...

security.saml-role-attributename

The attribute URI of the SAML AttributeStatement where the role information is stored. The default is "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role".

security.subject.cert.constraints

A comma-separated list of regular expressions that are applied to the Subject DN of the certificate used for signature validation, after the certificate chain has passed trust verification. These constraints are not applied when the certificate itself is contained in the keystore (direct trust).
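To make the matching rule concrete, here is a small Java helper, written for this page and not taken from CXF or WSS4J, that applies a constraint string to a subject DN the way I understand CXF does it: the value is split on commas, each piece is compiled as a java.util.regex pattern, and the DN in the RFC 2253 form returned by X500Principal.getName() must fully match (Matcher.matches(), not find()) at least one pattern. The class name and the two sample subjects are constructed for the example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import javax.security.auth.x500.X500Principal;

// Hypothetical helper written for this page; it is not the CXF implementation.
public class SubjectDnConstraints {

    private final List<Pattern> patterns = new ArrayList<>();

    // The documented format is a comma-separated list of regular expressions.
    // Consequence (assumed here from the naive split): a single regex cannot contain
    // a literal comma. To match a comma inside a DN use the regex escape \x2c instead.
    public SubjectDnConstraints(String commaSeparatedRegexes) {
        if (commaSeparatedRegexes == null || commaSeparatedRegexes.trim().isEmpty()) {
            return;
        }
        for (String regex : commaSeparatedRegexes.split(",")) {
            String trimmed = regex.trim();
            if (!trimmed.isEmpty()) {
                patterns.add(Pattern.compile(trimmed));
            }
        }
    }

    // The full subject DN must match at least one pattern. With no patterns
    // configured every certificate passes, which is the "no constraints" case.
    public boolean matches(X500Principal subject) {
        if (patterns.isEmpty()) {
            return true;
        }
        // getName() renders the DN in RFC 2253 form: comma separated, no spaces.
        String dn = subject.getName();
        for (Pattern p : patterns) {
            if (p.matcher(dn).matches()) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample subjects; getName() yields "CN=alice,OU=eng,O=Example,C=US"
        // and "CN=alice,O=Evil Corp,C=US" respectively.
        X500Principal alice = new X500Principal("CN=alice, OU=eng, O=Example, C=US");
        X500Principal lookAlike = new X500Principal("CN=alice, O=Evil Corp, C=US");

        // Anchored on the organisation; \x2c stands in for the comma so the value
        // survives the comma split. In a Spring file this would be ".*O=Example\x2cC=US".
        SubjectDnConstraints orgAnchored = new SubjectDnConstraints(".*O=Example\\x2cC=US");
        System.out.println("orgAnchored accepts alice:     " + orgAnchored.matches(alice));
        System.out.println("orgAnchored accepts lookAlike: " + orgAnchored.matches(lookAlike));

        // Pitfall: a bare "CN=alice" is a full-string match against the whole DN.
        SubjectDnConstraints bareCn = new SubjectDnConstraints("CN=alice");
        System.out.println("bareCn accepts alice:          " + bareCn.matches(alice));

        // Wildcards on both sides match any DN that merely contains CN=alice.
        SubjectDnConstraints looseCn = new SubjectDnConstraints(".*CN=alice.*");
        System.out.println("looseCn accepts lookAlike:     " + looseCn.matches(lookAlike));
    }
}
```

The practical points this shows: a constraint without wildcards never matches a complete DN, a constraint that only pins the CN accepts any issuer's certificate carrying that CN, and pinning the organisation (or the full DN, with `\x2c` for the commas) is what actually narrows which of the trusted certificates may sign.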

STS Client Configuration tags

Note: From CXF 3.1.3 onwards. Prior to CXF 3.1.3 these tags had a "ws-" prefix. The older tags will still work for backwards compatibility reasons.

security.sts.client

A reference to the STSClient class used to communicate with the STS.

security.sts.applies-to

The "AppliesTo" address to send to the STS. The default is the endpoint address of the service provider.

security.sts.token.usecert

If true, writes out an X509Certificate structure in UseKey/KeyInfo. If false (the default), writes out a KeyValue structure instead.

security.sts.token.do.cancel

Whether to cancel a token when using SecureConversation after successful invocation. The default is "false".

security.issue.after.failed.renew

Whether to fall back to calling "Issue" after failing to renew an expired token. Some STSs do not support the Renew binding. The default is "true".

security.cache.issued.token.in.endpoint

Set this to "false" to not cache a SecurityToken per proxy object in the IssuedTokenInterceptorProvider. This should be done if a token is being retrieved from an STS in an intermediary. The default value is "true".

security.sts.disable-wsmex-call-using-epr-address

Whether to stop the STS client from attempting a WS-MetadataExchange call to the WS-Addressing address of the STS EPR when the endpoint contract contains no WS-MetadataExchange information. The default value is "false".

security.sts.token.crypto

A Crypto object to be used for the STS. See here for more information.

security.sts.token.properties

The Crypto property configuration to use for the STS. See here for more information.

security.sts.token.username

The alias name in the keystore to get the user's public key to send to the STS for the PublicKey KeyType case.

security.sts.token.act-as

The token to be sent to the STS in an "ActAs" field. See here for more information.

security.sts.token.on-behalf-of

The token to be sent to the STS in an "OnBehalfOf" field. See here for more information.

security.sts.token.imminent-expiry-value

The value in seconds within which a token is considered to be expired by the client, i.e. it is considered expired if it will expire in less time than the value specified by this tag. The default value is "10" for CXF 3.0.2+, and "0" for CXF 2.7.13+.
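The tags above are applied either to the STSClient's own property map or to the JAX-WS request context of the proxy that talks to the service. The following Java wiring is an added example written for this page, not code from the CXF project: it builds an STSClient programmatically and sets a representative subset of the tags. It assumes CXF 3.x with the javax.xml.ws API; the STS WSDL location, service and endpoint QNames, keystore property file, key alias and AppliesTo address are placeholders, and the split between STSClient properties and request-context properties follows the CXF samples as I understand them (CXF consults both for the security.sts.token.* tags).

```java
import java.util.HashMap;
import java.util.Map;
import javax.xml.ws.BindingProvider;
import org.apache.cxf.Bus;
import org.apache.cxf.BusFactory;
import org.apache.cxf.ws.security.trust.STSClient;

// Hypothetical wiring written for this page; not CXF project code.
public class StsClientWiring {

    // Attaches a fully configured STSClient to an existing JAX-WS proxy ("port").
    public static void configure(BindingProvider port) {
        Bus bus = BusFactory.getThreadDefaultBus();

        STSClient stsClient = new STSClient(bus);
        // Placeholder STS location and QNames for this example.
        stsClient.setWsdlLocation("https://sts.example.com/SecurityTokenService/X509?wsdl");
        stsClient.setServiceName(
            "{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService");
        stsClient.setEndpointName(
            "{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}X509_Port");

        Map<String, Object> stsProps = new HashMap<>();
        // Keystore and alias used for the PublicKey KeyType case: the public key
        // under "myclientkey" is sent to the STS as the key the token should confirm.
        stsProps.put("security.sts.token.properties", "clientKeystore.properties");
        stsProps.put("security.sts.token.username", "myclientkey");
        // Send a full X509Certificate in UseKey/KeyInfo rather than a bare KeyValue,
        // so the STS can bind the token to the whole certificate.
        stsProps.put("security.sts.token.usecert", "true");
        stsClient.setProperties(stsProps);

        Map<String, Object> ctx = port.getRequestContext();
        ctx.put("security.sts.client", stsClient);
        // Override the default AppliesTo (the service endpoint address) when the
        // STS knows the relying party under a different, logical address.
        ctx.put("security.sts.applies-to", "https://service.example.com/DoubleIt");
        // Treat a token as expired 30 seconds early so renewal happens before the
        // service would reject it on a clock-skewed boundary.
        ctx.put("security.sts.token.imminent-expiry-value", "30");
        // Surface a failed Renew to the caller instead of silently issuing a new token.
        ctx.put("security.issue.after.failed.renew", "false");
        // Cancel a SecureConversation token once the invocation has succeeded.
        ctx.put("security.sts.token.do.cancel", "true");
        // This proxy lives in an intermediary that fetches tokens on behalf of several
        // callers, so do not pin one SecurityToken to the proxy object.
        ctx.put("security.cache.issued.token.in.endpoint", "false");
    }
}
```

The same entries can be expressed in a Spring file as jaxws:properties on the client and as the properties map of the STSClient bean; the keys are identical. Note that security.cache.issued.token.in.endpoint set to "false" only matters when one proxy is shared across callers, as in the intermediary case the tag description mentions; for a single-user client the default caching is what you want.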

Backwards compatibility

Users of Apache CXF prior to 3.1.0 do not need to make any adjustment to their code or spring files. The older "ws-" prefix associated with the configuration tags above will continue to be accepted.