wsSecurityProvider - WS-Security Provider (wsSecurityProvider)

Web Services Security default configuration for provider.

| Name | Type | Default | Description |
|---|---|---|---|
| ws-security.username | string | | User information to create Username Token. |
| ws-security.callback-handler | string | | Password callback handler implementation class. |
| ws-security.encryption.username | string | | Alias used for accessing encryption keystore. |
| ws-security.signature.username | string | | Alias used for accessing signature keystore. |
| ws-security.enable.nonce.cache | boolean | true | Whether to cache UsernameToken nonces. |

callerToken

Caller token.

| Name | Type | Default | Description |
|---|---|---|---|
| name | string | | Specify token name. The options are Usernametoken, X509token, Samltoken. |
| userIdentifier | string | | Specifies a SAML attribute that is used as the user principal name in the subject. The default is NameID assertion. |
| groupIdentifier | string | | Specifies a SAML attribute that is used as the name of the group that the authenticated principal is a member of. There is no default value. |
| userUniqueIdentifier | string | | Specifies a SAML attribute that is used as the unique user name as it applies to the WSCredential in the subject. The default is the same as the userIdentifier attribute value. |
| realmIdentifier | string | | Specifies a SAML attribute that is used as the realm name. The default is issuer. |
| includeTokenInSubject | boolean | true | Specifies whether to include a SAML assertion in the subject. |
| mapToUserRegistry | No, Group, User | No | Specifies how to map an identity to a registry user. The options are No, User, and Group. The default is No, and the user registry is not used to create the user subject. No: do not map a SAML identity to a user or group in the registry. Group: map a SAML identity to a group defined in the user registry. User: map a SAML identity to a user defined in the registry. |
| realmName | string | | Specifies a realm name when mapToUserRegistry is set to No or Group. |
| allowCustomCacheKey | boolean | true | Allow the generation of a custom cache key to access the authentication cache and get the subject. |

signatureProperties

Required signature configuration.

| Name | Type | Default | Description |
|---|---|---|---|
| org.apache.ws.security.crypto.merlin.keystore.type | string | | JKS, JCEKS or PKCS11 |
| org.apache.ws.security.crypto.merlin.keystore.alias | string | | The default keystore alias to use, if none is specified. |
| org.apache.ws.security.crypto.merlin.keystore.password | Reversibly encoded password (string) | | Password to access keystore file. |
| org.apache.ws.security.crypto.merlin.file | string | | The location of the keystore. |
| org.apache.ws.security.crypto.merlin.truststore.file | string | | The location of the truststore. |
| org.apache.ws.security.crypto.merlin.truststore.password | Reversibly encoded password (string) | | The truststore password. |
| org.apache.ws.security.crypto.merlin.truststore.type | string | | The truststore type. |
| org.apache.ws.security.crypto.provider | string | org.apache.ws.security.components.crypto.Merlin | Provider used to create Crypto instances. Defaults to "org.apache.ws.security.components.crypto.Merlin". |
| org.apache.ws.security.crypto.merlin.keystore.provider | string | | The provider used to load keystores. Defaults to installed provider. |
| org.apache.ws.security.crypto.merlin.cert.provider | string | | The provider used to load certificates. Defaults to keystore provider. |
| org.apache.ws.security.crypto.merlin.x509crl.file | string | | The location of an (X509) CRL file to use. |
| org.apache.ws.security.crypto.merlin.keystore.private.password | Reversibly encoded password (string) | | The default password used to load the private key. |

encryptionProperties

Required encryption configuration.

| Name | Type | Default | Description |
|---|---|---|---|
| org.apache.ws.security.crypto.merlin.keystore.type | string | | JKS, JCEKS or PKCS11 |
| org.apache.ws.security.crypto.merlin.keystore.alias | string | | The default keystore alias to use, if none is specified. |
| org.apache.ws.security.crypto.merlin.keystore.password | Reversibly encoded password (string) | | Password to access keystore file. |
| org.apache.ws.security.crypto.provider | string | org.apache.ws.security.components.crypto.Merlin | Provider used to create Crypto instances. Defaults to "org.apache.ws.security.components.crypto.Merlin". |
| org.apache.ws.security.crypto.merlin.file | string | | The location of the keystore. |
| org.apache.ws.security.crypto.merlin.keystore.provider | string | | The provider used to load keystores. Defaults to installed provider. |
| org.apache.ws.security.crypto.merlin.cert.provider | string | | The provider used to load certificates. Defaults to keystore provider. |
| org.apache.ws.security.crypto.merlin.x509crl.file | string | | The location of an (X509) CRL file to use. |
| org.apache.ws.security.crypto.merlin.keystore.private.password | Reversibly encoded password (string) | | The default password used to load the private key. |
| org.apache.ws.security.crypto.merlin.truststore.file | string | | The location of the truststore. |
| org.apache.ws.security.crypto.merlin.truststore.password | Reversibly encoded password (string) | | The truststore password. |
| org.apache.ws.security.crypto.merlin.truststore.type | string | | The truststore type. |

samlToken

Specifies the properties that are used to evaluate the trustworthiness and validity of a SAML Assertion.

| Name | Type | Default | Description |
|---|---|---|---|
| wantAssertionsSigned | boolean | true | Indicates a requirement for the <saml:Assertion> elements received by this service provider to be signed. |
| clockSkew | A period of time with millisecond precision | 5m | The allowed clock skew when validating the SAML token. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds. |
| requiredSubjectConfirmationMethod | bearer | bearer | Specify whether the Subject Confirmation Method is required in the SAML Assertion. Default is true. The only option is bearer. |
| timeToLive | A period of time with millisecond precision | 30m | Specify the default lifetime of a SAML Assertion when it does not define the NotOnOrAfter condition. Default is 30 minutes. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds. |
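The following server.xml fragment is an added example showing how the wsSecurityProvider, signatureProperties, encryptionProperties, callerToken and samlToken tables above fit together; it is not configuration taken from this page or from the product documentation. Only the element and attribute names come from the tables; the callback-handler class, key aliases, keystore paths and the `{xor}` encoded-password values are placeholders to be replaced with real ones. It keeps the secure defaults explicit (nonce caching on, signed assertions required, bearer confirmation required, 5m skew, 30m lifetime) so that a reviewer can see at a glance which settings govern token replay, signature enforcement and validity windows.

```xml
<!-- Added example (not from the page or product docs). Placeholders are marked PLACEHOLDER. -->
<server>
  <!-- Enable the WS-Security feature; feature name assumed from the product's feature naming. -->
  <featureManager>
    <feature>wsSecurity-1.1</feature>
  </featureManager>

  <!-- Provider-side WS-Security defaults (first table). -->
  <wsSecurityProvider
      ws-security.callback-handler="com.example.PLACEHOLDERPasswordCallback"
      ws-security.signature.username="serviceSigningKey"
      ws-security.encryption.username="serviceEncryptionKey"
      ws-security.enable.nonce.cache="true">

    <!-- signatureProperties: keystore holding the signing key; truststore for peer certs, CRL for revocation checks. -->
    <signatureProperties
        org.apache.ws.security.crypto.provider="org.apache.ws.security.components.crypto.Merlin"
        org.apache.ws.security.crypto.merlin.keystore.type="JKS"
        org.apache.ws.security.crypto.merlin.file="${server.config.dir}/resources/security/PLACEHOLDER-sig.jks"
        org.apache.ws.security.crypto.merlin.keystore.alias="serviceSigningKey"
        org.apache.ws.security.crypto.merlin.keystore.password="{xor}PLACEHOLDER"
        org.apache.ws.security.crypto.merlin.keystore.private.password="{xor}PLACEHOLDER"
        org.apache.ws.security.crypto.merlin.truststore.type="JKS"
        org.apache.ws.security.crypto.merlin.truststore.file="${server.config.dir}/resources/security/PLACEHOLDER-trust.jks"
        org.apache.ws.security.crypto.merlin.truststore.password="{xor}PLACEHOLDER"
        org.apache.ws.security.crypto.merlin.x509crl.file="${server.config.dir}/resources/security/PLACEHOLDER.crl"/>

    <!-- encryptionProperties: same attribute set, pointing at the decryption keystore. -->
    <encryptionProperties
        org.apache.ws.security.crypto.merlin.keystore.type="JKS"
        org.apache.ws.security.crypto.merlin.file="${server.config.dir}/resources/security/PLACEHOLDER-enc.jks"
        org.apache.ws.security.crypto.merlin.keystore.alias="serviceEncryptionKey"
        org.apache.ws.security.crypto.merlin.keystore.password="{xor}PLACEHOLDER"
        org.apache.ws.security.crypto.merlin.keystore.private.password="{xor}PLACEHOLDER"/>

    <!-- callerToken: build the caller subject from the SAML assertion without consulting the user registry;
         the attribute names (uid, memberOf) are assumed names of attributes in the incoming assertion. -->
    <callerToken name="Samltoken"
        mapToUserRegistry="No"
        realmName="PLACEHOLDER-realm"
        userIdentifier="uid"
        groupIdentifier="memberOf"
        includeTokenInSubject="true"
        allowCustomCacheKey="true"/>

    <!-- samlToken: enforce signed assertions, bearer confirmation, and bounded validity. -->
    <samlToken
        wantAssertionsSigned="true"
        requiredSubjectConfirmationMethod="bearer"
        clockSkew="5m"
        timeToLive="30m"/>
  </wsSecurityProvider>
</server>
```

The two settings most worth reviewing in such a file are `wantAssertionsSigned` (turning it off lets an unsigned assertion drive the caller subject) and `timeToLive`, which is the only bound on an assertion that omits NotOnOrAfter; lowering it, together with the 5m `clockSkew`, shrinks the replay window for such assertions.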

samlToken > audienceRestrictions

Specify the allowed audiences of the SAML Assertion. Default is all audiences allowed.