WS-Security Provider (wsSecurityProvider)
Web Services Security default configuration for provider.
Name | Type | Default | Description |
---|---|---|---|
ws-security.callback-handler | string | Password callback handler implementation class. | |
ws-security.enable.nonce.cache | boolean | true | Whether to cache UsernameToken nonces. |
ws-security.encryption.username | string | Alias used for accessing encryption keystore. | |
ws-security.signature.username | string | Alias used for accessing signature keystore. | |
ws-security.username | string | User information to create Username Token. |
callerToken
Caller token.
Name | Type | Default | Description |
---|---|---|---|
allowCustomCacheKey | boolean | true | Allow the generation of a custom cache key to access the authentication cache and get the subject. |
groupIdentifier | string | Specifies a SAML attribute that is used as the name of the group that the authenticated principal is a member of. There is no default value. | |
includeTokenInSubject | boolean | true | Specifies whether to include a SAML assertion in the subject. |
mapToUserRegistry |
| No | Specifies how to map an identity to a registry user. The options are No, User, and Group. The default is No, and the user registry is not used to create the user subject. |
name | string | Specify token name. The options are Usernametoken, X509token, Samltoken. | |
realmIdentifier | string | Specifies a SAML attribute that is used as the realm name. The default is issuer. | |
realmName | string | Specifies a realm name when mapToUserRegistry is set to No or Group. | |
userIdentifier | string | Specifies a SAML attribute that is used as the user principal name in the subject. The default is NameID assertion. | |
userUniqueIdentifier | string | Specifies a SAML attribute that is used as the unique user name as it applies to the WSCredential in the subject. The default is the same as the userIdentifier attribute value. |
encryptionProperties
Required encryption configuration.
Name | Type | Default | Description |
---|---|---|---|
org.apache.ws.security.crypto.merlin.cert.provider | string | The provider used to load certificates. Defaults to keystore provider. | |
org.apache.ws.security.crypto.merlin.file | string | The location of the keystore | |
org.apache.ws.security.crypto.merlin.keystore.alias | string | The default keystore alias to use, if none is specified. | |
org.apache.ws.security.crypto.merlin.keystore.password | Reversably encoded password (string) | Password to access keystore file. | |
org.apache.ws.security.crypto.merlin.keystore.private.password | Reversably encoded password (string) | The default password used to load the private key. | |
org.apache.ws.security.crypto.merlin.keystore.provider | string | The provider used to load keystores. Defaults to installed provider. | |
org.apache.ws.security.crypto.merlin.keystore.type | string | JKS, JCEKS or PKCS11 | |
org.apache.ws.security.crypto.merlin.truststore.file | string | The location of the truststore | |
org.apache.ws.security.crypto.merlin.truststore.password | Reversably encoded password (string) | The truststore password. | |
org.apache.ws.security.crypto.merlin.truststore.type | string | The truststore type. | |
org.apache.ws.security.crypto.merlin.x509crl.file | string | The location of an (X509) CRL file to use. | |
org.apache.ws.security.crypto.provider | string | org.apache.ws.security.components.crypto.Merlin | Provider used to create Crypto instances. Defaults to "org.apache.ws.security.components.crypto.Merlin". |
samlToken
Specifies the properties that are used to evaluate the trustworthiness and validity of a SAML Assertion.
Name | Type | Default | Description |
---|---|---|---|
audienceRestrictions | string | Specify the allowed audiences of the SAML Assertion. Default is all audiences allowed. | |
clockSkew | A period of time with millisecond precision | 5m | This is used to specify the allowed clock skew in minutes when validating the SAML token. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds. |
requiredSubjectConfirmationMethod |
| bearer | Specify whether the Subject Confirmation Method is required in the SAML Assertion. Default is true. |
timeToLive | A period of time with millisecond precision | 30m | Specify the default life time of a SAML Assertion in the case it does not define the NoOnOrAfter condition. Default is 30 minutes. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds. |
wantAssertionsSigned | boolean | true | Indicates a requirement for the <saml:Assertion> elements received by this service provider to be signed. |
signatureProperties
Required signature configuration.
Name | Type | Default | Description |
---|---|---|---|
org.apache.ws.security.crypto.merlin.cert.provider | string | The provider used to load certificates. Defaults to keystore provider. | |
org.apache.ws.security.crypto.merlin.file | string | The location of the keystore | |
org.apache.ws.security.crypto.merlin.keystore.alias | string | The default keystore alias to use, if none is specified. | |
org.apache.ws.security.crypto.merlin.keystore.password | Reversably encoded password (string) | Password to access keystore file. | |
org.apache.ws.security.crypto.merlin.keystore.private.password | Reversably encoded password (string) | The default password used to load the private key. | |
org.apache.ws.security.crypto.merlin.keystore.provider | string | The provider used to load keystores. Defaults to installed provider. | |
org.apache.ws.security.crypto.merlin.keystore.type | string | JKS, JCEKS or PKCS11 | |
org.apache.ws.security.crypto.merlin.truststore.file | string | The location of the truststore | |
org.apache.ws.security.crypto.merlin.truststore.password | Reversably encoded password (string) | The truststore password. | |
org.apache.ws.security.crypto.merlin.truststore.type | string | The truststore type. | |
org.apache.ws.security.crypto.merlin.x509crl.file | string | The location of an (X509) CRL file to use. | |
org.apache.ws.security.crypto.provider | string | org.apache.ws.security.components.crypto.Merlin | Provider used to create Crypto instances. Defaults to "org.apache.ws.security.components.crypto.Merlin". |