appserver/admin/template/src/main/resources/config/wss-server-config-1.0.xml

<!--

    Copyright (c) 2004, 2018 Oracle and/or its affiliates. All rights reserved.

    This program and the accompanying materials are made available under the
    terms of the Eclipse Public License v. 2.0, which is available at
    http://www.eclipse.org/legal/epl-2.0.

    This Source Code may also be made available under the following Secondary
    Licenses when the conditions for such availability set forth in the
    Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
    version 2 with the GNU Classpath Exception, which is available at
    https://www.gnu.org/software/classpath/license.html.

    SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0

-->

<!--
 This server side config file pairs with wss-client-config-1.0.xml on the client
 and supports the following UseCases:
 Usecase 1: Authentication using Protected UsernameToken
 Usecase 3: Encrypted UsernameToken and MessageBody
 Usecase 4: Response Encryption Key Learnt from Incoming Message

 Certificate Alias Information :
 1. A certificateAlias under the <xwss:Encrypt> element signifies the certificate
    of the recipient of the message.
 2. A certificateAlias under the <xwss:Sign> element signifies the certificate of the
    sender.

 NOTE:

   1. the certificateAlias has the above meaning for all the Sign and Encrypt elements below
   2. there are several Sign and Encrypt elements below and similarly several RequireSignature and
      RequireEncryption elements. Which of them would be actually used at runtime will depend on
      the AuthPolicy passed to the module.

      For Example : if Auth-Source=Sender then only the <xwss:UsernameToken> elements will be used
      and none of the <xwss:Sign> elements will be used.
      If Auth-Source=Content then the <xwss:Sign> element will be used

   3.  The different variations of <xwss:Encrypt> elements in this configuration file are to accomodate
       default encryption of the UsernameToken.

   4.  The actual certificate alias to be used for any Signature operation can be modified during AuthModule
       initialization by setting the alias as the value of "signature.key.alias" property in the Module Options Map.
   5.  The actual certificate alias to be used for any Encrypt operation can be modified during AuthModule
       initialization by setting the alias as the value of "encryption.key.alias" property in the Module Options Map.

   6. Debug Dumping of Messages can be enabled by setting the "debug" property in the Module Options Map to "true" during
      AuthModule initialization.
   7. The Actual configuration file to be used by an Authmodule can be changed by setting the property "security.config" in
      the Module Options Map to point to the configuration file location.
   8. When the "security.config" property is not set during module initialization then a client auth module will use wss-client-config-2.0.xml
      by default.
   9. When the "security.config" property is not set during module initialization then a server auth module will use wss-server-config-2.0.xml
      by default.

-->

<xwss:SecurityConfiguration xmlns:xwss="http://java.sun.com/xml/ns/xwss/config"
                            dumpMessages="false">
    <xwss:Timestamp/>
    <xwss:RequireEncryption>
        <xwss:Target type="qname">SOAP-BODY</xwss:Target>
    </xwss:RequireEncryption>
    <xwss:RequireEncryption>
        <xwss:Target type="qname">{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}UsernameToken</xwss:Target>
        <xwss:Target type="qname">SOAP-BODY</xwss:Target>
    </xwss:RequireEncryption>
    <xwss:RequireEncryption>
        <xwss:Target type="qname">SOAP-BODY</xwss:Target>
        <xwss:Target type="qname">{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}UsernameToken</xwss:Target>
    </xwss:RequireEncryption>
    <xwss:RequireSignature>
        <xwss:Target type="qname">SOAP-BODY</xwss:Target>
    </xwss:RequireSignature>
    <xwss:RequireUsernameToken nonceRequired="false" passwordDigestRequired="false"/>
    <xwss:Encrypt>
        <xwss:X509Token certificateAlias="s1as"/>
        <xwss:KeyEncryptionMethod algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
    </xwss:Encrypt>
    <xwss:Encrypt>
        <xwss:X509Token certificateAlias="s1as"/>
        <xwss:KeyEncryptionMethod algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
        <xwss:Target type="qname">SOAP-BODY</xwss:Target>
        <xwss:Target type="qname">{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}UsernameToken</xwss:Target>
    </xwss:Encrypt>
    <xwss:Encrypt>
        <xwss:X509Token certificateAlias="s1as"/>
        <xwss:KeyEncryptionMethod algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
        <xwss:Target type="qname">{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}UsernameToken</xwss:Target>
        <xwss:Target type="qname">SOAP-BODY</xwss:Target>
    </xwss:Encrypt>
    <xwss:Sign>
        <xwss:X509Token certificateAlias="s1as"/>
    </xwss:Sign>
    <xwss:UsernameToken digestPassword="false" useNonce="false"/>
</xwss:SecurityConfiguration>