| <!-- |
| |
| Copyright (c) 2004, 2018 Oracle and/or its affiliates. All rights reserved. |
| |
| This program and the accompanying materials are made available under the |
| terms of the Eclipse Public License v. 2.0, which is available at |
| http://www.eclipse.org/legal/epl-2.0. |
| |
| This Source Code may also be made available under the following Secondary |
| Licenses when the conditions for such availability set forth in the |
| Eclipse Public License v. 2.0 are satisfied: GNU General Public License, |
| version 2 with the GNU Classpath Exception, which is available at |
| https://www.gnu.org/software/classpath/license.html. |
| |
| SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 |
| |
| --> |
| |
| <!-- |
| This server side config file pairs with wss-client-config-1.0.xml on the client |
| and supports the following UseCases: |
| Usecase 1: Authentication using Protected UsernameToken |
| Usecase 3: Encrypted UsernameToken and MessageBody |
| Usecase 4: Response Encryption Key Learnt from Incoming Message |
| |
| Certificate Alias Information : |
| 1. A certificateAlias under the <xwss:Encrypt> element signifies the certificate |
| of the recipient of the message. |
| 2. A certificateAlias under the <xwss:Sign> element signifies the certificate of the |
| sender. |
| |
| NOTE: |
| |
| 1. the certificateAlias has the above meaning for all the Sign and Encrypt elements below |
| 2. there are several Sign and Encrypt elements below and similarly several RequireSignature and |
| RequireEncryption elements. Which of them would be actually used at runtime will depend on |
| the AuthPolicy passed to the module. |
| |
| For Example : if Auth-Source=Sender then only the <xwss:UsernameToken> elements will be used |
| and none of the <xwss:Sign> elements will be used. |
| If Auth-Source=Content then the <xwss:Sign> element will be used |
| |
| 3. The different variations of <xwss:Encrypt> elements in this configuration file are to accomodate |
| default encryption of the UsernameToken. |
| |
| 4. The actual certificate alias to be used for any Signature operation can be modified during AuthModule |
| initialization by setting the alias as the value of "signature.key.alias" property in the Module Options Map. |
| 5. The actual certificate alias to be used for any Encrypt operation can be modified during AuthModule |
| initialization by setting the alias as the value of "encryption.key.alias" property in the Module Options Map. |
| |
| 6. Debug Dumping of Messages can be enabled by setting the "debug" property in the Module Options Map to "true" during |
| AuthModule initialization. |
| 7. The Actual configuration file to be used by an Authmodule can be changed by setting the property "security.config" in |
| the Module Options Map to point to the configuration file location. |
| 8. When the "security.config" property is not set during module initialization then a client auth module will use wss-client-config-2.0.xml |
| by default. |
| 9. When the "security.config" property is not set during module initialization then a server auth module will use wss-server-config-2.0.xml |
| by default. |
| |
| --> |
| |
| <xwss:SecurityConfiguration xmlns:xwss="http://java.sun.com/xml/ns/xwss/config" |
| dumpMessages="false"> |
| <xwss:Timestamp/> |
| <xwss:RequireEncryption> |
| <xwss:Target type="qname">SOAP-BODY</xwss:Target> |
| </xwss:RequireEncryption> |
| <xwss:RequireEncryption> |
| <xwss:Target type="qname">{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}UsernameToken</xwss:Target> |
| <xwss:Target type="qname">SOAP-BODY</xwss:Target> |
| </xwss:RequireEncryption> |
| <xwss:RequireEncryption> |
| <xwss:Target type="qname">SOAP-BODY</xwss:Target> |
| <xwss:Target type="qname">{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}UsernameToken</xwss:Target> |
| </xwss:RequireEncryption> |
| <xwss:RequireSignature> |
| <xwss:Target type="qname">SOAP-BODY</xwss:Target> |
| </xwss:RequireSignature> |
| <xwss:RequireUsernameToken nonceRequired="false" passwordDigestRequired="false"/> |
| <xwss:Encrypt> |
| <xwss:X509Token certificateAlias="s1as"/> |
| <xwss:KeyEncryptionMethod algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/> |
| </xwss:Encrypt> |
| <xwss:Encrypt> |
| <xwss:X509Token certificateAlias="s1as"/> |
| <xwss:KeyEncryptionMethod algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/> |
| <xwss:Target type="qname">SOAP-BODY</xwss:Target> |
| <xwss:Target type="qname">{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}UsernameToken</xwss:Target> |
| </xwss:Encrypt> |
| <xwss:Encrypt> |
| <xwss:X509Token certificateAlias="s1as"/> |
| <xwss:KeyEncryptionMethod algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/> |
| <xwss:Target type="qname">{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}UsernameToken</xwss:Target> |
| <xwss:Target type="qname">SOAP-BODY</xwss:Target> |
| </xwss:Encrypt> |
| <xwss:Sign> |
| <xwss:X509Token certificateAlias="s1as"/> |
| </xwss:Sign> |
| <xwss:UsernameToken digestPassword="false" useNonce="false"/> |
| </xwss:SecurityConfiguration> |