WS-Security

Stable • Since 0.14.0

Provides the CXF framework’s WS-Security implementation, allowing you to:

  • Pass authentication tokens between services

  • Encrypt messages or parts of messages

  • Sign messages

  • Timestamp messages

Maven coordinates

Create a new project using quarkus-cxf-rt-ws-security on code.quarkus.io or add these coordinates to your existing project:

<dependency>
    <groupId>io.quarkiverse.cxf</groupId>
    <artifactId>quarkus-cxf-rt-ws-security</artifactId>
</dependency>

Check the User guide and especially its Dependency management section for more information about writing applications with Quarkus CXF.

Supported standards

Usage

The CXF framework’s WS-Security (WSS) implementation is based on WSS4J. It can be activated in two ways:

  • By using WS-SecurityPolicy

  • By adding WSS4J interceptors to your clients and service endpoints.

WS-SecurityPolicy is preferable because in that way, the security requirements become a part of the WSDL contract. That in turn greatly simplifies not only the implementation of clients and service endpoints but also the interoperability between vendors.

Note that even if you leverage WS-SecurityPolicy, CXF still sets up the WSS4J interceptors under the hood for you.

We won’t explain the manual approach with WSS4J interceptors in detail here, but you can still refer to our WS-Security integration test as an example.

WS-Security via WS-SecurityPolicy

The sample code snippets used in this section come from the WS-SecurityPolicy integration test in the source tree of Quarkus CXF.

Let’s say our aim is to ensure that the communication between the client and service is confidential (through encryption) and that the message has not been tampered with (through digital signatures). We also want to ensure that the clients are who they claim to be by having them authenticate with X.509 certificates.

We can express all these requirements in a single WS-SecurityPolicy document:

encrypt-sign-policy.xml
<?xml version="1.0" encoding="UTF-8" ?>
<wsp:Policy wsu:Id="SecurityServiceEncryptThenSignPolicy"
    xmlns:wsp="http://www.w3.org/ns/ws-policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
    <wsp:ExactlyOne>
        <wsp:All>
            <!-- (1) -->
            <sp:AsymmetricBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
                <wsp:Policy>
                    <!-- (2) -->
                    <sp:InitiatorToken>
                        <wsp:Policy>
                            <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                                <wsp:Policy>
                                    <sp:WssX509V3Token11/>
                                </wsp:Policy>
                            </sp:X509Token>
                        </wsp:Policy>
                    </sp:InitiatorToken>
                    <sp:RecipientToken>
                        <wsp:Policy>
                            <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                                <wsp:Policy>
                                    <sp:WssX509V3Token11/>
                                </wsp:Policy>
                            </sp:X509Token>
                        </wsp:Policy>
                    </sp:RecipientToken>
                    <sp:AlgorithmSuite>
                        <wsp:Policy>
                            <sp:Basic256/>
                        </wsp:Policy>
                    </sp:AlgorithmSuite>
                    <sp:Layout>
                        <wsp:Policy>
                            <sp:Strict/>
                        </wsp:Policy>
                    </sp:Layout>
                    <sp:IncludeTimestamp/>
                    <sp:ProtectTokens/>
                    <sp:OnlySignEntireHeadersAndBody/>
                    <sp:EncryptBeforeSigning/>
                </wsp:Policy>
            </sp:AsymmetricBinding>
            <!-- (3) -->
            <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <sp:Body/>
            </sp:SignedParts>
            <!-- (4) -->
            <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <sp:Body/>
            </sp:EncryptedParts>
            <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                    <sp:MustSupportRefIssuerSerial/>
                </wsp:Policy>
            </sp:Wss10>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>
1 AsymmetricBinding specifies the use of asymmetric (public/private key) cryptography for securing the communication between two parties.
2 InitiatorToken indicates that the initiator (sender) of the message will use an X.509 certificate token that must always be provided to the recipient.
3 SignedParts specifies which parts of the SOAP message must be signed to ensure their integrity.
4 EncryptedParts specifies the parts of the SOAP message that must be encrypted to ensure their confidentiality.

We set this policy on the Service Endpoint Interface (SEI) EncryptSignPolicyHelloService using the @org.apache.cxf.annotations.Policy annotation:

EncryptSignPolicyHelloService.java
@WebService(serviceName = "EncryptSignPolicyHelloService")
@Policy(placement = Policy.Placement.BINDING, uri = "encrypt-sign-policy.xml")
public interface EncryptSignPolicyHelloService extends AbstractHelloService {
...
}

At first sight, setting the policy on the SEI should suffice to enforce it on both the service and all clients generated from the SEI or from the WSDL served by the service. However, that’s not all: security keys, usernames, passwords and other kinds of confidential information cannot be exposed in a public policy.

Those have to be set in the configuration. Let’s do it for the service first:

application.properties
# A service with encrypt-sign-policy.xml set
quarkus.cxf.endpoint."/helloEncryptSign".implementor = io.quarkiverse.cxf.it.security.policy.EncryptSignPolicyHelloServiceImpl
# can be jks or pkcs12 - set from Maven profiles in this test
keystore.type = ${keystore.type}
# Signature settings
quarkus.cxf.endpoint."/helloEncryptSign".security.signature.username = bob
quarkus.cxf.endpoint."/helloEncryptSign".security.signature.password = password
quarkus.cxf.endpoint."/helloEncryptSign".security.signature.properties."org.apache.ws.security.crypto.provider" = org.apache.ws.security.components.crypto.Merlin
quarkus.cxf.endpoint."/helloEncryptSign".security.signature.properties."org.apache.ws.security.crypto.merlin.keystore.type" = ${keystore.type}
quarkus.cxf.endpoint."/helloEncryptSign".security.signature.properties."org.apache.ws.security.crypto.merlin.keystore.password" = password
quarkus.cxf.endpoint."/helloEncryptSign".security.signature.properties."org.apache.ws.security.crypto.merlin.keystore.alias" = bob
quarkus.cxf.endpoint."/helloEncryptSign".security.signature.properties."org.apache.ws.security.crypto.merlin.file" = bob.${keystore.type}
# Encryption settings
quarkus.cxf.endpoint."/helloEncryptSign".security.encryption.username = alice
quarkus.cxf.endpoint."/helloEncryptSign".security.encryption.properties."org.apache.ws.security.crypto.provider" = org.apache.ws.security.components.crypto.Merlin
quarkus.cxf.endpoint."/helloEncryptSign".security.encryption.properties."org.apache.ws.security.crypto.merlin.keystore.type" = ${keystore.type}
quarkus.cxf.endpoint."/helloEncryptSign".security.encryption.properties."org.apache.ws.security.crypto.merlin.keystore.password" = password
quarkus.cxf.endpoint."/helloEncryptSign".security.encryption.properties."org.apache.ws.security.crypto.merlin.keystore.alias" = bob
quarkus.cxf.endpoint."/helloEncryptSign".security.encryption.properties."org.apache.ws.security.crypto.merlin.file" = bob.${keystore.type}

Similar setup is necessary on the client side:

application.properties
# A client with encrypt-sign-policy.xml set
quarkus.cxf.client.helloEncryptSign.client-endpoint-url = https://localhost:${quarkus.http.test-ssl-port}/services/helloEncryptSign
quarkus.cxf.client.helloEncryptSign.service-interface = io.quarkiverse.cxf.it.security.policy.EncryptSignPolicyHelloService
quarkus.cxf.client.helloEncryptSign.features = #messageCollector
# The client-endpoint-url above is HTTPS, so we have to setup the server's SSL certificates
quarkus.cxf.client.helloEncryptSign.trust-store = client-truststore.${keystore.type}
quarkus.cxf.client.helloEncryptSign.trust-store-password = password
# Signature settings
quarkus.cxf.client.helloEncryptSign.security.signature.username = alice
quarkus.cxf.client.helloEncryptSign.security.signature.password = password
quarkus.cxf.client.helloEncryptSign.security.signature.properties."org.apache.ws.security.crypto.provider" = org.apache.ws.security.components.crypto.Merlin
quarkus.cxf.client.helloEncryptSign.security.signature.properties."org.apache.ws.security.crypto.merlin.keystore.type" = pkcs12
quarkus.cxf.client.helloEncryptSign.security.signature.properties."org.apache.ws.security.crypto.merlin.keystore.password" = password
quarkus.cxf.client.helloEncryptSign.security.signature.properties."org.apache.ws.security.crypto.merlin.keystore.alias" = alice
quarkus.cxf.client.helloEncryptSign.security.signature.properties."org.apache.ws.security.crypto.merlin.file" = alice.${keystore.type}
# Encryption settings
quarkus.cxf.client.helloEncryptSign.security.encryption.username = bob
quarkus.cxf.client.helloEncryptSign.security.encryption.properties."org.apache.ws.security.crypto.provider" = org.apache.ws.security.components.crypto.Merlin
quarkus.cxf.client.helloEncryptSign.security.encryption.properties."org.apache.ws.security.crypto.merlin.keystore.type" = pkcs12
quarkus.cxf.client.helloEncryptSign.security.encryption.properties."org.apache.ws.security.crypto.merlin.keystore.password" = password
quarkus.cxf.client.helloEncryptSign.security.encryption.properties."org.apache.ws.security.crypto.merlin.keystore.alias" = alice
quarkus.cxf.client.helloEncryptSign.security.encryption.properties."org.apache.ws.security.crypto.merlin.file" = alice.${keystore.type}

To inspect the flow of the messages, you can execute the EncryptSignPolicyTest as follows:

# Clone the repository
$ git clone https://github.com/quarkiverse/quarkus-cxf.git -o upstream
$ cd quarkus-cxf
# Build the whole source tree
$ mvn clean install -DskipTests -Dquarkus.build.skip
# Run the test
$ cd integration-tests/ws-security-policy
$ mvn clean test -Dtest=EncryptSignPolicyTest

You should see some messages containing Signature elements and encrypted bodies in the console output.

Configuration

Properties marked as fixed at build time cannot be overridden at runtime. All other configuration properties are overridable at runtime.

Each entry below gives the configuration property name, its type, its default value (where one exists) and a description.

quarkus.cxf.client."clients".security.username

string

The user’s name. It is used as follows:

  • As the name in the UsernameToken for WS-Security

  • As the alias name in the keystore to get the user’s cert and private key for signature if signature.username is not set

  • As the alias name in the keystore to get the user’s public key for encryption if encryption.username is not set

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_USERNAME
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.password

string

The user’s password when a callback-handler is not defined. This is only used for the password in a WS-Security UsernameToken.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_PASSWORD
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.signature.username

string

The user’s name for signature. It is used as the alias name in the keystore to get the user’s cert and private key for signature. If this is not defined, then username is used instead. If that is also not specified, it uses the default alias set in the properties file referenced by signature.properties. If that’s also not set, and the keystore only contains a single key, that key will be used.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_SIGNATURE_USERNAME
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.signature.password

string

The user’s password for signature when a callback-handler is not defined.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_SIGNATURE_PASSWORD
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.encryption.username

string

The user’s name for encryption. It is used as the alias name in the keystore to get the user’s public key for encryption. If this is not defined, then username is used instead. If that is also not specified, it uses the default alias set in the properties file referenced by encrypt.properties. If that’s also not set, and the keystore only contains a single key, that key will be used.

For the WS-Security web service provider, the useReqSigCert value can be used to accept (encrypt to) any client whose public key is in the service’s truststore (defined in encrypt.properties).

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_ENCRYPTION_USERNAME
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.callback-handler

string

A reference to a javax.security.auth.callback.CallbackHandler bean used to obtain passwords, for both outbound and inbound requests.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_CALLBACK_HANDLER
Since Quarkus CXF: 2.5.0
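The client and service configurations shown earlier put the keystore and key passwords directly into application.properties. The callback-handler property lets you supply them from a bean instead, so the secret never sits in a checked-in file. The following is an added example, not code from the Quarkus CXF project or its integration tests. It assumes the WSS4J callback API (org.apache.wss4j.common.ext.WSPasswordCallback, which is the Callback type WSS4J passes to the handler), a hypothetical bean name encryptSignPasswordCallback, a hypothetical config key wss.key.password that you resolve from an environment variable or secret store, and that bean references are written with a leading # in the same way as the `#messageCollector` feature reference in the client configuration above.

```java
package org.acme.wss; // hypothetical package for this added example

import java.io.IOException;
import java.util.Set;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Named;

import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.eclipse.microprofile.config.inject.ConfigProperty;

/**
 * Supplies the private-key password WSS4J needs for signing (outbound) and
 * decryption (inbound) without storing it in application.properties.
 * Referenced from configuration as (assumed bean-reference syntax):
 *
 *   quarkus.cxf.client.helloEncryptSign.security.callback-handler = #encryptSignPasswordCallback
 */
@ApplicationScoped
@Named("encryptSignPasswordCallback")
public class EncryptSignPasswordCallback implements CallbackHandler {

    // Hypothetical config key; back it with an environment variable or a secret
    // store (for example WSS_KEY_PASSWORD) rather than a checked-in properties file.
    @ConfigProperty(name = "wss.key.password")
    String keyPassword;

    // Hypothetical allow-list of keystore aliases this application is willing to unlock.
    private static final Set<String> OWNED_ALIASES = Set.of("alice");

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (!(callback instanceof WSPasswordCallback)) {
                // Refuse anything that is not a WSS4J password request
                throw new UnsupportedCallbackException(callback, "Only WSPasswordCallback is supported");
            }
            WSPasswordCallback pwcb = (WSPasswordCallback) callback;
            switch (pwcb.getUsage()) {
                case WSPasswordCallback.SIGNATURE:
                case WSPasswordCallback.DECRYPT:
                    // The identifier is the keystore alias WSS4J wants to unlock.
                    // Answer only for aliases we own; a request for any other alias
                    // gets no password and the operation fails closed.
                    if (OWNED_ALIASES.contains(pwcb.getIdentifier())) {
                        pwcb.setPassword(keyPassword);
                    }
                    break;
                default:
                    // USERNAME_TOKEN and other usages are not served by this handler;
                    // leaving the password unset makes WSS4J reject the operation.
                    break;
            }
        }
    }
}
```

With this bean in place, the security.signature.password and the keystore password entries in the properties files are no longer needed for the aliases the handler serves; the same handler can be referenced from a service endpoint’s security.callback-handler property on the server side.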

quarkus.cxf.client."clients".security.saml-callback-handler

string

A reference to a javax.security.auth.callback.CallbackHandler implementation used to construct SAML Assertions.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_SAML_CALLBACK_HANDLER
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.signature.properties

Map<String,String>

The Crypto property configuration to use for signing, if signature.crypto is not set.

Example

[prefix].signature.properties."org.apache.ws.security.crypto.provider" =
org.apache.ws.security.components.crypto.Merlin
[prefix].signature.properties."org.apache.ws.security.crypto.merlin.keystore.password" = password
[prefix].signature.properties."org.apache.ws.security.crypto.merlin.file" = certs/alice.jks

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_SIGNATURE_PROPERTIES
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.encryption.properties

Map<String,String>

The Crypto property configuration to use for encryption, if encryption.crypto is not set.

Example

[prefix].encryption.properties."org.apache.ws.security.crypto.provider" =
org.apache.ws.security.components.crypto.Merlin
[prefix].encryption.properties."org.apache.ws.security.crypto.merlin.keystore.password" = password
[prefix].encryption.properties."org.apache.ws.security.crypto.merlin.file" = certs/alice.jks

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_ENCRYPTION_PROPERTIES
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.signature.crypto

string

A reference to a org.apache.wss4j.common.crypto.Crypto bean to be used for signature. If not set, signature.properties will be used to configure a Crypto instance.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_SIGNATURE_CRYPTO
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.encryption.crypto

string

A reference to a org.apache.wss4j.common.crypto.Crypto to be used for encryption. If not set, encryption.properties will be used to configure a Crypto instance.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_ENCRYPTION_CRYPTO
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.encryption.certificate

string

A message property for a prepared X509 certificate to be used for encryption. If this is not defined, then the certificate will be either loaded from the keystore configured via encryption.properties or extracted from the request (when WS-Security is used and if encryption.username has the value useReqSigCert).

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_ENCRYPTION_CERTIFICATE
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.enable-revocation

boolean

false

If true, Certificate Revocation List (CRL) checking is enabled when verifying trust in a certificate; otherwise it is not enabled.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_ENABLE_REVOCATION
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.enable-unsigned-saml-assertion-principal

boolean

false

If true, unsigned SAML assertions will be allowed as SecurityContext Principals; otherwise they won’t be allowed as SecurityContext Principals.

Signature

The label "unsigned" refers to an internal signature. Even if the token is signed by an external signature (as per the "sender-vouches" requirement), this boolean must still be configured if you want to use the token to set up the security context.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.validate-saml-subject-confirmation

boolean

true

If true, the SubjectConfirmation requirements of a received SAML Token (sender-vouches or holder-of-key) will be validated; otherwise they won’t be validated.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_VALIDATE_SAML_SUBJECT_CONFIRMATION
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.sc-from-jaas-subject

boolean

true

If true, a security context can be created from a JAAS Subject; otherwise it must not be created from a JAAS Subject.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_SC_FROM_JAAS_SUBJECT
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.audience-restriction-validation

boolean

true

If true, then if the SAML Token contains Audience Restriction URIs, one of them must match one of the values in audience.restrictions; otherwise the SAML AudienceRestriction validation is disabled.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_AUDIENCE_RESTRICTION_VALIDATION
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.saml-role-attributename

string

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role

The attribute URI of the SAML AttributeStatement where the role information is stored.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_SAML_ROLE_ATTRIBUTENAME
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.subject-cert-constraints

string

A String of regular expressions (separated by the value specified in security.cert.constraints.separator) which will be applied to the subject DN of the certificate used for signature validation, after trust verification of the certificate chain associated with the certificate.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_SUBJECT_CERT_CONSTRAINTS
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.cert-constraints-separator

string

,

The separator that is used to parse certificate constraints configured in security.subject.cert.constraints.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_CERT_CONSTRAINTS_SEPARATOR
Since Quarkus CXF: 2.5.0
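The subject-cert-constraints and cert-constraints-separator properties above address a gap that chain validation alone leaves open: trusting a CA means trusting every certificate it issues, while the constraint pins which subject DNs may actually sign for this service. The following is an added example, not WSS4J or Quarkus CXF code; it re-implements the described matching in plain Java to show the effect of anchored versus loose patterns and why a separator other than "," is needed when the pattern itself contains commas. Assumptions: the DN compared is the RFC 2253 string form of the certificate’s subject, and a DN is accepted when it fully matches at least one configured pattern.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

import javax.security.auth.x500.X500Principal;

/**
 * Added example: post-trust subject DN constraint check. Chain validation
 * proves the signer's certificate was issued by a trusted CA; this check
 * restricts which subjects that CA may vouch for.
 */
public class SubjectCertConstraints {

    private final List<Pattern> patterns = new ArrayList<>();

    /** Splits the configured value on the configured separator (page default: ","). */
    public SubjectCertConstraints(String configured, String separator) {
        for (String raw : configured.split(Pattern.quote(separator))) {
            String trimmed = raw.trim();
            if (!trimmed.isEmpty()) {
                patterns.add(Pattern.compile(trimmed));
            }
        }
    }

    /** Number of patterns parsed; useful to spot a separator misconfiguration. */
    public int patternCount() {
        return patterns.size();
    }

    /** RFC 2253 string form of the subject DN (assumed to be what the patterns see). */
    public static String subjectDn(X500Principal subject) {
        return subject.getName(X500Principal.RFC2253);
    }

    /** Accept if the whole DN matches at least one pattern (assumed "any" semantics). */
    public boolean matches(X500Principal subject) {
        String dn = subjectDn(subject);
        return patterns.stream().anyMatch(p -> p.matcher(dn).matches());
    }

    public static void main(String[] args) {
        // Constructed sample subjects: the expected signer and a look-alike issued by the same CA
        X500Principal alice = new X500Principal("CN=alice,O=Example,C=US");
        X500Principal lookalike = new X500Principal("CN=alice-staging,O=Example,C=US");

        // Loose pattern: the trailing ".*" also swallows the "-staging" suffix
        SubjectCertConstraints loose = new SubjectCertConstraints(".*CN=alice.*", ",");
        System.out.println("loose:  alice=" + loose.matches(alice) + " lookalike=" + loose.matches(lookalike));

        // Anchored full-DN pattern with a ";" separator, because the DN contains commas
        SubjectCertConstraints strict = new SubjectCertConstraints("CN=alice,O=Example,C=US", ";");
        System.out.println("strict: alice=" + strict.matches(alice) + " lookalike=" + strict.matches(lookalike));

        // Misconfiguration: the same DN pattern split on the default "," separator
        // yields three fragments, none of which matches a complete DN
        SubjectCertConstraints broken = new SubjectCertConstraints("CN=alice,O=Example,C=US", ",");
        System.out.println("broken: patterns=" + broken.patternCount() + " alice=" + broken.matches(alice));
    }
}
```

The third case is the one to watch for in review: a constraint that silently rejects the legitimate signer looks like a key or trust problem, while a loose pattern that accepts look-alikes produces no error at all. Prefer an anchored full-DN pattern and set cert-constraints-separator to a character that cannot appear in the DN.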

quarkus.cxf.client."clients".security.actor

string

The actor or role name of the wsse:Security header. If this parameter is omitted, the actor name is not set.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_ACTOR
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.validate.token

boolean

true

If true, the password of a received UsernameToken will be validated; otherwise it won’t be validated.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_VALIDATE_TOKEN
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.username-token.always.encrypted

boolean

true

Whether to always encrypt UsernameTokens that are defined as a SupportingToken. This should not be set to false in a production environment, as it exposes the password (or the digest of the password) on the wire.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_USERNAME_TOKEN_ALWAYS_ENCRYPTED
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.is-bsp-compliant

boolean

true

If true, the compliance with the Basic Security Profile (BSP) 1.1 will be ensured; otherwise it will not be ensured.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_IS_BSP_COMPLIANT
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.enable.nonce.cache

boolean

If true, the UsernameToken nonces will be cached for both message initiators and recipients; otherwise they won’t be cached for either message initiators or recipients. The default is true for message recipients, and false for message initiators.

Caching

Caching only applies when either a UsernameToken WS-SecurityPolicy is in effect, or the UsernameToken action has been configured for the non-security-policy case.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_ENABLE_NONCE_CACHE
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.enable.timestamp.cache

boolean

If true, the Timestamp Created Strings (these are only cached in conjunction with a message Signature) will be cached for both message initiators and recipients; otherwise they won’t be cached for either message initiators or recipients. The default is true for message recipients, and false for message initiators.

Caching

Caching only applies when either an IncludeTimestamp policy is in effect, or the Timestamp action has been configured for the non-security-policy case.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_ENABLE_TIMESTAMP_CACHE
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.enable.streaming

boolean

false

If true, the new streaming (StAX) implementation of WS-Security is used; otherwise the old DOM implementation is used.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_ENABLE_STREAMING
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.return.security.error

boolean

false

If true, detailed security error messages are sent to clients; otherwise the details are omitted and only a generic error message is sent.

The "real" security errors should not be returned to the client in production, as they may leak information about the deployment, or otherwise provide an "oracle" for attacks.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_RETURN_SECURITY_ERROR
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.must-understand

boolean

true

If true, the SOAP mustUnderstand header is included in security headers based on a WS-SecurityPolicy; otherwise the header is always omitted.

Works only with enable.streaming = true - see CXF-8940

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_MUST_UNDERSTAND
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.enable.saml.cache

boolean

If true and in case the token contains a OneTimeUse Condition, the SAML2 Token Identifiers will be cached for both message initiators and recipients; otherwise they won’t be cached for either message initiators or recipients. The default is true for message recipients, and false for message initiators.

Caching only applies when either a SamlToken policy is in effect, or a SAML action has been configured for the non-security-policy case.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_ENABLE_SAML_CACHE
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.store.bytes.in.attachment

boolean

Whether to store bytes (CipherData or BinarySecurityToken) in an attachment. The default is true if MTOM is enabled. Set it to false to BASE-64 encode the bytes and inline them in the message instead. Setting this to true is more efficient, as it means that the BASE-64 encoding step can be skipped. This only applies to the DOM WS-Security stack.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_STORE_BYTES_IN_ATTACHMENT
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.swa.encryption.attachment.transform.content

boolean

false

If true, Attachment-Content-Only transform will be used when an Attachment is encrypted via a WS-SecurityPolicy expression; otherwise Attachment-Complete transform will be used when an Attachment is encrypted via a WS-SecurityPolicy expression.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_SWA_ENCRYPTION_ATTACHMENT_TRANSFORM_CONTENT
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.use.str.transform

boolean

true

If true, the STR (Security Token Reference) Transform will be used when (externally) signing a SAML Token; otherwise the STR (Security Token Reference) Transform will not be used.

Some frameworks cannot process the SecurityTokenReference. You may set this to false in such cases.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_USE_STR_TRANSFORM
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.add.inclusive.prefixes

boolean

true

If true, an InclusiveNamespaces PrefixList will be added as a CanonicalizationMethod child when generating Signatures using WSConstants.C14N_EXCL_OMIT_COMMENTS; otherwise the PrefixList will not be added.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_ADD_INCLUSIVE_PREFIXES
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.disable.require.client.cert.check

boolean

false

If true, the enforcement of the WS-SecurityPolicy RequireClientCertificate policy will be disabled; otherwise the enforcement of the WS-SecurityPolicy RequireClientCertificate policy is enabled.

Some servers may not do client certificate verification at the start of the SSL handshake, and therefore the client certificates may not be available to the WS-Security layer for policy verification.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_DISABLE_REQUIRE_CLIENT_CERT_CHECK
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.expand.xop.include

boolean

If true, the xop:Include elements will be searched for encryption and signature (on the outbound side) or for signature verification (on the inbound side); otherwise the search won’t happen. This ensures that the actual bytes are signed, and not just the reference. The default is true if MTOM is enabled, otherwise the default is false.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_EXPAND_XOP_INCLUDE
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.timestamp.timeToLive

string

300

The time in seconds to add to the Creation value of an incoming Timestamp to determine whether to accept it as valid or not.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_TIMESTAMP_TIMETOLIVE
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.timestamp.futureTimeToLive

string

60

The time in seconds in the future within which the Created time of an incoming Timestamp is valid. The default is greater than zero to avoid problems where clocks are slightly askew. Set this to 0 to reject all future-created `Timestamp`s.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_TIMESTAMP_FUTURETIMETOLIVE
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.usernametoken.timeToLive

string

300

The time in seconds to append to the Creation value of an incoming UsernameToken to determine whether to accept it as valid or not.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_USERNAMETOKEN_TIMETOLIVE
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.usernametoken.futureTimeToLive

string

60

The time in seconds in the future within which the Created time of an incoming UsernameToken is valid. The default is greater than zero to avoid problems where clocks are slightly askew. Set this to 0 to reject all future-created `UsernameToken`s.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_USERNAMETOKEN_FUTURETIMETOLIVE
Since Quarkus CXF: 2.5.0
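The four timeToLive / futureTimeToLive properties above define an acceptance window around the Created value, and the enable.timestamp.cache / enable.nonce.cache properties earlier add the second half of the defence: within the window a token is still replayable unless its Created string or nonce is remembered. The following is an added example, not WSS4J or Quarkus CXF code; it re-implements both checks in plain Java with a constructed in-memory cache (the page states that WSS4J’s default is an EHCacheReplayCache) so the interaction can be seen on sample values. It assumes the semantics the page describes: Created must be no older than now minus timeToLive and no later than now plus futureTimeToLive, with futureTimeToLive = 0 rejecting anything created after "now".

```java
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Added example: the two checks a recipient applies to the Created value of an
 * incoming Timestamp or UsernameToken, modelled on timestamp.timeToLive,
 * timestamp.futureTimeToLive and the replay caches described on this page.
 */
public class CreatedValidation {

    /**
     * Acceptance window. Rejects tokens created more than timeToLive seconds in
     * the past or more than futureTimeToLive seconds in the future (the latter is
     * the clock-skew allowance; 0 rejects every future-created token).
     */
    public static boolean withinWindow(Instant created, Instant now, long timeToLive, long futureTimeToLive) {
        Instant oldestAccepted = now.minusSeconds(timeToLive);
        Instant newestAccepted = now.plusSeconds(futureTimeToLive);
        return !created.isBefore(oldestAccepted) && !created.isAfter(newestAccepted);
    }

    /**
     * Constructed replay cache keyed by the token identifier (the Created string of
     * a signed Timestamp, or the nonce of a UsernameToken). An entry only needs to
     * live as long as the window; after that the window check rejects the token anyway.
     */
    public static final class ReplayCache {
        private final Map<String, Instant> seen = new ConcurrentHashMap<>();

        /** Returns true if the identifier is new (and records it), false if it is a replay. */
        public boolean register(String identifier, Instant now, long timeToLive) {
            // Purge expired entries so the cache stays bounded by the window size
            seen.entrySet().removeIf(e -> e.getValue().isBefore(now));
            Instant expiry = now.plusSeconds(timeToLive);
            return seen.putIfAbsent(identifier, expiry) == null;
        }

        public int size() {
            return seen.size();
        }
    }

    /** Both checks together: the token must be fresh and must not have been seen before. */
    public static boolean accept(String createdString, Instant now, ReplayCache cache,
                                 long timeToLive, long futureTimeToLive) {
        Instant created = Instant.parse(createdString);
        if (!withinWindow(created, now, timeToLive, futureTimeToLive)) {
            return false; // outside the window: never reaches the cache
        }
        return cache.register(createdString, now, timeToLive);
    }

    public static void main(String[] args) {
        // Constructed sample values using the page's defaults of 300 s and 60 s
        Instant now = Instant.parse("2024-01-01T12:00:00Z");
        long ttl = 300, futureTtl = 60;
        ReplayCache cache = new ReplayCache();

        System.out.println("2 min old, first use:   " + accept("2024-01-01T11:58:00Z", now, cache, ttl, futureTtl));
        System.out.println("same token again:       " + accept("2024-01-01T11:58:00Z", now, cache, ttl, futureTtl));
        System.out.println("6 min old:              " + accept("2024-01-01T11:54:00Z", now, cache, ttl, futureTtl));
        System.out.println("30 s in the future:     " + accept("2024-01-01T12:00:30Z", now, cache, ttl, futureTtl));
        System.out.println("2 min in the future:    " + accept("2024-01-01T12:02:00Z", now, cache, ttl, futureTtl));
        System.out.println("1 s ahead, futureTtl=0: "
                + withinWindow(Instant.parse("2024-01-01T12:00:01Z"), now, ttl, 0));
        System.out.println("cache entries:          " + cache.size());
    }
}
```

Two practical consequences follow from the model. Enlarging timeToLive to tolerate slow networks also enlarges the replay window, so it should be paired with the cache rather than used instead of it; and the cache is only meaningful on the recipient side, which is why the page gives different defaults for initiators and recipients.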

quarkus.cxf.client."clients".security.spnego.client.action

string

A reference to a org.apache.wss4j.common.spnego.SpnegoClientAction bean to use for SPNEGO. This allows the user to plug in a different implementation to obtain a service ticket.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_SPNEGO_CLIENT_ACTION
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.nonce.cache.instance

string

A reference to a org.apache.wss4j.common.cache.ReplayCache bean used to cache UsernameToken nonces. A org.apache.wss4j.common.cache.EHCacheReplayCache instance is used by default.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_NONCE_CACHE_INSTANCE
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.timestamp.cache.instance

string

A reference to a org.apache.wss4j.common.cache.ReplayCache bean used to cache Timestamp Created Strings. A org.apache.wss4j.common.cache.EHCacheReplayCache instance is used by default.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_TIMESTAMP_CACHE_INSTANCE
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.saml.cache.instance

string

A reference to a org.apache.wss4j.common.cache.ReplayCache bean used to cache SAML2 Token Identifier Strings (if the token contains a OneTimeUse condition). A org.apache.wss4j.common.cache.EHCacheReplayCache instance is used by default.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_SAML_CACHE_INSTANCE
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.cache.config.file

string

Set this property to point to a configuration file for the underlying caching implementation for the TokenStore. The default configuration file that is used is cxf-ehcache.xml in org.apache.cxf:cxf-rt-security JAR.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_CACHE_CONFIG_FILE
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.token-store-cache-instance

string

A reference to a org.apache.cxf.ws.security.tokenstore.TokenStore bean to use for caching security tokens. By default this uses a instance.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_TOKEN_STORE_CACHE_INSTANCE
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.cache.identifier

string

The Cache Identifier to use with the TokenStore. CXF uses the following key to retrieve a token store: org.apache.cxf.ws.security.tokenstore.TokenStore-<identifier>. This key can be used to configure service-specific cache configuration. If the identifier does not match, then it falls back to a cache configuration with key org.apache.cxf.ws.security.tokenstore.TokenStore.

The default <identifier> is the QName of the service in question. However to pick up a custom cache configuration (for example, if you want to specify a TokenStore per-client proxy), it can be configured with this identifier instead.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_CACHE_IDENTIFIER
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.role.classifier

string

The Subject Role Classifier to use. If one of the WSS4J Validators returns a JAAS Subject from Validation, then the WSS4JInInterceptor will attempt to create a SecurityContext based on this Subject. If this value is not specified, then it tries to get roles using the DefaultSecurityContext in org.apache.cxf:cxf-core. Otherwise it uses this value in combination with the role.classifier.type to get the roles from the Subject.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_ROLE_CLASSIFIER
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.role.classifier.type

string

prefix

The Subject Role Classifier Type to use. If one of the WSS4J Validators returns a JAAS Subject from Validation, then the WSS4JInInterceptor will attempt to create a SecurityContext based on this Subject. Currently accepted values are prefix or classname. Must be used in conjunction with the role.classifier.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_ROLE_CLASSIFIER_TYPE
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.asymmetric.signature.algorithm

string

This configuration tag allows the user to override the default Asymmetric Signature algorithm (RSA-SHA1) for use in WS-SecurityPolicy, as the WS-SecurityPolicy specification does not allow the use of other algorithms at present.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_ASYMMETRIC_SIGNATURE_ALGORITHM
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.symmetric.signature.algorithm

string

This configuration tag allows the user to override the default Symmetric Signature algorithm (HMAC-SHA1) for use in WS-SecurityPolicy, as the WS-SecurityPolicy specification does not allow the use of other algorithms at present.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_SYMMETRIC_SIGNATURE_ALGORITHM
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.password.encryptor.instance

string

A reference to a org.apache.wss4j.common.crypto.PasswordEncryptor bean, which is used to encrypt or decrypt passwords in the Merlin Crypto implementation (or any custom Crypto implementations).

By default, WSS4J uses the org.apache.wss4j.common.crypto.JasyptPasswordEncryptor, which must be instantiated with a password used to decrypt the keystore passwords in the Merlin Crypto definition. This password is obtained via the CallbackHandler defined via callback-handler.

The encrypted passwords must be stored in the format "ENC(encoded encrypted password)".

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_PASSWORD_ENCRYPTOR_INSTANCE
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.delegated.credential

string

A reference to a Kerberos org.ietf.jgss.GSSCredential bean to use for WS-Security. This is used to retrieve a service ticket instead of using the client credentials.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_DELEGATED_CREDENTIAL
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.security.context.creator

string

A reference to a org.apache.cxf.ws.security.wss4j.WSS4JSecurityContextCreator bean that is used to create a CXF SecurityContext from the set of WSS4J processing results. The default implementation is org.apache.cxf.ws.security.wss4j.DefaultWSS4JSecurityContextCreator.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_SECURITY_CONTEXT_CREATOR
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.security.token.lifetime

long

300000

The security token lifetime value (in milliseconds).

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_SECURITY_TOKEN_LIFETIME
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.kerberos.request.credential.delegation

boolean

false

If true, credential delegation is requested in the KerberosClient; otherwise it is not requested.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_KERBEROS_REQUEST_CREDENTIAL_DELEGATION
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.kerberos.use.credential.delegation

boolean

false

If true, the GSSCredential bean is retrieved from the Message Context using the delegated.credential property and then used to obtain a service ticket.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_KERBEROS_USE_CREDENTIAL_DELEGATION
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.kerberos.is.username.in.servicename.form

boolean

false

If true, the Kerberos username is in servicename form; otherwise it is not.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_KERBEROS_IS_USERNAME_IN_SERVICENAME_FORM
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.kerberos.jaas.context

string

The JAAS Context name to use for Kerberos.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_KERBEROS_JAAS_CONTEXT
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.kerberos.spn

string

The Kerberos Service Provider Name (spn) to use.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_KERBEROS_SPN
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.kerberos.client

string

A reference to a org.apache.cxf.ws.security.kerberos.KerberosClient bean used to obtain a service ticket.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_KERBEROS_CLIENT
Since Quarkus CXF: 2.5.0

quarkus.cxf.client."clients".security.sts.client

string

A reference to a fully configured org.apache.cxf.ws.security.trust.STSClient bean to communicate with the STS. If not set, the STS client will be created and configured based on other [prefix].security.sts.client.* properties as long as they are available.

To work around the fact that org.apache.cxf.ws.security.trust.STSClient does not have a no-args constructor and thus cannot be used as a CDI bean type, you can use the wrapper class io.quarkiverse.cxf.ws.security.sts.client.STSClientBean instead.

Tip: Check the Security Token Service (STS) extension page for more information about WS-Trust.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_STS_CLIENT
Since Quarkus CXF: 3.8.0

quarkus.cxf.client."clients".security.sts.client.wsdl

string

A URL, resource path or local filesystem path pointing to a WSDL document to use when generating the service proxy of the STS client.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_STS_CLIENT_WSDL
Since Quarkus CXF: 3.8.0

quarkus.cxf.client."clients".security.sts.client.service-name

string

A fully qualified name of the STS service. Common values include:

  • WS-Trust 1.0: {http://schemas.xmlsoap.org/ws/2005/02/trust/}SecurityTokenService

  • WS-Trust 1.3: {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService

  • WS-Trust 1.4: {http://docs.oasis-open.org/ws-sx/ws-trust/200802/}SecurityTokenService

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_STS_CLIENT_SERVICE_NAME
Since Quarkus CXF: 3.8.0

quarkus.cxf.client."clients".security.sts.client.endpoint-name

string

A fully qualified name of the STS endpoint name. Common values include:

  • {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}X509_Port

  • {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Transport_Port

  • {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}UT_Port

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_STS_CLIENT_ENDPOINT_NAME
Since Quarkus CXF: 3.8.0

quarkus.cxf.client."clients".security.sts.client.username

string

The user name to use when authenticating against the STS. It is used as follows:

  • As the name in the UsernameToken for WS-Security

  • As the alias name in the keystore to get the user’s cert and private key for signature if signature.username is not set

  • As the alias name in the keystore to get the user’s public key for encryption if encryption.username is not set

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_STS_CLIENT_USERNAME
Since Quarkus CXF: 3.8.0

quarkus.cxf.client."clients".security.sts.client.password

string

The password associated with the username.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_STS_CLIENT_PASSWORD
Since Quarkus CXF: 3.8.0

quarkus.cxf.client."clients".security.sts.client.encryption.username

string

The user’s name for encryption. It is used as the alias name in the keystore to get the user’s public key for encryption. If this is not defined, then username is used instead. If that is also not specified, it uses the default alias set in the properties file referenced by encrypt.properties. If that’s also not set, and the keystore only contains a single key, that key will be used.

For the WS-Security web service provider, the useReqSigCert value can be used to accept (encrypt to) any client whose public key is in the service’s truststore (defined in encrypt.properties).

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_STS_CLIENT_ENCRYPTION_USERNAME
Since Quarkus CXF: 3.8.0

quarkus.cxf.client."clients".security.sts.client.encryption.properties

Map<String,String>

The Crypto property configuration to use for encryption, if encryption.crypto is not set.

Example

[prefix].encryption.properties."org.apache.ws.security.crypto.provider" = org.apache.ws.security.components.crypto.Merlin
[prefix].encryption.properties."org.apache.ws.security.crypto.merlin.keystore.password" = password
[prefix].encryption.properties."org.apache.ws.security.crypto.merlin.file" = certs/alice.jks

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_STS_CLIENT_ENCRYPTION_PROPERTIES
Since Quarkus CXF: 3.8.0

quarkus.cxf.client."clients".security.sts.client.encryption.crypto

string

A reference to a org.apache.wss4j.common.crypto.Crypto to be used for encryption. If not set, encryption.properties will be used to configure a Crypto instance.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_STS_CLIENT_ENCRYPTION_CRYPTO
Since Quarkus CXF: 3.8.0

quarkus.cxf.client."clients".security.sts.client.token.crypto

string

A reference to a org.apache.wss4j.common.crypto.Crypto to be used for the STS. If not set, token.properties will be used to configure a Crypto instance.

WCF’s trust server sometimes will encrypt the token in the response IN ADDITION TO the full security on the message. These properties control the way the STS client will decrypt the EncryptedData elements in the response.

These are also used by the token.properties to send/process any RSA/DSAKeyValue tokens used if the KeyType is PublicKey.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_STS_CLIENT_TOKEN_CRYPTO
Since Quarkus CXF: 3.8.0

quarkus.cxf.client."clients".security.sts.client.token.properties

Map<String,String>

The Crypto property configuration to use for the STS, if token.crypto is not set.

Example

[prefix].token.properties."org.apache.ws.security.crypto.provider" = org.apache.ws.security.components.crypto.Merlin
[prefix].token.properties."org.apache.ws.security.crypto.merlin.keystore.password" = password
[prefix].token.properties."org.apache.ws.security.crypto.merlin.file" = certs/alice.jks

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_STS_CLIENT_TOKEN_PROPERTIES
Since Quarkus CXF: 3.8.0

quarkus.cxf.client."clients".security.sts.client.token.username

string

The alias name in the keystore to get the user’s public key to send to the STS for the PublicKey KeyType case.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_STS_CLIENT_TOKEN_USERNAME
Since Quarkus CXF: 3.8.0

quarkus.cxf.client."clients".security.sts.client.token.usecert

boolean

false

Whether to write out an X509Certificate structure in UseKey/KeyInfo, or whether to write out a KeyValue structure.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_STS_CLIENT_TOKEN_USECERT
Since Quarkus CXF: 3.8.0

quarkus.cxf.client."clients".security.sts.client.soap12-binding

boolean

false

If true, the STS client will be set to send SOAP 1.2 messages; otherwise it will send SOAP 1.1 messages.

Environment variable: QUARKUS_CXF_CLIENT__CLIENTS__SECURITY_STS_CLIENT_SOAP12_BINDING
Since Quarkus CXF: 3.8.0
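
As an added example that is not part of the Quarkus CXF documentation, here is an application.properties fragment that assembles the STS client for a client named hello from the sts.client.* properties listed above (no sts.client bean is defined, so CXF builds it from these keys). The client name, the STS URL, the keystore path and the environment variable names are constructed placeholders.

```properties
# Added example, not from the Quarkus CXF docs. The client name "hello", the STS URL,
# the keystore file and the *_PASSWORD environment variables are placeholders.
quarkus.cxf.client."hello".security.sts.client.wsdl = https://sts.example.com/SecurityTokenService/UT?wsdl
quarkus.cxf.client."hello".security.sts.client.service-name = {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService
quarkus.cxf.client."hello".security.sts.client.endpoint-name = {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}UT_Port

# These credentials go into the UsernameToken sent to the STS over the UT port.
# Keep the password out of the file: ${...} is Quarkus property expansion.
quarkus.cxf.client."hello".security.sts.client.username = alice
quarkus.cxf.client."hello".security.sts.client.password = ${STS_PASSWORD}

# Only needed when the STS encrypts the issued token (see token.crypto above) or
# when the KeyType is PublicKey: the keystore holding alice's key pair.
quarkus.cxf.client."hello".security.sts.client.token.properties."org.apache.ws.security.crypto.provider" = org.apache.ws.security.components.crypto.Merlin
quarkus.cxf.client."hello".security.sts.client.token.properties."org.apache.ws.security.crypto.merlin.file" = certs/alice.jks
quarkus.cxf.client."hello".security.sts.client.token.properties."org.apache.ws.security.crypto.merlin.keystore.password" = ${ALICE_KEYSTORE_PASSWORD}
quarkus.cxf.client."hello".security.sts.client.token.username = alice
# Send the full X509Certificate in UseKey/KeyInfo rather than a bare KeyValue.
quarkus.cxf.client."hello".security.sts.client.token.usecert = true

# Set this when the STS expects SOAP 1.2; the default is SOAP 1.1.
quarkus.cxf.client."hello".security.sts.client.soap12-binding = true
```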

quarkus.cxf.endpoint."endpoints".security.username

string

The user’s name. It is used as follows:

  • As the name in the UsernameToken for WS-Security

  • As the alias name in the keystore to get the user’s cert and private key for signature if signature.username is not set

  • As the alias name in the keystore to get the user’s public key for encryption if encryption.username is not set

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_USERNAME
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.password

string

The user’s password when a callback-handler is not defined. This is only used for the password in a WS-Security UsernameToken.

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_PASSWORD
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.signature.username

string

The user’s name for signature. It is used as the alias name in the keystore to get the user’s cert and private key for signature. If this is not defined, then username is used instead. If that is also not specified, it uses the default alias set in the properties file referenced by signature.properties. If that’s also not set, and the keystore only contains a single key, that key will be used.

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_SIGNATURE_USERNAME
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.signature.password

string

The user’s password for signature when a callback-handler is not defined.

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_SIGNATURE_PASSWORD
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.encryption.username

string

The user’s name for encryption. It is used as the alias name in the keystore to get the user’s public key for encryption. If this is not defined, then username is used instead. If that is also not specified, it uses the default alias set in the properties file referenced by encrypt.properties. If that’s also not set, and the keystore only contains a single key, that key will be used.

For the WS-Security web service provider, the useReqSigCert value can be used to accept (encrypt to) any client whose public key is in the service’s truststore (defined in encrypt.properties).

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_ENCRYPTION_USERNAME
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.callback-handler

string

A reference to a javax.security.auth.callback.CallbackHandler bean used to obtain passwords, for both outbound and inbound requests.

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_CALLBACK_HANDLER
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.saml-callback-handler

string

A reference to a javax.security.auth.callback.CallbackHandler implementation used to construct SAML Assertions.

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_SAML_CALLBACK_HANDLER
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.signature.properties

Map<String,String>

The Crypto property configuration to use for signing, if signature.crypto is not set.

Example

[prefix].signature.properties."org.apache.ws.security.crypto.provider" = org.apache.ws.security.components.crypto.Merlin
[prefix].signature.properties."org.apache.ws.security.crypto.merlin.keystore.password" = password
[prefix].signature.properties."org.apache.ws.security.crypto.merlin.file" = certs/alice.jks

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_SIGNATURE_PROPERTIES
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.encryption.properties

Map<String,String>

The Crypto property configuration to use for encryption, if encryption.crypto is not set.

Example

[prefix].encryption.properties."org.apache.ws.security.crypto.provider" = org.apache.ws.security.components.crypto.Merlin
[prefix].encryption.properties."org.apache.ws.security.crypto.merlin.keystore.password" = password
[prefix].encryption.properties."org.apache.ws.security.crypto.merlin.file" = certs/alice.jks

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_ENCRYPTION_PROPERTIES
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.signature.crypto

string

A reference to a org.apache.wss4j.common.crypto.Crypto bean to be used for signature. If not set, signature.properties will be used to configure a Crypto instance.

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_SIGNATURE_CRYPTO
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.encryption.crypto

string

A reference to a org.apache.wss4j.common.crypto.Crypto to be used for encryption. If not set, encryption.properties will be used to configure a Crypto instance.

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_ENCRYPTION_CRYPTO
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.encryption.certificate

string

A message property for a prepared X509 certificate to be used for encryption. If this is not defined, then the certificate will be either loaded from the keystore configured in encryption.properties or extracted from the request (when WS-Security is used and encryption.username has the value useReqSigCert).

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_ENCRYPTION_CERTIFICATE
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.enable-revocation

boolean

false

If true, Certificate Revocation List (CRL) checking is enabled when verifying trust in a certificate; otherwise it is not enabled.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_ENABLE_REVOCATION
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.enable-unsigned-saml-assertion-principal

boolean

false

If true, unsigned SAML assertions will be allowed as SecurityContext Principals; otherwise they won’t be allowed as SecurityContext Principals.

Signature

The label "unsigned" refers to an internal signature. Even if the token is signed by an external signature (as per the "sender-vouches" requirement), this boolean must still be configured if you want to use the token to set up the security context.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.validate-saml-subject-confirmation

boolean

true

If true, the SubjectConfirmation requirements of a received SAML Token (sender-vouches or holder-of-key) will be validated; otherwise they won’t be validated.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_VALIDATE_SAML_SUBJECT_CONFIRMATION
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.sc-from-jaas-subject

boolean

true

If true, security context can be created from JAAS Subject; otherwise it must not be created from JAAS Subject.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_SC_FROM_JAAS_SUBJECT
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.audience-restriction-validation

boolean

true

If true, then if the SAML Token contains Audience Restriction URIs, one of them must match one of the values in audience.restrictions; otherwise the SAML AudienceRestriction validation is disabled.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_AUDIENCE_RESTRICTION_VALIDATION
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.saml-role-attributename

string

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role

The attribute URI of the SAML AttributeStatement where the role information is stored.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_SAML_ROLE_ATTRIBUTENAME
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.subject-cert-constraints

string

A String of regular expressions (separated by the value specified in security.cert.constraints.separator) which will be applied to the subject DN of the certificate used for signature validation, after trust verification of the certificate chain associated with the certificate.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_SUBJECT_CERT_CONSTRAINTS
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.cert-constraints-separator

string

,

The separator that is used to parse certificate constraints configured in security.subject.cert.constraints

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_CERT_CONSTRAINTS_SEPARATOR
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.actor

string

The actor or role name of the wsse:Security header. If this parameter is omitted, the actor name is not set.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_ACTOR
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.validate.token

boolean

true

If true, the password of a received UsernameToken will be validated; otherwise it won’t be validated.

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_VALIDATE_TOKEN
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.username-token.always.encrypted

boolean

true

Whether to always encrypt UsernameTokens that are defined as a SupportingToken. This should not be set to false in a production environment, as it exposes the password (or the digest of the password) on the wire.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_USERNAME_TOKEN_ALWAYS_ENCRYPTED
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.is-bsp-compliant

boolean

true

If true, the compliance with the Basic Security Profile (BSP) 1.1 will be ensured; otherwise it will not be ensured.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_IS_BSP_COMPLIANT
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.enable.nonce.cache

boolean

If true, the UsernameToken nonces will be cached for both message initiators and recipients; otherwise they won’t be cached for either. The default is true for message recipients, and false for message initiators.

Caching

Caching only applies when either a UsernameToken WS-SecurityPolicy is in effect, or the UsernameToken action has been configured for the non-security-policy case.

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_ENABLE_NONCE_CACHE
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.enable.timestamp.cache

boolean

If true, the Timestamp Created Strings (these are only cached in conjunction with a message Signature) will be cached for both message initiators and recipients; otherwise they won’t be cached for either. The default is true for message recipients, and false for message initiators.

Caching

Caching only applies when either a IncludeTimestamp policy is in effect, or the Timestamp action has been configured for the non-security-policy case.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_ENABLE_TIMESTAMP_CACHE
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.enable.streaming

boolean

false

If true, the new streaming (StAX) implementation of WS-Security is used; otherwise the old DOM implementation is used.

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_ENABLE_STREAMING
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.return.security.error

boolean

false

If true, detailed security error messages are sent to clients; otherwise the details are omitted and only a generic error message is sent.

The "real" security errors should not be returned to the client in production, as they may leak information about the deployment, or otherwise provide an "oracle" for attacks.

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_RETURN_SECURITY_ERROR
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.must-understand

boolean

true

If true, the SOAP mustUnderstand header is included in security headers based on a WS-SecurityPolicy; otherwise the header is always omitted.

Works only with enable.streaming = true - see CXF-8940

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_MUST_UNDERSTAND
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.enable.saml.cache

boolean

If true and the token contains a OneTimeUse Condition, the SAML2 Token Identifiers will be cached for both message initiators and recipients; otherwise they won’t be cached for either. The default is true for message recipients, and false for message initiators.

Caching only applies when either a SamlToken policy is in effect, or a SAML action has been configured for the non-security-policy case.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_ENABLE_SAML_CACHE
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.store.bytes.in.attachment

boolean

Whether to store bytes (CipherData or BinarySecurityToken) in an attachment. The default is true if MTOM is enabled. Set it to false to BASE-64 encode the bytes and inline them in the message instead. Setting this to true is more efficient, as it means that the BASE-64 encoding step can be skipped. This only applies to the DOM WS-Security stack.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_STORE_BYTES_IN_ATTACHMENT
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.swa.encryption.attachment.transform.content

boolean

false

If true, the Attachment-Content-Only transform is used when an attachment is encrypted via a WS-SecurityPolicy expression; otherwise the Attachment-Complete transform is used.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_SWA_ENCRYPTION_ATTACHMENT_TRANSFORM_CONTENT
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.use.str.transform

boolean

true

If true, the STR (Security Token Reference) Transform will be used when (externally) signing a SAML Token; otherwise it will not be used.

Some frameworks cannot process the SecurityTokenReference. You may set this false in such cases.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_USE_STR_TRANSFORM
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.add.inclusive.prefixes

boolean

true

If true, an InclusiveNamespaces PrefixList will be added as a CanonicalizationMethod child when generating Signatures using WSConstants.C14N_EXCL_OMIT_COMMENTS; otherwise the PrefixList will not be added.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_ADD_INCLUSIVE_PREFIXES
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.disable.require.client.cert.check

boolean

false

If true, the enforcement of the WS-SecurityPolicy RequireClientCertificate policy will be disabled; otherwise the policy is enforced.

Some servers may not do client certificate verification at the start of the SSL handshake, and therefore the client certificates may not be available to the WS-Security layer for policy verification.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_DISABLE_REQUIRE_CLIENT_CERT_CHECK
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.expand.xop.include

boolean

If true, the xop:Include elements will be searched for encryption and signature (on the outbound side) or for signature verification (on the inbound side); otherwise the search won’t happen. This ensures that the actual bytes are signed, and not just the reference. The default is true if MTOM is enabled, otherwise the default is false.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_EXPAND_XOP_INCLUDE
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.timestamp.timeToLive

string

300

The time in seconds to add to the Creation value of an incoming Timestamp to determine whether to accept it as valid or not.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_TIMESTAMP_TIMETOLIVE
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.timestamp.futureTimeToLive

string

60

The time in seconds in the future within which the Created time of an incoming Timestamp is valid. The default is greater than zero to avoid problems where clocks are slightly askew. Set this to 0 to reject all future-created `Timestamp`s.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_TIMESTAMP_FUTURETIMETOLIVE
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.usernametoken.timeToLive

string

300

The time in seconds to add to the Creation value of an incoming UsernameToken to determine whether to accept it as valid or not.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_USERNAMETOKEN_TIMETOLIVE
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.usernametoken.futureTimeToLive

string

60

The time in seconds in the future within which the Created time of an incoming UsernameToken is valid. The default is greater than zero to avoid problems where clocks are slightly askew. Set this to 0 to reject all future-created `UsernameToken`s.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_USERNAMETOKEN_FUTURETIMETOLIVE
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.spnego.client.action

string

A reference to an org.apache.wss4j.common.spnego.SpnegoClientAction bean to use for SPNEGO. This allows the user to plug in a different implementation to obtain a service ticket.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_SPNEGO_CLIENT_ACTION
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.nonce.cache.instance

string

A reference to an org.apache.wss4j.common.cache.ReplayCache bean used to cache UsernameToken nonces. An org.apache.wss4j.common.cache.EHCacheReplayCache instance is used by default.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_NONCE_CACHE_INSTANCE
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.timestamp.cache.instance

string

A reference to an org.apache.wss4j.common.cache.ReplayCache bean used to cache Timestamp Created Strings. An org.apache.wss4j.common.cache.EHCacheReplayCache instance is used by default.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_TIMESTAMP_CACHE_INSTANCE
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.saml.cache.instance

string

A reference to an org.apache.wss4j.common.cache.ReplayCache bean used to cache SAML2 Token Identifier Strings (if the token contains a OneTimeUse condition). An org.apache.wss4j.common.cache.EHCacheReplayCache instance is used by default.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_SAML_CACHE_INSTANCE
Since Quarkus CXF: 2.5.0
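
The timeToLive, futureTimeToLive and nonce/timestamp cache options above together define a replay window: a Created value is accepted only if it is neither older than timeToLive seconds nor more than futureTimeToLive seconds ahead of the receiver's clock, and a nonce seen twice within that window is a replay. The following stand-alone Java class is an added illustration of exactly that logic; it is not code from Quarkus CXF or WSS4J, and its in-memory map merely stands in for the ReplayCache bean (EHCacheReplayCache by default) that the real implementation uses. The class name, method names and the fixed demo clock are this example's own choices.

```java
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Illustration (not CXF/WSS4J code) of the acceptance window described by the
 * security.timestamp.* and security.usernametoken.* options, combined with a
 * nonce replay cache in the spirit of the ReplayCache bean referenced by
 * security.nonce.cache.instance.
 */
public class ReplayWindowExample {

    /** Outcome of validating an incoming Created value together with its nonce. */
    public enum Verdict { ACCEPTED, EXPIRED, TOO_FAR_IN_FUTURE, REPLAYED }

    private final long timeToLiveSeconds;        // mirrors timestamp.timeToLive (default 300)
    private final long futureTimeToLiveSeconds;  // mirrors timestamp.futureTimeToLive (default 60)

    /** nonce -> instant after which the nonce can be forgotten; stand-in for EHCacheReplayCache. */
    private final Map<String, Instant> seenNonces = new ConcurrentHashMap<>();

    public ReplayWindowExample(long timeToLiveSeconds, long futureTimeToLiveSeconds) {
        this.timeToLiveSeconds = timeToLiveSeconds;
        this.futureTimeToLiveSeconds = futureTimeToLiveSeconds;
    }

    public Verdict validate(Instant created, String nonce, Instant now) {
        // Created + timeToLive must not lie in the past, otherwise the token has expired.
        Instant expiry = created.plusSeconds(timeToLiveSeconds);
        if (expiry.isBefore(now)) {
            return Verdict.EXPIRED;
        }
        // Created may be at most futureTimeToLive seconds ahead of our clock (skew allowance);
        // with futureTimeToLive = 0 every Created value later than now is rejected.
        if (created.isAfter(now.plusSeconds(futureTimeToLiveSeconds))) {
            return Verdict.TOO_FAR_IN_FUTURE;
        }
        // Forget nonces whose tokens could no longer pass the checks above anyway.
        seenNonces.entrySet().removeIf(e -> e.getValue().isBefore(now));
        // A nonce is remembered until its token expires; seeing it again before then is a replay.
        if (seenNonces.putIfAbsent(nonce, expiry) != null) {
            return Verdict.REPLAYED;
        }
        return Verdict.ACCEPTED;
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2024-01-01T12:00:00Z"); // fixed clock, constructed for the demo
        ReplayWindowExample defaults = new ReplayWindowExample(300, 60);

        System.out.println("fresh token:              " + defaults.validate(now.minusSeconds(10), "nonce-A", now));
        System.out.println("same nonce again:         " + defaults.validate(now.minusSeconds(10), "nonce-A", now));
        System.out.println("created 301 s ago:        " + defaults.validate(now.minusSeconds(301), "nonce-B", now));
        System.out.println("created 59 s ahead:       " + defaults.validate(now.plusSeconds(59), "nonce-C", now));
        System.out.println("created 61 s ahead:       " + defaults.validate(now.plusSeconds(61), "nonce-D", now));

        // futureTimeToLive = 0: no tolerance for a Created value in the future at all.
        ReplayWindowExample strict = new ReplayWindowExample(300, 0);
        System.out.println("strict, 1 s ahead:        " + strict.validate(now.plusSeconds(1), "nonce-E", now));
    }
}
```

The two settings pull in opposite directions: a large timeToLive keeps tokens usable across slow networks but widens the interval during which a captured nonce must be remembered, while a futureTimeToLive of 0 removes all tolerance for clock skew between client and service. Note that the defaults keep one ReplayCache instance per token kind (UsernameToken nonces, Timestamp Created strings, SAML OneTimeUse identifiers), so a nonce cached for one kind does not protect another.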

quarkus.cxf.endpoint."endpoints".security.cache.config.file

string

Set this property to point to a configuration file for the underlying caching implementation for the TokenStore. The default configuration file that is used is cxf-ehcache.xml in org.apache.cxf:cxf-rt-security JAR.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_CACHE_CONFIG_FILE
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.token-store-cache-instance

string

A reference to an org.apache.cxf.ws.security.tokenstore.TokenStore bean to use for caching security tokens. By default this uses an instance.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_TOKEN_STORE_CACHE_INSTANCE
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.cache.identifier

string

The Cache Identifier to use with the TokenStore. CXF uses the following key to retrieve a token store: org.apache.cxf.ws.security.tokenstore.TokenStore-<identifier>. This key can be used to configure service-specific cache configuration. If the identifier does not match, then it falls back to a cache configuration with key org.apache.cxf.ws.security.tokenstore.TokenStore.

The default <identifier> is the QName of the service in question. However, to pick up a custom cache configuration (for example, if you want to specify a TokenStore per client proxy), it can be configured with this identifier instead.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_CACHE_IDENTIFIER
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.role.classifier

string

The Subject Role Classifier to use. If one of the WSS4J Validators returns a JAAS Subject from Validation, then the WSS4JInInterceptor will attempt to create a SecurityContext based on this Subject. If this value is not specified, then it tries to get roles using the DefaultSecurityContext in org.apache.cxf:cxf-core. Otherwise it uses this value in combination with the role.classifier.type to get the roles from the Subject.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_ROLE_CLASSIFIER
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.role.classifier.type

string

prefix

The Subject Role Classifier Type to use. If one of the WSS4J Validators returns a JAAS Subject from Validation, then the WSS4JInInterceptor will attempt to create a SecurityContext based on this Subject. Currently accepted values are prefix or classname. Must be used in conjunction with the role.classifier.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_ROLE_CLASSIFIER_TYPE
Since Quarkus CXF: 2.5.0
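
To make the two accepted values of role.classifier.type concrete, here is an added Java illustration of how a JAAS Subject's Principals are turned into roles under each mode; it is not CXF's own SecurityContext implementation. The two record types and the sample Subject are constructed for the demo, and stripping the prefix from the Principal name to obtain the role name in "prefix" mode is this example's assumption about the mapping, not something the page states.

```java
import java.security.Principal;
import java.util.Set;
import java.util.TreeSet;
import javax.security.auth.Subject;

/**
 * Illustration (not CXF code) of how security.role.classifier and
 * security.role.classifier.type select role Principals from a JAAS Subject
 * returned by a WSS4J Validator.
 */
public class RoleClassifierExample {

    /** Minimal Principal for building sample Subjects; constructed for this example. */
    public record NamedPrincipal(String name) implements Principal {
        @Override public String getName() { return name; }
    }

    /** A second Principal class so that the "classname" mode has something to match. */
    public record GroupPrincipal(String name) implements Principal {
        @Override public String getName() { return name; }
    }

    /**
     * type = "prefix":    a Principal is a role if its name starts with the classifier;
     *                     this example strips the prefix to obtain the role name (assumption).
     * type = "classname": a Principal is a role if its fully qualified class name equals the classifier.
     */
    public static Set<String> rolesOf(Subject subject, String classifier, String type) {
        Set<String> roles = new TreeSet<>();
        for (Principal p : subject.getPrincipals()) {
            switch (type) {
                case "prefix" -> {
                    if (p.getName().startsWith(classifier)) {
                        roles.add(p.getName().substring(classifier.length()));
                    }
                }
                case "classname" -> {
                    if (p.getClass().getName().equals(classifier)) {
                        roles.add(p.getName());
                    }
                }
                default -> throw new IllegalArgumentException(
                        "role.classifier.type must be 'prefix' or 'classname', got: " + type);
            }
        }
        return roles;
    }

    public static void main(String[] args) {
        Subject subject = new Subject();
        subject.getPrincipals().add(new NamedPrincipal("alice"));         // the user, never a role
        subject.getPrincipals().add(new NamedPrincipal("ROLE_admin"));    // role under "prefix"
        subject.getPrincipals().add(new NamedPrincipal("ROLE_operator")); // role under "prefix"
        subject.getPrincipals().add(new GroupPrincipal("auditors"));      // role under "classname"

        // quarkus...security.role.classifier=ROLE_  +  role.classifier.type=prefix
        System.out.println("prefix    -> " + rolesOf(subject, "ROLE_", "prefix"));
        // quarkus...security.role.classifier=<FQCN of GroupPrincipal>  +  role.classifier.type=classname
        System.out.println("classname -> " + rolesOf(subject, GroupPrincipal.class.getName(), "classname"));
    }
}
```

The practical consequence for authorization is that the classifier decides which Principals count as roles at all: with an overly broad prefix, or a classname shared by user and group Principals, a user name could be treated as a role, so the classifier should match only the Principals your Validator emits specifically to represent roles.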

quarkus.cxf.endpoint."endpoints".security.asymmetric.signature.algorithm

string

This configuration tag allows the user to override the default Asymmetric Signature algorithm (RSA-SHA1) for use in WS-SecurityPolicy, as the WS-SecurityPolicy specification does not allow the use of other algorithms at present.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_ASYMMETRIC_SIGNATURE_ALGORITHM
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.symmetric.signature.algorithm

string

This configuration tag allows the user to override the default Symmetric Signature algorithm (HMAC-SHA1) for use in WS-SecurityPolicy, as the WS-SecurityPolicy specification does not allow the use of other algorithms at present.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_SYMMETRIC_SIGNATURE_ALGORITHM
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.password.encryptor.instance

string

A reference to an org.apache.wss4j.common.crypto.PasswordEncryptor bean, which is used to encrypt or decrypt passwords in the Merlin Crypto implementation (or any custom Crypto implementations).

By default, WSS4J uses the org.apache.wss4j.common.crypto.JasyptPasswordEncryptor, which must be instantiated with a password to use to decrypt keystore passwords in the Merlin Crypto definition. This password is obtained via the CallbackHandler defined via callback-handler.

The encrypted passwords must be stored in the format "ENC(encoded encrypted password)".

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_PASSWORD_ENCRYPTOR_INSTANCE
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.delegated.credential

string

A reference to a Kerberos org.ietf.jgss.GSSCredential bean to use for WS-Security. This is used to retrieve a service ticket instead of using the client credentials.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_DELEGATED_CREDENTIAL
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.security.context.creator

string

A reference to an org.apache.cxf.ws.security.wss4j.WSS4JSecurityContextCreator bean that is used to create a CXF SecurityContext from the set of WSS4J processing results. The default implementation is org.apache.cxf.ws.security.wss4j.DefaultWSS4JSecurityContextCreator.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_SECURITY_CONTEXT_CREATOR
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.security.token.lifetime

long

300000

The security token lifetime value (in milliseconds).

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_SECURITY_TOKEN_LIFETIME
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.kerberos.request.credential.delegation

boolean

false

If true, credential delegation is requested in the KerberosClient; otherwise credential delegation is not requested.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_KERBEROS_REQUEST_CREDENTIAL_DELEGATION
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.kerberos.use.credential.delegation

boolean

false

If true, the GSSCredential bean is retrieved from the Message Context using the delegated.credential property and then used to obtain a service ticket.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_KERBEROS_USE_CREDENTIAL_DELEGATION
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.kerberos.is.username.in.servicename.form

boolean

false

If true, the Kerberos username is in servicename form; otherwise it is not.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_KERBEROS_IS_USERNAME_IN_SERVICENAME_FORM
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.kerberos.jaas.context

string

The JAAS Context name to use for Kerberos.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_KERBEROS_JAAS_CONTEXT
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.kerberos.spn

string

The Kerberos Service Provider Name (spn) to use.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_KERBEROS_SPN
Since Quarkus CXF: 2.5.0

quarkus.cxf.endpoint."endpoints".security.kerberos.client

string

A reference to an org.apache.cxf.ws.security.kerberos.KerberosClient bean used to obtain a service ticket.

This option is experimental, because it is not covered by tests yet.

Environment variable: QUARKUS_CXF_ENDPOINT__ENDPOINTS__SECURITY_KERBEROS_CLIENT
Since Quarkus CXF: 2.5.0