Background to common security configuration
From Apache CXF 3.1.0, the WS-SecurityPolicy and the XML Security (JAX-RS) components in CXF share a common set of configuration tags. Previously, the configuration tags were all defined in the SecurityConstants class in the cxf-rt-ws-security module. The JAX-RS XML Security component then referenced these configuration tags directly, which meant that the XML Security component had to have a dependency on a SOAP module, which was not ideal.
New configuration tags in Apache CXF 3.1.0
From Apache CXF 3.1.0, the cxf-rt-security module is now shared between both the WS-Security and JAX-RS XML Security modules, and contains a SecurityConstants class that defines security constants used by both stacks. These configuration tags are exactly the same as a set of previous configuration tags found in the WS-Security SecurityConstants class in previous releases, except that the prefix is now "security" (was "ws-security"). Here are the new set of configuration tags:
User properties
security.username | The user's name. It is used differently by each of the Security functions, see here for more information. |
security.password | The user's password when "security.callback-handler" is not defined. It is currently only used for the case of adding a password to a UsernameToken. |
security.signature.username | The user's name for signature. It is used as the alias name in the keystore to get the user's cert and private key for signature. See here for more information. |
security.encryption.username | The user's name for encryption. It is used as the alias name in the keystore to get the user's public key for encryption. See here for more information. |
Callback Class and Crypto properties
security.callback-handler | The CallbackHandler implementation class used to obtain passwords. |
security.saml-callback-handler | The SAML CallbackHandler implementation class used to construct SAML Assertions. |
security.signature.properties | The Crypto property configuration to use for signature, if "security.signature.crypto" is not set instead. |
security.encryption.properties | The Crypto property configuration to use for encryption, if "security.encryption.crypto" is not set instead. |
security.signature.crypto | A Crypto object to be used for signature. If this is not defined then "security.signature.properties" is used instead. |
security.encryption.crypto | A Crypto object to be used for encryption. If this is not defined then "security.encryption.properties" is used instead. |
Note: for Symmetric bindings that specify a protection token, the security-encryption properties are used.
Boolean WS-Security configuration tags, e.g. the value should be "true" or "false".
constant | default | definition |
security.enableRevocation | false | Whether to enable Certificate Revocation List (CRL) checking or not when verifying trust in a certificate. |
security.enable.unsigned-saml-assertion.principal | false | Whether to allow unsigned saml assertions as SecurityContext Principals. The default is false. |
security.validate.saml.subject.conf | true | Whether to validate the SubjectConfirmation requirements of a received SAML Token. |
security.sc.jaas-subject | true | Set this to "false" if security context must not be created from JAAS Subject. |
security.validate.audience-restriction | (varies) | If this is set to "true", then IF the SAML Token contains Audience Restriction URIs, one of them must match either the request URL or the Service QName. The default is "true" for CXF 3.0.x, and "false" for 2.7.x. |
Non-boolean WS-Security Configuration parameters
security.saml-role-attributename | The attribute URI of the SAML AttributeStatement where the role information is stored. The default is "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role". |
security.subject.cert.constraints | A comma separated String of regular expressions which will be applied to the subject DN of the certificate used for signature validation, after trust verification of the certificate chain associated with the certificate. These constraints are not used when the certificate is contained in the keystore (direct trust). |
Backwards compatibility
Users of Apache CXF prior to 3.1.0 do not need to make any adjustment to their code or spring files. The older "ws-" prefix associated with the configuration tags above will continue to be accepted.