Posted to commits@ws.apache.org by co...@apache.org on 2015/05/15 13:49:09 UTC

svn commit: r1679548 - in /webservices/website/wss4j: ./ apidocs/org/apache/wss4j/binding/wss11/runtime/ apidocs/org/apache/wss4j/dom/bsp/ apidocs/org/w3/ migration/ testapidocs/org/apache/wss4j/integration/test/common/ xref-test/org/apache/wss4j/integ...

Author: coheigea
Date: Fri May 15 11:49:09 2015
New Revision: 1679548

URL: http://svn.apache.org/r1679548
Log:
More website stuff

Added:
    webservices/website/wss4j/migration/
    webservices/website/wss4j/migration/migration.html
    webservices/website/wss4j/migration/newfeatures20.html
    webservices/website/wss4j/migration/wss4j16.html
    webservices/website/wss4j/migration/wss4j20.html
    webservices/website/wss4j/migration/wss4j21.html
Removed:
    webservices/website/wss4j/apidocs/org/apache/wss4j/binding/wss11/runtime/
    webservices/website/wss4j/apidocs/org/apache/wss4j/dom/bsp/
    webservices/website/wss4j/apidocs/org/w3/
    webservices/website/wss4j/migration.html
    webservices/website/wss4j/newfeatures20.html
    webservices/website/wss4j/testapidocs/org/apache/wss4j/integration/test/common/
    webservices/website/wss4j/wss4j16.html
    webservices/website/wss4j/xref-test/org/apache/wss4j/integration/test/common/
    webservices/website/wss4j/xref/org/apache/wss4j/common/crypto/X509NameTokenizer.html
    webservices/website/wss4j/xref/org/apache/wss4j/common/util/RFC2253Parser.html
    webservices/website/wss4j/xref/org/apache/wss4j/dom/bsp/
    webservices/website/wss4j/xref/org/apache/wss4j/dom/message/token/BinarySecurity.html

Added: webservices/website/wss4j/migration/migration.html
URL: http://svn.apache.org/viewvc/webservices/website/wss4j/migration/migration.html?rev=1679548&view=auto
==============================================================================
--- webservices/website/wss4j/migration/migration.html (added)
+++ webservices/website/wss4j/migration/migration.html Fri May 15 11:49:09 2015
@@ -0,0 +1,120 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2015-05-15 -->
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+  <head>
+    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+    <title>Apache WSS4J &#x2013; </title>
+    <style type="text/css" media="all">
+      @import url("../css/maven-base.css");
+      @import url("../css/maven-theme.css");
+      @import url("../css/site.css");
+    </style>
+    <link rel="stylesheet" href="../css/print.css" type="text/css" media="print" />
+    <meta name="Date-Revision-yyyymmdd" content="20150515" />
+    <meta http-equiv="Content-Language" content="en" />
+        
+        </head>
+  <body class="composite">
+    <div id="banner">
+                                      <a href=".././" id="bannerLeft">
+                Apache WSS4J
+                </a>
+                              <a href="http://www.apache.org" id="bannerRight">
+                                        <img src="http://activemq.apache.org/images/asf-logo.png" alt="$alt" />
+                </a>
+            <div class="clear">
+        <hr/>
+      </div>
+    </div>
+    <div id="breadcrumbs">
+            
+                    
+                <div class="xleft">
+        <span id="publishDate">Last Published: 2015-05-15</span>
+                  &nbsp;| <span id="projectVersion">Version: 2.1.1-SNAPSHOT</span>
+                      </div>
+            <div class="xright">        
+                    
+      </div>
+      <div class="clear">
+        <hr/>
+      </div>
+    </div>
+    <div id="leftColumn">
+      <div id="navcolumn">
+             
+                    
+                                <h5>Apache WSS4J</h5>
+                  <ul>
+                  <li class="none">
+                          <a href="../index.html" title="Home">Home</a>
+            </li>
+                  <li class="none">
+                          <a href="../download.html" title="Download">Download</a>
+            </li>
+                  <li class="none">
+                          <a href="../user_guide.html" title="User Guide">User Guide</a>
+            </li>
+                  <li class="none">
+                          <a href="../security_advisories.html" title="Security Advisories">Security Advisories</a>
+            </li>
+          </ul>
+                       <h5>Project Documentation</h5>
+                  <ul>
+                                                                                                                          <li class="collapsed">
+                          <a href="../project-info.html" title="Project Information">Project Information</a>
+                  </li>
+                                                                                                                          <li class="collapsed">
+                          <a href="../project-reports.html" title="Project Reports">Project Reports</a>
+                  </li>
+          </ul>
+                             <a href="http://maven.apache.org/" title="Built by Maven" class="poweredBy">
+        <img class="poweredBy" alt="Built by Maven" src="../images/logos/maven-feather.png" />
+      </a>
+                   
+                    
+            </div>
+    </div>
+    <div id="bodyColumn">
+      <div id="contentBox">
+        
+
+<div class="section">
+<h2><a name="Apache_WSS4J_Migration_Guides"></a>Apache WSS4J Migration Guides</h2>
+
+<p>
+Click on the links below for more information about migrating to various
+new versions of WSS4J.
+</p>
+
+<ul>
+
+<li><a href="wss4j21.html">WSS4J 2.1.0 Migration Guide</a></li>
+
+<li><a href="wss4j20.html">WSS4J 2.0.0 Migration Guide</a></li>
+
+<li><a href="newfeatures20.html">WSS4J 2.0.0 New Features</a></li>
+
+<li><a href="wss4j16.html">WSS4J 1.6.0 Migration Guide</a></li>
+</ul>
+</div>            
+
+
+      </div>
+    </div>
+    <div class="clear">
+      <hr/>
+    </div>
+    <div id="footer">
+      <div class="xright">
+              Copyright &#169;                    2004&#x2013;2015
+                        <a href="http://www.apache.org/">The Apache Software Foundation</a>.
+            All rights reserved.      
+                    
+                  </div>
+      <div class="clear">
+        <hr/>
+      </div>
+    </div>
+  </body>
+</html>
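
Review bot: The <title> in the <head> is "Apache WSS4J &#x2013; " with nothing after the dash, and the banner image a few lines further down carries alt="$alt", an unresolved template variable. Both are in generated Doxia output, so the fix belongs in the site source: give the page a title and set a real alt text for the ASF logo. The same two lines repeat in the other pages added by this commit. The logo is also fetched over plain http from activemq.apache.org; serving it from this site's own ../images/ directory, as the Maven feather logo already is, would remove the cross-site dependency.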

Added: webservices/website/wss4j/migration/newfeatures20.html
URL: http://svn.apache.org/viewvc/webservices/website/wss4j/migration/newfeatures20.html?rev=1679548&view=auto
==============================================================================
--- webservices/website/wss4j/migration/newfeatures20.html (added)
+++ webservices/website/wss4j/migration/newfeatures20.html Fri May 15 11:49:09 2015
@@ -0,0 +1,335 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2015-05-15 -->
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+  <head>
+    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+    <title>Apache WSS4J &#x2013; </title>
+    <style type="text/css" media="all">
+      @import url("../css/maven-base.css");
+      @import url("../css/maven-theme.css");
+      @import url("../css/site.css");
+    </style>
+    <link rel="stylesheet" href="../css/print.css" type="text/css" media="print" />
+    <meta name="Date-Revision-yyyymmdd" content="20150515" />
+    <meta http-equiv="Content-Language" content="en" />
+        
+        </head>
+  <body class="composite">
+    <div id="banner">
+                                      <a href=".././" id="bannerLeft">
+                Apache WSS4J
+                </a>
+                              <a href="http://www.apache.org" id="bannerRight">
+                                        <img src="http://activemq.apache.org/images/asf-logo.png" alt="$alt" />
+                </a>
+            <div class="clear">
+        <hr/>
+      </div>
+    </div>
+    <div id="breadcrumbs">
+            
+                    
+                <div class="xleft">
+        <span id="publishDate">Last Published: 2015-05-15</span>
+                  &nbsp;| <span id="projectVersion">Version: 2.1.1-SNAPSHOT</span>
+                      </div>
+            <div class="xright">        
+                    
+      </div>
+      <div class="clear">
+        <hr/>
+      </div>
+    </div>
+    <div id="leftColumn">
+      <div id="navcolumn">
+             
+                    
+                                <h5>Apache WSS4J</h5>
+                  <ul>
+                  <li class="none">
+                          <a href="../index.html" title="Home">Home</a>
+            </li>
+                  <li class="none">
+                          <a href="../download.html" title="Download">Download</a>
+            </li>
+                  <li class="none">
+                          <a href="../user_guide.html" title="User Guide">User Guide</a>
+            </li>
+                  <li class="none">
+                          <a href="../security_advisories.html" title="Security Advisories">Security Advisories</a>
+            </li>
+          </ul>
+                       <h5>Project Documentation</h5>
+                  <ul>
+                                                                                                                          <li class="collapsed">
+                          <a href="../project-info.html" title="Project Information">Project Information</a>
+                  </li>
+                                                                                                                          <li class="collapsed">
+                          <a href="../project-reports.html" title="Project Reports">Project Reports</a>
+                  </li>
+          </ul>
+                             <a href="http://maven.apache.org/" title="Built by Maven" class="poweredBy">
+        <img class="poweredBy" alt="Built by Maven" src="../images/logos/maven-feather.png" />
+      </a>
+                   
+                    
+            </div>
+    </div>
+    <div id="bodyColumn">
+      <div id="contentBox">
+        
+
+<div class="section">
+<h2><a name="New_features_available_in_Apache_WSS4J_2.0.0"></a>New features available in Apache WSS4J 2.0.0</h2>
+
+
+<div class="section">
+<h3><a name="Overview_of_new_features"></a>Overview of new features</h3>
+
+<p>
+Apache WSS4J 2.0.0 delivers the following major new features:
+</p>
+
+<ul>
+
+<li>Support for a streaming (StAX) based WS-Security implementation that
+covers all of the main specifications.</li>
+
+<li>A WS-SecurityPolicy model that can be shared between both DOM + StAX
+implementations.</li>
+
+<li>Support for &quot;real-time&quot; WS-SecurityPolicy validation for the StAX
+implementation.</li>
+
+<li>Support for the SOAP with Attachments (SWA) Profile 1.1 specification.</li>
+
+<li>Support for caching based on EhCache.</li>
+
+<li>Support for encrypting passwords in Crypto properties files using Jasypt.
+</li>
+</ul>
+</div>
+
+
+<div class="section">
+<h3><a name="Streaming_StAX_based_WS-Security_implementation"></a>Streaming (StAX) based WS-Security implementation</h3>
+
+<p>
+WSS4J 2.0.0 introduces a new streaming (StAX) based WS-Security implementation.
+Please see the dedicated <a href="streaming.html">page</a> for more
+information.
+</p>
+</div>
+
+
+<div class="section">
+<h3><a name="WS-SecurityPolicy_support"></a>WS-SecurityPolicy support</h3>
+
+<p>
+WSS4J 2.0.0 introduces a new WS-SecurityPolicy model as part of the
+&quot;wss4j-policy&quot; module. This model can be shared between both the DOM and StAX
+WS-Security implementations. Web service stacks such as Apache CXF and 
+Apache Axis/Rampart that use WSS4J for WS-Security no longer need to maintain
+their own model. In this way any bug fixes to the model will get picked up
+by all web service stacks that rely on WSS4J.
+</p>
+
+<p>
+In addition to the new WS-SecurityPolicy model, a significant new feature of
+WSS4J 2.0.0 is that the new streaming WS-Security implementation has the
+ability to perform &quot;real-time&quot; validation of a request against the set of
+applicable WS-SecurityPolicy policies. The DOM-based code in WSS4J does not
+have any concept of WS-SecurityPolicy, but instead processes an inbound 
+request, and relies on the web service stack to compare the results against
+the applicable policies. The advantage of the streaming approach in WSS4J
+2.0.0 is that bogus requests can be rejected quicker, which may help to avoid
+DoS based scenarios.
+</p>
+</div>
+
+
+<div class="section">
+<h3><a name="Support_for_signing_and_encrypting_message_attachments"></a>Support for signing and encrypting message attachments</h3>
+
+<p>
+WSS4J 2.0.0 introduces support for signing and encrypting SOAP message
+attachments, via the the SOAP with Attachments (SWA) Profile 1.1 specification.
+Please see the dedicated <a href="attachments.html">page</a> for more
+information.
+</p>
+</div>
+
+
+
+<div class="section">
+<h3><a name="Replay_Attack_detection_using_EhCache"></a>Replay Attack detection using EhCache</h3>
+
+<p>
+In WSS4J 1.6.x, a &quot;ReplayCache&quot; interface was introduced to cache tokens to
+guard against replay attacks for the following scenarios:
+</p>
+
+<ul>
+
+<li>Signed Timestamps</li>
+
+<li>UsernameToken nonces</li>
+
+<li>SAML OneTimeUse Assertions</li>
+</ul>
+
+<p>
+However, replay attack detection was not &quot;switched on&quot; by default in WSS4J
+1.6.x. In WSS4J 2.0.x, replay attack detection is enabled by default using
+an implementation of the &quot;ReplayCache&quot; interface based on EhCache. The 
+following configuration tags can be used to configure caching:
+</p>
+
+<ul>
+
+<li>ConfigurationConstants.TIMESTAMP_CACHE_INSTANCE (&quot;timestampCacheInstance&quot;):
+This holds a reference to a ReplayCache instance used to cache Timestamp
+Created Strings. The default instance that is used is the EHCacheReplayCache.
+</li>
+
+<li>ConfigurationConstants.ENABLE_TIMESTAMP_CACHE (&quot;enableTimestampCache&quot;):
+Whether to cache Timestamp Created Strings (these are only cached in
+conjunction with a message Signature). The default value is &quot;true&quot;.</li>
+
+<li>ConfigurationConstants.NONCE_CACHE_INSTANCE (&quot;nonceCacheInstance&quot;): This
+holds a reference to a ReplayCache instance used to cache UsernameToken
+nonces. The default instance that is used is the EHCacheReplayCache.</li>
+
+<li>ConfigurationConstants.ENABLE_NONCE_CACHE (&quot;enableNonceCache&quot;): Whether to
+cache UsernameToken nonces. The default value is &quot;true&quot;.</li>
+
+<li>ConfigurationConstants. SAML_ONE_TIME_USE_CACHE_INSTANCE
+(&quot;samlOneTimeUseCacheInstance&quot;): This holds a reference to a ReplayCache
+instance used to cache SAML2 Token Identifier Strings (if the token contains a
+OneTimeUse Condition). The default instance that is used is the
+EHCacheReplayCache.</li>
+
+<li>ConfigurationConstants.ENABLE_SAML_ONE_TIME_USE_CACHE
+(&quot;enableSamlOneTimeUseCache&quot;):  Whether to cache SAML2 Token Identifiers, if
+the token contains a &quot;OneTimeUse&quot; Condition. The default value is &quot;true&quot;.</li>
+</ul>
+</div>
+
+
+<div class="section">
+<h3><a name="Encrypting_passwords_in_Crypto_property_files"></a>Encrypting passwords in Crypto property files</h3>
+
+<p>
+A typical example of the contents of a Crypto properties file (for Signature
+creation) is as follows:
+</p>
+
+<ul>
+
+<li>org.apache.wss4j.crypto.provider=org.apache.wss4j.common.crypto.Merlin</li>
+
+<li>org.apache.wss4j.crypto.merlin.keystore.type=jks</li>
+
+<li>org.apache.wss4j.crypto.merlin.keystore.password=security</li>
+
+<li>org.apache.wss4j.crypto.merlin.keystore.alias=wss40</li>
+
+<li>org.apache.wss4j.crypto.merlin.keystore.file=keys/wss40.jks</li>
+</ul>
+
+<p>
+Note that the password used to load the keystore is in cleartext. One of the
+new features of Apache WSS4J 2.0.0 is the ability to instead store a (BASE-64
+encoded) encrypted version of the keystore password in the Crypto properties
+file. A new PasswordEncryptor interface is defined to allow for the
+encryption/decryption of passwords. A default implementation is now provided
+based on Jasypt called JasyptPasswordEncryptor, which uses
+&quot;PBEWithMD5AndTripleDES&quot;.
+</p>
+
+<p>
+The WSPasswordCallback class has an additional &quot;usage&quot; called
+WSPasswordCallback.PASSWORD_ENCRYPTOR_PASSWORD, which is used to return the
+master password for use with the PasswordEncryptor implementation. When WSS4J
+is loading a Crypto implementation via a properties file, and it encounters a
+password encrypted in the format &quot;ENC(encoded encrypted password)&quot;, it queries
+a CallbackHandler for a password via this WSPasswordCallback usage tag. It is
+possible to pass a custom PasswordEncryptor implementation to WSS4J via the
+new configuration tag ConfigurationConstants.PASSWORD_ENCRYPTOR_INSTANCE
+(&quot;passwordEncryptorInstance&quot;).
+</p>
+
+</div>
+
+
+<div class="section">
+<h3><a name="Miscellaneous_new_features"></a>Miscellaneous new features</h3>
+
+<p>
+Support was added in WSS4J 1.6.x to obtain a Kerberos ticket from a KDC (Key
+Distribution Center) and include it in the security header of a request, as 
+well as to process the received token. However, there was no built-in way to
+extract the secret key from the ticket to secure the request. Instead it was
+up to the user to plug in a custom &quot;KerberosTokenDecoder&quot; implementation to
+support this behaviour. In WSS4J 2.0.0, a default KerberosTokenDecoder
+implementation is provided, and so WSS4J now supports signing/encrypting using
+Kerberos tokens by default.
+</p>
+
+<p>
+A new &quot;CustomToken&quot; Action is defined in WSS4J 2.0.0. If this action is
+defined, a token (DOM Element) will be retrieved from a CallbackHandler via
+WSPasswordCallback.Usage.CUSTOM_TOKEN and written out as is in the security
+header. This provides for an easy way to write out tokens that have been
+retrieved out of band. Another related new feature is the ability to associate
+an action with a particular set of keys/algorithms. This means that it is now
+possible to configure two different Signature actions, that use different
+keys/algorithms.
+</p>
+
+<p>
+Support for enforcing the Basic Security Profile (BSP) 1.1 specification was
+added in WSS4J 1.6.x. In WSS4J 2.0.0, it is possible to disable individual
+BSP Rules for a non-compliant request, instead of having to disable BSP
+enforcement altogether as for WSS4J 1.6.x. The RequestData class has a
+setIgnoredBSPRules method, that takes a list of BSPRule Objects as an argument.
+The BSPRule class contains a complete list of Basic Security Profile rules
+that are enforced in WSS4J.
+</p>
+
+<p>
+WSS4J 2.0.0 now enforces the SubjectConfirmation requirements of an inbound
+SAML Token, instead of leaving it to the web services stack. For
+sender-vouches, a Signature must be present that covers both the SOAP Body and
+the SAML Assertion. For holder-of-key, a Signature must be present that signs
+some part of the SOAP request using the key information contained in the SAML
+Subject. Note that a Signature can be either a message or transport level
+Signature (i.e. using TLS is acceptable). A new configuration tag is defined
+that allows the user to switch off this validation if required
+(ConfigurationConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION  -
+&quot;validateSamlSubjectConfirmation&quot;).
+</p>
+
+</div>
+
+</div>            
+
+
+      </div>
+    </div>
+    <div class="clear">
+      <hr/>
+    </div>
+    <div id="footer">
+      <div class="xright">
+              Copyright &#169;                    2004&#x2013;2015
+                        <a href="http://www.apache.org/">The Apache Software Foundation</a>.
+            All rights reserved.      
+                    
+                  </div>
+      <div class="clear">
+        <hr/>
+      </div>
+    </div>
+  </body>
+</html>
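
Review bot: The body links href="streaming.html" and href="attachments.html" (in the StAX and attachments sections) are still relative to the page's old location. The page now lives under migration/, and the Added list of this commit shows only migration.html, newfeatures20.html, wss4j16.html, wss4j20.html and wss4j21.html in that directory, so both links will point at pages that are not there unless those pages move as well. The navigation links were rewritten with a ../ prefix and the body links need the same ("../streaming.html", "../attachments.html"). Two text fixes while here: "via the the SOAP with Attachments" has a doubled word, and "ConfigurationConstants. SAML_ONE_TIME_USE_CACHE_INSTANCE" has a stray space after the dot. In the Crypto properties section it would also help to state that the ENC(...) value is only as strong as the master password returned for PASSWORD_ENCRYPTOR_PASSWORD, since the default PBEWithMD5AndTripleDES is a legacy password-based scheme and the text already names PASSWORD_ENCRYPTOR_INSTANCE as the way to plug in a different implementation.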

Added: webservices/website/wss4j/migration/wss4j16.html
URL: http://svn.apache.org/viewvc/webservices/website/wss4j/migration/wss4j16.html?rev=1679548&view=auto
==============================================================================
--- webservices/website/wss4j/migration/wss4j16.html (added)
+++ webservices/website/wss4j/migration/wss4j16.html Fri May 15 11:49:09 2015
@@ -0,0 +1,309 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2015-05-15 -->
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+  <head>
+    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+    <title>Apache WSS4J &#x2013; </title>
+    <style type="text/css" media="all">
+      @import url("../css/maven-base.css");
+      @import url("../css/maven-theme.css");
+      @import url("../css/site.css");
+    </style>
+    <link rel="stylesheet" href="../css/print.css" type="text/css" media="print" />
+    <meta name="Date-Revision-yyyymmdd" content="20150515" />
+    <meta http-equiv="Content-Language" content="en" />
+        
+        </head>
+  <body class="composite">
+    <div id="banner">
+                                      <a href=".././" id="bannerLeft">
+                Apache WSS4J
+                </a>
+                              <a href="http://www.apache.org" id="bannerRight">
+                                        <img src="http://activemq.apache.org/images/asf-logo.png" alt="$alt" />
+                </a>
+            <div class="clear">
+        <hr/>
+      </div>
+    </div>
+    <div id="breadcrumbs">
+            
+                    
+                <div class="xleft">
+        <span id="publishDate">Last Published: 2015-05-15</span>
+                  &nbsp;| <span id="projectVersion">Version: 2.1.1-SNAPSHOT</span>
+                      </div>
+            <div class="xright">        
+                    
+      </div>
+      <div class="clear">
+        <hr/>
+      </div>
+    </div>
+    <div id="leftColumn">
+      <div id="navcolumn">
+             
+                    
+                                <h5>Apache WSS4J</h5>
+                  <ul>
+                  <li class="none">
+                          <a href="../index.html" title="Home">Home</a>
+            </li>
+                  <li class="none">
+                          <a href="../download.html" title="Download">Download</a>
+            </li>
+                  <li class="none">
+                          <a href="../user_guide.html" title="User Guide">User Guide</a>
+            </li>
+                  <li class="none">
+                          <a href="../security_advisories.html" title="Security Advisories">Security Advisories</a>
+            </li>
+          </ul>
+                       <h5>Project Documentation</h5>
+                  <ul>
+                                                                                                                          <li class="collapsed">
+                          <a href="../project-info.html" title="Project Information">Project Information</a>
+                  </li>
+                                                                                                                          <li class="collapsed">
+                          <a href="../project-reports.html" title="Project Reports">Project Reports</a>
+                  </li>
+          </ul>
+                             <a href="http://maven.apache.org/" title="Built by Maven" class="poweredBy">
+        <img class="poweredBy" alt="Built by Maven" src="../images/logos/maven-feather.png" />
+      </a>
+                   
+                    
+            </div>
+    </div>
+    <div id="bodyColumn">
+      <div id="contentBox">
+        
+
+<div class="section">
+<h2><a name="Apache_WSS4J_1.6.0_Migration_Guide"></a>Apache WSS4J 1.6.0 Migration Guide</h2>
+
+<p>
+This page describes the new features of WSS4J 1.6.0, and the things to be
+aware of when upgrading from WSS4J 1.5.x. Note that WSS4J 1.6.x has now been
+replaced by WSS4J 2.0.x, please see the WSS4J 2.0.0 <a href="wss4j20.html">migration guide</a> for more information.
+</p>
+
+<div class="section">
+<h3><a name="New_features"></a>New features</h3>
+
+<p>
+This section describes the main new features that have been implemented in
+WSS4J 1.6. For more information on the changes, please click on the links. You
+can also review the 
+<a class="externalLink" href="https://issues.apache.org/jira/browse/WSS/fixforversion/12313718">list of JIRAs</a>
+that have been fixed in WSS4J 1.6.
+</p>
+
+<ul>
+
+<li>
+<a class="externalLink" href="http://coheigea.blogspot.com/2011/03/wss4j-16-jsr-105-support.html">JSR-105 support</a>: 
+WSS4J 1.6 has been ported to use the JSR 105 API for XML Digital Signature.
+</li>
+
+<li>
+<a class="externalLink" href="http://coheigea.blogspot.com/2011/02/support-for-saml2-assertions-in-wss4j.html">
+SAML2 support</a>: WSS4J 1.6 includes full support for creating, manipulating and parsing SAML2 
+assertions, via the Opensaml2 library.
+</li>
+
+<li>
+Performance work: A general code-rewrite has been done with a focus on improving performance,
+e.g. the <a class="externalLink" href="http://coheigea.blogspot.com/2011/01/wss4j-16-actionprocessor-loading-change.html">
+changes</a> that have been made to processor loading.
+</li>
+
+<li>
+<a class="externalLink" href="http://coheigea.blogspot.com/2011/03/wss4j-16-basic-security-profile-11.html">
+Basic Security Profile 1.1 compliance</a>: WSS4J 1.6 provides support for the BSP 1.1 specification. 
+</li>
+
+<li>
+JDK 1.5 port: The JDK 1.4 requirement of WSS4J 1.5.x has been dropped as part of this work.
+</li>
+
+<li>
+<a class="externalLink" href="http://coheigea.blogspot.com/2011/01/wss4j-16-crypto-property-change.html">
+Support for Crypto trust-stores</a>: WSS4J 1.6 separates the concept of keystore and truststores for
+Crypto implementations.
+</li>
+
+<li>
+<a class="externalLink" href="http://coheigea.blogspot.com/2011/04/wss4j-16-introducing-validators.html">
+New Validator interface</a>: WSS4J 1.6 moves all validation of security tokens into a new Validator
+interface, which allows for custom validation of specific tokens.
+</li>
+
+<li>
+Support for the Kerberos Token Profile (in WSS4J 1.6.2 and 1.6.3).
+</li>
+</ul>
+</div>
+
+<div class="section">
+<h3><a name="Upgrade_notes"></a>Upgrade notes</h3>
+
+<p>
+This section describes the changes that have been made in WSS4J 1.6 that will impact on an existing
+user of WSS4J 1.5.x. Although WSS4J 1.6 is not 100% backwards compatible with 1.5.x, a general goal for 
+the release was to restrict the API changes to those that were strictly necessary.
+</p>
+
+<ul>
+
+<li>
+All Axis1 dependencies have been removed. Any user wishing to use WSS4J with Axis1 must use the 
+WSS4J 1.5.x library. As Axis1 has been replaced by Axis2, this is unlikely to be an issue.
+</li>
+
+<li>
+A number of changes have been made to the Crypto interface. See 
+<a class="externalLink" href="http://coheigea.blogspot.com/2011/01/wss4j-16-crypto-property-change.html">here</a>,
+<a class="externalLink" href="http://coheigea.blogspot.com/2011/02/wss4j-16-changes-to-crypto-interface.html">here</a>
+and <a class="externalLink" href="http://coheigea.blogspot.com/2011/02/wss4j-16-change-to-publickey-validation.html">here</a>
+for an indepth explanation. In a nutshell, these changes are:
+
+<ol style="list-style-type: decimal">
+
+<li>
+The BouncyCastle crypto implementation has been removed (replaced by Merlin)
+</li>
+
+<li>
+A new set of Merlin &quot;truststore&quot; configuration tags have been added. The behaviour of the old Merlin
+configuration tags will work exactly the same way in WSS4J 1.6.
+</li>
+
+<li>
+The CA certs are now <b>not</b> loaded by default.
+</li>
+
+<li>
+PublicKeys (from KeyValues) are now not handled by a PublicKeyCallback, but by the Crypto implementation
+directly.
+</li>
+</ol>
+</li>
+
+<li>
+If the WSEncryptionPart used to point to an element for signature or encryption does not either store
+the element directly, or store the wsu:Id, <b>all</b> DOM Elements that match the stored 
+localname/namespace will be processed. See the 
+<a class="externalLink" href="http://ws.apache.org/wss4j/topics.html#Specifying_elements_to_sign_or_encrypt">Special Topics page</a>
+for more information.
+</li>
+
+<li>
+WSS4J 1.5.x used Opensaml1 to provide extremely limited support for SAML 1 assertions. WSS4J 1.6 has
+been upgraded to Opensaml2, and provides far more comprehensive support for SAML. See
+<a class="externalLink" href="http://coheigea.blogspot.com/2011/02/support-for-saml2-assertions-in-wss4j.html">here</a> for
+more information on this. Some changes to be aware of are:
+
+<ol style="list-style-type: decimal">
+
+<li>
+The way of creating SAML assertions via a properties file has completely changed. For example, see a
+<a href="xref-test/org/apache/ws/security/saml/SamlTokenTest.html">SAML Token Test</a>.
+</li>
+
+<li>
+WSS4J 1.5.x ignored (enveloped) signatures on SAML (1.1) assertions - this is no longer the case, so 
+deployments which do not set the correct keystore/truststore config for dealing with signature 
+verification will fail.
+</li>
+
+<li>
+The SAMLTokenProcessor no longer saves all tokens as an &quot;WSConstants.ST_UNSIGNED&quot; action. It saves 
+tokens that do not have an enveloped signature as this action, and token which <b>do</b> have an enveloped 
+signature are saved as a &quot;WSConstants.ST_SIGNED&quot; action.
+</li>
+
+<li>
+The object that is saved as part of the action above has changed, from an Opensaml1 specific Assertion 
+object, to an AssertionWrapper instance, which is a WSS4J specific object which encapsulates an 
+Assertion, as well as some information corresponding to signature verification, etc.
+</li>
+</ol>
+</li>
+
+<li>
+The way that UsernameTokens are processed has been changed. See
+<a class="externalLink" href="http://coheigea.blogspot.com/2011/02/usernametoken-processing-changes-in.html">here</a> for
+more information. Some important changes are:
+
+<ol style="list-style-type: decimal">
+
+<li>
+The plaintext password case has exactly the same behaviour as the digest case. The identifier is now 
+WSPasswordCallback.USERNAME_TOKEN and not WSPasswordCallback.USERNAME_TOKEN_UNKNOWN, and the 
+CallbackHandler does not do any authentication, but must set the password on the callback.
+</li>
+
+<li>
+The custom password type case defaults to the same behaviour as the plaintext case, assuming 
+wssConfig.getHandleCustomPasswordTypes() returns true.
+</li>
+
+<li>
+For the case of a username token with no password element, the default behaviour is simply to ignore it,
+and to store it as a new result of type WSConstants.UT_NOPASSWORD.
+</li>
+</ol>
+</li>
+
+<li>
+Some changes have been made to the WSPasswordCallback identifiers, used to obtain passwords for various
+actions. For more information see
+<a class="externalLink" href="http://coheigea.blogspot.com/2011/02/wspasswordcallback-changes-in-wss4j-16.html">here</a>. In
+a nutshell, these changes consist of:
+
+<ol style="list-style-type: decimal">
+
+<li>
+The WSPasswordCallback KEY_NAME, USERNAME_TOKEN_UNKNOWN and WSPasswordCallback.ENCRYPTED_KEY_TOKEN 
+identifiers have been removed.
+</li>
+
+<li>
+CUSTOM_TOKEN is not longer used in the processors to get a secret key.
+</li>
+
+<li>
+SECRET_KEY is a new identifier for finding secret keys. It replaces the occasionally incorrect use of 
+CUSTOM_TOKEN, as well as KEY_NAME and ENCRYPTED_KEY_TOKEN. 
+</li>
+</ol>
+</li>
+
+<li>
+Timestamp validation and signature trust verification is not done by the WSHandler implementation
+any more, but is performed when the security header is processed.
+</li>
+</ul>
+</div>
+</div>            
+
+
+      </div>
+    </div>
+    <div class="clear">
+      <hr/>
+    </div>
+    <div id="footer">
+      <div class="xright">
+              Copyright &#169;                    2004&#x2013;2015
+                        <a href="http://www.apache.org/">The Apache Software Foundation</a>.
+            All rights reserved.      
+                    
+                  </div>
+      <div class="clear">
+        <hr/>
+      </div>
+    </div>
+  </body>
+</html>
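Review bot: In the UsernameToken list, the plaintext-password bullet says the CallbackHandler "does not do any authentication, but must set the password on the callback" without saying which component now performs the comparison. The switch from USERNAME_TOKEN_UNKNOWN to USERNAME_TOKEN implies that existing handlers need different logic, so add a sentence stating where the password is validated after this change instead of leaving that to the linked blog post. Three wording fixes in the same region: "CUSTOM_TOKEN is not longer used" should read "no longer used"; the first WSPasswordCallback bullet qualifies only ENCRYPTED_KEY_TOKEN with "WSPasswordCallback." while KEY_NAME and USERNAME_TOKEN_UNKNOWN are bare, so pick one form; and "Timestamp validation and signature trust verification is not done" should be "are not done". Both external links use "here" as link text; a descriptive label would survive better in the plain-text rendering.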

Added: webservices/website/wss4j/migration/wss4j20.html
URL: http://svn.apache.org/viewvc/webservices/website/wss4j/migration/wss4j20.html?rev=1679548&view=auto
==============================================================================
--- webservices/website/wss4j/migration/wss4j20.html (added)
+++ webservices/website/wss4j/migration/wss4j20.html Fri May 15 11:49:09 2015
@@ -0,0 +1,773 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2015-05-15 -->
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+  <head>
+    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+    <title>Apache WSS4J &#x2013; </title>
+    <style type="text/css" media="all">
+      @import url("../css/maven-base.css");
+      @import url("../css/maven-theme.css");
+      @import url("../css/site.css");
+    </style>
+    <link rel="stylesheet" href="../css/print.css" type="text/css" media="print" />
+    <meta name="Date-Revision-yyyymmdd" content="20150515" />
+    <meta http-equiv="Content-Language" content="en" />
+        
+        </head>
+  <body class="composite">
+    <div id="banner">
+                                      <a href=".././" id="bannerLeft">
+                Apache WSS4J
+                </a>
+                              <a href="http://www.apache.org" id="bannerRight">
+                                        <img src="http://activemq.apache.org/images/asf-logo.png" alt="$alt" />
+                </a>
+            <div class="clear">
+        <hr/>
+      </div>
+    </div>
+    <div id="breadcrumbs">
+            
+                    
+                <div class="xleft">
+        <span id="publishDate">Last Published: 2015-05-15</span>
+                  &nbsp;| <span id="projectVersion">Version: 2.1.1-SNAPSHOT</span>
+                      </div>
+            <div class="xright">        
+                    
+      </div>
+      <div class="clear">
+        <hr/>
+      </div>
+    </div>
+    <div id="leftColumn">
+      <div id="navcolumn">
+             
+                    
+                                <h5>Apache WSS4J</h5>
+                  <ul>
+                  <li class="none">
+                          <a href="../index.html" title="Home">Home</a>
+            </li>
+                  <li class="none">
+                          <a href="../download.html" title="Download">Download</a>
+            </li>
+                  <li class="none">
+                          <a href="../user_guide.html" title="User Guide">User Guide</a>
+            </li>
+                  <li class="none">
+                          <a href="../security_advisories.html" title="Security Advisories">Security Advisories</a>
+            </li>
+          </ul>
+                       <h5>Project Documentation</h5>
+                  <ul>
+                                                                                                                          <li class="collapsed">
+                          <a href="../project-info.html" title="Project Information">Project Information</a>
+                  </li>
+                                                                                                                          <li class="collapsed">
+                          <a href="../project-reports.html" title="Project Reports">Project Reports</a>
+                  </li>
+          </ul>
+                             <a href="http://maven.apache.org/" title="Built by Maven" class="poweredBy">
+        <img class="poweredBy" alt="Built by Maven" src="../images/logos/maven-feather.png" />
+      </a>
+                   
+                    
+            </div>
+    </div>
+    <div id="bodyColumn">
+      <div id="contentBox">
+        
+
+<div class="section">
+<h2><a name="Apache_WSS4J_2.0.0_Migration_Guide"></a>Apache WSS4J 2.0.0 Migration Guide</h2>
+
+<p>
+This page is a migration guide for helping Apache WSS4J 1.6.x users to migrate
+to the 2.0.x releases. Also see the <a href="newfeatures20.html">new
+features</a> page for more information about the new functionality available in
+WSS4J 2.0.x.
+</p>
+
+<div class="section">
+<h3><a name="Migrating_to_using_the_streaming_StAX_code"></a>Migrating to using the streaming (StAX) code</h3>
+
+<p>
+WSS4J 2.0.0 introduces a streaming (StAX-based) WS-Security implementation to
+complement the existing DOM-based implementation. The DOM-based implementation
+is quite performant and flexible, but having to read the entire request into
+memory carries performance penalties. The StAX-based code offers largely the
+same functionality as that available as part of the DOM code, and is
+configured in mostly the same way (via configuration tags that are shared
+between both stacks). 
+</p>
+
+<p>
+As of the time of writing, Apache CXF is the only web services stack to 
+integrate the new WS-Security streaming functionality. To switch to use the
+streaming code for the manual &quot;Action&quot; based approach, simply change the
+outbound and inbound interceptors as follows:
+</p>
+
+<ul>
+
+<li>&quot;org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor&quot; to
+&quot;org.apache.cxf.ws.security.wss4j.WSS4JStaxOutInterceptor&quot;.</li>
+
+<li>&quot;org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor&quot; to
+&quot;org.apache.cxf.ws.security.wss4j.WSS4JStaxInInterceptor&quot;.</li>
+</ul>
+
+<p>
+For the WS-SecurityPolicy based approach of configuring WS-Security, simply
+set the JAX-WS property SecurityConstants.ENABLE_STREAMING_SECURITY
+(&quot;ws-security.enable.streaming&quot;) to &quot;true&quot;.
+</p>
+
+<p>
+For more information on the streaming functionality available in WSS4J 2.0.0, 
+please see the <a href="streaming.html">streaming documentation</a> page.
+</p>
+</div>
+
+
+<div class="section">
+<h3><a name="CryptoCallbackHandler_changes"></a>Crypto/CallbackHandler changes</h3>
+
+<p>
+Typically, a user configures Signature and Encryption keys via a Crypto
+properties file. In WSS4J 1.6.x, the property names all start with 
+&quot;org.apache.ws.security.crypto.*&quot;. In WSS4J 2.0.0, the new prefix is 
+&quot;org.apache.wss4j.crypto.*&quot;. However, WSS4J 2.0.0 will accept the older
+prefix value. No other changes are necessary for migrating Crypto properties.
+</p>
+
+<p>
+In WSS4J 1.6.x, it was only possible to specify a Crypto implementation for
+both Signature Creation + Verification. In WSS4J 2.0.0, there is now a
+separate Signature Verification Crypto instance, that can be configured via
+the following configuration tags:
+</p>
+
+<ul>
+
+<li>signatureVerificationPropFile - The path of the crypto property file to
+use for Signature verification.</li>
+
+<li>signatureVerificationPropRefId - The key that holds a reference to the
+object holding complete information about the signature verification Crypto
+implementation.</li>
+</ul>
+
+<p>
+In WSS4J, you need to define a CallbackHandler to supply a password to a
+WSPasswordCallback Object when dealing with UsernameTokens, or to unlock
+private keys for Signature creation, etc. In WSS4J 2.0.0, the functionality is
+exactly the same, except that the package of the WSPasswordCallback Object has
+changed from &quot;org.apache.ws.security&quot; to &quot;org.apache.wss4j.common.ext&quot;. Any
+CallbackHandler implementation will need to be updated to use the new package.
+</p>
+</div>
+
+<div class="section">
+<h3><a name="SAML_Assertion_changes"></a>SAML Assertion changes</h3>
+
+<p>
+A CallbackHandler implementation is required to create a SAML Assertion, by
+populating various beans. Similar to the WSPasswordCallback package change,
+there are also some package changes for SAML. The base package for the
+SAMLCallback class, and of the various &quot;bean&quot; classes, has changed from
+&quot;org.apache.ws.security.saml.ext&quot; to &quot;org.apache.wss4j.common.saml&quot;. 
+</p>
+
+<p>
+Apache WSS4J 1.6.x uses the SAMLIssuer interface to configure the creation and
+signing of a SAML Assertion. In Apache WSS4J 2.0.0, the SAMLIssuer
+functionality has been moved to the SAMLCallback, so that the CallbackHandler
+used to create a SAML Assertion is responsible for all of the signing
+configuration as well. Therefore, the properties file that is used in
+WSS4J 1.6.x to sign a SAML Assertion is no longer used in WSS4J 2.0.0, and
+the &quot;samlPropFile&quot; and &quot;samlPropRefId&quot; configuration tags have been removed. 
+</p>
+
+<p>
+The SAMLCallback Object contains the additional properties in WSS4J 2.0.0 that
+can be set to sign the Assertion:
+</p>
+
+<ul>
+
+<li>boolean signAssertion - Whether to sign the assertion or not (default
+&quot;false&quot;).</li>
+
+<li>String issuerKeyName - The keystore alias for signature</li>
+
+<li>String issuerKeyPassword - The keystore password for the alias</li>
+
+<li>Crypto issuerCrypto - The Crypto instance used for signature</li>
+
+<li>boolean sendKeyValue - Whether to send the keyvalue or the X509Certificate
+(default &quot;false&quot;).</li>
+
+<li>String canonicalizationAlgorithm - The C14n algorithm to use for signature.
+</li>
+
+<li>String signatureAlgorithm - The Signature algorithm.</li>
+</ul>
+</div>
+
+<div class="section">
+<h3><a name="Configuration_tag_changes"></a>Configuration tag changes</h3>
+
+<p>
+In WSS4J 1.6.x, configuration tags were configured in the WSHandlerConstants
+class. In WSS4J 2.0.0, both the DOM and StAX-based code largely share the 
+same configuration options, and so the configuration tags are defined in
+<a class="externalLink" href="http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/ConfigurationConstants.java?view=markup">ConfigurationConstants</a>. Note that the WSS4J 1.6.x configuration class
+(WSHandlerConstants) extends this class in WSS4J 2.0.0, so there is no need to
+change any configuration code when upgrading.
+</p>
+
+<p>
+The configuration tags that have been removed and added are detailed below. 
+The non-standard key derivation and UsernameToken Signature functionality that
+was optional in WSS4J 1.6.x has been removed. Some new actions are added for
+the streaming code, as well as some options surrounding caching. An important
+migration point is that there is now a separate configuration tag used for
+verifying signatures. In WSS4J 1.6.x, there was only one tag used for both
+signature creation and verification.
+</p>
+
+</div>
+<div class="section">
+<h3><a name="Removed_Configuration_tags_in_WSS4J_2.0.0"></a>
+<p>Removed Configuration tags in WSS4J 2.0.0</p></h3>
+
+<p>
+This section details the Configuration tags that are no longer present in
+WSS4J 2.0.0.
+</p>
+
+<table border="0" class="bodyTable">
+
+<tr class="a">
+
+<th>Tag name</th>
+
+<th>Tag value</th>
+
+<th>Tag meaning</th>
+</tr>
+
+<tr class="b">
+
+<td>SIGN_WITH_UT_KEY</td>
+
+<td>UsernameTokenSignature</td>
+
+<td>Perform a .NET specific signature using a Username Token action. Removed
+as it was not standard compliant.</td>
+</tr>
+
+<tr class="a">
+
+<td>PASSWORD_TYPE_STRICT</td>
+
+<td>passwordTypeStrict</td>
+
+<td>Whether to enable strict Username Token password type handling. In WSS4J
+2.0.0 this functionality can be enabled by just setting the required
+PASSWORD_TYPE.</td>
+</tr>
+
+<tr class="b">
+
+<td>USE_DERIVED_KEY</td>
+
+<td>useDerivedKey</td>
+
+<td>Whether to use the standard UsernameToken Key Derivation algorithm. Removed
+as only the standard algorithm is used in WSS4J 2.0.0.</td>
+</tr>
+
+<tr class="a">
+
+<td>ENC_KEY_NAME</td>
+
+<td>embeddedKeyName</td>
+
+<td>The text of the key name to be sent in the KeyInfo for encryption. Embedded
+KeyNames are not supported in WSS4J 2.0.0.</td>
+</tr>
+
+<tr class="b">
+
+<td>ADD_UT_ELEMENTS</td>
+
+<td>addUTElements</td>
+
+<td>Additional elements to add to a Username Token, i.e. &quot;nonce&quot; and &quot;created&quot;.
+See the ADD_USERNAMETOKEN_NONCE and ADD_USERNAMETOKEN_CREATED properties below.
+</td>
+</tr>
+
+<tr class="a">
+
+<td>WSE_SECRET_KEY_LENGTH</td>
+
+<td>wseSecretKeyLength</td>
+
+<td>The length of the secret (derived) key to use for the WSE UT_SIGN
+functionality. Removed as it is not standard compliant.</td>
+</tr>
+
+<tr class="b">
+
+<td>ENC_CALLBACK_CLASS</td>
+
+<td>embeddedKeyCallbackClass</td>
+
+<td>The CallbackHandler implementation class used to get the key associated
+with a key name. KeyName is not supported in WSS4J 2.0.0.</td>
+</tr>
+
+<tr class="a">
+
+<td>ENC_CALLBACK_REF</td>
+
+<td>embeddedKeyCallbackRef</td>
+
+<td>The CallbackHandler implementation object used to get the key associated
+with a key name. KeyName is not supported in WSS4J 2.0.0.</td>
+</tr>
+
+</table>
+
+</div>
+<div class="section">
+<h3><a name="New_Configuration_tags_in_WSS4J_2.0.0"></a>
+<p>New Configuration tags in WSS4J 2.0.0</p></h3>
+
+<p>
+This section details the new Configuration tags in WSS4J 2.0.0.
+</p>
+
+<table border="0" class="bodyTable">
+
+<tr class="a">
+
+<th>Tag name</th>
+
+<th>Tag value</th>
+
+<th>Tag meaning</th>
+</tr>
+
+<tr class="b">
+
+<td>USERNAME_TOKEN_SIGNATURE</td>
+
+<td>UsernameTokenSignature</td>
+
+<td>Perform a UsernameTokenSignature action.</td>
+</tr>
+
+<tr class="a">
+
+<td>SIGNATURE_DERIVED</td>
+
+<td>SignatureDerived</td>
+
+<td>Perform a Signature action with derived keys.</td>
+</tr>
+
+<tr class="b">
+
+<td>ENCRYPT_DERIVED</td>
+
+<td>EncryptDerived</td>
+
+<td>Perform a Encryption action with derived keys.</td>
+</tr>
+
+<tr class="a">
+
+<td>SIGNATURE_WITH_KERBEROS_TOKEN</td>
+
+<td>SignatureWithKerberosToken</td>
+
+<td>Perform a Signature action with a kerberos token. Only for StAX code.</td>
+</tr>
+
+<tr class="b">
+
+<td>ENCRYPT_WITH_KERBEROS_TOKEN</td>
+
+<td>EncryptWithKerberosToken</td>
+
+<td>Perform a Encryption action with a kerberos token. Only for StAX code.</td>
+</tr>
+
+<tr class="a">
+
+<td>KERBEROS_TOKEN</td>
+
+<td>KerberosToken</td>
+
+<td>Add a kerberos token.</td>
+</tr>
+
+<tr class="b">
+
+<td>CUSTOM_TOKEN</td>
+
+<td>CustomToken</td>
+
+<td>Add a &quot;Custom&quot; token from a CallbackHandler</td>
+</tr>
+
+<tr class="a">
+
+<td>SIG_VER_PROP_FILE</td>
+
+<td>signatureVerificationPropFile</td>
+
+<td>The path of the crypto property file to use for Signature verification.</td>
+</tr>
+
+<tr class="b">
+
+<td>SIG_VER_PROP_REF_ID</td>
+
+<td>signatureVerificationPropRefId</td>
+
+<td>The String ID that is used to store a reference to the Crypto object or
+the Crypto Properties object for Signature verification.
+</td>
+</tr>
+
+<tr class="a">
+
+<td>ALLOW_RSA15_KEY_TRANSPORT_ALGORITHM</td>
+
+<td>allowRSA15KeyTransportAlgorithm</td>
+
+<td>Whether to allow the RSA v1.5 Key Transport Algorithm or not. Default is
+&quot;false&quot;.</td>
+</tr>
+
+<tr class="b">
+
+<td>ADD_INCLUSIVE_PREFIXES</td>
+
+<td>addInclusivePrefixes</td>
+
+<td> Whether to add an InclusiveNamespaces PrefixList as a
+CanonicalizationMethod child when generating Signatures using
+WSConstants.C14N_EXCL_OMIT_COMMENTS. Default is &quot;true&quot;.</td>
+</tr>
+
+<tr class="a">
+
+<td>ADD_USERNAMETOKEN_NONCE</td>
+
+<td>addUsernameTokenNonce</td>
+
+<td>Whether to add a Nonce Element to a UsernameToken (for plaintext). Default
+is &quot;false&quot;</td>
+</tr>
+
+<tr class="b">
+
+<td>ADD_USERNAMETOKEN_CREATED</td>
+
+<td>addUsernameTokenCreated</td>
+
+<td>Whether to add a Created Element to a UsernameToken (for plaintext).
+Default is &quot;false&quot;</td>
+</tr>
+
+<tr class="a">
+
+<td>ALLOW_USERNAMETOKEN_NOPASSWORD</td>
+
+<td>allowUsernameTokenNoPassword</td>
+
+<td>Whether a UsernameToken with no password element is allowed. Default is
+&quot;false&quot;.</td>
+</tr>
+
+<tr class="b">
+
+<td>VALIDATE_SAML_SUBJECT_CONFIRMATION</td>
+
+<td>validateSamlSubjectConfirmation</td>
+
+<td>Whether to validate the SubjectConfirmation requirements of a received
+SAML Token (sender-vouches or holder-of-key). Default is &quot;true&quot;.</td>
+</tr>
+
+<tr class="a">
+
+<td>INCLUDE_SIGNATURE_TOKEN</td>
+
+<td>includeSignatureToken</td>
+
+<td>Whether to include the Signature Token in the security header as well or
+not (for IssuerSerial + Thumbprint cases). Default is &quot;false&quot;</td>
+</tr>
+
+<tr class="b">
+
+<td>INCLUDE_ENCRYPTION_TOKEN</td>
+
+<td>includeEncryptionToken</td>
+
+<td>Whether to include the Encryption Token in the security header as well or
+not (for IssuerSerial, Thumbprint, SKI cases). Default is &quot;false&quot;</td>
+</tr>
+
+<tr class="a">
+
+<td>ENABLE_NONCE_CACHE</td>
+
+<td>enableNonceCache</td>
+
+<td>Whether to cache UsernameToken nonces. Default is &quot;true&quot;</td>
+</tr>
+
+<tr class="b">
+
+<td>ENABLE_TIMESTAMP_CACHE</td>
+
+<td>enableTimestampCache</td>
+
+<td>Whether to cache Timestamp Created Strings (these are only cached in
+conjunction with a message Signature). Default is &quot;true&quot;</td>
+</tr>
+
+<tr class="a">
+
+<td>ENABLE_SAML_ONE_TIME_USE_CACHE</td>
+
+<td>enableSamlOneTimeUseCache</td>
+
+<td>Whether to cache SAML2 Token Identifiers, if the token contains a
+&quot;OneTimeUse&quot; Condition. Default is &quot;true&quot;. </td>
+</tr>
+
+<tr class="b">
+
+<td>USE_2005_12_NAMESPACE</td>
+
+<td>use200512Namespace</td>
+
+<td>Whether to use the 2005/12 namespace for SecureConveration + DerivedKeys,
+or the older namespace. The default is &quot;true&quot;</td>
+</tr>
+
+<tr class="a">
+
+<td>OPTIONAL_SIGNATURE_PARTS</td>
+
+<td>optionalSignatureParts</td>
+
+<td>Parameter to define which parts of the request shall be signed, if they
+exist in the request.</td>
+</tr>
+
+<tr class="b">
+
+<td>OPTIONAL_ENCRYPTION_PARTS</td>
+
+<td>optionalEncryptionParts</td>
+
+<td>Parameter to define which parts of the request shall be encrypted, if they
+exist in the request.</td>
+</tr>
+
+<tr class="a">
+
+<td>ENC_MGF_ALGO</td>
+
+<td>encryptionMGFAlgorithm</td>
+
+<td>Defines which encryption mgf algorithm to use with the RSA OAEP Key
+Transport algorithm for encryption. The default is mgfsha1.</td>
+</tr>
+
+<tr class="b">
+
+<td>VALIDATOR_MAP</td>
+
+<td>validatorMap</td>
+
+<td>A map of QName, Object (Validator) instances to be used to validate
+tokens identified by their QName.</td>
+</tr>
+
+<tr class="a">
+
+<td>NONCE_CACHE_INSTANCE</td>
+
+<td>nonceCacheInstance</td>
+
+<td>A ReplayCache instance used to cache UsernameToken nonces. The default
+instance that is used is the EHCacheReplayCache.</td>
+</tr>
+
+<tr class="b">
+
+<td>TIMESTAMP_CACHE_INSTANCE</td>
+
+<td>timestampCacheInstance</td>
+
+<td>A ReplayCache instance used to cache Timestamp Created Strings. The default
+instance that is used is the EHCacheReplayCache.</td>
+</tr>
+
+<tr class="a">
+
+<td>SAML_ONE_TIME_USE_CACHE_INSTANCE</td>
+
+<td>samlOneTimeUseCacheInstance</td>
+
+<td>A ReplayCache instance used to cache SAML2 Token Identifier Strings (if
+the token contains a OneTimeUse Condition). The default instance that is used
+is the EHCacheReplayCache.</td>
+</tr>
+
+<tr class="b">
+
+<td>PASSWORD_ENCRYPTOR_INSTANCE</td>
+
+<td>passwordEncryptorInstance</td>
+
+<td>A PasswordEncryptor instance used to decrypt encrypted passwords in Crypto
+properties files. The default is the JasyptPasswordEncryptor.</td>
+</tr>
+
+<tr class="a">
+
+<td>DERIVED_TOKEN_REFERENCE</td>
+
+<td>derivedTokenReference</td>
+
+<td>This controls how deriving tokens are referenced.</td>
+</tr>
+
+<tr class="b">
+
+<td>DERIVED_TOKEN_KEY_ID</td>
+
+<td>derivedTokenKeyIdentifier</td>
+
+<td>This controls the key identifier of Derived Tokens.</td>
+</tr>
+
+<tr class="a">
+
+<td>DERIVED_SIGNATURE_KEY_LENGTH</td>
+
+<td>derivedSignatureKeyLength</td>
+
+<td>The length to use (in bytes) when deriving a key for Signature.</td>
+</tr>
+
+<tr class="b">
+
+<td>DERIVED_ENCRYPTION_KEY_LENGTH</td>
+
+<td>derivedEncryptionKeyLength</td>
+
+<td>The length to use (in bytes) when deriving a key for Encryption.</td>
+</tr>
+</table>
+</div>
+
+
+<div class="section">
+<h3><a name="Derived_Key_and_Secure_Conversation_namespace_change"></a>Derived Key and Secure Conversation namespace change</h3>
+
+<p>
+In WSS4J 1.6.x, the default namespace used for Derived Key and Secure
+Conversation was the older &quot;http://schemas.xmlsoap.org/ws/2005/02/sc&quot;
+namespace. In WSS4J 2.0.0, the default namespace is now
+&quot;http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512&quot;. To switch
+back to use the older namespace, you can set the new configuration property
+&quot;USE_2005_12_NAMESPACE&quot; to &quot;false&quot;.
+</p>
+</div>
+
+
+<div class="section">
+<h3><a name="Caching_changes"></a>Caching changes</h3>
+
+<p>
+WSS4J 2.0.0 uses three EhCache-based caches by default for the following
+scenarios, to prevent replay attacks:
+</p>
+
+<ul>
+
+<li>UsernameToken nonces</li>
+
+<li>Signed Timestamps</li>
+
+<li>SAML 2.0 OneTimeUse Assertions</li>
+</ul>
+
+<p>
+If you are seeing a error about &quot;replay attacks&quot; after upgrade, then you may
+need to disable a particular cache.
+</p>
+</div>
+
+
+<div class="section">
+<h3><a name="RSA_v1.5_Key_Transport_algorithm_not_allowed_by_default"></a>RSA v1.5 Key Transport algorithm not allowed by default</h3>
+
+<p>
+WSS4J supports two key transport algorithms, RSA v1.5 and RSA-OAEP. A number
+of attacks exist on RSA v1.5. Therefore, you should always use RSA-OAEP as the
+key transport algorithm. In WSS4J 2.0.0, the RSA v1.5 Key Transport algorithm
+is not allowed by default (as opposed to previous versions of WSS4J, where it
+is allowed). If you wish to allow it, then you must set the
+WSHandlerConstants.ALLOW_RSA15_KEY_TRANSPORT_ALGORITHM property to &quot;true&quot;.
+</p>
+</div>
+
+
+<div class="section">
+<h3><a name="InclusiveNamespaces_PrefixList_change"></a>InclusiveNamespaces PrefixList change</h3>
+
+<p>
+In WSS4J 1.6.x, when BSP Compliance was switched off on the outbound side, it
+had the effect that an InclusiveNamespaces PrefixList was not generated as a
+CanonicalizationMethod child of a Signature Element (as required by the BSP
+specification). In WSS4J 2.0.0, this is now controlled by a separate
+configuration tag &quot;addInclusivePrefixes&quot;, which defaults to true.
+</p>
+</div>
+
+</div>            
+
+
+      </div>
+    </div>
+    <div class="clear">
+      <hr/>
+    </div>
+    <div id="footer">
+      <div class="xright">
+              Copyright &#169;                    2004&#x2013;2015
+                        <a href="http://www.apache.org/">The Apache Software Foundation</a>.
+            All rights reserved.      
+                    
+                  </div>
+      <div class="clear">
+        <hr/>
+      </div>
+    </div>
+  </body>
+</html>
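Review bot: The "Caching changes" section tells readers who hit a "replay attacks" error after upgrading that they "may need to disable a particular cache", but it names no switch and does not say what is lost. The new-tags table in this same file already lists enableNonceCache, enableTimestampCache and enableSamlOneTimeUseCache (each defaulting to "true"); reference them from this section and state that turning one off removes the replay check for that token type. Related documentation gap: the removed-tags table drops SIGN_WITH_UT_KEY with value "UsernameTokenSignature" as not standard compliant, while the new-tags table adds USERNAME_TOKEN_SIGNATURE with the same value and only "Perform a UsernameTokenSignature action." as its meaning, so a reader cannot tell how the new action differs. Markup: both table sections wrap the heading text in a p element inside h3 ("<h3><a name=...></a> <p>Removed Configuration tags in WSS4J 2.0.0</p></h3>"), which is not valid under the XHTML 1.0 Transitional DOCTYPE declared at the top; the title element is empty after the dash; and the banner image carries an unresolved alt="$alt". The "streaming.html" link is relative to migration/, whereas the navigation links use "../"; unless a copy exists under migration/, it should probably be "../streaming.html". The RSA v1.5 section cites WSHandlerConstants.ALLOW_RSA15_KEY_TRANSPORT_ALGORITHM although the page says tags are now defined in ConfigurationConstants; use the latter for consistency. Typos: "Perform a Encryption action" (twice), "SecureConveration", "a error".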

Added: webservices/website/wss4j/migration/wss4j21.html
URL: http://svn.apache.org/viewvc/webservices/website/wss4j/migration/wss4j21.html?rev=1679548&view=auto
==============================================================================
--- webservices/website/wss4j/migration/wss4j21.html (added)
+++ webservices/website/wss4j/migration/wss4j21.html Fri May 15 11:49:09 2015
@@ -0,0 +1,153 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2015-05-15 -->
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+  <head>
+    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+    <title>Apache WSS4J &#x2013; </title>
+    <style type="text/css" media="all">
+      @import url("../css/maven-base.css");
+      @import url("../css/maven-theme.css");
+      @import url("../css/site.css");
+    </style>
+    <link rel="stylesheet" href="../css/print.css" type="text/css" media="print" />
+    <meta name="Date-Revision-yyyymmdd" content="20150515" />
+    <meta http-equiv="Content-Language" content="en" />
+        
+        </head>
+  <body class="composite">
+    <div id="banner">
+                                      <a href=".././" id="bannerLeft">
+                Apache WSS4J
+                </a>
+                              <a href="http://www.apache.org" id="bannerRight">
+                                        <img src="http://activemq.apache.org/images/asf-logo.png" alt="$alt" />
+                </a>
+            <div class="clear">
+        <hr/>
+      </div>
+    </div>
+    <div id="breadcrumbs">
+            
+                    
+                <div class="xleft">
+        <span id="publishDate">Last Published: 2015-05-15</span>
+                  &nbsp;| <span id="projectVersion">Version: 2.1.1-SNAPSHOT</span>
+                      </div>
+            <div class="xright">        
+                    
+      </div>
+      <div class="clear">
+        <hr/>
+      </div>
+    </div>
+    <div id="leftColumn">
+      <div id="navcolumn">
+             
+                    
+                                <h5>Apache WSS4J</h5>
+                  <ul>
+                  <li class="none">
+                          <a href="../index.html" title="Home">Home</a>
+            </li>
+                  <li class="none">
+                          <a href="../download.html" title="Download">Download</a>
+            </li>
+                  <li class="none">
+                          <a href="../user_guide.html" title="User Guide">User Guide</a>
+            </li>
+                  <li class="none">
+                          <a href="../security_advisories.html" title="Security Advisories">Security Advisories</a>
+            </li>
+          </ul>
+                       <h5>Project Documentation</h5>
+                  <ul>
+                                                                                                                          <li class="collapsed">
+                          <a href="../project-info.html" title="Project Information">Project Information</a>
+                  </li>
+                                                                                                                          <li class="collapsed">
+                          <a href="../project-reports.html" title="Project Reports">Project Reports</a>
+                  </li>
+          </ul>
+                             <a href="http://maven.apache.org/" title="Built by Maven" class="poweredBy">
+        <img class="poweredBy" alt="Built by Maven" src="../images/logos/maven-feather.png" />
+      </a>
+                   
+                    
+            </div>
+    </div>
+    <div id="bodyColumn">
+      <div id="contentBox">
+        
+
+<div class="section">
+<h2><a name="Apache_WSS4J_2.1.0_Migration_Guide"></a>Apache WSS4J 2.1.0 Migration Guide</h2>
+
+<p>
+This page is a migration guide for helping Apache WSS4J 2.0.x users to migrate
+to the 2.1.x releases. 
+</p>
+
+
+<div class="section">
+<h3><a name="JDK7_minimum_requirement"></a>JDK7 minimum requirement</h3>
+
+<p>
+WSS4J 2.0.x required JDK6 as a minimum requirement. WSS4J 2.1.x requires at
+least JDK7. The Xerces and xml-api dependencies have been removed from the DOM
+code, as they are no longer required due to the JDK7 minimum requirement.
+</p>
+</div>
+
+
+<div class="section">
+<h3><a name="OpenSAML_3.x_migration"></a>OpenSAML 3.x migration</h3>
+
+<p>
+A key dependency change in WSS4J 2.1.0 is the upgrade from OpenSAML 2.x to
+3.x (currently 3.1.0). OpenSAML 3.x contains a large number of package
+changes. Therefore if you have any OpenSAML dependencies in a CallbackHandler
+used to create SAML Assertions in WSS4J, code changes will be required.
+</p>
+
+<p>
+The most common OpenSAML dependency is to include a &quot;SAMLVersion&quot; to tell
+the SAMLCallback whether to create a SAML 2.0 or 1.1 Assertion. WSS4J 2.1
+provides an alternative way of specifying the SAML Version, via a <a class="externalLink" href="https://svn.apache.org/repos/asf/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/saml/bean/Version.java">Version</a> bean. See
+<a class="externalLink" href="https://svn.apache.org/repos/asf/webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/common/SAML2CallbackHandler.java">here</a> for an example.
+</p>
+</div>
+
+
+<div class="section">
+<h3><a name="Custom_processor_changes"></a>Custom processor changes</h3>
+
+<p>
+If you have a custom Processor instance to process a token in the security
+header in some custom way, you must add the WSSecurityEngineResult that is
+generated by the processing, to the WSDocInfo Object via the &quot;addResult&quot;
+method. Otherwise, it will not be available when security results are
+retrieved and processed.
+</p>
+</div>
+
+</div>
+
+
+      </div>
+    </div>
+    <div class="clear">
+      <hr/>
+    </div>
+    <div id="footer">
+      <div class="xright">
+              Copyright &#169;                    2004&#x2013;2015
+                        <a href="http://www.apache.org/">The Apache Software Foundation</a>.
+            All rights reserved.      
+                    
+                  </div>
+      <div class="clear">
+        <hr/>
+      </div>
+    </div>
+  </body>
+</html>
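Review bot: The "Custom processor changes" section says a custom Processor "must add the WSSecurityEngineResult ... to the WSDocInfo Object via the "addResult" method" but gives neither a snippet nor a link, unlike the OpenSAML section directly above it, which links to SAML2CallbackHandler as an example. Since the stated consequence is that the result "will not be available when security results are retrieved and processed", link to one of the built-in processors that shows the call, and say whether omitting it fails loudly or silently. The two OpenSAML links point at trunk, and "(currently 3.1.0)" will go stale; pointing at a release tag and naming the WSS4J release that ships that OpenSAML version would keep the page accurate. As in wss4j20.html, the title element is empty after the dash and the banner image has an unresolved alt="$alt". Wording: "required JDK6 as a minimum requirement" repeats itself; "required at least JDK6" is enough.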