WS-Security Provider (wsSecurityProvider)

Web Services Security default configuration for provider.

NameTypeDefaultDescription

ws-security.callback-handler

string

Password callback handler implementation class.

ws-security.enable.nonce.cache

boolean

true

Whether to cache UsernameToken nonces.

ws-security.encryption.username

string

Alias used for accessing encryption keystore.

ws-security.signature.username

string

Alias used for accessing signature keystore.

ws-security.username

string

User information to create Username Token.

callerToken

Caller token.

NameTypeDefaultDescription

allowCustomCacheKey

boolean

true

Allow the generation of a custom cache key to access the authentication cache and get the subject.

groupIdentifier

string

Specifies a SAML attribute that is used as the name of the group that the authenticated principal is a member of. There is no default value.

includeTokenInSubject

boolean

true

Specifies whether to include a SAML assertion in the subject.

mapToUserRegistry

  • Group

  • No

  • User

No

Specifies how to map an identity to a registry user. The options are No, User, and Group. The default is No, and the user registry is not used to create the user subject.
Group
Map a SAML identity to a group defined in the user registry
No
Do not map a SAML identity to a user or group in the registry
User
Map a SAML identity to a user defined in the registry

name

string

Specify token name. The options are Usernametoken, X509token, Samltoken.

realmIdentifier

string

Specifies a SAML attribute that is used as the realm name. The default is issuer.

realmName

string

Specifies a realm name when mapToUserRegistry is set to No or Group.

userIdentifier

string

Specifies a SAML attribute that is used as the user principal name in the subject. The default is NameID assertion.

userUniqueIdentifier

string

Specifies a SAML attribute that is used as the unique user name as it applies to the WSCredential in the subject. The default is the same as the userIdentifier attribute value.

encryptionProperties

Required encryption configuration.

NameTypeDefaultDescription

org.apache.ws.security.crypto.merlin.cert.provider

string

The provider used to load certificates. Defaults to keystore provider.

org.apache.ws.security.crypto.merlin.file

string

The location of the keystore

org.apache.ws.security.crypto.merlin.keystore.alias

string

The default keystore alias to use, if none is specified.

org.apache.ws.security.crypto.merlin.keystore.password

Reversably encoded password (string)

Password to access keystore file.

org.apache.ws.security.crypto.merlin.keystore.private.password

Reversably encoded password (string)

The default password used to load the private key.

org.apache.ws.security.crypto.merlin.keystore.provider

string

The provider used to load keystores. Defaults to installed provider.

org.apache.ws.security.crypto.merlin.keystore.type

string

JKS, JCEKS or PKCS11

org.apache.ws.security.crypto.merlin.truststore.file

string

The location of the truststore

org.apache.ws.security.crypto.merlin.truststore.password

Reversably encoded password (string)

The truststore password.

org.apache.ws.security.crypto.merlin.truststore.type

string

The truststore type.

org.apache.ws.security.crypto.merlin.x509crl.file

string

The location of an (X509) CRL file to use.

org.apache.ws.security.crypto.provider

string

org.apache.ws.security.components.crypto.Merlin

Provider used to create Crypto instances. Defaults to "org.apache.ws.security.components.crypto.Merlin".

samlToken

Specifies the properties that are used to evaluate the trustworthiness and validity of a SAML Assertion.

NameTypeDefaultDescription

audienceRestrictions

string
This is specified as a child element rather than as an XML attribute.

Specify the allowed audiences of the SAML Assertion. Default is all audiences allowed.

clockSkew

A period of time with millisecond precision

5m

This is used to specify the allowed clock skew in minutes when validating the SAML token. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.

requiredSubjectConfirmationMethod

  • bearer

bearer

Specify whether the Subject Confirmation Method is required in the SAML Assertion. Default is true.

timeToLive

A period of time with millisecond precision

30m

Specify the default life time of a SAML Assertion in the case it does not define the NoOnOrAfter condition. Default is 30 minutes. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.

wantAssertionsSigned

boolean

true

Indicates a requirement for the <saml:Assertion> elements received by this service provider to be signed.

signatureProperties

Required signature configuration.

NameTypeDefaultDescription

org.apache.ws.security.crypto.merlin.cert.provider

string

The provider used to load certificates. Defaults to keystore provider.

org.apache.ws.security.crypto.merlin.file

string

The location of the keystore

org.apache.ws.security.crypto.merlin.keystore.alias

string

The default keystore alias to use, if none is specified.

org.apache.ws.security.crypto.merlin.keystore.password

Reversably encoded password (string)

Password to access keystore file.

org.apache.ws.security.crypto.merlin.keystore.private.password

Reversably encoded password (string)

The default password used to load the private key.

org.apache.ws.security.crypto.merlin.keystore.provider

string

The provider used to load keystores. Defaults to installed provider.

org.apache.ws.security.crypto.merlin.keystore.type

string

JKS, JCEKS or PKCS11

org.apache.ws.security.crypto.merlin.truststore.file

string

The location of the truststore

org.apache.ws.security.crypto.merlin.truststore.password

Reversably encoded password (string)

The truststore password.

org.apache.ws.security.crypto.merlin.truststore.type

string

The truststore type.

org.apache.ws.security.crypto.merlin.x509crl.file

string

The location of an (X509) CRL file to use.

org.apache.ws.security.crypto.provider

string

org.apache.ws.security.components.crypto.Merlin

Provider used to create Crypto instances. Defaults to "org.apache.ws.security.components.crypto.Merlin".