Posted to fx-dev@ws.apache.org by we...@apache.org on 2005/09/06 21:42:05 UTC

svn commit: r279080 - in /webservices/wss4j/trunk/src/org/apache/ws/security/handler: WSHandler.java WSHandlerConstants.java

Author: werner
Date: Tue Sep  6 12:41:58 2005
New Revision: 279080

URL: http://svn.apache.org/viewcvs?rev=279080&view=rev
Log:
First implementation of the SignatureConfirmation feature of WSS 1.1.
Enhanced to sign the SignatureConfirmation if at least one Signature
action is defined for the handler in the response path. The first
handler in the response path takes care of this.

Modified:
    webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandler.java
    webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandlerConstants.java

Modified: webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandler.java
URL: http://svn.apache.org/viewcvs/webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandler.java?rev=279080&r1=279079&r2=279080&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandler.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandler.java Tue Sep  6 12:41:58 2005
@@ -63,6 +63,7 @@
  * @author Werner Dittmann (Werner.Dittmann@t-online.de).
  */
 public abstract class WSHandler {
+    protected static String DONE = "done";
     protected static Log log = LogFactory.getLog(WSHandler.class.getName());
     protected static final WSSecurityEngine secEngine = WSSecurityEngine.getInstance();
     protected static Hashtable cryptos = new Hashtable(5);
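Review bot: `DONE` on the added line is a mutable `protected static` field rather than a constant, although it serves both as the value written to `SIG_CONF_DONE` and as the value the first-handler check compares against; any subclass or stray assignment that changes it would make the check never match and let every handler in the chain add its own SignatureConfirmation. Declare it `protected static final String DONE = "done";` and, since it is a class constant, it belongs with the other `static final` members rather than before the `log` field.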
@@ -141,7 +142,7 @@
         /*
          * If after all the parsing no Signature parts defined, set here a
          * default set. This is necessary because we add SignatureConfirmation
-         * and therefore the defaul (Body) must be set here. The default setting
+         * and therefore the default (Body) must be set here. The default setting
          * in WSSignEnvelope doesn't work because the vector is not empty anymore.
          */
         if (reqData.getSignatureParts().isEmpty()) {
@@ -152,18 +153,22 @@
         }
         /*
          * If SignatureConfirmation is enabled and this is a reqsponse then
-         * insert SignatureCOnfrmation elements, note their ids in the signature
+         * insert SignatureCOnfrmation elements, note their wsu:id in the signature
          * parts. They will be signed automatically during a (probably) defined
          * SIGN action.
          */
         if (wssConfig.isEnableSignatureConfirmation() && !isRequest) {
-            Vector results = null;
-            if ((results = (Vector) getProperty(reqData.getMsgContext(),
-                    WSHandlerConstants.RECV_RESULTS)) != null) {
-                performSIGNConfirmation(mu, doc, reqData, results);
+            String done;
+            if ((done = (String) getProperty(reqData.getMsgContext(),
+                    WSHandlerConstants.SIG_CONF_DONE)) == null
+                    || !DONE.equals(done)) {
+                Vector results = null;
+                if ((results = (Vector) getProperty(reqData.getMsgContext(),
+                        WSHandlerConstants.RECV_RESULTS)) != null) {
+                    performSIGNConfirmation(mu, doc, reqData, results);
+                }
             }
         }
-
         /*
          * Here we have all necessary information to perform the requested
          * action(s).
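Review bot: The `done == null ||` test in the added condition is redundant, because `DONE.equals(null)` already yields false and the branch is taken either way; the temporary and the double test can collapse to `if (!DONE.equals(getProperty(reqData.getMsgContext(), WSHandlerConstants.SIG_CONF_DONE))) {`. The rewritten comment line still carries the old misspelling; it should read `* insert SignatureConfirmation elements, note their wsu:Id in the signature`. The enclosing method starts before this hunk.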
@@ -508,14 +513,14 @@
             log.debug("Perform Signature confirmation");
         }
         /*
-         * loop over all results gathered by all handlers in the chain. For
-         * each handler result get the various actions. After that loop we
-         * have all signature results in the signatureActions vector
+         * loop over all results gathered by all handlers in the chain. For each
+         * handler result get the various actions. After that loop we have all
+         * signature results in the signatureActions vector
          */
         Vector signatureActions = new Vector();
         for (int i = 0; i < results.size(); i++) {
             WSHandlerResult wshResult = (WSHandlerResult) results.get(i);
-            
+
             WSSecurityUtil.fetchAllActionResults(wshResult.getResults(),
                     WSConstants.SIGN, signatureActions);
             WSSecurityUtil.fetchAllActionResults(wshResult.getResults(),
@@ -525,30 +530,32 @@
         }
         Vector signatureParts = reqData.getSignatureParts();
         // prepare a SignatureConfirmation token
-        WSAddSignatureConfirmation wsc = new WSAddSignatureConfirmation(reqData.getActor(), mu);
+        WSAddSignatureConfirmation wsc = new WSAddSignatureConfirmation(reqData
+                .getActor(), mu);
         int idHash = wsc.hashCode();
         if (signatureActions.size() > 0) {
             if (doDebug) {
-                log.debug("Signature Confirmation: number of Signature results: " + signatureActions.size());
+                log
+                        .debug("Signature Confirmation: number of Signature results: "
+                                + signatureActions.size());
             }
             for (int i = 0; i < signatureActions.size(); i++) {
-                WSSecurityEngineResult wsr = (WSSecurityEngineResult)signatureActions.get(i);
+                WSSecurityEngineResult wsr = (WSSecurityEngineResult) signatureActions
+                        .get(i);
                 byte[] sigVal = wsr.getSignatureValue();
-                if (sigVal != null) {
-                    String id = "sigcon-" + (idHash + i);
-                    wsc.setId(id);
-                    wsc.build(doc, sigVal);
-                    signatureParts.add(new WSEncryptionPart(id));
-                }
-                wsr.setSignatureValue(null);
+                String id = "sigcon-" + (idHash + i);
+                wsc.setId(id);
+                wsc.build(doc, sigVal);
+                signatureParts.add(new WSEncryptionPart(id));
             }
-        }
-        else {
+        } else {
             String id = "sigcon-" + idHash;
             wsc.setId(id);
             wsc.build(doc, null);
             signatureParts.add(new WSEncryptionPart(id));
         }
+        setProperty(reqData.getMsgContext(), WSHandlerConstants.SIG_CONF_DONE,
+                DONE);
     }
 
     protected void checkSignatureConfirmation(RequestData reqData,
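Review bot: Removing the `if (sigVal != null)` guard means a signature result whose `getSignatureValue()` is null now reaches `wsc.build(doc, sigVal)` with a null value, which is the same form the `else` branch uses to tell the peer that no signature was received; if a null value is still possible here (the guard that was removed suggests it was), the peer would get a "no signature" confirmation for a message that did carry one. Skip such results instead, e.g. `if (sigVal == null) { continue; }` before the `String id = "sigcon-" + (idHash + i);` line, or log them, so that an empty confirmation is only ever emitted from the `else` branch. With `wsr.setSignatureValue(null)` gone, the stored values now stay in the result vector for the life of the message context and the `SIG_CONF_DONE` flag alone prevents duplicates; a short comment at the `setProperty` call stating that would help the next reader. performSIGNConfirmation begins before this hunk.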
@@ -586,7 +593,6 @@
                 for (int ii = 0; ii < sigv.size(); ii++) {
                     byte[] storedValue = (byte[])sigv.get(i);
                     if (Arrays.equals(sigVal, storedValue)) {
-                        log.debug("Check Signature confirmation: match  ");
                         found = true;
                         sigv.remove(ii);
                         break;
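Review bot: The context line `byte[] storedValue = (byte[])sigv.get(i);` indexes `sigv` with the outer loop variable `i` while this loop runs over `ii`, so every iteration compares the received value against the same stored element and, once `i` reaches `sigv.size()`, the lookup throws instead of reporting a mismatch; the `sigv.remove(ii)` two lines below indicates `sigv.get(ii)` was intended. This predates the commit but is in the hunk being edited and directly affects whether a SignatureConfirmation is accepted. checkSignatureConfirmation begins before this hunk.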

Modified: webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandlerConstants.java
URL: http://svn.apache.org/viewcvs/webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandlerConstants.java?rev=279080&r1=279079&r2=279080&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandlerConstants.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandlerConstants.java Tue Sep  6 12:41:58 2005
@@ -1,1372 +1,695 @@
 /*
 
- * Copyright  2003-2004 The Apache Software Foundation.
-
+ * Copyright  2003-2005 The Apache Software Foundation.
  *
-
  *  Licensed under the Apache License, Version 2.0 (the "License");
-
  *  you may not use this file except in compliance with the License.
-
  *  You may obtain a copy of the License at
-
  *
-
  *      http://www.apache.org/licenses/LICENSE-2.0
-
  *
-
  *  Unless required by applicable law or agreed to in writing, software
-
  *  distributed under the License is distributed on an "AS IS" BASIS,
-
  *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-
  *  See the License for the specific language governing permissions and
-
  *  limitations under the License.
-
  *
-
  */
 
-
-
 package org.apache.ws.security.handler;
 
-
-
 import org.apache.ws.security.WSConstants;
-
-
-
 import java.util.Hashtable;
-
 import java.util.Map;
 
-
-
 /**
-
  * This class defines the names, actions, and other string for the deployment
-
  * data of the WSS handler. Both the Axis handler as well as the JAX-RPC handler
-
  * use this class.
-
  *  
-
  * @author Werner Dittmann (werner@apache.org)
-
  */
 
 public class WSHandlerConstants {
-
-
-
     /**
-
      * The action parameter. The
-
      * handlers use the value of this parameter to determine how
-
      * to process the SOAP Envelope. For example in a Axis WSDD file:
-
      * <pre>
-
      * &lt;handler type="java:org.apache.ws.axis.security.WSDoAllSender">
-
      * &lt;parameter name="action" value="UsernameToken"/>
-
      * ...
-
      * </pre>
-
      * orders the handler to attach a <code>UsernameToken</code> to the SOAP
-
      * enevelope. It is a blank separated list of actions to perform.
-
      * <p/>
-
      * The application may set this parameter using the following method:
-
      * <pre>
-
      * call.setProperty(WSDoAllConstants.ACTION, WSDoAllConstants.USERNAME_TOKEN);
-
      * </pre>
-
      * However, the parameter in the WSDD deployment file overwrites the
-
      * property setting (deployment setting overwrites application setting)
-
      */
-
     public static final String ACTION = "action";
-
     public static final String SEND = "send";
-
     public static final String RECEIVE = "receive";
 
     /**
-
      * Perform nothing.
-
      */
-
     public static final String NO_SECURITY = "NoSecurity";
 
-
-
     /**
-
      * Perform a UsernameToken identification only.
-
      */
-
     public static final String USERNAME_TOKEN = "UsernameToken";
 
-
-
     /**
-
      * Perform a SAML Token identification.
-
      */
-
     public static final String SAML_TOKEN_UNSIGNED = "SAMLTokenUnsigned";
-
     public static final String SAML_TOKEN_SIGNED = "SAMLTokenSigned";
 
-
-
     /**
-
      * Perform Signature.
-
      * The signature specific parameters define how to sign, which keys
-
      * to use, and so on
-
      */
-
     public static final String SIGNATURE = "Signature";
 
-
-
     /**
-
      * Perform Encryption.
-
      * The encryption specific parameters define how to encrypt, which keys
-
      * to use, and so on.
-
      */
-
     public static final String ENCRYPT = "Encrypt";
 
-
-
     /**
-
      * Add a timestamp to the security header.
-
      */
-
     public static final String TIMESTAMP = "Timestamp";
 
-
-
     /**
-
      * Supress the serialization of the SOAP message.
-
      * <p/>
-
      * Usually the handler serializes the processed SOAP message into a string
-
      * and sets it into the Axis message context as new current message. To
-
      * supress this action, define this action. In this case the handler
-
      * stores the processed SOAP message as <code>Document</code> in the
-
      * Axis message context with the property name <code>SND_SECURITY</code>.
-
      * <p/>
-
      * A chained handler can retrieve the SOAP message and process it. The
-
      * last handler in the chain must set the processed SOAP message as
-
      * current message in Axis message context.
-
      */
-
     public static final String NO_SERIALIZATION = "NoSerialization";
 
-
-
     /**
-
      * Use this to use a specific signature mechanism for .Net.
-
      * This signature mechanism uses data from the username token and
-
      * a well defined constant string and constructs a signature
-
      * key. 
-
      */
-
     public static final String SIGN_WITH_UT_KEY = "UsernameTokenSignature";
 
     /**
-
      * This is an interal property name to support handler chaining.
-
      * The Axis WSS4J handlers use this message context property to
-
      * hand over the SOAP partially processed envelope document to
-
      * the next WSS4J handler in the chain.
-
      */
-
     public static final String SND_SECURITY = "SND_SECURTIY";
-
     // public static final String RCV_SECURITY = "RCV_SECURTIY";
 
-
-
     /**
-
      * The actor name of the <code>wsse:Security</code> header.
-
      * <p/>
-
      * If this parameter is omitted, the actor name is not set. Please
-
      * refer to {@link org.apache.axis.Constants#ATTR_ACTOR} and {@link org.apache.axis.Constants#ATTR_ROLE}
-
      * about the parameter names. They are set to <code>"actor"</code>
-
      * and <code>"role"</code> respectively.
-
      * <p/>
-
      * The value of the actor or role has to match the receiver's setting
-
      * or may contain standard values.
-
      * <p/>
-
      * The application may set this parameter using the following method:
-
      * <pre>
-
      * call.setProperty(WSDoAllConstants.ACTOR, "ActorName");
-
      * </pre>
-
      * However, the parameter in the WSDD deployment file overwrites the
-
      * property setting (deployment setting overwrites application setting).
-
      *
-
      * @see org.apache.axis.Constants#URI_SOAP11_NEXT_ACTOR
-
      * @see org.apache.axis.Constants#URI_SOAP12_NEXT_ROLE
-
      */
-
     public static final String ACTOR = "actor";
 
-
-
     /**
-
      * The role name of the <code>wsse:Security</code> header.
-
      * This is used for SOAP 1.2. Refer also to {@link #ACTOR}.
-
      */
-
     public static final String ROLE = "role";
 
-
-
     /**
-
      * Sets the <code>mustUnderstand</code> flag.
-
      * <p/>
-
      * If the parameter has the value <code>1</code>
-
      * or <code>true</code> the <code>mustUnderstand</code> is set.
-
      * The values <code>0</code> or <code>false</code> supress the
-
      * flag.
-
      * <p/>
-
      * The application may set this parameter using the following method:
-
      * <pre>
-
      * call.setProperty(WSDoAllConstants.MUST_UNDERSTAND, "false");
-
      * </pre>
-
      * However, the parameter in the WSDD deployment file overwrites the
-
      * property setting (deployment setting overwrites application setting).
-
      * <p/>
-
      * The default setting is <code>true</code>
-
      * <p/>
-
      * Please refer to {@link org.apache.axis.Constants#ATTR_MUST_UNDERSTAND}
-
      * about the parameter name (<code>"mustUnderstand"</code>).
-
      */
-
     public static final String MUST_UNDERSTAND = "mustUnderstand";
 
-
-
     /**
-
      * The user's name. It is used differently by the WS Security functions.
-
      * <ul>
-
      * <li>The <i>UsernameToken</i> function sets this name in the
-
      * <code>UsernameToken</code>.
-
      * </li>
-
      * <li>The <i>Signing</i> function uses this name as the alias name
-
      * in the keystore to get user's certificate and private key to
-
      * perform signing.
-
      * </li>
-
      * <li>The <i>encryption</i>
-
      * functions uses this parameter as fallback if {@link #ENCRYPTION_USER}
-
      * is not used.
-
      * </li>
-
      * </ul>
-
      * It is also possible to set the user's name and the according password
-
      * via the call function, for example:
-
      * <pre>
-
      * ...
-
      * call.setUsername("name");
-
      * call.setPassword("WSS4Java");
-
      * ...
-
      * </pre>
-
      * The user parameter in the deployment descritor (WSDD) file overwrites
-
      * the application's setting.
-
      * </p>
-
      * For an additional way to set the password refer to
-
      * {@link #PW_CALLBACK_CLASS} and {@link #PW_CALLBACK_REF}.
-
      * <p/>
-
      * If the security functions uses the username from the message context, it
-
      * clears the username from the message context
-
      * after they copied it. This prevents sending of the username in the
-
      * HTTP header.
-
      * <p/>
-
      * In this case the HTTP authentication mechansisms do <b>not</b> work
-
      * anymore. User authentication shall be done via the username token or
-
      * the certificate verification of the signature certificate.
-
      */
-
     public static final String USER = "user";
 
-
-
     /**
-
      * The Axis WSS4J handlers provide several ways to get the password required
-
      * to construct a username token or to sign a message.
-
      * In addition the callback class may check if a username/password
-
      * combination is valid. Refer to the documentation of 
-
      * {@link org.apache.ws.security.WSPasswordCallback} for more information
-
      * about this feature.
-
      * <ul>
-
      * <li> A class that implements a callback interface (see below). The
-
      * handler loads this class and calls the callback method. This
-
      * class must have a public default constructor with not parameters.
-
      * </li>
-
      * <li> The application (or a preceeding handler) sets a reference to an
-
      * object that implements the callback interface
-
      * </li>
-
      * <li> The application sets the password directly using the
-
      * <code>setPassword</code> function of the <code>Call</code>.
-
      * </ul>
-
      * The callback class or callback object shall implement specific password
-
      * getter methods, for example reading a database or directory.
-
      * <p/>
-
      * The handler first checks if it can get a the password via a callback
-
      * class. If that fails it checks if it can get the password from the
-
      * object reference, if that also fails the handler tries the password
-
      * property.
-
      * <p/>
-
      * The following parameter defines a class that implements a callback
-
      * handler interface. The handler loads the class and calls the callback
-
      * handler method to get the password. The callback
-
      * class needs to implement the
-
      * {@link javax.security.auth.callback.CallbackHandler} interface.
-
      * <p/>
-
      * The callback function
-
      * {@link javax.security.auth.callback.CallbackHandler#handle(javax.security.auth.callback.Callback[])}
-
      * gets an array of {@link org.apache.ws.security.WSPasswordCallback}
-
      * objects. Only the first entry of the array is used. This object
-
      * contains the username/keyname as identifier. The callback handler must
-
      * set the password or key associated with this identifier before it returns.
-
      * <p/>
-
      * The application may set this parameter using the following method:
-
      * <pre>
-
      * call.setProperty(WSDoAllConstants.PW_CALLBACK_CLASS, "PWCallbackClass");
-
      * </pre>
-
      * However, the parameter in the WSDD deployment file overwrites the
-
      * property setting (deployment setting overwrites application setting).
-
      * <p/>
-
      * Refer also to comment in {@link #USER} about HTTP authentication
-
      * functions.
-
      */
-
     public static final String PW_CALLBACK_CLASS = "passwordCallbackClass";
 
-
-
     /**
-
      * An application may set an object reference to an object that implements
-
      * the {@link javax.security.auth.callback.CallbackHandler} interface.
-
      * Only the application can set this property using:
-
      * <pre>
-
      * call.setProperty(WSDoAllConstants.PW_CALLBACK_REF, anPWCallbackObject);
-
      * </pre>
-
      * Refer to {@link #PW_CALLBACK_CLASS} for further information about
-
      * password callback handling and the priority of the different
-
      * methods.
-
      * <p/>
-
      * Note: every handler that preceeds this handler in the chain can set
-
      * this property too. This may be useful on the server side.
-
      */
-
     public static final String PW_CALLBACK_REF = "passwordCallbackRef";
 
-
-
     /**
-
      * The user's name for encryption.
-
      * <p/>
-
      * The encryption functions uses the public key of this user's certificate
-
      * to encrypt the generated symmetric key.
-
      * <p/>
-
      * If this parameter is not set, then the encryption
-
      * function falls back to the {@link #USER} parameter to get the
-
      * certificate.
-
      * <p/>
-
      * If <b>only</b> encryption of the SOAP body data is requested,
-
      * it is recommended to use this parameter to define the username.
-
      * The application can then use the standard user and password
-
      * functions (see example at {@link #USER} to enable HTTP authentication
-
      * functions.
-
      * <p/>
-
      * Encryption only does not authenticate a user / sender, therefore it
-
      * does not need a password.
-
      * <p/>
-
      * Placing the username of the encryption certficate in the WSDD is not
-
      * a security risk, because the public key of that certificate is used
-
      * only.
-
      * <p/>
-
      * The application may set this parameter using the following method:
-
      * <pre>
-
      * call.setProperty(WSDoAllConstants.ENCYRPTION_USER, "encryptionuser");
-
      * </pre>
-
      * However, the parameter in the WSDD deployment file overwrites the
-
      * property setting (deployment setting overwrites application setting).
-
      */
-
     public static final String ENCRYPTION_USER = "encryptionUser";
 
-
-
     /**
-
      * Specifying this name as {@link ENCRYPTION_USER}
-
      * triggers a special action to get the public key to use for encryption.
-
      * The handler uses the public key of the sender's certificate. Using this
-
      * way to define an encryption key simplifies certificate management to
-
      * a large extend.
-
      */
-
     public static final String USE_REQ_SIG_CERT = "useReqSigCert";
 
-
-
     /**
-
      * This parameter works in the same way as {@link #PW_CALLBACK_CLASS} but
-
      * the Axis WSS4J handler uses it to get the key associated with a key name.
-
      */
-
     public static final String ENC_CALLBACK_CLASS = "EmbeddedKeyCallbackClass";
 
-
-
     /**
-
      * This parameter works in the same way as {@link #PW_CALLBACK_REF} but
-
      * the Axis WSS4J handler uses it to get the key associated with a key name.
-
      */
-
     public static final String ENC_CALLBACK_REF = "EmbeddedKeyCallbackRef";
 
-
-
     /**
-
      * Text of the key name that needs to be sent
-
      */
-
     public static final String ENC_KEY_NAME = "EmbeddedKeyName";
 
-
-
     /**
-
      * The name of the crypto propterty file to use for SOAP Signature.
-
      * <p/>
-
      * The classloader loads this file. Therefore it must be accessible
-
      * via the classpath.
-
      * <p/>
-
      * To locate the implementation of the
-
      * {@link org.apache.ws.security.components.crypto.Crypto Crypto}
-
      * interface implementation the property file must contain the property
-
      * <code>org.apache.ws.security.crypto.provider</code>. The value of
-
      * this property is the classname of the implementation class.
-
      * <p/>
-
      * The following line defines the standard implementation:
-
      * <pre>
-
      * org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
-
      * </pre>
-
      * The other contents of the property file depend on the implementation
-
      * of the {@link org.apache.ws.security.components.crypto.Crypto Crypto}
-
      * interface implementation.
-
      * <p/>
-
      * The property file of the standard implementation
-
      * {@link org.apache.ws.security.components.crypto.Merlin} uses
-
      * the following properties:
-
      * <pre>
-
      * org.apache.ws.security.crypto.provider
-
      * org.apache.ws.security.crypto.merlin.file
-
      * org.apache.ws.security.crypto.merlin.keystore.type
-
      * org.apache.ws.security.crypto.merlin.keystore.provider
-
      * org.apache.ws.security.crypto.merlin.keystore.password
-
      * org.apache.ws.security.crypto.merlin.keystore.alias
-
      * org.apache.ws.security.crypto.merlin.cert.provider
-
      * </pre>
-
      * The entries are:
-
      * <ul>
-
      * <li> <code>org.apache.ws.security.crypto.provider</code> see
-
      * description above
-
      * </li>
-
      * <li><code>org.apache.ws.security.crypto.merlin.file</code>
-
      * The path to the keystore file. At first the classloader tries to load
-
      * this file, if this fails the implementations performs a file system
-
      * lookup.
-
      * </li>
-
      * <li><code>org.apache.ws.security.crypto.merlin.keystore.type</code>
-
      * The keystore type, for example <code>JKS</code> for the Java key store.
-
      * Other keystore type, such as <code>pkcs12</code> are also possible but depend
-
      * on the actual <code>Crypto</code> implementation.
-
      * </li>
-
      * <li><code>org.apache.ws.security.crypto.merlin.keystore.password</code>
-
      * The password to read the keystore. If this property is not set, then
-
      * the <code>pwcallback</code>property must be defined.
-
      * </li>
-
      * </ul>
-
      * The application may set this parameter using the following method:
-
      * <pre>
-
      * call.setProperty(WSDoAllConstants.SIG_PROP_FILE, "myCrypto.properties");
-
      * </pre>
-
      * However, the parameter in the WSDD deployment file overwrites the
-
      * property setting (deployment setting overwrites application setting).
-
      * <p/>
-
      * If a property file is not set and a signature is requested,
-
      * the handler throws an <code>AxisFault</code>.
-
      */
-
     public static final String SIG_PROP_FILE = "signaturePropFile";
 
-
-
     /**
-
      * The WSDoAllReceiver handler stores a result <code>Vector</code>
-
      * in this property.
-
      * <p/>
-
      * The vector contains <code>WSDoAllReceiverResult</code> objects
-
      * for each chained WSDoAllReceiver handler.
-
      */
-
     public static final String RECV_RESULTS = "RECV_RESULTS";
 
-
-
     /**
-
      * The name of the crypto propterty file to use for SOAP Decryption.
-
      * <p/>
-
      * Refer to documentation of {@link #SIG_PROP_FILE}.
-
      * <p/>
-
      * Refer to {@link #SIG_PROP_FILE} for a detail description
-
      * about the format and how to use this property file.
-
      * <p/>
-
      * The application may set this parameter using the following method:
-
      * <pre>
-
      * call.setProperty(WSDoAllConstants.DEC_PROP_FILE, "myCrypto.properties");
-
      * </pre>
-
      * However, the parameter in the WSDD deployment file overwrites the
-
      * property setting (deployment setting overwrites application setting).
-
      * <p/>
-
      * If this parameter is not used, but the signature crypto property
-
      * file is defined (combined Encryption/Signature action), then the
-
      * encryption function uses that file. Otherwise the handler throws
-
      * an <code>AxisFault</code>.
-
      */
-
     public static final String DEC_PROP_FILE = "decryptionPropFile";
 
-
-
     /**
-
      * Specific parameter for UsernameToken action to define the encoding
-
      * of the passowrd.
-
      * <p/>
-
      * The parameter can be set to either {@link WSConstants#PW_DIGEST}
-
      * or to {@link WSConstants#PW_TEXT}.
-
      * <p/>
-
      * The application may set this parameter using the following method:
-
      * <pre>
-
      * call.setProperty(WSDoAllConstants.PASSWORD_TYPE, WSConstants.PW_DIGEST);
-
      * </pre>
-
      * However, the parameter in the WSDD deployment file overwrites the
-
      * property setting (deployment setting overwrites application setting).
-
      * <p/>
-
      * The default setting is PW_DIGEST.
-
      */
-
     public static final String PASSWORD_TYPE = "passwordType";
 
-
-
     /**
-
      * Parameter to generate additional elements in <code>UsernameToken</code>.
-
      * <p/>
-
      * The value of this parameter is a list of element names that are added
-
      * to the UsernameToken. The names of the list a separated by spaces.
-
      * <p/>
-
      * The list may containe the names <code>nonce</code> and
-
      * <code>created</code> only. Use this option if the password type is
-
      * <code>passwordText</code> and the handler shall add the <code>Nonce</code>
-
      * and/or <code>Created</code> elements.
-
      */
-
     public static final String ADD_UT_ELEMENTS = "addUTElements";
 
-
-
     /**
-
      * Defines which key identifier type to use. The WS-Security specifications
-
      * recommends to use the identifier type <code>IssuerSerial</code>. For
-
      * possible signature key identifier types refer to
-
      * {@link #keyIdentifier}. For signature <code>IssuerSerial</code>
-
      * and <code>DirectReference</code> are valid only.
-
      * <p/>
-
      * The application may set this parameter using the following method:
-
      * <pre>
-
      * call.setProperty(WSDoAllConstants.SIG_KEY_ID, "DirectReference");
-
      * </pre>
-
      * However, the parameter in the WSDD deployment file overwrites the
-
      * property setting (deployment setting overwrites application setting).
-
      */
-
     public static final String SIG_KEY_ID = "signatureKeyIdentifier";
 
-
-
     /**
-
      * Defines which signature algorithm to use. Currently this
-
      * parameter is ignored - SHA1RSA is the only supported algorithm,
-
      * will be enhanced soon.
-
      * <p/>
-
      * The application may set this parameter using the following method:
-
      * <pre>
-
      * call.setProperty(WSDoAllConstants.SIG_ALGO, "SHA1RSA");
-
      * </pre>
-
      * However, the parameter in the WSDD deployment file overwrites the
-
      * property setting (deployment setting overwrites application setting).
-
      */
-
     public static final String SIG_ALGO = "signatureAlgorithm";
 
-
-
     /**
-
      * Parameter to define which parts of the request shall be signed.
-
      * <p/>
-
      * Refer to {@link #ENCRYPTION_PARTS} for a detailed description of
-
      * the format of the value string.
-
      * <p/>
-
      * If this parameter is not specified the handler signs the SOAP Body
-
      * by default.
-
      * <p/>
-
      * The WS Security specifications define several formats to transfer the
-
      * signature tokens (certificates) or  references to these tokens.
-
      * Thus, the plain element name <code>Token</code>
-
      * signs the token and takes care of the different format.
-
      * <p/>
-
      * To sign the SOAP body <b>and</b> the signature token the value of this
-
      * parameter must contain:
-
      * <pre>
-
      * &lt;parameter name="signatureParts"
-
      *   value="{}{http://schemas.xmlsoap.org/soap/envelope/}Body; Token" />
-
      * </pre>
-
      * To specify an element without a namespace use the string
-
      * <code>Null</code> as the namespace name (this is a case sensitive
-
      * string)
-
      * <p/>
-
      * If there is no other element in the request with a local name of
-
      * <code>Body</code> then the SOAP namespace identifier can be empty
-
      * (<code>{}</code>).
-
      */
-
     public static final String SIGNATURE_PARTS = "signatureParts";
 
-
-
     /**
-
      * The name of the crypto propterty file to use for SOAP Encryption.
-
      * <p/>
-
      * Refer to documentation of {@link #SIG_PROP_FILE}.
-
      * <p/>
-
      * The application may set this parameter using the following method:
-
      * <pre>
-
      * call.setProperty(WSDoAllConstants.ENC_PROP_FILE, "myCrypto.properties");
-
      * </pre>
-
      * However, the parameter in the WSDD deployment file overwrites the
-
      * property setting (deployment setting overwrites application setting).
-
      * <p/>
-
      * If this parameter is not used, but the signature crypto property
-
      * file is defined (combined Encryption/Signature action), then the
-
      * encryption function uses signature property file. Otherwise the
-
      * handler throws an <code>AxisFault</code>.
-
      */
-
     public static final String ENC_PROP_FILE = "encryptionPropFile";
 
-
-
     /**
-
      * Defines which key identifier type to use. The WS-Security specifications
-
      * recommends to use the identifier type <code>IssuerSerial</code>. For
-
      * possible encryption key identifier types refer to
-
      * {@link #keyIdentifier}. For encryption <code>IssuerSerial</code>
-
      * and <code>X509KeyIdentifier</code> are valid only.
-
      * <p/>
-
      * The application may set this parameter using the following method:
-
      * <pre>
-
      * call.setProperty(WSDoAllConstants.ENC_KEY_ID, "X509KeyIdentifier");
-
      * </pre>
-
      * However, the parameter in the WSDD deployment file overwrites the
-
      * property setting (deployment setting overwrites application setting).
-
      */
-
     public static final String ENC_KEY_ID = "encryptionKeyIdentifier";
 
-
-
     /**
-
      * Defines which symmetric encryption algorithm to use. WSS4J supports the
-
      * following alorithms: {@link WSConstants#TRIPLE_DES},
-
      * {@link WSConstants#AES_128}, {@link WSConstants#AES_256},
-
      * and {@link WSConstants#AES_192}. Except for AES 192 all of these
-
      * algorithms are required by the XML Encryption specification.
-
      * <p/>
-
      * The application may set this parameter using the following method:
-
      * <pre>
-
      * call.setProperty(WSDoAllConstants.ENC_SYM_ALGO, "AES256");
-
      * </pre>
-
      * However, the parameter in the WSDD deployment file overwrites the
-
      * property setting (deployment setting overwrites application setting).
-
      */
-
     public static final String ENC_SYM_ALGO = "encryptionSymAlgorithm";
 
-
-
     /**
-
      * Defines which algorithm to use to encrypt the generated symmetric key.
-
      * Currently WSS4J supports {@link WSConstants#KEYTRANSPORT_RSA15} only.
-
      * <p/>
-
      * The application may set this parameter using the following method:
-
      * <pre>
-
      * call.setProperty(WSDoAllConstants.ENC_KEY_TRANSPORT, "RSA15");
-
      * </pre>
-
      * However, the parameter in the WSDD deployment file overwrites the
-
      * property setting (deployment setting overwrites application setting).
-
      */
-
     public static final String ENC_KEY_TRANSPORT =
-
             "encryptionKeyTransportAlgorithm";
 
-
-
     /**
-
      * Parameter to define which parts of the request shall be encrypted.
-
      * <p/>
-
      * The value of this parameter is a list of semi-colon separated
-
      * element names that identify the elements to encrypt. An encryption mode
-
      * specifier and a namespace identification, each inside a pair of curly
-
      * brackets, may preceed each element name.
-
      * <p/>
-
      * The encryption mode specifier is either <code>{Content}</code> or
-
      * <code>{Element}</code>. Please refer to the W3C XML Encryption
-
      * specification about the differences between Element and Content
-
      * encryption. The encryption mode defaults to <code>Content</code>
-
      * if it is omitted. Example of a list:
-
      * <pre>
-
      * &lt;parameter name="encryptionParts"
-
      *   value="{Content}{http://example.org/paymentv2}CreditCard;
-
      *             {Element}{}UserName" />
-
      * </pre>
-
      * The the first entry of the list identifies the element
-
      * <code>CreditCard</code> in the namespace
-
      * <code>http://example.org/paymentv2</code>, and will encrypt its content.
-
      * Be aware that the element name, the namespace identifier, and the
-
      * encryption modifier are case sensitive.
-
      * <p/>
-
      * The encryption modifier and the namespace identifier can be ommited.
-
      * In this case the encryption mode defaults to <code>Content</code> and
-
      * the namespace is set to the SOAP namespace.
-
      * <p/>
-
      * An empty encryption mode defaults to <code>Content</code>, an empty
-
      * namespace identifier defaults to the SOAP namespace.
-
      * The second line of the example defines <code>Element</code> as
-
      * encryption mode for an <code>UserName</code> element in the SOAP
-
      * namespace.
-
      * <p/>
-
      * To specify an element without a namespace use the string
-
      * <code>Null</code> as the namespace name (this is a case sensitive
-
      * string)
-
      * <p/>
-
      * If no list is specified, the handler encrypts the SOAP Body in
-
      * <code>Content</code> mode by default.
-
      */
-
     public static final String ENCRYPTION_PARTS = "encryptionParts";
 
-
-
     /**
-
      * The name of the SAML Issuer factory property file.
-
      * The classloader loads this file. Therefore it must be accessible
-
      * via the classpath.
-
      */
-
     public static final String SAML_PROP_FILE = "samlPropFile";
 
-
-
     /**
-
      * Time-To-Live is the time difference between creation and expiry time in
-
      * the WSS Timestamp.
-
      * The time-to-live in seconds. After this time the SOAP request is
-
      * invalid (at least the security data shall be treated this way).
-
      * <p/>
-
      * If this parameter is not defined, contains a value less or equal
-
      * zero, or an illegal format the handlers use a default TTL of
-
      * 300 seconds (5 minutes).
-
      */
-
     public static final String TTL_TIMESTAMP = "timeToLive";
 
-
     /**
      * Should timestamps have precision in milliseconds
      */
     public static final String TIMESTAMP_PRECISION = "precisionInMilliseconds";
-    
-    public static final String SEND_SIGV = "_sendSignatureValues_";
 
     /**
-
      * Define the parameter values to set the key identifier types. These are:
-
      * <ul>
-
      * <li><code>DirectReference</code> for {@link WSConstants#BST_DIRECT_REFERENCE}
-
      * </li>
-
      * <li><code>IssuerSerial</code> for {@link WSConstants#ISSUER_SERIAL}
-
      * </li>
-
      * <li><code>X509KeyIdentifier</code> for {@link WSConstants#X509_KEY_IDENTIFIER}
-
      * </li>
-
      * <li><code>SKIKeyIdentifier</code> for {@link WSConstants#SKI_KEY_IDENTIFIER}
-
      * </li>
-
      * <li><code>EmbeddedKeyName</code> for {@link WSConstants#EMBEDDED_KEYNAME}
-
      * </li>
-
      * </ul
-
      * See {@link #SIG_KEY_ID} {@link #ENC_KEY_ID}.
-
      */
-
     public static Map keyIdentifier = new Hashtable();
 
-
-
     static {
-
         keyIdentifier.put("DirectReference",
-
                 new Integer(WSConstants.BST_DIRECT_REFERENCE));
-
         keyIdentifier.put("IssuerSerial",
-
                 new Integer(WSConstants.ISSUER_SERIAL));
-
         keyIdentifier.put("X509KeyIdentifier",
-
                 new Integer(WSConstants.X509_KEY_IDENTIFIER));
-
         keyIdentifier.put("SKIKeyIdentifier",
-
                 new Integer(WSConstants.SKI_KEY_IDENTIFIER));
-
         keyIdentifier.put("EmbeddedKeyName",
-
                 new Integer(WSConstants.EMBEDDED_KEYNAME));
-
-
-
     }
-
-
-
+    /*
+     * internally used property names to store values inside the message context
+     * that must have the same livetime as a message (request/response model).
+     */
+    public static final String SEND_SIGV = "_sendSignatureValues_";
+    public static final String SIG_CONF_DONE = "_sigConfDone_";
 }
 


