You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by co...@apache.org on 2012/08/07 12:33:02 UTC
svn commit: r1370161 -
/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
Author: coheigea
Date: Tue Aug 7 10:33:02 2012
New Revision: 1370161
URL: http://svn.apache.org/viewvc?rev=1370161&view=rev
Log:
Updated SecurityPolicy documentation.
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java?rev=1370161&r1=1370160&r2=1370161&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java Tue Aug 7 10:33:02 2012
@@ -142,7 +142,9 @@ public final class SecurityConstants {
//Be default, we will encrypt as well for interop reasons. However, this
//setting can be set to false to turn that off.
/**
- * Whether to always encrypt UsernameTokens whenever possible. The default is true.
+ * Whether to always encrypt UsernameTokens that are defined as a SupportingToken. The default
+ * is true. This should not be set to false in a production environment, as it exposes the
+ * password (or the digest of the password) on the wire.
*/
public static final String ALWAYS_ENCRYPT_UT = "ws-security.username-token.always.encrypted";
@@ -177,8 +179,8 @@ public final class SecurityConstants {
//
/**
- * The time in seconds after Creation that an incoming Timestamp is valid for. The default
- * value is 300 seconds (5 minutes).
+ * The time in seconds to append to the Creation value of an incoming Timestamp to determine
+ * whether to accept the Timestamp as valid or not. The default value is 300 seconds (5 minutes).
*/
public static final String TIMESTAMP_TTL = "ws-security.timestamp.timeToLive";