WS-Security Provider (wsSecurityProvider)

Web Services Security default configuration for provider.

Attributes (name, type, default, description):

ws-security.callback-handler
  Type: string
  Description: Password callback handler implementation class.

ws-security.enable.nonce.cache
  Type: boolean
  Default: true
  Description: Whether to cache UsernameToken nonces.

ws-security.encryption.username
  Type: string
  Description: Alias used for accessing the encryption keystore.

ws-security.signature.username
  Type: string
  Description: Alias used for accessing the signature keystore.

ws-security.username
  Type: string
  Description: User information used to create the Username Token.

wsSecurityProvider > callerToken

Caller token.

Attributes (name, type, default, description):

allowCustomCacheKey
  Type: boolean
  Default: true
  Description: Allow the generation of a custom cache key to access the authentication cache and get the subject.

groupIdentifier
  Type: string
  Description: Specifies a SAML attribute that is used as the name of the group that the authenticated principal is a member of. There is no default value.

includeTokenInSubject
  Type: boolean
  Default: true
  Description: Specifies whether to include a SAML assertion in the subject.

mapToUserRegistry
  Type: one of Group, No, User
  Default: No
  Description: Specifies how to map an identity to a registry user. The options are No, User, and Group. The default is No, and the user registry is not used to create the user subject.
    • Group: Map a SAML identity to a group defined in the user registry.
    • No: Do not map a SAML identity to a user or group in the registry.
    • User: Map a SAML identity to a user defined in the registry.

name
  Type: string
  Description: Specifies the token name. The options are Usernametoken, X509token, Samltoken.

realmIdentifier
  Type: string
  Description: Specifies a SAML attribute that is used as the realm name. The default is issuer.

realmName
  Type: string
  Description: Specifies a realm name when mapToUserRegistry is set to No or Group.

userIdentifier
  Type: string
  Description: Specifies a SAML attribute that is used as the user principal name in the subject. The default is the NameID assertion.

userUniqueIdentifier
  Type: string
  Description: Specifies a SAML attribute that is used as the unique user name as it applies to the WSCredential in the subject. The default is the same as the userIdentifier attribute value.

wsSecurityProvider > encryptionProperties

Required encryption configuration.

Attributes (name, type, default, description):

org.apache.ws.security.crypto.merlin.cert.provider
  Type: string
  Description: The provider used to load certificates. Defaults to the keystore provider.

org.apache.ws.security.crypto.merlin.file
  Type: string
  Description: The location of the keystore.

org.apache.ws.security.crypto.merlin.keystore.alias
  Type: string
  Description: The default keystore alias to use, if none is specified.

org.apache.ws.security.crypto.merlin.keystore.password
  Type: Reversibly encoded password (string)
  Description: Password to access the keystore file.

org.apache.ws.security.crypto.merlin.keystore.private.password
  Type: Reversibly encoded password (string)
  Description: The default password used to load the private key.

org.apache.ws.security.crypto.merlin.keystore.provider
  Type: string
  Description: The provider used to load keystores. Defaults to the installed provider.

org.apache.ws.security.crypto.merlin.keystore.type
  Type: string
  Description: The keystore type: JKS, JCEKS or PKCS11.

org.apache.ws.security.crypto.merlin.truststore.file
  Type: string
  Description: The location of the truststore.

org.apache.ws.security.crypto.merlin.truststore.password
  Type: Reversibly encoded password (string)
  Description: The truststore password.

org.apache.ws.security.crypto.merlin.truststore.type
  Type: string
  Description: The truststore type.

org.apache.ws.security.crypto.merlin.x509crl.file
  Type: string
  Description: The location of an X.509 CRL file to use.

org.apache.ws.security.crypto.provider
  Type: string
  Default: org.apache.ws.security.components.crypto.Merlin
  Description: Provider used to create Crypto instances. Defaults to "org.apache.ws.security.components.crypto.Merlin".

wsSecurityProvider > samlToken

Specifies the properties that are used to evaluate the trustworthiness and validity of a SAML Assertion.

Attributes (name, type, default, description):

audienceRestrictions
  Type: string
  Note: This is specified as a child element rather than as an XML attribute.
  Description: Specifies the allowed audiences of the SAML Assertion. The default is that all audiences are allowed.

clockSkew
  Type: A period of time with millisecond precision
  Default: 5m
  Description: Specifies the allowed clock skew when validating the SAML token. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.

requiredSubjectConfirmationMethod
  Type: one of bearer
  Default: bearer
  Description: Specifies whether the Subject Confirmation Method is required in the SAML Assertion. Default is true.

timeToLive
  Type: A period of time with millisecond precision
  Default: 30m
  Description: Specifies the default lifetime of a SAML Assertion in the case where it does not define the NotOnOrAfter condition. Default is 30 minutes. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.

wantAssertionsSigned
  Type: boolean
  Default: true
  Description: Indicates a requirement for the <saml:Assertion> elements received by this service provider to be signed.

wsSecurityProvider > signatureProperties

Required signature configuration.

Attributes (name, type, default, description):

org.apache.ws.security.crypto.merlin.cert.provider
  Type: string
  Description: The provider used to load certificates. Defaults to the keystore provider.

org.apache.ws.security.crypto.merlin.file
  Type: string
  Description: The location of the keystore.

org.apache.ws.security.crypto.merlin.keystore.alias
  Type: string
  Description: The default keystore alias to use, if none is specified.

org.apache.ws.security.crypto.merlin.keystore.password
  Type: Reversibly encoded password (string)
  Description: Password to access the keystore file.

org.apache.ws.security.crypto.merlin.keystore.private.password
  Type: Reversibly encoded password (string)
  Description: The default password used to load the private key.

org.apache.ws.security.crypto.merlin.keystore.provider
  Type: string
  Description: The provider used to load keystores. Defaults to the installed provider.

org.apache.ws.security.crypto.merlin.keystore.type
  Type: string
  Description: The keystore type: JKS, JCEKS or PKCS11.

org.apache.ws.security.crypto.merlin.truststore.file
  Type: string
  Description: The location of the truststore.

org.apache.ws.security.crypto.merlin.truststore.password
  Type: Reversibly encoded password (string)
  Description: The truststore password.

org.apache.ws.security.crypto.merlin.truststore.type
  Type: string
  Description: The truststore type.

org.apache.ws.security.crypto.merlin.x509crl.file
  Type: string
  Description: The location of an X.509 CRL file to use.

org.apache.ws.security.crypto.provider
  Type: string
  Default: org.apache.ws.security.components.crypto.Merlin
  Description: Provider used to create Crypto instances. Defaults to "org.apache.ws.security.components.crypto.Merlin".
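The following server.xml fragment is an added example showing how the elements documented above (wsSecurityProvider, signatureProperties, encryptionProperties, samlToken and callerToken) fit together in one provider configuration; it is not taken from this reference or from the product's own samples. Everything not listed on this page is an assumption: the feature name wsSecurity-1.1, the keystore and truststore paths, the key aliases, the callback handler class name, the audience URI, and the {xor} values, which stand in for reversibly encoded passwords.

```xml
<!-- Added example (not from the reference page): one wsSecurityProvider configuration.
     Paths, aliases, URIs, the callback handler class and the feature name are placeholders;
     the {xor}... values stand in for reversibly encoded passwords. -->
<server>
  <featureManager>
    <!-- Assumed feature that supplies the wsSecurityProvider element. -->
    <feature>wsSecurity-1.1</feature>
  </featureManager>

  <!-- Provider-level defaults. The callback handler (placeholder class) supplies passwords
       at run time; the two *.username attributes select key aliases in the keystores below.
       Nonce caching is left at its default of true so that a reused UsernameToken nonce is
       detected rather than accepted again. -->
  <wsSecurityProvider
      ws-security.callback-handler="com.example.ws.PasswordCallbackHandler"
      ws-security.signature.username="service-sign"
      ws-security.encryption.username="service-enc"
      ws-security.enable.nonce.cache="true">

    <!-- Signature keystore plus a truststore for the CAs that may sign peer certificates.
         The CRL file lets the Merlin provider reject a signer certificate that has been revoked. -->
    <signatureProperties
        org.apache.ws.security.crypto.merlin.keystore.type="JKS"
        org.apache.ws.security.crypto.merlin.file="${server.config.dir}/resources/security/sign.jks"
        org.apache.ws.security.crypto.merlin.keystore.password="{xor}PLACEHOLDER_KEYSTORE_PASSWORD"
        org.apache.ws.security.crypto.merlin.keystore.alias="service-sign"
        org.apache.ws.security.crypto.merlin.truststore.type="JKS"
        org.apache.ws.security.crypto.merlin.truststore.file="${server.config.dir}/resources/security/trust.jks"
        org.apache.ws.security.crypto.merlin.truststore.password="{xor}PLACEHOLDER_TRUSTSTORE_PASSWORD"
        org.apache.ws.security.crypto.merlin.x509crl.file="${server.config.dir}/resources/security/issuer.crl" />

    <!-- Encryption keystore: a key pair separate from the signing key (placeholder values),
         so that compromise or rotation of one key does not affect the other. -->
    <encryptionProperties
        org.apache.ws.security.crypto.merlin.keystore.type="JKS"
        org.apache.ws.security.crypto.merlin.file="${server.config.dir}/resources/security/enc.jks"
        org.apache.ws.security.crypto.merlin.keystore.password="{xor}PLACEHOLDER_KEYSTORE_PASSWORD"
        org.apache.ws.security.crypto.merlin.keystore.alias="service-enc" />

    <!-- SAML validation. wantAssertionsSigned="true" (the default) is what makes the assertion
         contents trustworthy; clockSkew is tightened below the 5m default; timeToLive only
         applies to assertions that carry no NotOnOrAfter condition. audienceRestrictions is a
         child element, as the reference notes; the audience URI is an assumed value. -->
    <samlToken wantAssertionsSigned="true"
               requiredSubjectConfirmationMethod="bearer"
               clockSkew="2m"
               timeToLive="10m">
      <audienceRestrictions>https://api.example.com/orders</audienceRestrictions>
    </samlToken>

    <!-- Caller identity: the principal comes from the NameID (userIdentifier default) and is
         mapped to a registry user, so authorization decisions use the registry's groups. -->
    <callerToken name="Samltoken"
                 mapToUserRegistry="User"
                 includeTokenInSubject="true" />
  </wsSecurityProvider>
</server>
```

realmName is omitted because, per the reference, it only applies when mapToUserRegistry is No or Group; with User the realm comes from the registry. The assumed callback handler class has to be available on the application or server classpath for the provider to load it.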