...
There are several extra properties that may need to be set to provide the additional bits of information to the runtime. Note that you should check that a particular property is supported in the version of CXF you are using.
User properties
ws-security.username | The username used for UsernameToken policy assertions user's name. It is used differently by each of the WS-Security functions, see here for more information. |
ws-security.password | The password used for UsernameToken policy assertions. If not specified, the callback handler will be called. user's password when "ws-security.callback-handler The WSS4J security CallbackHandler that will be used to retrieve passwords for keystores and UsernameTokens" is not defined. It is currently only used for the case of adding a password to a UsernameToken. |
ws-security.signature.properties username | The user's name for signature. It is used as the alias name in the keystore to get the user's cert and private key for signature. See here for more information. The properties file/object that contains the WSS4J properties for configuring the signature keystore and crypto objects |
ws-security.encryption.properties The properties file/object that contains the WSS4J properties for configuring the encryption keystore and crypto objects username | The user's name for encryption. It is used as the alias name in the keystore to get the user's public key for encryption. See here for more information. |
Callback Class and Crypto properties
ws-security.callback-handler | The CallbackHandler implementation class used to obtain passwords. |
ws-security.saml-callback-handler | The SAML CallbackHandler implementation class used to construct SAML Assertions. |
ws-security.signature.username properties | The username or alias for the key in the signature keystore that will be used. If not specified, it uses the the default alias set in the properties file. If that's also not set, and the keystore only contains a single key, that key will be usedCrypto property configuration to use for signature, if "ws-security.signature.crypto" is not set instead. |
ws-security.encryption.username properties | The username or alias for the key in the encryption keystore that will be used. If not specified, it uses the the default alias set in the properties file. If that's also not set, and the keystore only contains a single key, that key will be used. For the web service provider, the useReqSigCert keyword can be used to accept (encrypt to) any client whose public key is in the service's truststore (defined in Crypto property configuration to use for encryption, if "ws-security.encryption.properties.) crypto" is not set instead. |
ws-security.signature.crypto Instead | of specifying the signature properties, this can point to the full WSS4J Crypto object. This can allow easier "programmatic" configuration of the Crypto information." A Crypto object to be used for signature. If this is not defined then "ws-security.signature.properties" is used instead. |
ws-security.encryption.crypto Instead of specifying the encryption properties, this can point to the full WSS4J Crypto object. This can allow easier "programmatic" configuration of the Crypto information." | A Crypto object to be used for encryption. If this is not defined then "ws-security.encryption.properties" is used instead. |
Other properties
ws-security.subject.cert.constraints | This configuration tag is a comma separated String of regular expressions which will be applied to the subject DN of the certificate used for signature validation, after trust verification of the certificate chain associated with the certificate. These constraints are not used when the certificate is contained in the keystore (direct trust). |
ws-security.is-bsp-compliant | Whether to ensure compliance with the Basic Security Profile (BSP) 1.1 or not. The default value is "true". |
ws-security.timestamp.futureTimeToLive | This configuration tag specifies the time in seconds in the future within which the Created time of an incoming Timestamp is valid. WSS4J rejects by default any timestamp which is "Created" in the future, and so there could potentially be |
...
Code Block | ||||
---|---|---|---|---|
| ||||
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:jaxws="http://cxf.apache.org/jaxws" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd"> <jaxws:client name="{http://cxf.apache.org}MyPortName" createdFromAPI="true"> <jaxws:properties> <entry key="ws-security.callback-handler" value="interop.client.KeystorePasswordCallback"/> <entry key="ws-security.signature.properties" value="etc/client.properties"/> <entry key="ws-security.encryption.properties" value="etc/service.properties"/> <entry key="ws-security.encryption.username" value="servicekeyalias"/> </jaxws:properties> </jaxws:client> </beans> |
...
Code Block | ||||
---|---|---|---|---|
| ||||
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:jaxws="http://cxf.apache.org/jaxws" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd"> <jaxws:endpoint id="MyService" address="https://localhost:9001/MyService" serviceName="interop:MyService" endpointName="interop:MyServiceEndpoint" implementor="com.foo.MyService"> <jaxws:properties> <entry key="ws-security.callback-handler" value="interop.client.UTPasswordCallback"/> <entry key="ws-security.signature.properties" value="etc/keystore.properties"/> <entry key="ws-security.encryption.properties" value="etc/truststore.properties"/> <entry key="ws-security.encryption.username" value="useReqSigCert"/> </jaxws:properties> </jaxws:endpoint> </beans> |
See this blog entry for a more end-to-end example of using WS-SecurityPolicy with X.509 keys.
...