Posted to commits@ws.apache.org by co...@apache.org on 2014/02/06 12:29:05 UTC

svn commit: r1565175 - /webservices/wss4j/site/src/site/xdoc/config.xml

Author: coheigea
Date: Thu Feb  6 11:29:04 2014
New Revision: 1565175

URL: http://svn.apache.org/r1565175
Log:
Updating website configuration page

Modified:
    webservices/wss4j/site/src/site/xdoc/config.xml

Modified: webservices/wss4j/site/src/site/xdoc/config.xml
URL: http://svn.apache.org/viewvc/webservices/wss4j/site/src/site/xdoc/config.xml?rev=1565175&r1=1565174&r2=1565175&view=diff
==============================================================================
--- webservices/wss4j/site/src/site/xdoc/config.xml (original)
+++ webservices/wss4j/site/src/site/xdoc/config.xml Thu Feb  6 11:29:04 2014
@@ -3,23 +3,37 @@
 <body>
 <section name="WSS4J configuration">
 <p>
-This page describes how to use configure Apache WSS4J. This page only applies to WSS4J 1.6, a lot of the
-properties have changed since WSS4J 1.5.x.
+This page describes how to use configure Apache WSS4J. This page only applies
+to WSS4J 2.0.x and 1.6.x, a lot of the properties have changed since WSS4J
+1.5.x.
 </p>
 <subsection name="Crypto properties">
 <p>
-Apache WSS4J uses the Crypto interface to get keys and certificates for encryption/decryption and for
-signature creation/verification. WSS4J ships with three implementations:
+Apache WSS4J uses the Crypto interface to get keys and certificates for
+encryption/decryption and for signature creation/verification. WSS4J ships
+with three implementations:
 </p>
 <ul>
-<li><a href="http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/Merlin.java?view=markup">Merlin</a>: The standard implementation, based around two JDK keystores for key/cert retrieval, and trust verification.</li>
-<li><a href="http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/CertificateStore.java?view=markup">CertificateStore</a>: Holds an array of X509 Certificates. Can only be used for encryption and signature verification.</li>
-<li><a href="http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/MerlinDevice.java?view=markup">MerlinDevice</a>: Based on Merlin, allows loading of keystores using a null InputStream - for example on a smart-card device.</li>
+<li><a href="http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/Merlin.java?view=markup">
+Merlin</a>: The standard implementation, based around two JDK keystores for
+key/cert retrieval, and trust verification.</li>
+<li><a href="http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/CertificateStore.java?view=markup">
+CertificateStore</a>: Holds an array of X509 Certificates. Can only be used
+for encryption and signature verification.</li>
+<li><a href="http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/MerlinDevice.java?view=markup">
+MerlinDevice</a>: Based on Merlin, allows loading of keystores using a null
+InputStream - for example on a smart-card device.</li>
 </ul>
 <p>
 For more information on the Crypto implementations see the
-<a href="http://ws.apache.org/wss4j/topics.html#Crypto_Interface">Special Topics page</a>. It is possible to instantiate a Crypto implementation directly, but it can also be loaded via a 
-properties file. For Apache WSS4J 2.0.0 the property names ${PREFIX} below is "org.apache.wss4j.crypto". For Apache WSS4J 1.6.X, the property names ${PREFIX} below is "org.apache.ws.security.crypto". WSS4J 2.0.0 will also accept the older ${PREFIX} value. The property values for the standard Merlin implementation are as follows:
+<a href="http://ws.apache.org/wss4j/topics.html#Crypto_Interface">Special
+Topics page</a>. It is possible to instantiate a Crypto implementation
+directly, but it can also be loaded via a properties file. For Apache WSS4J
+2.0.0 the property names ${PREFIX} below is "org.apache.wss4j.crypto". For
+Apache WSS4J 1.6.X, the property names ${PREFIX} below is
+"org.apache.ws.security.crypto". WSS4J 2.0.0 will also accept the older
+${PREFIX} value. The property values for the standard Merlin implementation
+are as follows:
 </p>
 <p>
 General properties:
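Review bot: The rewritten opening sentence still reads "how to use configure Apache WSS4J"; since the paragraph is being touched anyway, drop the stray "use" and break the comma splice before "a lot of the properties have changed". The same hunk writes "2.0.x" in the first paragraph and "2.0.0" in the ${PREFIX} paragraph, and "the property names ${PREFIX} below is" does not parse. Suggest "the ${PREFIX} in the property names below is" and one version spelling throughout.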
@@ -105,10 +119,16 @@ TrustStore properties:
 </subsection>
 <subsection name="SAML properties">
 <p>
-Apache WSS4J uses the SAMLIssuer interface to configure the creation and signing of a SAML 
-Assertion. WSS4J ships with a default "SAMLIssuerImpl" implementation. It is possible to 
-instantiate a SAMLIssuer implementation directly, but it can also be loaded via a properties file.
-The property values are as follows:
+<b>WSS4J 1.6.x only</b> Apache WSS4J 1.6.x uses the SAMLIssuer interface to
+configure the creation and signing of a SAML Assertion. In Apache WSS4J 2.0.0,
+the SAMLIssuer functionality has been moved to the SAMLCallback, so that the
+CallbackHandler used to create a SAML Assertion is responsible for all of the
+signing configuration as well.
+</p>
+<p>
+WSS4J 1.6.x ships with a default "SAMLIssuerImpl" implementation. It is
+possible to instantiate a SAMLIssuer implementation directly, but it can also
+be loaded via a properties file. The property values are as follows:
 </p>
 <table name="SAMLIssuer properties">
 <tr>
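Review bot: The bold marker in the first added paragraph runs straight into the sentence ("<b>WSS4J 1.6.x only</b> Apache WSS4J 1.6.x uses ...") and is spelled "1.6.x" here, while the table rows added elsewhere in this commit use "1.6.X only". Suggest a colon after the marker and one casing. Since the paragraph tells 2.0.0 users that signing configuration now lives in the CallbackHandler behind SAMLCallback, a pointer to where that is documented would save them from reading the 1.6.x-only table below.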
@@ -151,16 +171,20 @@ be signed.</td>
 </tr>
 </table>
 </subsection>
-<subsection name="WSHandler configuration tags">
+<subsection name="Configuration tags">
 <p>
-Apache WSS4J provides a set of configuration tags for the WSHandler object used for the creation
-and processing of WS-Security enabled messages. For more information see the 
-<a href="apidocs/org/apache/ws/security/handler/WSHandlerConstants.html">WSHandlerConstants Javadoc</a>.
+Apache WSS4J provides a set of configuration tags that can be used to configure
+both the DOM-based and StAX-based (WSS4J 2.0.0 onwards) outbound and inbound
+processing. As both DOM and StAX code are very similar, both approaches share
+a set of common configuration tags given in <a href="http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/ConfigurationConstants.java?view=markup">ConfigurationConstants</a>. Note
+that the WSS4J 1.6.x configuration class (WSHandlerConstants) extends this
+class in WSS4J 2.0.0, so there is no need to change any configuration code
+when upgrading.
 </p>
 <p>
-The configuration tags for WSHandler Actions are as follows:
+The configuration tags for Actions are as follows:
 </p>
-<table name="WSHandler Action configuration tags">
+<table name="Action configuration tags">
 <tr>
 <th>Tag name</th>
 <th>Tag value</th>
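Review bot: The closing claim of the new paragraph, "there is no need to change any configuration code when upgrading", is stronger than the rest of this commit supports: rows such as SIGN_WITH_UT_KEY, PASSWORD_TYPE_STRICT, USE_DERIVED_KEY and ADD_UT_ELEMENTS are added with a "WSS4J 1.6.X only" marker, so configuration that uses them does need attention on upgrade. Suggest qualifying the sentence to the shared tags. The ConfigurationConstants link also points at trunk source in viewvc, where the removed link was a relative Javadoc link; a Javadoc link will stay valid for a released version.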
@@ -169,12 +193,12 @@ The configuration tags for WSHandler Act
 <tr>
 <td>ACTION</td>
 <td>action</td>
-<td>The action to perform, e.g. WSHandlerConstants.TIMESTAMP</td>
+<td>The action to perform, e.g. ConfigurationConstants.TIMESTAMP</td>
 </tr>
 <tr>
 <td>NO_SECURITY</td>
 <td>NoSecurity</td>
-<td>Do not perform any action, do nothing.</td>
+<td>Do not perform any action, do nothing. Only applies to DOM code.</td>
 </tr>
 <tr>
 <td><b>WSS4J 2.0.0</b> USERNAME_TOKEN_SIGNATURE</td>
@@ -246,6 +270,11 @@ The configuration tags for WSHandler Act
 <td>CustomToken</td>
 <td>Add a "Custom" token from a CallbackHandler</td>
 </tr>
+<tr>
+<td><b>WSS4J 1.6.X only</b> SIGN_WITH_UT_KEY</td>
+<td>UsernameTokenSignature</td>
+<td>Perform a .NET specific signature using a Username Token action.</td>
+</tr>
 </table>
 <p>
 The configuration tags for WSHandler user properties are as follows:
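Review bot: The new SIGN_WITH_UT_KEY row gives the tag value UsernameTokenSignature, and the same table already carries a "WSS4J 2.0.0 USERNAME_TOKEN_SIGNATURE" row; the description should say how the 1.6.X action relates to the 2.0.0 one so that upgraders know which to use. The context line "The configuration tags for WSHandler user properties are as follows:" after the table also keeps the WSHandler wording that this commit removes from the other table introductions.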
@@ -264,30 +293,33 @@ The configuration tags for WSHandler use
 <tr>
 <td>USER</td>
 <td>"user"</td>
-<td>The user's name. Consult the Javadoc for an explanation of this property.</td>
+<td>The user's name. Consult the Javadoc for an explanation of this property.
+</td>
 </tr>
 <tr>
 <td>ENCRYPTION_USER</td>
 <td>"encryptionUser"</td>
-<td>The user's name for encryption. Consult the Javadoc for an explanation of this property.</td>
+<td>The user's name for encryption. Consult the Javadoc for an explanation of
+this property.</td>
 </tr>
 <tr>
 <td>SIGNATURE_USER</td>
 <td>"signatureUser"</td>
-<td>The user's name for signature. Consult the Javadoc for an explanation of this property.</td>
+<td>The user's name for signature. Consult the Javadoc for an explanation of
+this property.</td>
 </tr>
 <tr>
 <td>USE_REQ_SIG_CERT</td>
 <td>"useReqSigCert"</td>
-<td>A special value for ENCRYPTION_USER. Consult the Javadoc for an explanation of this
-property.</td>
+<td>A special value for ENCRYPTION_USER. Consult the Javadoc for an
+explanation of this property.</td>
 </tr>
 </table>
 <p>
-The configuration tags for WSHandler callback class and property file configuration are
+The configuration tags for callback class and property file configuration are
 summarised here:
 </p>
-<table name="WSHandler Callback class and Property File configuration tags">
+<table name="Callback class and Property File configuration tags">
 <tr>
 <th>Tag name</th>
 <th>Tag value</th>
@@ -306,7 +338,8 @@ summarised here:
 <tr>
 <td>SAML_CALLBACK_CLASS</td>
 <td>samlCallbackClass</td>
-<td>The CallbackHandler implementation class used to construct SAML Assertions.</td>
+<td>The CallbackHandler implementation class used to construct SAML Assertions.
+</td>
 </tr>
 <tr>
 <td>SAML_CALLBACK_REF</td>
@@ -316,12 +349,14 @@ summarised here:
 <tr>
 <td>ENC_CALLBACK_CLASS</td>
 <td>embeddedKeyCallbackClass</td>
-<td>The CallbackHandler implementation class used to get the key associated with a key name.</td>
+<td>The CallbackHandler implementation class used to get the key associated
+with a key name.</td>
 </tr>
 <tr>
 <td>ENC_CALLBACK_REF</td>
 <td>embeddedKeyCallbackRef</td>
-<td>The CallbackHandler implementation object used to get the key associated with a key name.</td>
+<td>The CallbackHandler implementation object used to get the key associated
+with a key name.</td>
 </tr>
 <tr>
 <td>SIG_PROP_FILE</td>
@@ -331,8 +366,8 @@ summarised here:
 <tr>
 <td>SIG_PROP_REF_ID</td>
 <td>signaturePropRefId</td>
-<td>The String ID that is used to store a reference to the Crypto object or the Crypto Properties 
-object for Signature.
+<td>The String ID that is used to store a reference to the Crypto object or
+the Crypto Properties object for Signature.
 </td>
 </tr>
 <tr>
@@ -343,8 +378,8 @@ object for Signature.
 <tr>
 <td><b>WSS4J 2.0.0</b> SIG_VER_PROP_REF_ID</td>
 <td>signatureVerificationPropRefId</td>
-<td>The String ID that is used to store a reference to the Crypto object or the Crypto Properties 
-object for Signature verification.
+<td>The String ID that is used to store a reference to the Crypto object or
+the Crypto Properties object for Signature verification.
 </td>
 </tr>
 <tr>
@@ -355,8 +390,8 @@ object for Signature verification.
 <tr>
 <td>DEC_PROP_REF_ID</td>
 <td>decryptionPropRefId</td>
-<td>The String ID that is used to store a reference to the Crypto object or the Crypto Properties 
-object for decryption.</td>
+<td>The String ID that is used to store a reference to the Crypto object or
+the Crypto Properties object for decryption.</td>
 </tr>
 <tr>
 <td>ENC_PROP_FILE</td>
@@ -366,8 +401,8 @@ object for decryption.</td>
 <tr>
 <td>ENC_PROP_REF_ID</td>
 <td>encryptionPropRefId</td>
-<td>The String ID that is used to store a reference to the Crypto object or the Crypto Properties 
-object for encryption.</td>
+<td>The String ID that is used to store a reference to the Crypto object or
+the Crypto Properties object for encryption.</td>
 </tr>
 <tr>
 <td>SAML_PROP_FILE</td>
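Review bot: The unchanged SAML_PROP_FILE row at the end of this hunk carries no version marker, yet the SAML properties section in this same commit now says the SAMLIssuer properties-file approach is WSS4J 1.6.x only. If SAML_PROP_FILE is the tag that loads that file, it needs a "WSS4J 1.6.X only" marker like the other 1.6.X rows added in this commit.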
@@ -376,10 +411,10 @@ object for encryption.</td>
 </tr>
 </table>
 <p>
-The configuration tags for WSHandler properties that are configured via a boolean parameter 
-(i.e. "true" or "false") are as follows:
+The configuration tags for properties that are configured via a boolean
+parameter (i.e. "true" or "false") are as follows:
 </p>
-<table name="WSHandler boolean configuration tags">
+<table name="Boolean configuration tags">
 <tr>
 <th>Tag name</th>
 <th>Tag value</th>
@@ -398,71 +433,93 @@ The configuration tags for WSHandler pro
 <tr>
 <td>IS_BSP_COMPLIANT</td>
 <td>isBSPCompliant</td>
-<td>Whether or not to ensure compliance with the BSP 1.1 spec. Default is "true".</td>
+<td>Whether or not to ensure compliance with the BSP 1.1 spec. Default is
+"true".</td>
 </tr>
 <tr>
 <td><b>WSS4J 2.0.0</b> ADD_INCLUSIVE_PREFIXES</td>
 <td>addInclusivePrefixes</td>
-<td> Whether to add an InclusiveNamespaces PrefixList as a CanonicalizationMethod child when generating Signatures using WSConstants.C14N_EXCL_OMIT_COMMENTS. Default is "true".</td>
+<td> Whether to add an InclusiveNamespaces PrefixList as a
+CanonicalizationMethod child when generating Signatures using
+WSConstants.C14N_EXCL_OMIT_COMMENTS. Default is "true".</td>
 </tr>
 <tr>
 <td><b>WSS4J 2.0.0</b> ADD_USERNAMETOKEN_NONCE</td>
 <td>addUsernameTokenNonce</td>
-<td>Whether to add a Nonce Element to a UsernameToken (for plaintext). Default is "false"</td>
+<td>Whether to add a Nonce Element to a UsernameToken (for plaintext). Default
+is "false"</td>
 </tr>
 <tr>
 <td><b>WSS4J 2.0.0</b> ADD_USERNAMETOKEN_CREATED</td>
 <td>addUsernameTokenCreated</td>
-<td>Whether to add a Created Element to a UsernameToken (for plaintext). Default is "false"</td>
+<td>Whether to add a Created Element to a UsernameToken (for plaintext).
+Default is "false"</td>
 </tr>
 <tr>
 <td>HANDLE_CUSTOM_PASSWORD_TYPES</td>
 <td>handleCustomPasswordTypes</td>
-<td>Whether to allow non-standard password types in a UsernameToken. Default is "false".</td>
+<td>Whether to allow non-standard password types in a UsernameToken. Default
+is "false".</td>
+</tr>
+<tr>
+<td><b>WSS4J 1.6.X only</b> PASSWORD_TYPE_STRICT</td>
+<td>passwordTypeStrict</td>
+<td>Whether to enable strict Username Token password type handling. Default is
+"false".</td>
 </tr>
 <tr>
 <td><b>WSS4J 2.0.0</b> ALLOW_USERNAMETOKEN_NOPASSWORD</td>
 <td>allowUsernameTokenNoPassword</td>
-<td>Whether a UsernameToken with no password element is allowed. Default is "false".</td>
+<td>Whether a UsernameToken with no password element is allowed. Default is
+"false".</td>
 </tr>
 <tr>
 <td>REQUIRE_SIGNED_ENCRYPTED_DATA_ELEMENTS</td>
 <td>requireSignedEncryptedDataElements</td>
-<td>Whether the engine needs to enforce EncryptedData elements are in a signed subtree of the document.
-Default is "false".</td>
+<td>Whether the engine needs to enforce EncryptedData elements are in a signed
+subtree of the document. Default is "false".</td>
+</tr>
+<tr>
+<td><b>WSS4J 1.6.X only</b> USE_DERIVED_KEY</td>
+<td>useDerivedKey</td>
+<td>Whether to use the standard UsernameToken Key Derivation algorithm.
+Default is "true".</td>
 </tr>
 <tr>
 <td>ALLOW_NAMESPACE_QUALIFIED_PASSWORD_TYPES</td>
 <td>allowNamespaceQualifiedPasswordTypes</td>
-<td>Whether (wsse) namespace qualified password types are accepted when processing UsernameTokens. 
-Default is "false".</td>
+<td>Whether (wsse) namespace qualified password types are accepted when
+processing UsernameTokens. Default is "false".</td>
 </tr>
 <tr>
 <td>ENABLE_REVOCATION</td>
 <td>enableRevocation</td>
-<td>Whether to enable Certificate Revocation List (CRL) checking when verifying trust in a 
-certificate. Default is "false".</td>
+<td>Whether to enable Certificate Revocation List (CRL) checking when
+verifying trust in a certificate. Default is "false".</td>
 </tr>
 <tr>
 <td>USE_ENCODED_PASSWORDS</td>
 <td>useEncodedPasswords</td>
-<td>Set whether to treat passwords as binary values for Username Tokens. Default is "false".</td>
+<td>Set whether to treat passwords as binary values for Username Tokens.
+Default is "false".</td>
 </tr>
 <tr>
 <td>USE_SINGLE_CERTIFICATE</td>
 <td>useSingleCertificate</td>
-<td>Whether to use a single certificate or a whole certificate chain to construct a 
-BinarySecurityToken. Default is "true".</td>
+<td>Whether to use a single certificate or a whole certificate chain to
+construct a BinarySecurityToken. Default is "true".</td>
 </tr>
 <tr>
 <td>USE_DERIVED_KEY_FOR_MAC</td>
 <td>useDerivedKeyForMAC</td>
-<td>Whether to use the Username Token derived key for a MAC. Default is "true".</td>
+<td>Whether to use the Username Token derived key for a MAC. Default is
+"true".</td>
 </tr>
 <tr>
 <td>TIMESTAMP_PRECISION</td>
 <td>precisionInMilliseconds</td>
-<td>Set whether outbound timestamps have precision in milliseconds. Default is "true".</td>
+<td>Set whether outbound timestamps have precision in milliseconds. Default is
+"true".</td>
 </tr>
 <tr>
 <td>TIMESTAMP_STRICT</td>
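Review bot: The two 1.6.X rows added in this hunk, PASSWORD_TYPE_STRICT and USE_DERIVED_KEY, name the switch without saying what it changes: "strict Username Token password type handling" does not say which password types are rejected when it is "true", and "the standard UsernameToken Key Derivation algorithm" does not name what is used when it is "false". One sentence each would make these usable without the Javadoc. The ADD_USERNAMETOKEN_NONCE and ADD_USERNAMETOKEN_CREATED rows were rewrapped but still end with 'Default is "false"' without the closing period the neighbouring rows have.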
@@ -472,22 +529,26 @@ BinarySecurityToken. Default is "true".<
 <tr>
 <td>ENC_SYM_ENC_KEY</td>
 <td>encryptSymmetricEncryptionKey</td>
-<td>Set whether to encrypt the symmetric encryption key or not. Default is "true".</td>
+<td>Set whether to encrypt the symmetric encryption key or not. Default is
+"true".</td>
 </tr>
 <tr>
 <td>ALLOW_RSA15_KEY_TRANSPORT_ALGORITHM</td>
 <td>allowRSA15KeyTransportAlgorithm</td>
-<td>Whether to allow the RSA v1.5 Key Transport Algorithm or not. Default is "false".</td>
+<td>Whether to allow the RSA v1.5 Key Transport Algorithm or not. Default is
+"false".</td>
 </tr>
 <tr>
 <td><b>WSS4J 2.0.0</b> VALIDATE_SAML_SUBJECT_CONFIRMATION</td>
 <td>validateSamlSubjectConfirmation</td>
-<td>Whether to validate the SubjectConfirmation requirements of a received SAML Token (sender-vouches or holder-of-key). Default is "true".</td>
+<td>Whether to validate the SubjectConfirmation requirements of a received
+SAML Token (sender-vouches or holder-of-key). Default is "true".</td>
 </tr>
 <tr>
 <td><b>WSS4J 2.0.0</b> INCLUDE_SIGNATURE_TOKEN</td>
 <td>includeSignatureToken</td>
-<td>Whether to include the Signature Token in the security header as well or not (for IssuerSerial + Thumbprint cases). Default is "false"</td>
+<td>Whether to include the Signature Token in the security header as well or
+not (for IssuerSerial + Thumbprint cases). Default is "false"</td>
 </tr>
 <tr>
 <td><b>WSS4J 2.0.0</b> ENABLE_NONCE_CACHE</td>
@@ -497,24 +558,27 @@ BinarySecurityToken. Default is "true".<
 <tr>
 <td><b>WSS4J 2.0.0</b> ENABLE_TIMESTAMP_CACHE</td>
 <td>enableTimestampCache</td>
-<td>Whether to cache Timestamp Created Strings (these are only cached in conjunction with a message Signature). Default is "true"</td>
+<td>Whether to cache Timestamp Created Strings (these are only cached in
+conjunction with a message Signature). Default is "true"</td>
 </tr>
 <tr>
 <td><b>WSS4J 2.0.0</b> ENABLE_SAML_ONE_TIME_USE_CACHE</td>
 <td>enableSamlOneTimeUseCache</td>
-<td>Whether to cache SAML2 Token Identifiers, if the token contains a "OneTimeUse" Condition. Default is "true". </td>
+<td>Whether to cache SAML2 Token Identifiers, if the token contains a
+"OneTimeUse" Condition. Default is "true". </td>
 </tr>
 <tr>
 <td><b>WSS4J 2.0.0</b> USE_2005_12_NAMESPACE</td>
 <td>use200512Namespace</td>
-<td>Whether to use the 2005/12 namespace for SecureConveration + DerivedKeys, or the older namespace. The default is "true"</td>
+<td>Whether to use the 2005/12 namespace for SecureConveration + DerivedKeys,
+or the older namespace. The default is "true"</td>
 </tr>
 </table>
 <p>
-The configuration tags for WSHandler properties that are configured via a non-boolean parameter 
-are as follows:
+The configuration tags for properties that are configured via a non-boolean
+parameter are as follows:
 </p>
-<table name="WSHandler non-boolean configuration tags">
+<table name="Non-boolean configuration tags">
 <tr>
 <th>Tag name</th>
 <th>Tag value</th>
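Review bot: The rewrapped USE_2005_12_NAMESPACE description still contains the typo "SecureConveration"; it should read "SecureConversation". The same row says 'The default is "true"' where the rows above say 'Default is "true"', and both it and ENABLE_TIMESTAMP_CACHE lack the closing period, so this is a good moment to make the three cache/namespace rows consistent.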
@@ -523,7 +587,19 @@ are as follows:
 <tr>
 <td>PASSWORD_TYPE</td>
 <td>passwordType</td>
-<td>The encoding of the password for a Username Token. The default is WSConstants.PW_DIGEST.</td>
+<td>The encoding of the password for a Username Token. The default is
+WSConstants.PW_DIGEST.</td>
+</tr>
+<tr>
+<td><b>WSS4J 1.6.X only</b> ENC_KEY_NAME</td>
+<td>embeddedKeyName</td>
+<td>The text of the key name to be sent in the KeyInfo for encryption</td>
+</tr>
+<tr>
+<td><b>WSS4J 1.6.X only</b> ADD_UT_ELEMENTS</td>
+<td>addUTElements</td>
+<td>Additional elements to add to a Username Token, i.e. "nonce" and "created".
+</td>
 </tr>
 <tr>
 <td>SIG_KEY_ID</td>
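Review bot: The new ADD_UT_ELEMENTS row describes the value as 'i.e. "nonce" and "created"' but does not say how the two are written when both are wanted (separator, case), and it gives no default. Since the boolean table in this commit lists ADD_USERNAMETOKEN_NONCE and ADD_USERNAMETOKEN_CREATED as the WSS4J 2.0.0 tags, a cross-reference from this 1.6.X row to those would tell upgraders what replaces it. The ENC_KEY_NAME description is also missing its closing period.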
@@ -533,40 +609,50 @@ are as follows:
 <tr>
 <td>SIG_ALGO</td>
 <td>signatureAlgorithm</td>
-<td>The signature algorithm to use. The default is set by the data in the certificate.
+<td>The signature algorithm to use. The default is set by the data in the
+certificate.
 </td>
 </tr>
 <tr>
 <td>SIG_DIGEST_ALGO</td>
 <td>signatureDigestAlgorithm</td>
-<td>The signature digest algorithm to use.  The default is SHA-1.</td>
+<td>The signature digest algorithm to use. The default is SHA-1.</td>
 </tr>
 <tr>
 <td>SIG_C14N_ALGO</td>
 <td>signatureC14nAlgorithm</td>
-<td>Defines which signature c14n (canonicalization) algorithm to use. The default is: "http://www.w3.org/2001/10/xml-exc-c14n#".</td>
+<td>Defines which signature c14n (canonicalization) algorithm to use. The
+default is: "http://www.w3.org/2001/10/xml-exc-c14n#".</td>
+</tr>
+<tr>
+<td><b>WSS4J 1.6.X only</b> WSE_SECRET_KEY_LENGTH</td>
+<td>wseSecretKeyLength</td>
+<td>The length of the secret (derived) key to use for the WSE UT_SIGN
+functionality.</td>
 </tr>
 <tr>
 <td>SIGNATURE_PARTS</td>
 <td>signatureParts</td>
-<td>Parameter to define which parts of the request shall be signed. The SOAP body is signed
-by default.</td>
+<td>Parameter to define which parts of the request shall be signed. The SOAP
+body is signed by default.</td>
 </tr>
 <tr>
 <td><b>WSS4J 2.0.0</b> OPTIONAL_SIGNATURE_PARTS</td>
 <td>optionalSignatureParts</td>
-<td>Parameter to define which parts of the request shall be signed, if they exist in the request.</td>
+<td>Parameter to define which parts of the request shall be signed, if they
+exist in the request.</td>
 </tr>
 <tr>
 <td>DERIVED_KEY_ITERATIONS</td>
 <td>derivedKeyIterations</td>
-<td>The number of iterations to use when deriving a key from a Username Token. The default is 
-1000.</td>
+<td>The number of iterations to use when deriving a key from a Username Token.
+The default is 1000.</td>
 </tr>
 <tr>
 <td>ENC_KEY_ID</td>
 <td>encryptionKeyIdentifier</td>
-<td>The key identifier type to use for encryption. The default is "IssuerSerial".</td>
+<td>The key identifier type to use for encryption. The default is
+"IssuerSerial".</td>
 </tr>
 <tr>
 <td>ENC_SYM_ALGO</td>
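Review bot: The new WSE_SECRET_KEY_LENGTH row gives "The length of the secret (derived) key" with neither a unit nor a default, whereas the DERIVED_SIGNATURE_KEY_LENGTH and DERIVED_ENCRYPTION_KEY_LENGTH rows added later in this commit state "(in bytes)". Suggest stating the unit and the default here too. "UT_SIGN" in that description is not a tag name used anywhere else in the visible table (the action row is SIGN_WITH_UT_KEY), so it should either be replaced or explained.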
@@ -581,64 +667,119 @@ by default.</td>
 <tr>
 <td>ENC_DIGEST_ALGO</td>
 <td>encryptionDigestAlgorithm</td>
-<td>The encryption digest algorithm to use with the RSA-OAEP key transport algorithm. The default 
-is SHA-1.</td>
+<td>The encryption digest algorithm to use with the RSA-OAEP key transport
+algorithm. The default is SHA-1.</td>
 </tr>
 <tr>
 <td>ENCRYPTION_PARTS</td>
 <td>encryptionParts</td>
-<td>Parameter to define which parts of the request shall be encrypted. The SOAP body is encrypted
-in "Content" mode by default.</td>
+<td>Parameter to define which parts of the request shall be encrypted. The
+SOAP body is encrypted in "Content" mode by default.</td>
 </tr>
 <tr>
 <td><b>WSS4J 2.0.0</b> OPTIONAL_ENCRYPTION_PARTS</td>
 <td>optionalEncryptionParts</td>
-<td>Parameter to define which parts of the request shall be encrypted, if they exist in the request.</td>
+<td>Parameter to define which parts of the request shall be encrypted, if they
+exist in the request.</td>
 </tr>
 <tr>
 <td><b>WSS4J 2.0.0</b> ENC_MGF_ALGO</td>
 <td>encryptionMGFAlgorithm</td>
-<td>Defines which encryption mgf algorithm to use with the RSA OAEP Key Transport algorithm for encryption. The default is mgfsha1.</td>
+<td>Defines which encryption mgf algorithm to use with the RSA OAEP Key
+Transport algorithm for encryption. The default is mgfsha1.</td>
 </tr>
 <tr>
 <td>TTL_TIMESTAMP</td>
 <td>timeToLive</td>
-<td>The time difference between creation and expiry time in seconds in the WSS Timestamp. The 
-default is "300".</td>
+<td>The time difference between creation and expiry time in seconds in the WSS
+Timestamp. The default is "300".</td>
 </tr>
 <tr>
 <td>TTL_FUTURE_TIMESTAMP</td>
 <td>futureTimeToLive</td>
-<td>The time in seconds in the future within which the Created time of an incoming Timestamp is 
-valid. The default is "60".</td>
+<td>The time in seconds in the future within which the Created time of an
+incoming Timestamp is valid. The default is "60".</td>
 </tr>
 <tr>
 <td>TTL_USERNAMETOKEN</td>
 <td>utTimeToLive</td>
-<td>The time difference between creation and expiry time in seconds in the WSS UsernameToken created element. The 
-default is "300".</td>
+<td>The time difference between creation and expiry time in seconds in the WSS
+UsernameToken created element. The default is "300".</td>
 </tr>
 <tr>
 <td>TTL_FUTURE_USERNAMETOKEN</td>
 <td>utFutureTimeToLive</td>
-<td>The time in seconds in the future within which the Created time of an incoming UsernameToken is 
-valid. The default is "60".</td>
+<td>The time in seconds in the future within which the Created time of an
+incoming UsernameToken is valid. The default is "60".</td>
 </tr>
 <tr>
 <td>SIG_SUBJECT_CERT_CONSTRAINTS</td>
 <td>sigSubjectCertConstraints</td>
-<td>A comma separated String of regular expressions which will be applied to the subject DN of the
-certificate used for signature validation, after trust verification of the certificate chain associated 
-with the certificate. </td>
+<td>A comma separated String of regular expressions which will be applied to
+the subject DN of the certificate used for signature validation, after trust
+verification of the certificate chain associated with the certificate. </td>
+</tr>
+<tr>
+<td><b>WSS4J 2.0.0</b> VALIDATOR_MAP</td>
+<td>validatorMap</td>
+<td>A map of QName, Object (Validator) instances to be used to validate
+tokens identified by their QName.</td>
+</tr>
+<tr>
+<td><b>WSS4J 2.0.0</b> NONCE_CACHE_INSTANCE</td>
+<td>nonceCacheInstance</td>
+<td>A ReplayCache instance used to cache UsernameToken nonces. The default
+instance that is used is the EHCacheReplayCache.</td>
+</tr>
+<tr>
+<td><b>WSS4J 2.0.0</b> TIMESTAMP_CACHE_INSTANCE</td>
+<td>timestampCacheInstance</td>
+<td>A ReplayCache instance used to cache Timestamp Created Strings. The default
+instance that is used is the EHCacheReplayCache.</td>
+</tr>
+<tr>
+<td><b>WSS4J 2.0.0</b> SAML_ONE_TIME_USE_CACHE_INSTANCE</td>
+<td>samlOneTimeUseCacheInstance</td>
+<td>A ReplayCache instance used to cache SAML2 Token Identifier Strings (if
+the token contains a OneTimeUse Condition). The default instance that is used
+is the EHCacheReplayCache.</td>
+</tr>
+<tr>
+<td><b>WSS4J 2.0.0</b> PASSWORD_ENCRYPTOR_INSTANCE</td>
+<td>passwordEncryptorInstance</td>
+<td>A PasswordEncryptor instance used to decrypt encrypted passwords in Crypto
+properties files. The default is the JasyptPasswordEncryptor.</td>
+</tr>
+<tr>
+<td><b>WSS4J 2.0.0</b> DERIVED_TOKEN_REFERENCE</td>
+<td>derivedTokenReference</td>
+<td>This controls how deriving tokens are referenced. Only used by StAX code.</td>
+</tr>
+<tr>
+<td><b>WSS4J 2.0.0</b> DERIVED_TOKEN_KEY_ID</td>
+<td>derivedTokenKeyIdentifier</td>
+<td>This controls the key identifier of Derived Tokens. Only used by StAX
+code.</td>
+</tr>
+<tr>
+<td><b>WSS4J 2.0.0</b> DERIVED_SIGNATURE_KEY_LENGTH</td>
+<td>derivedSignatureKeyLength</td>
+<td>The length to use (in bytes) when deriving a key for Signature. Only used
+by StAX code.</td>
+</tr>
+<tr>
+<td><b>WSS4J 2.0.0</b> DERIVED_ENCRYPTION_KEY_LENGTH</td>
+<td>derivedEncryptionKeyLength</td>
+<td>The length to use (in bytes) when deriving a key for Encryption. Only used
+by StAX code.</td>
 </tr>
 </table>
 <p>
-The configuration values for setting the KeyIdentifiers for signature or encryption 
-are shown below. See the <a href="http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/handler/WSHandlerConstants.html">Javadoc</a> 
-for SIG_KEY_ID and ENC_KEY_ID for more details. For an in depth explanation 
+The configuration values for setting the KeyIdentifiers for signature or
+encryption are shown below. For an in depth explanation 
 with examples, see this blog <a href="http://coheigea.blogspot.com/2013/03/signature-and-encryption-key.html">entry</a>.
 </p>
-<table name="WSHandler KeyIdentifier values">
+<table name="KeyIdentifier values">
 <tr>
 <th>Value</th>
 </tr>
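Review bot: The DERIVED_TOKEN_REFERENCE and DERIVED_TOKEN_KEY_ID rows added near the end of the table say only that they "control" referencing and the key identifier; they list neither the accepted values nor a default, and the two derived key length rows give a unit but no default. Suggest adding both, as the other non-boolean rows do. The paragraph after the table also drops the Javadoc pointer for SIG_KEY_ID and ENC_KEY_ID without a replacement; a link to the ConfigurationConstants Javadoc would keep that reference for readers.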
@@ -666,6 +807,9 @@ with examples, see this blog <a href="ht
 <tr>
 <td>KeyValue</td>
 </tr>
+<tr>
+<td><b>WSS4J 2.0.0</b> KerberosSHA1</td>
+</tr>
 </table>
 </subsection>
 </section>
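Review bot: The new KerberosSHA1 row puts the "<b>WSS4J 2.0.0</b>" marker inside the only cell of a table whose single column is headed "Value", so the label and the literal configuration value share one cell. Suggest a separate column for version notes, or a note under the table. The row also does not say whether KerberosSHA1 is valid for SIG_KEY_ID, ENC_KEY_ID or both, which the paragraph above the table implies readers will need.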