...
constant | default | definition |
ws-security.validate.token | true | Whether to validate the password of a received UsernameToken or not. |
ws-security.enableRevocation | false | Whether to enable Certificate Revocation List (CRL) checking or not when verifying trust in a certificate. |
ws-security.username-token.always.encrypted | true | Whether to always encrypt UsernameTokens that are defined as a SupportingToken. This should not be set to false in a production environment, as it exposes the password (or the digest of the password) on the wire. |
ws-security.is-bsp-compliant | true | Whether to ensure compliance with the Basic Security Profile (BSP) 1.1 or not. |
ws-security.self-sign-saml-assertion | false | Whether to self-sign a SAML Assertion or not. If this is set to true, then an enveloped signature will be generated when the SAML Assertion is constructed. Only applies up to CXF 2.7.x. |
ws-security.enable.nonce.cache | (varies) | Whether to cache UsernameToken nonces. See here for more information. |
ws-security.enable.timestamp.cache | (varies) | Whether to cache Timestamp Created Strings. See here for more information. |
ws-security.enable.saml.cache | (varies) | Whether to cache SAML2 Token Identifiers, if the token contains a "OneTimeUse" Condition. |
ws-security.validate.saml.subject.conf | true | Whether to validate the SubjectConfirmation requirements of a received SAML Token. |
ws-security.enable.streaming | false | Whether to enable streaming WS-Security. |
ws-security.return.security.error | false | Whether to return the security error message to the client, and not one of the default error QNames. |
ws-security.must-understand | true | Set this to "false" in order to remove the SOAP mustUnderstand header from security headers generated based on a WS-SecurityPolicy. |
ws-security.sc.jaas-subject | true | Set this to "false" if security context must not be created from JAAS Subject. |
ws-security.validate.audience-restriction | (varies) | If this is set to "true", then IF the SAML Token contains Audience Restriction URIs, one of them must match either the request URL or the Service QName. The default is "true" for CXF 3.0.x, and "false" for 2.7.x. |
Non-boolean WS-Security Configuration parameters
...