WS-Security Provider (wsSecurityProvider)
Web Services Security default configuration for provider.
Name Type Default Description ws-security.callback-handler string Password callback handler implementation class. ws-security.enable.nonce.cache boolean true Whether to cache UsernameToken nonces. ws-security.encryption.username string Alias used for accessing encryption keystore. ws-security.signature.username string Alias used for accessing signature keystore. ws-security.username string User information to create Username Token.
Caller token.
Name Type Default Description allowCustomCacheKey boolean true Allow the generation of a custom cache key to access the authentication cache and get the subject. groupIdentifier string Specifies a SAML attribute used as the name of the group that the authenticated principal is a member of. There is no default value. includeTokenInSubject boolean true Specifies whether to include a SAML assertion in the subject. mapToUserRegistry
- Group
- No
- User
No Specifies how to map an identity to a registry user. The options are No, User, and Group. The default is No, and the user registry is not used to create the user subject.
Group
Map a SAML identity to a group defined in the user registry
No
Do not map a SAML identity to a user or group in the registry
User
Map a SAML identity to a user defined in the registryname string Specify token name. The options are Usernametoken, X509token, Samltoken. realmIdentifier string Specifies a SAML attribute used as the realm name. The default is issuer. realmName string Specifies a realm name when mapToUserRegistry is set to No or Group. userIdentifier string Specifies a SAML attribute used as the user principal name in the subject. The default is NameID assertion. userUniqueIdentifier string Specifies a SAML attribute used as the unique user name as it applies to the WSCredential in the subject. The default is the same as the userIdentifier attribute value.
Required encryption configuration.
Name Type Default Description org.apache.ws.security.crypto.merlin.cert.provider string The provider used to load certificates. Defaults to keystore provider. org.apache.ws.security.crypto.merlin.file string The location of the keystore org.apache.ws.security.crypto.merlin.keystore.alias string The default keystore alias to use, if none is specified. org.apache.ws.security.crypto.merlin.keystore.password Reversably encoded password (string) Password to access keystore file. org.apache.ws.security.crypto.merlin.keystore.private.password Reversably encoded password (string) The default password used to load the private key. org.apache.ws.security.crypto.merlin.keystore.provider string The provider used to load keystores. Defaults to installed provider. org.apache.ws.security.crypto.merlin.keystore.type string JKS, JCEKS or PKCS11 org.apache.ws.security.crypto.merlin.truststore.file string The location of the truststore org.apache.ws.security.crypto.merlin.truststore.password Reversably encoded password (string) The truststore password. org.apache.ws.security.crypto.merlin.truststore.type string The truststore type. org.apache.ws.security.crypto.merlin.x509crl.file string The location of an (X509) CRL file to use. org.apache.ws.security.crypto.provider string org.apache.ws.security.components.crypto.Merlin Provider used to create Crypto instances. Defaults to "org.apache.ws.security.components.crypto.Merlin".
Specifies the properties used to evaluate the trustworthiness and validity of a SAML Assertion.
Name Type Default Description audienceRestrictions string
This is specified as a child element rather than as an XML attribute.Specify the allowed audiences of the SAML Assertion. Default is all audiences allowed. clockSkew A period of time with millisecond precision 5m This is used to specify the allowed clock skew in minutes when validating the SAML token. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. We can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds. requiredSubjectConfirmationMethod
- bearer
bearer Specify whether the Subject Confirmation Method is required in the SAML Assertion. Default is true. timeToLive A period of time with millisecond precision 30m Specify the default life time of a SAML Assertion in the case it does not define the NoOnOrAfter condition. Default is 30 minutes. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. We can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds. wantAssertionsSigned boolean true Indicates a requirement for the <saml:Assertion> elements received by this service provider to be signed.
Required signature configuration.
Name Type Default Description org.apache.ws.security.crypto.merlin.cert.provider string The provider used to load certificates. Defaults to keystore provider. org.apache.ws.security.crypto.merlin.file string The location of the keystore org.apache.ws.security.crypto.merlin.keystore.alias string The default keystore alias to use, if none is specified. org.apache.ws.security.crypto.merlin.keystore.password Reversably encoded password (string) Password to access keystore file. org.apache.ws.security.crypto.merlin.keystore.private.password Reversably encoded password (string) The default password used to load the private key. org.apache.ws.security.crypto.merlin.keystore.provider string The provider used to load keystores. Defaults to installed provider. org.apache.ws.security.crypto.merlin.keystore.type string JKS, JCEKS or PKCS11 org.apache.ws.security.crypto.merlin.truststore.file string The location of the truststore org.apache.ws.security.crypto.merlin.truststore.password Reversably encoded password (string) The truststore password. org.apache.ws.security.crypto.merlin.truststore.type string The truststore type. org.apache.ws.security.crypto.merlin.x509crl.file string The location of an (X509) CRL file to use. org.apache.ws.security.crypto.provider string org.apache.ws.security.components.crypto.Merlin Provider used to create Crypto instances. Defaults to "org.apache.ws.security.components.crypto.Merlin".