cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From build...@apache.org
Subject svn commit: r1009782 - in /websites/production/cxf/content: cache/docs.pageCache docs/security-configuration.html
Date Tue, 04 Apr 2017 15:47:38 GMT
Author: buildbot
Date: Tue Apr  4 15:47:38 2017
New Revision: 1009782

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/security-configuration.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/security-configuration.html
==============================================================================
--- websites/production/cxf/content/docs/security-configuration.html (original)
+++ websites/production/cxf/content/docs/security-configuration.html Tue Apr  4 15:47:38 2017
@@ -107,7 +107,7 @@ Apache CXF -- Security Configuration
          <td height="100%">
            <!-- Content -->
            <div class="wiki-content">
-<div id="ConfluenceContent"><h2 id="SecurityConfiguration-Backgroundtocommonsecurityconfiguration">Background
to common security configuration</h2><p>From Apache CXF 3.1.0, the <a shape="rect"
href="ws-securitypolicy.html">WS-SecurityPolicy</a> and the <a shape="rect" href="jax-rs-xml-security.html">XML
Security</a> (JAX-RS) components in CXF share a common set of configuration tags. Previously,
the configuration tags were all defined in the SecurityConstants class in the cxf-rt-ws-security
module. The JAX-RS XML Security component then referenced these configuration tags directly,
which meant that the XML Security component had to have a dependency on a SOAP module, which
was not ideal.</p><h2 id="SecurityConfiguration-NewconfigurationtagsinApacheCXF3.1.0">New
configuration tags in Apache CXF 3.1.0</h2><p>From Apache CXF 3.1.0, the cxf-rt-security
module is now shared between both the WS-Security and JAX-RS XML Security modules, and contains
a SecurityConstants class that defines s
 ecurity constants used by both stacks. These configuration tags are exactly the same as a
set of previous configuration tags found in the WS-Security SecurityConstants class in previous
releases, except that the prefix is now "security" (was "ws-security"). Here are the new set
of configuration tags:</p><h4 id="SecurityConfiguration-Userproperties">User properties</h4><div
class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1"
rowspan="1" class="confluenceTd"><p>security.username</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The user's name. It is used differently
by each of the Security functions, see <a shape="rect" href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#USERNAME">here</a>
for more information.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>security.password</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>The user's password when "security.callback-handler"
i
 s not defined. It is currently only used for the case of adding a password to a UsernameToken.</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>security.signature.username</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The user's name for signature. It
is used as the alias name in the keystore to get the user's cert and private key for signature.
See <a shape="rect" href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#SIGNATURE_USERNAME">here</a>
for more information.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>security.encryption.username</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>The user's name for encryption. It is used as
the alias name in the keystore to get the user's public key for encryption. See <a shape="rect"
href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#ENCRYPT_USERNAME">here</a>
for more information.</p></td><
 /tr></tbody></table></div><h4 id="SecurityConfiguration-CallbackClassandCryptoproperties">Callback
Class and Crypto properties</h4><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>security.callback-handler</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The CallbackHandler <a shape="rect"
href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#CALLBACK_HANDLER">implementation</a>
class used to obtain passwords.</p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"><p>security.saml-callback-handler</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The SAML CallbackHandler <a shape="rect"
href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#SAML_CALLBACK_HANDLER">implementation</a>
class used to construct SAML Assertions.</p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"><p>security.signature
 .properties</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The
Crypto property <a shape="rect" href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#SIGNATURE_PROPERTIES">configuration</a>
to use for signature, if "security.signature.crypto" is not set instead.</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>security.encryption.properties</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The Crypto property <a shape="rect"
href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#ENCRYPT_PROPERTIES">configuration</a>
to use for encryption, if "security.encryption.crypto" is not set instead.</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>security.signature.crypto</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>A Crypto <a shape="rect" class="external-link"
href="http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/components/cryp
 to/Crypto.html">object</a> to be used for signature. If this is not defined then
"security.signature.properties" is used instead.</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>security.encryption.crypto</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>A Crypto <a shape="rect" class="external-link"
href="http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/components/crypto/Crypto.html">object</a>
to be used for encryption. If this is not defined then "security.encryption.properties" is
used instead.</p></td></tr></tbody></table></div><p><strong>Note:</strong>
for Symmetric bindings that specify a protection token, the security-encryption properties
are used.</p><h4 id="SecurityConfiguration-BooleanSecurityconfigurationtags,e.g.thevalueshouldbe&quot;true&quot;or&quot;false&quot;.">Boolean
Security configuration tags, e.g. the value should be "true" or "false".</h4><div
class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1"

 rowspan="1" class="confluenceTd"><p>constant</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>default</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>definition</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>security.enableRevocation</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>false</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Whether to enable Certificate Revocation
List (CRL) checking or not when verifying trust in a certificate.</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">security.enable.unsigned-saml-assertion.principal</td><td
colspan="1" rowspan="1" class="confluenceTd">false</td><td colspan="1" rowspan="1"
class="confluenceTd">Whether to allow unsigned saml assertions as SecurityContext Principals.
The default is false.<p>Note that "unsigned" refers to an internal signature. Even if
the token is signed by an external signature (as per the "sender-vouches" requirement), this
boole
 an must still be configured if you want to use the token to set up the security context.</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">security.validate.saml.subject.conf</td><td
colspan="1" rowspan="1" class="confluenceTd">true</td><td colspan="1" rowspan="1"
class="confluenceTd">Whether to validate the SubjectConfirmation requirements of a received
SAML Token.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">security.sc.jaas-subject</td><td
colspan="1" rowspan="1" class="confluenceTd">true</td><td colspan="1" rowspan="1"
class="confluenceTd">Set this to "false" if security context must not be created from JAAS
Subject.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">security.validate.audience-restriction</td><td
colspan="1" rowspan="1" class="confluenceTd">(varies)</td><td colspan="1" rowspan="1"
class="confluenceTd"><p>If this is set to "true", then IF the SAML Token contains
Audience Restriction URIs, one of them must match either t
 he request URL or the Service QName. The default is "true" for CXF 3.0.x, and "false" for
2.7.x.</p></td></tr></tbody></table></div><h4 id="SecurityConfiguration-Non-booleanSecurityConfigurationparameters">Non-boolean
Security Configuration parameters</h4><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>security.saml-role-attributename</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The attribute URI of the SAML AttributeStatement
where the role information is stored. The default is "<a shape="rect" class="external-link"
href="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" rel="nofollow">http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</a>".</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>security.subject.cert.constraints</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>A comma separated String of regular
expressions which will be applied to the sub
 ject DN of the certificate used for signature validation, after trust verification of the
certificate chain associated with the certificate. These constraints are not used when the
certificate is contained in the keystore (direct trust).</p></td></tr></tbody></table></div><h4
id="SecurityConfiguration-STSClientConfigurationtags">STS Client Configuration tags</h4><p><strong>Note:
</strong>From CXF 3.1.3 onwards. Prior to CXF 3.1.3 these tags had a "ws-" prefix. The
older tags will still work for backwards compatibility reasons.</p><div class="table-wrap"><table
class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>security.sts.client</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>A reference to the STSClient class
used to communicate with the STS.</p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"><p>security.sts.applies-to</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The "AppliesTo" address to send to
the ST
 S. The default is the endpoint address of the service provider.</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>security.sts.token.usecert</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>If true, writes out an X509Certificate
structure in UseKey/KeyInfo. If false (the default), writes out a KeyValue structure instead.</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>security.sts.token.do.cancel</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Whether to cancel a token when using
SecureConversation after successful invocation. The default is "false".</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">security.issue.after.failed.renew</td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Whether to fall back to calling "issue"
after failing to renew an expired token. The default is "true".</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>security.cache.issued.token.in.endpoint</p></td>
 <td colspan="1" rowspan="1" class="confluenceTd"><p>Set this to "false" to not
cache a SecurityToken per proxy object in the IssuedTokenInterceptorProvider. This should
be done if a token is being retrieved from an STS in an intermediary. The default value is
"true".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>security.sts.disable-wsmex-call-using-epr-address</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Whether to avoid STS client trying
send WS-MetadataExchange call using STS EPR WSA address when the endpoint contract contains
no WS-MetadataExchange info. The default value is "false".</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>security.sts.token.crypto</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>A Crypto object to be used for the
STS. See <a shape="rect" href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#STS_TOKEN_CRYPTO">here</a>
for more information.</p></td
 ></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>security.sts.token.properties</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The Crypto property configuration
to use for the STS. See <a shape="rect" href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#STS_TOKEN_PROPERTIES">here</a>
for more information.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>security.sts.token.username</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>The alias name in the keystore to get the user's
public key to send to the STS for the PublicKey KeyType case.</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>security.sts.token.act-as</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The token to be sent to the STS in
an "ActAs" field. See <a shape="rect" href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#STS_TOKEN_ACT_AS">here</a>
for more 
 information.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>security.sts.token.on-behalf-of</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The token to be sent to the STS in
an "OnBehalfOf" field. See <a shape="rect" href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#STS_TOKEN_ON_BEHALF_OF">here</a>
for more information.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">security.issue.after.failed.renew</td><td colspan="1" rowspan="1"
class="confluenceTd">Whether to call "Issue" if a token "Renew" fails. Some STSs do not
support the renew binding. Defaults to "true".</td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd">security.sts.token.imminent-expiry-value</td><td
colspan="1" rowspan="1" class="confluenceTd">The value in seconds within which a token
is considered to be expired by the client, i.e. it is considered to be expired if it will
expire in a time less than the value speci
 fied by this tag. The default value is "10" for CXF 3.0.2+, and "0" for CXF 2.7.13+.</td></tr></tbody></table></div><h2
id="SecurityConfiguration-Backwardscompatibility">Backwards compatibility</h2><p>Users
of Apache CXF prior to 3.1.0 do not need to make any adjustment to their code or spring files.
The older "ws-" prefix associated with the configuration tags above will continue to be accepted.</p></div>
+<div id="ConfluenceContent"><h2 id="SecurityConfiguration-Backgroundtocommonsecurityconfiguration">Background
to common security configuration</h2><p>From Apache CXF 3.1.0, the <a shape="rect"
href="ws-securitypolicy.html">WS-SecurityPolicy</a> and the <a shape="rect" href="jax-rs-xml-security.html">XML
Security</a> (JAX-RS) components in CXF share a common set of configuration tags. Previously,
the configuration tags were all defined in the SecurityConstants class in the cxf-rt-ws-security
module. The JAX-RS XML Security component then referenced these configuration tags directly,
which meant that the XML Security component had to have a dependency on a SOAP module, which
was not ideal.</p><h2 id="SecurityConfiguration-NewconfigurationtagsinApacheCXF3.1.0">New
configuration tags in Apache CXF 3.1.0</h2><p>From Apache CXF 3.1.0, the cxf-rt-security
module is now shared between both the WS-Security and JAX-RS XML Security modules, and contains
a SecurityConstants class that defines s
 ecurity constants used by both stacks. These configuration tags are exactly the same as a
set of previous configuration tags found in the WS-Security SecurityConstants class in previous
releases, except that the prefix is now "security" (was "ws-security"). Here are the new set
of configuration tags:</p><h4 id="SecurityConfiguration-Userproperties">User properties</h4><div
class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1"
rowspan="1" class="confluenceTd"><p>security.username</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The user's name. It is used differently
by each of the Security functions, see <a shape="rect" href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#USERNAME">here</a>
for more information.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>security.password</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>The user's password when "security.callback-handler"
i
 s not defined. It is currently only used for the case of adding a password to a UsernameToken.</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>security.signature.username</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The user's name for signature. It
is used as the alias name in the keystore to get the user's cert and private key for signature.
See <a shape="rect" href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#SIGNATURE_USERNAME">here</a>
for more information.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>security.encryption.username</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>The user's name for encryption. It is used as
the alias name in the keystore to get the user's public key for encryption. See <a shape="rect"
href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#ENCRYPT_USERNAME">here</a>
for more information.</p></td><
 /tr></tbody></table></div><h4 id="SecurityConfiguration-CallbackClassandCryptoproperties">Callback
Class and Crypto properties</h4><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>security.callback-handler</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The CallbackHandler <a shape="rect"
href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#CALLBACK_HANDLER">implementation</a>
class used to obtain passwords.</p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"><p>security.saml-callback-handler</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The SAML CallbackHandler <a shape="rect"
href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#SAML_CALLBACK_HANDLER">implementation</a>
class used to construct SAML Assertions.</p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"><p>security.signature
 .properties</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The
Crypto property <a shape="rect" href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#SIGNATURE_PROPERTIES">configuration</a>
to use for signature, if "security.signature.crypto" is not set instead.</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>security.encryption.properties</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The Crypto property <a shape="rect"
href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#ENCRYPT_PROPERTIES">configuration</a>
to use for encryption, if "security.encryption.crypto" is not set instead.</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>security.signature.crypto</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>A Crypto <a shape="rect" class="external-link"
href="http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/components/cryp
 to/Crypto.html">object</a> to be used for signature. If this is not defined then
"security.signature.properties" is used instead.</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>security.encryption.crypto</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>A Crypto <a shape="rect" class="external-link"
href="http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/components/crypto/Crypto.html">object</a>
to be used for encryption. If this is not defined then "security.encryption.properties" is
used instead.</p></td></tr></tbody></table></div><p><strong>Note:</strong>
for Symmetric bindings that specify a protection token, the security-encryption properties
are used.</p><h4 id="SecurityConfiguration-BooleanSecurityconfigurationtags,e.g.thevalueshouldbe&quot;true&quot;or&quot;false&quot;.">Boolean
Security configuration tags, e.g. the value should be "true" or "false".</h4><div
class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1"

 rowspan="1" class="confluenceTd"><p>constant</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>default</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>definition</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>security.enableRevocation</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>false</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Whether to enable Certificate Revocation
List (CRL) checking or not when verifying trust in a certificate.</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">security.enable.unsigned-saml-assertion.principal</td><td
colspan="1" rowspan="1" class="confluenceTd">false</td><td colspan="1" rowspan="1"
class="confluenceTd">Whether to allow unsigned saml assertions as SecurityContext Principals.
The default is false.<p>Note that "unsigned" refers to an internal signature. Even if
the token is signed by an external signature (as per the "sender-vouches" requirement), this
boole
 an must still be configured if you want to use the token to set up the security context.</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">security.validate.saml.subject.conf</td><td
colspan="1" rowspan="1" class="confluenceTd">true</td><td colspan="1" rowspan="1"
class="confluenceTd">Whether to validate the SubjectConfirmation requirements of a received
SAML Token.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">security.sc.jaas-subject</td><td
colspan="1" rowspan="1" class="confluenceTd">true</td><td colspan="1" rowspan="1"
class="confluenceTd">Set this to "false" if security context must not be created from JAAS
Subject.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">security.validate.audience-restriction</td><td
colspan="1" rowspan="1" class="confluenceTd">(varies)</td><td colspan="1" rowspan="1"
class="confluenceTd"><p>If this is set to "true", then IF the SAML Token contains
Audience Restriction URIs, one of them must match either t
 he request URL or the Service QName. The default is "true" for CXF 3.0.x, and "false" for
2.7.x.</p></td></tr></tbody></table></div><h4 id="SecurityConfiguration-Non-booleanSecurityConfigurationparameters">Non-boolean
Security Configuration parameters</h4><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>security.saml-role-attributename</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The attribute URI of the SAML AttributeStatement
where the role information is stored. The default is "<a shape="rect" class="external-link"
href="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" rel="nofollow">http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</a>".</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>security.subject.cert.constraints</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>A comma separated String of regular
expressions which will be applied to the sub
 ject DN of the certificate used for signature validation, after trust verification of the
certificate chain associated with the certificate. These constraints are not used when the
certificate is contained in the keystore (direct trust).</p></td></tr></tbody></table></div><h4
id="SecurityConfiguration-STSClientConfigurationtags">STS Client Configuration tags</h4><p><strong>Note:
</strong>From CXF 3.1.3 onwards. Prior to CXF 3.1.3 these tags had a "ws-" prefix. The
older tags will still work for backwards compatibility reasons.</p><div class="table-wrap"><table
class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>security.sts.client</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>A reference to the STSClient class
used to communicate with the STS.</p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"><p>security.sts.applies-to</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The "AppliesTo" address to send to
the ST
 S. The default is the endpoint address of the service provider.</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>security.sts.token.usecert</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>If true, writes out an X509Certificate
structure in UseKey/KeyInfo. If false (the default), writes out a KeyValue structure instead.</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>security.sts.token.do.cancel</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Whether to cancel a token when using
SecureConversation after successful invocation. The default is "false".</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">security.issue.after.failed.renew</td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Whether to fall back to calling "issue"
after failing to renew an expired token. The default is "true".</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>security.cache.issued.token.in.endpoint</p></td>
 <td colspan="1" rowspan="1" class="confluenceTd"><p>Set this to "false" to not
cache a SecurityToken per proxy object in the IssuedTokenInterceptorProvider. This should
be done if a token is being retrieved from an STS in an intermediary. The default value is
"true".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>security.sts.disable-wsmex-call-using-epr-address</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Whether to avoid STS client trying
send WS-MetadataExchange call using STS EPR WSA address when the endpoint contract contains
no WS-MetadataExchange info. The default value is "false".</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>security.sts.token.crypto</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>A Crypto object to be used for the
STS. See <a shape="rect" href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#STS_TOKEN_CRYPTO">here</a>
for more information.</p></td
 ></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>security.sts.token.properties</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The Crypto property configuration
to use for the STS. See <a shape="rect" href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#STS_TOKEN_PROPERTIES">here</a>
for more information.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>security.sts.token.username</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>The alias name in the keystore to get the user's
public key to send to the STS for the PublicKey KeyType case.</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>security.sts.token.act-as</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The token to be sent to the STS in
an "ActAs" field. See <a shape="rect" href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#STS_TOKEN_ACT_AS">here</a>
for more 
 information.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>security.sts.token.on-behalf-of</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The token to be sent to the STS in
an "OnBehalfOf" field. See <a shape="rect" href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#STS_TOKEN_ON_BEHALF_OF">here</a>
for more information.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">security.issue.after.failed.renew</td><td colspan="1" rowspan="1"
class="confluenceTd">Whether to call "Issue" if a token "Renew" fails. Some STSs do not
support the renew binding. Defaults to "true".</td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd">security.sts.token.imminent-expiry-value</td><td
colspan="1" rowspan="1" class="confluenceTd">The value in seconds within which a token
is considered to be expired by the client, i.e. it is considered to be expired if it will
expire in a time less than the value speci
 fied by this tag. The default value is "10" for CXF 3.0.2+, and "0" for CXF 2.7.13+.</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">security.sts.token.cacher.impl <strong>CXF
3.1.11</strong></td><td colspan="1" rowspan="1" class="confluenceTd"><p>An
implementation of the STSTokenCacher interface, if you want to plug in custom caching behaviour
for STS clients. The default value is the DefaultSTSTokenCacher.</p></td></tr></tbody></table></div><h2
id="SecurityConfiguration-Backwardscompatibility">Backwards compatibility</h2><p>Users
of Apache CXF prior to 3.1.0 do not need to make any adjustment to their code or spring files.
The older "ws-" prefix associated with the configuration tags above will continue to be accepted.</p></div>
            </div>
            <!-- Content -->
          </td>



Mime
View raw message