href="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.3/ws-securitypolicy.html"
class="external-link" rel="nofollow">WS-SecurityPolicy</a> to configure WSS4J instead
of the custom configuration documented on the <a href="/confluence/display/CXF20DOC/WS-Security"
title="WS-Security">WS-Security</a> page. However, all of the "background" material
on the <a href="/confluence/display/CXF20DOC/WS-Security" title="WS-Security">WS-Security</a>
page still applies and is important to know. WS-SecurityPolicy just provides an easier and
more standards-based way to configure and control the security requirements. With the security
requirements documented in the WSDL as <a href="/confluence/display/CXF20DOC/WS-Policy"
title="WS-Policy">WS-Policy</a> fragments, other tools such as .NET can easily determine
how to configure themselves to interoperate with CXF services.</p>


<h3><a name="WS-SecurityPolicy-EnablingWSSecurityPolicy"></a>Enabling WS-SecurityPolicy</h3>

<p>In CXF 2.2, if the cxf-rt-ws-policy and cxf-rt-ws-security modules are available
on the classpath, WS-SecurityPolicy support is automatically enabled. Since the entire
security runtime is policy driven, the only requirement is that the policy engine and security
policies be available.</p>

<p>If you are using the full "bundle" jar, all the security and policy modules are already
included.</p>


<h3><a name="WS-SecurityPolicy-Policydescription"></a>Policy description</h3>

<p>With WS-SecurityPolicy, the binding and/or operation in the wsdl references a <a
href="/confluence/display/CXF20DOC/WS-Policy" title="WS-Policy">WS-Policy</a> fragment
that describes the basic security requirements for interacting with that service. The <a
href="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.3/ws-securitypolicy.html" class="external-link"
rel="nofollow">WS-SecurityPolicy specification</a> allows for specifying things like
asymmetric/symmetric keys, using transports (https) for encryption, which parts/headers to
encrypt or sign, whether to sign then encrypt or encrypt then sign, whether to include timestamps,
whether to use derived keys, and so on. Basically, it describes what actions are necessary to
securely interact with the service described in the WSDL.</p>

<p>However, the WS-SecurityPolicy fragment does not include "everything" that is required
for a runtime to be able to create the messages. It does not describe things such
as locations of key stores, user names and passwords, etc. Those need to be configured
at runtime to augment the WS-SecurityPolicy fragment.</p>


<h3><a name="WS-SecurityPolicy-Configuringtheextraproperties"></a>Configuring
the extra properties</h3>

<p>There are several extra properties that may need to be set to provide the additional
bits of information to the runtime. Note that you should check that a particular property
is supported in the version of CXF you are using.</p>

<h4><a name="WS-SecurityPolicy-Userproperties"></a>User properties</h4>

<div class='table-wrap'>
<table class='confluenceTable'><tbody>
<tr>
<td class='confluenceTd'> ws-security.username </td>
<td class='confluenceTd'> The user's name. It is used differently by each of the WS-Security
functions, see <a href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#USERNAME"
class="external-link" rel="nofollow">here</a> for more information. </td>
</tr>
<tr>
<td class='confluenceTd'> ws-security.password </td>
<td class='confluenceTd'> The user's password when "ws-security.callback-handler" is
not defined. It is currently only used for the case of adding a password to a UsernameToken.
</td>
</tr>
<tr>
<td class='confluenceTd'> ws-security.signature.username </td>
<td class='confluenceTd'> The user's name for signature. It is used as the alias name
in the keystore to get the user's cert and private key for signature. See <a href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#SIGNATURE_USERNAME"
class="external-link" rel="nofollow">here</a> for more information. </td>
</tr>
<tr>
<td class='confluenceTd'> ws-security.encryption.username </td>
<td class='confluenceTd'> The user's name for encryption. It is used as the alias name
in the keystore to get the user's public key for encryption. See <a href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#ENCRYPT_USERNAME"
class="external-link" rel="nofollow">here</a> for more information.</td>
</tr>
</tbody></table>
</div>


<h4><a name="WS-SecurityPolicy-CallbackClassandCryptoproperties"></a>Callback
Class and Crypto properties</h4>

<div class='table-wrap'>
<table class='confluenceTable'><tbody>
<tr>
<td class='confluenceTd'> ws-security.callback-handler </td>
<td class='confluenceTd'> The CallbackHandler <a href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#CALLBACK_HANDLER"
class="external-link" rel="nofollow">implementation</a> class used to obtain passwords.</td>
</tr>
<tr>
<td class='confluenceTd'> ws-security.saml-callback-handler </td>
<td class='confluenceTd'> The SAML CallbackHandler <a href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#SAML_CALLBACK_HANDLER"
class="external-link" rel="nofollow">implementation</a> class used to construct SAML
Assertions.</td>
</tr>
<tr>
<td class='confluenceTd'> ws-security.signature.properties </td>
<td class='confluenceTd'> The Crypto property <a href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#SIGNATURE_PROPERTIES"
class="external-link" rel="nofollow">configuration</a> to use for signature, if "ws-security.signature.crypto"
is not set.</td>
</tr>
<tr>
<td class='confluenceTd'> ws-security.encryption.properties </td>
<td class='confluenceTd'> The Crypto property <a href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#ENCRYPT_PROPERTIES"
class="external-link" rel="nofollow">configuration</a> to use for encryption, if
"ws-security.encryption.crypto" is not set. </td>
</tr>
<tr>
<td class='confluenceTd'> ws-security.signature.crypto </td>
<td class='confluenceTd'> A Crypto <a href="http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/components/crypto/Crypto.html"
class="external-link" rel="nofollow">object</a> to be used for signature. If this
is not defined then "ws-security.signature.properties" is used instead.</td>
</tr>
<tr>
<td class='confluenceTd'> ws-security.encryption.crypto </td>
<td class='confluenceTd'> A Crypto <a href="http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/components/crypto/Crypto.html"
class="external-link" rel="nofollow">object</a> to be used for encryption. If this
is not defined then "ws-security.encryption.properties" is used instead.</td>
</tr>
</tbody></table>
</div>


<p><b>Note:</b> for Symmetric bindings that specify a protection token,
the ws-security.encryption.* properties are used.</p>
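<p>As an added illustration (not code from the CXF project or this page), the following class is the kind of CallbackHandler that the "ws-security.callback-handler" property names. It answers the WSPasswordCallback requests that WSS4J 1.x (the org.apache.ws.security API linked from this table) makes when it needs the password protecting a private key for signing or decryption, or the password to place in, or check against, a UsernameToken. The class name, aliases, user names and passwords are constructed placeholders.</p>

```java
// Added example, not code from the CXF project or this page: a CallbackHandler of the
// kind named by the "ws-security.callback-handler" property, answering the
// WSPasswordCallback requests WSS4J 1.x makes. Aliases, user names and passwords are
// constructed placeholders.
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

public class SamplePasswordCallbackHandler implements CallbackHandler {

    // Private-key passwords keyed by keystore alias (constructed values; a real
    // handler would read them from a protected store, not hard-code them).
    private final Map<String, String> keyPasswords = new HashMap<String, String>();
    // UsernameToken passwords keyed by user name (constructed values).
    private final Map<String, String> userPasswords = new HashMap<String, String>();

    public SamplePasswordCallbackHandler() {
        keyPasswords.put("clientkeyalias", "client-key-pass");
        userPasswords.put("alice", "alice-ut-pass");
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (!(callback instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callback, "only WSPasswordCallback is handled");
            }
            WSPasswordCallback pc = (WSPasswordCallback) callback;
            String password;
            switch (pc.getUsage()) {
            case WSPasswordCallback.SIGNATURE:
            case WSPasswordCallback.DECRYPT:
                // The identifier is the keystore alias (ws-security.signature.username, or the
                // alias of the decryption key); WSS4J needs that key's private-key password.
                password = keyPasswords.get(pc.getIdentifier());
                break;
            case WSPasswordCallback.USERNAME_TOKEN:
                // Outbound: the password to write into the UsernameToken.
                // Inbound with ws-security.validate.token=true: the expected password, which
                // WSS4J's UsernameTokenValidator compares against the received token.
                password = userPasswords.get(pc.getIdentifier());
                break;
            default:
                throw new UnsupportedCallbackException(callback, "unsupported usage " + pc.getUsage());
            }
            if (password == null) {
                // Fail loudly: leaving the password unset would surface later as an opaque
                // signature or token validation error.
                throw new IOException("no password configured for '" + pc.getIdentifier() + "'");
            }
            pc.setPassword(password);
        }
    }
}
```

<p>Reference the class by name in the ws-security.callback-handler entry of the Spring examples below, or put an instance under that key in the RequestContext. Branching on the callback's usage matters: the same handler is asked for private-key passwords and for UsernameToken passwords, and answering a UsernameToken request with a key password (or the reverse) is an easy way to leak the wrong secret onto the wire.</p>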

<h4><a name="WS-SecurityPolicy-BooleanWSSecurityconfigurationtags%2Ce.g.thevalueshouldbe%22true%22or%22false%22."></a>Boolean
WS-Security configuration tags, i.e. the value should be "true" or "false".</h4>

<div class='table-wrap'>
<table class='confluenceTable'><tbody>
<tr>
<td class='confluenceTd'> constant </td>
<td class='confluenceTd'> default </td>
<td class='confluenceTd'> definition</td>
</tr>
<tr>
<td class='confluenceTd'> ws-security.validate.token </td>
<td class='confluenceTd'> true </td>
<td class='confluenceTd'> Whether to validate the password of a received UsernameToken
or not.</td>
</tr>
<tr>
<td class='confluenceTd'> ws-security.enableRevocation </td>
<td class='confluenceTd'> false </td>
<td class='confluenceTd'> Whether to enable Certificate Revocation List (CRL) checking
or not when verifying trust in a certificate.</td>
</tr>
<tr>
<td class='confluenceTd'> ws-security.username-token.always.encrypted </td>
<td class='confluenceTd'> true </td>
<td class='confluenceTd'> Whether to always encrypt UsernameTokens that are defined
as a SupportingToken. This should not be set to false in a production environment, as it exposes
the password (or the digest of the password) on the wire.</td>
</tr>
<tr>
<td class='confluenceTd'> ws-security.is-bsp-compliant </td>
<td class='confluenceTd'> true </td>
<td class='confluenceTd'> Whether to ensure compliance with the Basic Security Profile
(BSP) 1.1 or not.</td>
</tr>
<tr>
<td class='confluenceTd'> ws-security.self-sign-saml-assertion </td>
<td class='confluenceTd'> false </td>
<td class='confluenceTd'> Whether to self-sign a SAML Assertion or not. If this is set
to true, then an enveloped signature will be generated when the SAML Assertion is constructed.
</td>
</tr>
<tr>
<td class='confluenceTd'> ws-security.enable.nonce.cache </td>
<td class='confluenceTd'> (varies) </td>
<td class='confluenceTd'> Whether to cache UsernameToken nonces. See <a href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#ENABLE_NONCE_CACHE"
class="external-link" rel="nofollow">here</a> for more information.</td>
</tr>
<tr>
<td class='confluenceTd'> ws-security.enable.timestamp.cache </td>
<td class='confluenceTd'> (varies) </td>
<td class='confluenceTd'>  Whether to cache Timestamp Created Strings. See <a href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#ENABLE_TIMESTAMP_CACHE"
class="external-link" rel="nofollow">here</a> for more information.</td>
</tr>
</tbody></table>
</div>


<h4><a name="WS-SecurityPolicy-NonbooleanWSSecurityConfigurationparameters"></a>Non-boolean
WS-Security Configuration parameters</h4>

<div class='table-wrap'>
<table class='confluenceTable'><tbody>
<tr>
<td class='confluenceTd'> ws-security.timestamp.timeToLive </td>
<td class='confluenceTd'> The time in seconds to add to the Created value of an
incoming Timestamp to determine whether the Timestamp is still valid. The default
value is 300 seconds (5 minutes).</td>
</tr>
<tr>
<td class='confluenceTd'> ws-security.timestamp.futureTimeToLive </td>
<td class='confluenceTd'> The time in seconds in the future within which the Created
time of an incoming Timestamp is valid. The default value is "60". See <a href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#TIMESTAMP_FUTURE_TTL"
class="external-link" rel="nofollow">here</a> for more information.</td>
</tr>
<tr>
<td class='confluenceTd'> ws-security.saml-role-attributename </td>
<td class='confluenceTd'> The attribute URI of the SAML AttributeStatement where the
role information is stored. The default is "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role".</td>
</tr>
<tr>
<td class='confluenceTd'> ws-security.kerberos.client </td>
<td class='confluenceTd'> A reference to the <a href="http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosClient.java?view=markup"
class="external-link" rel="nofollow">KerberosClient</a> class used to obtain a service
ticket.</td>
</tr>
<tr>
<td class='confluenceTd'> ws-security.spnego.client.action </td>
<td class='confluenceTd'> The <a href="http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/spnego/SpnegoClientAction.html"
class="external-link" rel="nofollow">SpnegoClientAction</a> implementation to use
for SPNEGO. This allows the user to plug in a different implementation to obtain a service
ticket.</td>
</tr>
<tr>
<td class='confluenceTd'> ws-security.kerberos.jaas.context </td>
<td class='confluenceTd'> The JAAS Context name to use for Kerberos. This is currently
only supported for SPNEGO.</td>
</tr>
<tr>
<td class='confluenceTd'> ws-security.kerberos.spn </td>
<td class='confluenceTd'> The Kerberos Service Provider Name (spn) to use. This is currently
only supported for SPNEGO.</td>
</tr>
<tr>
<td class='confluenceTd'> ws-security.nonce.cache.instance </td>
<td class='confluenceTd'> This holds a reference to a <a href="http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/cache/ReplayCache.html"
class="external-link" rel="nofollow">ReplayCache</a> instance used to cache UsernameToken
nonces. The default instance that is used is the <a href="http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/cache/EHCacheReplayCache.java?view=markup"
class="external-link" rel="nofollow">EHCacheReplayCache</a>.</td>
</tr>
<tr>
<td class='confluenceTd'> ws-security.timestamp.cache.instance </td>
<td class='confluenceTd'> This holds a reference to a <a href="http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/cache/ReplayCache.html"
class="external-link" rel="nofollow">ReplayCache</a> instance used to cache Timestamp
Created Strings. The default instance that is used is the <a href="http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/cache/EHCacheReplayCache.java?view=markup"
class="external-link" rel="nofollow">EHCacheReplayCache</a>.</td>
</tr>
<tr>
<td class='confluenceTd'> ws-security.cache.config.file </td>
<td class='confluenceTd'> Set this property to point to a configuration file for the
underlying caching implementation. The default configuration file that is used is <a href="http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/resources/cxf-ehcache.xml?view=markup"
class="external-link" rel="nofollow">cxf-ehcache.xml</a> in the cxf-rt-ws-security
module.</td>
</tr>
<tr>
<td class='confluenceTd'> org.apache.cxf.ws.security.tokenstore.TokenStore </td>
<td class='confluenceTd'>  The <a href="http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/TokenStore.java?view=markup"
class="external-link" rel="nofollow">TokenStore</a> instance to use to cache security
tokens. By default this uses the <a href="http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/EHCacheTokenStore.java?view=markup"
class="external-link" rel="nofollow">EHCacheTokenStore</a> if EhCache is available.
Otherwise it uses the <a href="http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/MemoryTokenStore.java?view=markup"
class="external-link" rel="nofollow">MemoryTokenStore</a>.</td>
</tr>
<tr>
<td class='confluenceTd'> ws-security.subject.cert.constraints </td>
<td class='confluenceTd'> A comma separated String of regular expressions which will
be applied to the subject DN of the certificate used for signature validation, after trust
verification of the certificate chain associated with the certificate. These constraints are
not used when the certificate is contained in the keystore (direct trust). </td>
</tr>
<tr>
<td class='confluenceTd'> ws-security.role.classifier </td>
<td class='confluenceTd'> If one of the WSS4J Validators returns a JAAS Subject from
Validation, then the WSS4JInInterceptor will attempt to create a SecurityContext based on
this Subject. If this value is not specified, then it tries to get roles using the DefaultSecurityContext
in cxf-rt-core. Otherwise it uses this value in combination with the SUBJECT_ROLE_CLASSIFIER_TYPE
to get the roles from the Subject. </td>
</tr>
<tr>
<td class='confluenceTd'> ws-security.role.classifier.type </td>
<td class='confluenceTd'> If one of the WSS4J Validators returns a JAAS Subject from
Validation, then the WSS4JInInterceptor will attempt to create a SecurityContext based on
this Subject. Currently accepted values are "prefix" or "classname". Must be used in conjunction
with the SUBJECT_ROLE_CLASSIFIER. The default value is "prefix". </td>
</tr>
<tr>
<td class='confluenceTd'> ws-security.asymmetric.signature.algorithm </td>
<td class='confluenceTd'> This configuration tag overrides the default Asymmetric Signature
algorithm (RSA-SHA1) used in WS-SecurityPolicy. The WS-SecurityPolicy specification currently
provides no way to select other algorithms, so this property is the way to change it. </td>
</tr>
</tbody></table>
</div>
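<p>To make the acceptance rules behind three rows of this table concrete, here is an added example (not CXF or WSS4J code) that writes out the Timestamp freshness window defined by ws-security.timestamp.timeToLive and ws-security.timestamp.futureTimeToLive, and the subject DN filtering configured with ws-security.subject.cert.constraints. The sample times and DNs are constructed. The rule that a DN passes when any one pattern matches the whole DN is an assumption about how several constraints combine, which the table does not spell out; check the behaviour of the WSS4J version you deploy.</p>

```java
// Added example, not CXF or WSS4J code: the Timestamp acceptance window and the
// subject DN constraints from the table above, written out as plain checks.
// All sample times and DNs are constructed.
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class InboundPolicyChecks {

    /** Defaults stated in the table: 300 s into the past, 60 s into the future. */
    public static final long DEFAULT_TTL_SECONDS = 300;
    public static final long DEFAULT_FUTURE_TTL_SECONDS = 60;

    /**
     * A Timestamp is accepted when Created + timeToLive has not yet passed (the
     * message is not too old) and Created is not more than futureTimeToLive ahead
     * of the receiver's clock (bounded clock skew). Times are epoch milliseconds;
     * the TTLs are seconds, as in the properties.
     */
    public static boolean isTimestampAcceptable(long createdMillis, long nowMillis,
                                                long ttlSeconds, long futureTtlSeconds) {
        long expiresAt = createdMillis + ttlSeconds * 1000L;
        long latestAllowedCreated = nowMillis + futureTtlSeconds * 1000L;
        return expiresAt > nowMillis && createdMillis <= latestAllowedCreated;
    }

    /**
     * Parse the comma separated regular expressions of ws-security.subject.cert.constraints.
     * Because the property itself is split on commas, a pattern cannot contain a literal
     * comma even though DNs do; match across DN attributes with ".*" instead.
     */
    public static List<Pattern> parseSubjectConstraints(String commaSeparated) {
        List<Pattern> patterns = new ArrayList<Pattern>();
        if (commaSeparated == null || commaSeparated.trim().length() == 0) {
            return patterns;
        }
        for (String regex : commaSeparated.split(",")) {
            String trimmed = regex.trim();
            if (trimmed.length() > 0) {
                patterns.add(Pattern.compile(trimmed));
            }
        }
        return patterns;
    }

    /**
     * Assumption (the table does not say how several constraints combine): the DN is
     * accepted when at least one pattern matches the entire DN string. Using matches()
     * rather than find() means a pattern only passes for the DN shapes it spells out,
     * which avoids over-broad matches. No constraints means no restriction.
     */
    public static boolean subjectDnAllowed(String subjectDn, List<Pattern> constraints) {
        if (constraints.isEmpty()) {
            return true;
        }
        for (Pattern p : constraints) {
            if (p.matcher(subjectDn).matches()) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        long now = 1376486760000L; // constructed receiver clock value
        long fourMinutesAgo = now - 4 * 60 * 1000L;   // inside the 300 s window
        long sixMinutesAgo = now - 6 * 60 * 1000L;    // older than timeToLive
        long twoMinutesAhead = now + 2 * 60 * 1000L;  // beyond futureTimeToLive
        for (long created : new long[] {fourMinutesAgo, sixMinutesAgo, twoMinutesAhead}) {
            System.out.println("created " + created + " acceptable: "
                + isTimestampAcceptable(created, now, DEFAULT_TTL_SECONDS, DEFAULT_FUTURE_TTL_SECONDS));
        }

        // Two constraints: any certificate from the example organisation, or the one
        // named gateway. Neither pattern may contain a comma (see parseSubjectConstraints).
        List<Pattern> constraints =
            parseSubjectConstraints(".*O=Example Corp.*, CN=trusted-gateway.*");
        String[] dns = {"CN=alice,O=Example Corp,C=IE", "CN=mallory,O=Other Ltd,C=IE"};
        for (String dn : dns) {
            System.out.println(dn + " allowed: " + subjectDnAllowed(dn, constraints));
        }
    }
}
```

<p>Two points the table leaves implicit are visible here: the future window is a separate, normally much smaller, allowance than the expiry window, so a fast sender clock is caught even when the token is otherwise fresh; and the subject constraints only run after chain trust has been verified, so they narrow which trusted certificates may sign rather than replace trust verification, and they do not apply when the certificate itself sits in the keystore.</p>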


<h4><a name="WS-SecurityPolicy-Validatorimplementationsforvalidatingreceivedsecuritytokens"></a>Validator
implementations for validating received security tokens</h4>

<div class='table-wrap'>
<table class='confluenceTable'><tbody>
<tr>
<td class='confluenceTd'> ws-security.ut.validator </td>
<td class='confluenceTd'> The WSS4J Validator instance to use to validate UsernameTokens.
The default value is the <a href="http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/validate/UsernameTokenValidator.html"
class="external-link" rel="nofollow">UsernameTokenValidator</a>.</td>
</tr>
<tr>
<td class='confluenceTd'> ws-security.saml1.validator </td>
<td class='confluenceTd'> The WSS4J Validator instance to use to validate SAML 1.1 Tokens.
The default value is the <a href="http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/validate/SamlAssertionValidator.html"
class="external-link" rel="nofollow">SamlAssertionValidator</a>.</td>
</tr>
<tr>
<td class='confluenceTd'> ws-security.saml2.validator </td>
<td class='confluenceTd'> The WSS4J Validator instance to use to validate SAML 2.0 Tokens.
The default value is the <a href="http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/validate/SamlAssertionValidator.html"
class="external-link" rel="nofollow">SamlAssertionValidator</a>.</td>
</tr>
<tr>
<td class='confluenceTd'> ws-security.timestamp.validator </td>
<td class='confluenceTd'> The WSS4J Validator instance to use to validate Timestamps.
The default value is the <a href="http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/validate/TimestampValidator.html"
class="external-link" rel="nofollow">TimestampValidator</a>.</td>
</tr>
<tr>
<td class='confluenceTd'> ws-security.signature.validator </td>
<td class='confluenceTd'> The WSS4J Validator instance to use to validate trust in credentials
used in Signature verification. The default value is the <a href="http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/validate/SignatureTrustValidator.html"
class="external-link" rel="nofollow">SignatureTrustValidator</a>.</td>
</tr>
<tr>
<td class='confluenceTd'> ws-security.bst.validator </td>
<td class='confluenceTd'> The WSS4J Validator instance to use to validate BinarySecurityTokens.
The default value is the <a href="http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/validate/NoOpValidator.html"
class="external-link" rel="nofollow">NoOpValidator</a>.</td>
</tr>
<tr>
<td class='confluenceTd'> ws-security.sct.validator </td>
<td class='confluenceTd'> The WSS4J Validator instance to use to validate SecurityContextTokens.
The default value is the <a href="http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/validate/NoOpValidator.html"
class="external-link" rel="nofollow">NoOpValidator</a>.</td>
</tr>
</tbody></table>
</div>


<h4><a name="WS-SecurityPolicy-STSClientConfigurationtags"></a>STS Client
Configuration tags</h4>

<div class='table-wrap'>
<table class='confluenceTable'><tbody>
<tr>
<td class='confluenceTd'> ws-security.sts.client </td>
<td class='confluenceTd'> A reference to the STSClient class used to communicate with
the STS.</td>
</tr>
<tr>
<td class='confluenceTd'> ws-security.sts.applies-to </td>
<td class='confluenceTd'> The "AppliesTo" address to send to the STS. The default is
the endpoint address of the service provider.</td>
</tr>
<tr>
<td class='confluenceTd'> ws-security.sts.token.usecert </td>
<td class='confluenceTd'> If true, writes out an X509Certificate structure in UseKey/KeyInfo.
 If false (the default), writes out a KeyValue structure instead. </td>
</tr>
<tr>
<td class='confluenceTd'> ws-security.sts.token.do.cancel </td>
<td class='confluenceTd'> Whether to cancel a token when using SecureConversation after
successful invocation. The default is "false".</td>
</tr>
<tr>
<td class='confluenceTd'> ws-security.cache.issued.token.in.endpoint </td>
<td class='confluenceTd'> Set this to "false" to not cache a SecurityToken per proxy
object in the IssuedTokenInterceptorProvider. This should be done if a token is being retrieved
from an STS in an intermediary. The default value is "true". </td>
</tr>
<tr>
<td class='confluenceTd'> ws-security.sts.disable-wsmex-call-using-epr-address </td>
<td class='confluenceTd'> Whether to stop the STS client from attempting a WS-MetadataExchange
call using the STS EPR WSA address when the endpoint contract contains no WS-MetadataExchange
info. The default value is "false".</td>
</tr>
<tr>
<td class='confluenceTd'> ws-security.sts.token.crypto </td>
<td class='confluenceTd'> A Crypto object to be used for the STS. See <a href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#STS_TOKEN_CRYPTO"
class="external-link" rel="nofollow">here</a> for more information.</td>
</tr>
<tr>
<td class='confluenceTd'> ws-security.sts.token.properties </td>
<td class='confluenceTd'> The Crypto property configuration to use for the STS. See
<a href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#STS_TOKEN_PROPERTIES"
class="external-link" rel="nofollow">here</a> for more information.</td>
</tr>
<tr>
<td class='confluenceTd'> ws-security.sts.token.username </td>
<td class='confluenceTd'> The alias name in the keystore to get the user's public key
to send to the STS for the PublicKey KeyType case.</td>
</tr>
<tr>
<td class='confluenceTd'> ws-security.sts.token.act-as </td>
<td class='confluenceTd'> The token to be sent to the STS in an "ActAs" field. See <a
href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#STS_TOKEN_ACT_AS"
class="external-link" rel="nofollow">here</a> for more information.</td>
</tr>
<tr>
<td class='confluenceTd'> ws-security.sts.token.on-behalf-of </td>
<td class='confluenceTd'> The token to be sent to the STS in an "OnBehalfOf" field.
See <a href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#STS_TOKEN_ON_BEHALF_OF"
class="external-link" rel="nofollow">here</a> for more information.</td>
</tr>
</tbody></table>
</div>


<h4><a name="WS-SecurityPolicy-ConfiguringviaSpring"></a>Configuring via
Spring</h4>

<p>The properties are easily configured as client or endpoint properties: use the former
for the SOAP client, the latter for the web service provider.</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="theme: Default; brush: xml; gutter: false" style="font-size:12px; font-family:
ConfluenceInstalledFont,monospace;">
&lt;beans xmlns="http://www.springframework.org/schema/beans"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xmlns:jaxws="http://cxf.apache.org/jaxws"
   xsi:schemaLocation="http://www.springframework.org/schema/beans
   http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
   http://cxf.apache.org/jaxws
   http://cxf.apache.org/schemas/jaxws.xsd"&gt;

   &lt;jaxws:client name="{http://cxf.apache.org}MyPortName"
      createdFromAPI="true"&gt;
      &lt;jaxws:properties&gt;
         &lt;entry key="ws-security.callback-handler"
             value="interop.client.KeystorePasswordCallback"/&gt;
         &lt;entry key="ws-security.signature.properties"
             value="etc/client.properties"/&gt;
         &lt;entry key="ws-security.encryption.properties"
             value="etc/service.properties"/&gt;
         &lt;entry key="ws-security.encryption.username"
             value="servicekeyalias"/&gt;
      &lt;/jaxws:properties&gt;
   &lt;/jaxws:client&gt;

&lt;/beans&gt;
</pre>
</div></div>

<p>For the jaxws:client's <em>name</em> attribute above, use the namespace
of the WSDL along with the <em>name</em> attribute of the desired wsdl:port element
under the WSDL's service section. (See <a href="http://tinyurl.com/yatskw4" class="external-link"
rel="nofollow">here</a> and <a href="http://tinyurl.com/y9e7rjf" class="external-link"
rel="nofollow">here</a> for an example.)</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="theme: Default; brush: xml; gutter: false" style="font-size:12px; font-family:
ConfluenceInstalledFont,monospace;">
&lt;beans xmlns="http://www.springframework.org/schema/beans"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xmlns:jaxws="http://cxf.apache.org/jaxws"
   xsi:schemaLocation="http://www.springframework.org/schema/beans
   http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
   http://cxf.apache.org/jaxws
   http://cxf.apache.org/schemas/jaxws.xsd"&gt;

   &lt;jaxws:endpoint
      id="MyService"
      address="https://localhost:9001/MyService"
      serviceName="interop:MyService"
      endpointName="interop:MyServiceEndpoint"
      implementor="com.foo.MyService"&gt;

      &lt;jaxws:properties&gt;
         &lt;entry key="ws-security.callback-handler"
             value="interop.client.UTPasswordCallback"/&gt;
         &lt;entry key="ws-security.signature.properties"
             value="etc/keystore.properties"/&gt;
         &lt;entry key="ws-security.encryption.properties"
             value="etc/truststore.properties"/&gt;
         &lt;entry key="ws-security.encryption.username"
             value="useReqSigCert"/&gt;
      &lt;/jaxws:properties&gt;

   &lt;/jaxws:endpoint&gt;
&lt;/beans&gt;
</pre>
</div></div>

<p>See this <a href="http://www.jroller.com/gmazza/entry/cxf_x509_profile" class="external-link"
rel="nofollow">blog entry</a> for a more end-to-end example of using WS-SecurityPolicy
with X.509 keys.</p>

<h4><a name="WS-SecurityPolicy-ConfiguringviaAPI%27s"></a>Configuring via
APIs</h4>

<p>Configuring the properties for the client just involves setting the properties in
the client's RequestContext:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="theme: Default; brush: java; gutter: false" style="font-size:12px; font-family:
ConfluenceInstalledFont,monospace;">
Map&lt;String, Object&gt; ctx = ((BindingProvider)port).getRequestContext();
ctx.put("ws-security.encryption.properties", properties);
port.echoString("hello");
</pre>
</div></div>
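<p>The three lines above are a fragment. The following added example (not from the CXF documentation) shows a complete client-side configuration through the RequestContext, using the constants in org.apache.cxf.ws.security.SecurityConstants instead of string keys and building the WSS4J Merlin Crypto configuration in memory as a java.util.Properties object. The keystore file names, aliases and passwords are constructed placeholders and the callback handler class name is hypothetical. It assumes, as the fragment's properties variable suggests, that CXF accepts a Properties object as well as a file name for ws-security.signature.properties and ws-security.encryption.properties.</p>

```java
// Added example, not code from the CXF project: configure WS-SecurityPolicy runtime
// properties on a JAX-WS proxy through its RequestContext. File names, aliases and
// passwords are constructed placeholders; the callback handler class is hypothetical.
import java.util.Map;
import java.util.Properties;

import javax.xml.ws.BindingProvider;

import org.apache.cxf.ws.security.SecurityConstants;

public class ClientSecurityConfig {

    /**
     * Build a WSS4J 1.x Merlin Crypto configuration in memory. The same keys would
     * otherwise live in the .properties file named by ws-security.*.properties.
     */
    public static Properties merlinProperties(String keystoreFile,
                                              String keystorePassword,
                                              String alias) {
        Properties p = new Properties();
        p.setProperty("org.apache.ws.security.crypto.provider",
                      "org.apache.ws.security.components.crypto.Merlin");
        p.setProperty("org.apache.ws.security.crypto.merlin.keystore.type", "jks");
        p.setProperty("org.apache.ws.security.crypto.merlin.keystore.file", keystoreFile);
        p.setProperty("org.apache.ws.security.crypto.merlin.keystore.password", keystorePassword);
        p.setProperty("org.apache.ws.security.crypto.merlin.keystore.alias", alias);
        return p;
    }

    /** Apply the client-side properties to a proxy obtained from a generated Service class. */
    public static void configureClient(Object port) {
        Map<String, Object> ctx = ((BindingProvider) port).getRequestContext();

        // Signature: our own key pair, looked up by alias in the client keystore.
        ctx.put(SecurityConstants.SIGNATURE_USERNAME, "clientkeyalias");
        ctx.put(SecurityConstants.SIGNATURE_PROPERTIES,
                merlinProperties("etc/client-keystore.jks", "client-ks-pass", "clientkeyalias"));

        // Encryption: the service's certificate, looked up by alias in the client truststore.
        // Keeping keystore and truststore separate stops trust roots and signing keys
        // from being mixed up in one file.
        ctx.put(SecurityConstants.ENCRYPT_USERNAME, "servicekeyalias");
        ctx.put(SecurityConstants.ENCRYPT_PROPERTIES,
                merlinProperties("etc/client-truststore.jks", "client-ts-pass", "servicekeyalias"));

        // The private-key password is supplied on demand by a CallbackHandler
        // (hypothetical class name; a handler instance can be passed instead of the name).
        ctx.put(SecurityConstants.CALLBACK_HANDLER, "example.KeystorePasswordCallback");

        // Tighten the inbound Timestamp window below the 300 s / 60 s defaults from the
        // table above; the values are strings, as they would be in a Spring entry element.
        ctx.put(SecurityConstants.TIMESTAMP_TTL, "120");
        ctx.put(SecurityConstants.TIMESTAMP_FUTURE_TTL, "30");
    }
}
```

<p>Call configureClient(port) once after obtaining the proxy and before the first invocation; each call then reads the values from the RequestContext. Using the SecurityConstants names rather than literal strings means a mistyped property key fails at compile time instead of being silently ignored at runtime, which for security properties is the difference between a build error and an unsigned message.</p>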
    </div>
        <div id="commentsSection" class="wiki-content pageSection">
        <a href="https://cwiki.apache.org/confluence/display/CXF20DOC/WS-SecurityPolicy">View
Online</a>
        |
        <a href="https://cwiki.apache.org/confluence/pages/diffpagesbyversion.action?pageId=112639&revisedVersion=31&originalVersion=30">View
Changes</a>
            </div>
</div>
</div>
</div>
</div>
</body>
</html>
