Author: buildbot
Date: Mon Mar 29 13:57:13 2021
New Revision: 1073106
Log:
Production update by buildbot for cxf
Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/security-configuration.html
Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.
Modified: websites/production/cxf/content/docs/security-configuration.html
==============================================================================
--- websites/production/cxf/content/docs/security-configuration.html (original)
+++ websites/production/cxf/content/docs/security-configuration.html Mon Mar 29
13:57:13 2021
@@ -89,7 +89,15 @@ Apache CXF -- Security Configuration
<div id="wrapper-menu-page-bottom">
<div id="menu-page">
<!-- NavigationBar -->
-<div id="navigation"><ul class="alternate"><li><a shape="rect"
href="overview.html">Overview</a></li><li><a shape="rect"
href="how-tos.html">How-Tos</a></li><li><a shape="rect"
href="frontends.html">Frontends</a></li><li><a shape="rect"
href="databindings.html">DataBindings</a></li><li><a shape="rect"
href="transports.html">Transports</a></li><li><a shape="rect"
href="configuration.html">Configuration</a></li><li><a shape="rect"
href="debugging-and-logging.html">Debugging and Logging</a></li><li><a
shape="rect" href="tools.html">Tools</a></li><li><a shape="rect"
href="restful-services.html">RESTful Services</a></li><li><a shape="rect"
href="wsdl-bindings.html">WSDL Bindings</a></li><li><a shape="rect"
href="service-routing.html">Service Routing</a></li><li><a shape="rect"
href="dynamic-languages.html">Dynamic Languages</a></li><li><a shape="rect"
href="ws-support.html">WS-* Support</a></li><li><a shape="rect"
href="advanced-integration.html">Advanced Integration</a></li><li><a shape
="rect" href="deployment.html">Deployment</a></li><li><a shape="rect"
href="schemas-and-namespaces.html">Use of Schemas and
Namespaces</a></li></ul><hr><ul
class="alternate"><li><p>Search</p></li></ul><div class="aui-message
aui-message-error"><p class="title"><strong>Error rendering macro
'html'</strong></p><p>Your Confluence administrator has disallowed the use of
Javascript in the HTML macro. This setting can be changed using HTML for
Confluence Configuration. Please see your administrator for
details.</p></div><hr><ul class="alternate"><li><a shape="rect"
href="http://cxf.apache.org/javadoc/latest/";>API 3.2.x (Javadoc)</a></li><li><a
shape="rect" href="http://cxf.apache.org/javadoc/latest-3.1.x/";>API 3.1.x
(Javadoc)</a></li><li><a shape="rect" href="http://cxf.apache.org/";>CXF
Website</a></li></ul><p> </p><p><a shape="rect" class="external-link"
href="http://www.apache.org/events/current-event.html";><span
class="confluence-embedded-file-wrapper"><img class="confluence-em
bedded-image confluence-external-resource"
src="http://www.apache.org/events/current-event-125x125.png";
data-image-src="http://www.apache.org/events/current-event-125x125.png";></span></a></p></div>
+<div id="navigation"><ul class="alternate"><li><a shape="rect"
href="overview.html">Overview</a></li><li><a shape="rect"
href="how-tos.html">How-Tos</a></li><li><a shape="rect"
href="frontends.html">Frontends</a></li><li><a shape="rect"
href="databindings.html">DataBindings</a></li><li><a shape="rect"
href="transports.html">Transports</a></li><li><a shape="rect"
href="configuration.html">Configuration</a></li><li><a shape="rect"
href="debugging-and-logging.html">Debugging and Logging</a></li><li><a
shape="rect" href="tools.html">Tools</a></li><li><a shape="rect"
href="restful-services.html">RESTful Services</a></li><li><a shape="rect"
href="wsdl-bindings.html">WSDL Bindings</a></li><li><a shape="rect"
href="service-routing.html">Service Routing</a></li><li><a shape="rect"
href="dynamic-languages.html">Dynamic Languages</a></li><li><a shape="rect"
href="ws-support.html">WS-* Support</a></li><li><a shape="rect"
href="advanced-integration.html">Advanced Integration</a></li><li><a shape
="rect" href="deployment.html">Deployment</a></li><li><a shape="rect"
href="schemas-and-namespaces.html">Use of Schemas and
Namespaces</a></li></ul><hr><ul
class="alternate"><li><p>Search</p></li></ul><form
enctype="application/x-www-form-urlencoded" method="get" id="cse-search-box"
action="http://www.google.com/cse";>
+ <div>
+ <input type="hidden" name="cx" value="002890367768291051730:o99qiwa09y4">
+ <input type="hidden" name="ie" value="UTF-8">
+ <input type="text" name="q" size="21">
+ <input type="submit" name="sa" value="Search">
+ </div>
+</form>
+<script type="text/javascript"
src="http://www.google.com/cse/brand?form=cse-search-box&lang=en";></script><hr><ul
class="alternate"><li><a shape="rect"
href="http://cxf.apache.org/javadoc/latest/";>API 3.2.x (Javadoc)</a></li><li><a
shape="rect" href="http://cxf.apache.org/javadoc/latest-3.1.x/";>API 3.1.x
(Javadoc)</a></li><li><a shape="rect" href="http://cxf.apache.org/";>CXF
Website</a></li></ul><p> </p><p><a shape="rect" class="external-link"
href="http://www.apache.org/events/current-event.html";><span
class="confluence-embedded-file-wrapper"><img class="confluence-embedded-image
confluence-external-resource"
src="http://www.apache.org/events/current-event-125x125.png";
data-image-src="http://www.apache.org/events/current-event-125x125.png";></span></a></p></div>
<!-- NavigationBar -->
</div>
</div>
@@ -99,7 +107,7 @@ Apache CXF -- Security Configuration
<td height="100%">
<!-- Content -->
<div class="wiki-content">
-<div id="ConfluenceContent"><h2
id="SecurityConfiguration-Backgroundtocommonsecurityconfiguration">Background
to common security configuration</h2><p>From Apache CXF 3.1.0, the <a
shape="rect" href="ws-securitypolicy.html">WS-SecurityPolicy</a> and the <a
shape="rect" href="jax-rs-xml-security.html">XML Security</a> (JAX-RS)
components in CXF share a common set of configuration tags. Previously, the
configuration tags were all defined in the SecurityConstants class in the
cxf-rt-ws-security module. The JAX-RS XML Security component then referenced
these configuration tags directly, which meant that the XML Security component
had to have a dependency on a SOAP module, which was not ideal.</p><h2
id="SecurityConfiguration-NewconfigurationtagsinApacheCXF3.1.0">New
configuration tags in Apache CXF 3.1.0</h2><p>From Apache CXF 3.1.0, the
cxf-rt-security module is now shared between both the WS-Security and JAX-RS
XML Security modules, and contains a SecurityConstants class that defines s
ecurity constants used by both stacks. These configuration tags are exactly
the same as a set of previous configuration tags found in the WS-Security
SecurityConstants class in previous releases, except that the prefix is now
"security" (was "ws-security"). Here are the new set of configuration
tags:</p><h4 id="SecurityConfiguration-Userproperties">User properties</h4><div
class="table-wrap"><table class="confluenceTable"><colgroup span="1"><col
span="1"><col span="1"></colgroup><tbody><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>security.username</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>The user's name. It is used differently by each of the
Security functions, see <a shape="rect"
href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#USERNAME";>here</a>
for more information.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>security.password</p></td><td colspan="1" rowspan="1"
class="confluenceTd"
><p>The user's password when "security.callback-handler" is not defined. It is
>currently only used for the case of adding a password to a
>UsernameToken.</p></td></tr><tr><td colspan="1" rowspan="1"
>class="confluenceTd"><p>security.signature.username</p></td><td colspan="1"
>rowspan="1" class="confluenceTd"><p>The user's name for signature. It is used
>as the alias name in the keystore to get the user's cert and private key for
>signature. See <a shape="rect"
>href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#SIGNATURE_USERNAME";>here</a>
> for more information.</p></td></tr><tr><td colspan="1" rowspan="1"
>class="confluenceTd">security.signature.password <strong>CXF
>3.3.2</strong></td><td colspan="1" rowspan="1" class="confluenceTd">The
>user's password for signature when "security.callback-handler" is not
>defined.</td></tr><tr><td colspan="1" rowspan="1"
>class="confluenceTd"><p>security.encryption.username</p></td><td colspan="1"
>rowspan="1" class=
"confluenceTd"><p>The user's name for encryption. It is used as the alias name
in the keystore to get the user's public key for encryption. See <a
shape="rect"
href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#ENCRYPT_USERNAME";>here</a>
for more information.</p></td></tr></tbody></table></div><h4
id="SecurityConfiguration-CallbackClassandCryptoproperties">Callback Class and
Crypto properties</h4><div class="table-wrap"><table
class="confluenceTable"><colgroup span="1"><col span="1"><col
span="1"></colgroup><tbody><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>security.callback-handler</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>The CallbackHandler <a shape="rect"
href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#CALLBACK_HANDLER";>implementation</a>
class used to obtain passwords.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>security.saml-callback-han
dler</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The SAML
CallbackHandler <a shape="rect"
href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#SAML_CALLBACK_HANDLER";>implementation</a>
class used to construct SAML Assertions.</p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"><p>security.signature.properties</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The Crypto property <a
shape="rect"
href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#SIGNATURE_PROPERTIES";>configuration</a>
to use for signature, if "security.signature.crypto" is not set
instead.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>security.encryption.properties</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>The Crypto property <a shape="rect"
href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#ENCRYPT_PROPERTIES";>confi
guration</a> to use for encryption, if "security.encryption.crypto" is not set
instead.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>security.signature.crypto</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>A Crypto <a shape="rect"
class="external-link"
href="http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/components/crypto/Crypto.html";>object</a>
to be used for signature. If this is not defined then
"security.signature.properties" is used instead.</p></td></tr><tr><td
colspan="1" rowspan="1"
class="confluenceTd"><p>security.encryption.crypto</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>A Crypto <a shape="rect"
class="external-link"
href="http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/components/crypto/Crypto.html";>object</a>
to be used for encryption. If this is not defined then
"security.encryption.properties" is used
instead.</p></td></tr></tbody></table></div><p><strong>Note:</strong> for
Symmetric bindings
that specify a protection token, the security-encryption properties are
used.</p><h4
id="SecurityConfiguration-BooleanSecurityconfigurationtags,e.g.thevalueshouldbe"true"or"false".">Boolean
Security configuration tags, e.g. the value should be "true" or
"false".</h4><div class="table-wrap"><table class="confluenceTable"><colgroup
span="1"><col span="1"><col span="1"><col span="1"></colgroup><tbody><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>constant</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>default</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>definition</p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"><p>security.enableRevocation</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>false</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>Whether to enable Certificate Revocation
List (CRL) checking or not when verifying trust in a
certificate.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">security.enable.unsigned-saml-assertion.principal</td><td
colspan="1" rowspan="1" class="confluenceTd">false</td><td colspan="1"
rowspan="1" class="confluenceTd">Whether to allow unsigned saml assertions as
SecurityContext Principals. The default is false.<p>Note that "unsigned" refers
to an internal signature. Even if the token is signed by an external signature
(as per the "sender-vouches" requirement), this boolean must still be
configured if you want to use the token to set up the security
context.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">security.validate.saml.subject.conf</td><td colspan="1"
rowspan="1" class="confluenceTd">true</td><td colspan="1" rowspan="1"
class="confluenceTd">Whether to validate the SubjectConfirmation requirements
of a received SAML Token.</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">security.sc.jaas-subject</td><td colspan="1" rowspan="1"
class="confluenceTd">true</td><td colspan="1" rowspa
n="1" class="confluenceTd">Set this to "false" if security context must not be
created from JAAS Subject.</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">security.validate.audience-restriction</td><td colspan="1"
rowspan="1" class="confluenceTd">(varies)</td><td colspan="1" rowspan="1"
class="confluenceTd"><p>If this is set to "true", then IF the SAML Token
contains Audience Restriction URIs, one of them must match one of the values of
the AUDIENCE_RESTRICTIONS property. The default is "true" for SOAP services in
CXF 3.0.x, and "false" for 2.7.x. The default is "false" for REST
services.</p></td></tr></tbody></table></div><h4
id="SecurityConfiguration-Non-booleanSecurityConfigurationparameters">Non-boolean
Security Configuration parameters</h4><div class="table-wrap"><table
class="confluenceTable"><colgroup span="1"><col span="1"><col
span="1"></colgroup><tbody><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>security.saml-role-attributename</p></td><td colspan=
"1" rowspan="1" class="confluenceTd"><p>The attribute URI of the SAML
AttributeStatement where the role information is stored. The default is "<a
shape="rect" class="external-link"
href="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role";
rel="nofollow">http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</a>".</p></td></tr><tr><td
colspan="1" rowspan="1"
class="confluenceTd"><p>security.subject.cert.constraints</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>A String of regular expressions
(separated by the value specified for "security.cert.constraints.separator")
which will be applied to the subject DN of the certificate used for signature
validation, after trust verification of the certificate chain associated with
the certificate. These constraints are not used when the certificate is
contained in the keystore (direct trust).</p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd">security.cert.constraints.separator
<strong>CXF 3.3.3 / 3.2.10
</strong></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The
separator that is used to parse certificate constraints configured via
"security.subject.cert.constraints". By default it is a
comma.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">security.audience-restrictions <strong>CXF
3.1.13</strong></td><td colspan="1" rowspan="1" class="confluenceTd"><p>A comma
separated String corresponding to a list of audience restriction URIs. The
default value for this property contains the request URL and the Service QName.
If the AUDIENCE_RESTRICTION_VALIDATION property is "true", and if a received
SAML Token contains audience restriction URIs, then one of them must match one
of the values specified in this
property.</p></td></tr></tbody></table></div><h4
id="SecurityConfiguration-STSClientConfigurationtags">STS Client Configuration
tags</h4><p><strong>Note: </strong>From CXF 3.1.3 onwards. Prior to CXF 3.1.3
these tags had a "ws-" prefix. The older tags will stil
l work for backwards compatibility reasons.</p><div class="table-wrap"><table
class="confluenceTable"><colgroup span="1"><col span="1"><col
span="1"></colgroup><tbody><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>security.sts.client</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>A reference to the STSClient class used to communicate
with the STS.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>security.sts.applies-to</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>The "AppliesTo" address to send to the STS.
The default is the endpoint address of the service
provider.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>security.sts.token.usecert</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>If true, writes out an X509Certificate
structure in UseKey/KeyInfo. If false (the default), writes out a KeyValue
structure instead.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>security.
sts.token.do.cancel</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>Whether to cancel a token when using SecureConversation
after successful invocation. The default is "false".</p></td></tr><tr><td
colspan="1" rowspan="1"
class="confluenceTd">security.issue.after.failed.renew</td><td colspan="1"
rowspan="1" class="confluenceTd"><p>Whether to fall back to calling "issue"
after failing to renew an expired token. The default is
"true".</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>security.cache.issued.token.in.endpoint</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Set this to "false" to not
cache a SecurityToken per proxy object in the IssuedTokenInterceptorProvider.
This should be done if a token is being retrieved from an STS in an
intermediary. The default value is "true".</p></td></tr><tr><td colspan="1"
rowspan="1"
class="confluenceTd"><p>security.sts.disable-wsmex-call-using-epr-address</p></td><td
colspan="1" rowspan="1" class="c
onfluenceTd"><p>Whether to avoid STS client trying send WS-MetadataExchange
call using STS EPR WSA address when the endpoint contract contains no
WS-MetadataExchange info. The default value is "false".</p></td></tr><tr><td
colspan="1" rowspan="1"
class="confluenceTd"><p>security.sts.token.crypto</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>A Crypto object to be used for the STS. See
<a shape="rect"
href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#STS_TOKEN_CRYPTO";>here</a>
for more information.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>security.sts.token.properties</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>The Crypto property configuration to use
for the STS. See <a shape="rect"
href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#STS_TOKEN_PROPERTIES";>here</a>
for more information.</p></td></tr><tr><td colspan="1" rowspan="1"
class="conflue
nceTd"><p>security.sts.token.username</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>The alias name in the keystore to get the user's public
key to send to the STS for the PublicKey KeyType case.</p></td></tr><tr><td
colspan="1" rowspan="1"
class="confluenceTd"><p>security.sts.token.act-as</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>The token to be sent to the STS in an
"ActAs" field. See <a shape="rect"
href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#STS_TOKEN_ACT_AS";>here</a>
for more information.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>security.sts.token.on-behalf-of</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>The token to be sent to the STS in an
"OnBehalfOf" field. See <a shape="rect"
href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#STS_TOKEN_ON_BEHALF_OF";>here</a>
for more information.</p></td></tr><tr><td colspan="1
" rowspan="1" class="confluenceTd">security.issue.after.failed.renew</td><td
colspan="1" rowspan="1" class="confluenceTd">Whether to call "Issue" if a token
"Renew" fails. Some STSs do not support the renew binding. Defaults to
"true".</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">security.sts.token.imminent-expiry-value</td><td
colspan="1" rowspan="1" class="confluenceTd">The value in seconds within which
a token is considered to be expired by the client, i.e. it is considered to be
expired if it will expire in a time less than the value specified by this tag.
The default value is "10" for CXF 3.0.2+, and "0" for CXF
2.7.13+.</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">security.sts.token.cacher.impl <strong>CXF
3.1.11</strong></td><td colspan="1" rowspan="1" class="confluenceTd"><p>An
implementation of the STSTokenCacher interface, if you want to plug in custom
caching behaviour for STS clients. The default value is the
DefaultSTSTokenCacher.</p></
td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">security.sts.check.for.recursive.call <strong>CXF
3.3.3/3.2.10</strong></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>Check that we are not invoking on the STS using its own
IssuedToken policy - in which case wewill end up with a recursive loop. This
check might be a problem in the unlikely scenario that the remote endpoint has
the same service / port QName as the STS, so this configuration flag allows
to disable this check for that scenario. The default is
"true".</p></td></tr></tbody></table></div><h2
id="SecurityConfiguration-Backwardscompatibility">Backwards
compatibility</h2><p>Users of Apache CXF prior to 3.1.0 do not need to make any
adjustment to their code or spring files. The older "ws-" prefix associated
with the configuration tags above will continue to be accepted.</p></div>
+<div id="ConfluenceContent"><h2
id="SecurityConfiguration-Backgroundtocommonsecurityconfiguration">Background
to common security configuration</h2><p>From Apache CXF 3.1.0, the <a
shape="rect" href="ws-securitypolicy.html">WS-SecurityPolicy</a> and the <a
shape="rect" href="jax-rs-xml-security.html">XML Security</a> (JAX-RS)
components in CXF share a common set of configuration tags. Previously, the
configuration tags were all defined in the SecurityConstants class in the
cxf-rt-ws-security module. The JAX-RS XML Security component then referenced
these configuration tags directly, which meant that the XML Security component
had to have a dependency on a SOAP module, which was not ideal.</p><h2
id="SecurityConfiguration-NewconfigurationtagsinApacheCXF3.1.0">New
configuration tags in Apache CXF 3.1.0</h2><p>From Apache CXF 3.1.0, the
cxf-rt-security module is now shared between both the WS-Security and JAX-RS
XML Security modules, and contains a SecurityConstants class that defines s
ecurity constants used by both stacks. These configuration tags are exactly
the same as a set of previous configuration tags found in the WS-Security
SecurityConstants class in previous releases, except that the prefix is now
"security" (was "ws-security"). Here are the new set of configuration
tags:</p><h4 id="SecurityConfiguration-Userproperties">User properties</h4><div
class="table-wrap"><table class="wrapped confluenceTable"><colgroup
span="1"><col span="1"><col span="1"></colgroup><tbody><tr><td colspan="1"
rowspan="1" class="confluenceTd"><p>security.username</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>The user's name. It is used differently by
each of the Security functions, see <a shape="rect"
href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#USERNAME";>here</a>
for more information.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>security.password</p></td><td colspan="1" rowspan="1"
class="confl
uenceTd"><p>The user's password when "security.callback-handler" is not
defined. It is currently only used for the case of adding a password to a
UsernameToken.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>security.signature.username</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>The user's name for signature. It is used
as the alias name in the keystore to get the user's cert and private key for
signature. See <a shape="rect"
href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#SIGNATURE_USERNAME";>here</a>
for more information.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">security.signature.password <strong>CXF
3.3.2</strong></td><td colspan="1" rowspan="1" class="confluenceTd">The user's
password for signature when "security.callback-handler" is not
defined.</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>security.encryption.username</p></td><td colspan="1"
rowspan="1
" class="confluenceTd"><p>The user's name for encryption. It is used as the
alias name in the keystore to get the user's public key for encryption. See <a
shape="rect"
href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#ENCRYPT_USERNAME";>here</a>
for more information.</p></td></tr></tbody></table></div><h4
id="SecurityConfiguration-CallbackClassandCryptoproperties">Callback Class and
Crypto properties</h4><div class="table-wrap"><table class="wrapped
confluenceTable"><colgroup span="1"><col span="1"><col
span="1"></colgroup><tbody><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>security.callback-handler</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>The CallbackHandler <a shape="rect"
href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#CALLBACK_HANDLER";>implementation</a>
class used to obtain passwords.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>security.s
aml-callback-handler</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>The SAML CallbackHandler <a shape="rect"
href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#SAML_CALLBACK_HANDLER";>implementation</a>
class used to construct SAML Assertions.</p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"><p>security.signature.properties</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The Crypto property <a
shape="rect"
href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#SIGNATURE_PROPERTIES";>configuration</a>
to use for signature, if "security.signature.crypto" is not set
instead.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>security.encryption.properties</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>The Crypto property <a shape="rect"
href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#ENCRYPT_P
ROPERTIES">configuration</a> to use for encryption, if
"security.encryption.crypto" is not set instead.</p></td></tr><tr><td
colspan="1" rowspan="1"
class="confluenceTd"><p>security.signature.crypto</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>A Crypto <a shape="rect"
class="external-link"
href="http://ws.apache.org/wss4j/apidocs/org/apache/wss4j/common/crypto/Crypto.html";>object</a>
to be used for signature. If this is not defined then
"security.signature.properties" is used instead.</p></td></tr><tr><td
colspan="1" rowspan="1"
class="confluenceTd"><p>security.encryption.crypto</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>A Crypto <a shape="rect"
class="external-link"
href="http://ws.apache.org/wss4j/apidocs/org/apache/wss4j/common/crypto/Crypto.html";>object</a>
to be used for encryption. If this is not defined then
"security.encryption.properties" is used
instead.</p></td></tr></tbody></table></div><p><strong>Note:</strong> for
Symmetric bindings that
specify a protection token, the security-encryption properties are
used.</p><h4
id="SecurityConfiguration-BooleanSecurityconfigurationtags,e.g.thevalueshouldbe"true"or"false".">Boolean
Security configuration tags, e.g. the value should be "true" or
"false".</h4><div class="table-wrap"><table class="wrapped
confluenceTable"><colgroup span="1"><col span="1"><col span="1"><col
span="1"></colgroup><tbody><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>constant</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>default</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>definition</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>security.enableRevocation</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>false</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>Whether to enable Certificate Revocation List (CRL)
checking or not when verifying trust in a certificate.</p></td></tr><tr><td
colspan="1" rowspan
="1"
class="confluenceTd">security.enable.unsigned-saml-assertion.principal</td><td
colspan="1" rowspan="1" class="confluenceTd">false</td><td colspan="1"
rowspan="1" class="confluenceTd">Whether to allow unsigned saml assertions as
SecurityContext Principals. The default is false.<p>Note that "unsigned" refers
to an internal signature. Even if the token is signed by an external signature
(as per the "sender-vouches" requirement), this boolean must still be
configured if you want to use the token to set up the security
context.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">security.validate.saml.subject.conf</td><td colspan="1"
rowspan="1" class="confluenceTd">true</td><td colspan="1" rowspan="1"
class="confluenceTd">Whether to validate the SubjectConfirmation requirements
of a received SAML Token.</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">security.sc.jaas-subject</td><td colspan="1" rowspan="1"
class="confluenceTd">true</td><td colspan="1" ro
wspan="1" class="confluenceTd">Set this to "false" if security context must
not be created from JAAS Subject.</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">security.validate.audience-restriction</td><td colspan="1"
rowspan="1" class="confluenceTd">(varies)</td><td colspan="1" rowspan="1"
class="confluenceTd"><p>If this is set to "true", then IF the SAML Token
contains Audience Restriction URIs, one of them must match one of the values of
the AUDIENCE_RESTRICTIONS property. The default is "true" for SOAP services in
CXF 3.0.x, and "false" for 2.7.x. The default is "false" for REST
services.</p></td></tr></tbody></table></div><h4
id="SecurityConfiguration-Non-booleanSecurityConfigurationparameters">Non-boolean
Security Configuration parameters</h4><div class="table-wrap"><table
class="wrapped confluenceTable"><colgroup span="1"><col span="1"><col
span="1"></colgroup><tbody><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>security.saml-role-attributename</p></td>
<td colspan="1" rowspan="1" class="confluenceTd"><p>The attribute URI of the
SAML AttributeStatement where the role information is stored. The default is
"<a shape="rect" class="external-link"
href="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role";
rel="nofollow">http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</a>".</p></td></tr><tr><td
colspan="1" rowspan="1"
class="confluenceTd"><p>security.subject.cert.constraints</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>A String of regular expressions
(separated by the value specified for "security.cert.constraints.separator")
which will be applied to the subject DN of the certificate used for signature
validation, after trust verification of the certificate chain associated with
the certificate. These constraints are not used when the certificate is
contained in the keystore (direct trust).</p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd">security.cert.constraints.separator
<strong>CXF 3.
3.3 / 3.2.10</strong></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>The separator that is used to parse certificate
constraints configured via "security.subject.cert.constraints". By default it
is a comma.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">security.audience-restrictions <strong>CXF
3.1.13</strong></td><td colspan="1" rowspan="1" class="confluenceTd"><p>A comma
separated String corresponding to a list of audience restriction URIs. The
default value for this property contains the request URL and the Service QName.
If the AUDIENCE_RESTRICTION_VALIDATION property is "true", and if a received
SAML Token contains audience restriction URIs, then one of them must match one
of the values specified in this
property.</p></td></tr></tbody></table></div><h4
id="SecurityConfiguration-STSClientConfigurationtags">STS Client Configuration
tags</h4><p><strong>Note: </strong>From CXF 3.1.3 onwards. Prior to CXF 3.1.3
these tags had a "ws-" prefix. The older ta
gs will still work for backwards compatibility reasons.</p><div
class="table-wrap"><table class="wrapped confluenceTable"><colgroup
span="1"><col span="1"><col span="1"></colgroup><tbody><tr><td colspan="1"
rowspan="1" class="confluenceTd"><p>security.sts.client</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>A reference to the STSClient class used to
communicate with the STS.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>security.sts.applies-to</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>The "AppliesTo" address to send to the STS.
The default is the endpoint address of the service
provider.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>security.sts.token.usecert</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>If true, writes out an X509Certificate
structure in UseKey/KeyInfo. If false (the default), writes out a KeyValue
structure instead.</p></td></tr><tr><td colspan="1" rowspan="1" class="conflu
enceTd"><p>security.sts.token.do.cancel</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>Whether to cancel a token when using SecureConversation
after successful invocation. The default is "false".</p></td></tr><tr><td
colspan="1" rowspan="1"
class="confluenceTd">security.issue.after.failed.renew</td><td colspan="1"
rowspan="1" class="confluenceTd"><p>Whether to fall back to calling "issue"
after failing to renew an expired token. The default is
"true".</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>security.cache.issued.token.in.endpoint</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Set this to "false" to not
cache a SecurityToken per proxy object in the IssuedTokenInterceptorProvider.
This should be done if a token is being retrieved from an STS in an
intermediary. The default value is "true".</p></td></tr><tr><td colspan="1"
rowspan="1"
class="confluenceTd"><p>security.sts.disable-wsmex-call-using-epr-address</p></td><td
colspan="1"
rowspan="1" class="confluenceTd"><p>Whether to avoid STS client trying send
WS-MetadataExchange call using STS EPR WSA address when the endpoint contract
contains no WS-MetadataExchange info. The default value is
"false".</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>security.sts.token.crypto</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>A Crypto object to be used for the STS. See
<a shape="rect"
href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#STS_TOKEN_CRYPTO";>here</a>
for more information.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>security.sts.token.properties</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>The Crypto property configuration to use
for the STS. See <a shape="rect"
href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#STS_TOKEN_PROPERTIES";>here</a>
for more information.</p></td></tr><tr><td colspan="1" rowspa
n="1" class="confluenceTd"><p>security.sts.token.username</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The alias name in the keystore
to get the user's public key to send to the STS for the PublicKey KeyType
case.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>security.sts.token.act-as</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>The token to be sent to the STS in an
"ActAs" field. See <a shape="rect"
href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#STS_TOKEN_ACT_AS";>here</a>
for more information.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>security.sts.token.on-behalf-of</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>The token to be sent to the STS in an
"OnBehalfOf" field. See <a shape="rect"
href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#STS_TOKEN_ON_BEHALF_OF";>here</a>
for more information.</p></td></t
r><tr><td colspan="1" rowspan="1"
class="confluenceTd">security.issue.after.failed.renew</td><td colspan="1"
rowspan="1" class="confluenceTd">Whether to call "Issue" if a token "Renew"
fails. Some STSs do not support the renew binding. Defaults to
"true".</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">security.sts.token.imminent-expiry-value</td><td
colspan="1" rowspan="1" class="confluenceTd">The value in seconds within which
a token is considered to be expired by the client, i.e. it is considered to be
expired if it will expire in a time less than the value specified by this tag.
The default value is "10" for CXF 3.0.2+, and "0" for CXF
2.7.13+.</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">security.sts.token.cacher.impl <strong>CXF
3.1.11</strong></td><td colspan="1" rowspan="1" class="confluenceTd"><p>An
implementation of the STSTokenCacher interface, if you want to plug in custom
caching behaviour for STS clients. The default value is the DefaultS
TSTokenCacher.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">security.sts.check.for.recursive.call <strong>CXF
3.3.3/3.2.10</strong></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>Check that we are not invoking on the STS using its own
IssuedToken policy - in which case wewill end up with a recursive loop. This
check might be a problem in the unlikely scenario that the remote endpoint has
the same service / port QName as the STS, so this configuration flag allows
to disable this check for that scenario. The default is
"true".</p></td></tr></tbody></table></div><h2
id="SecurityConfiguration-Backwardscompatibility">Backwards
compatibility</h2><p>Users of Apache CXF prior to 3.1.0 do not need to make any
adjustment to their code or spring files. The older "ws-" prefix associated
with the configuration tags above will continue to be accepted.</p></div>
</div>
<!-- Content -->
</td>
![http://www.apache.org/events/current-event-125x125.png"](http://www.apache.org/events/current-event-125x125.png"){kind=link}