Software AG Infrasructure 10.7 | Working with Web Services | Configuring Web Service Security | Setting Up Message-Level Security | Configuring the Client Side
 
Configuring the Client Side
When you use the client API to invoke web services that require security, you can specify security configuration settings through a properties file. The security configuration settings are loaded only if the web service policy contains security assertions.
Open the axis2.xml file in a text editor and set the securityConfigFile parameter to the file name and path to the custom properties file, as follows:
<parametername="securityConfigFile">D:/wsdev/SampleWSClient/wsclientsec.
properties</parameter>
If you do not define such a parameter, the client implementation looks for a wsclientsec.properties file in the current working directory. If a securityConfigFile parameter exists but the file specified cannot be found, you get an exception. If the parameter is not defined or a wsclientsec.properties file is not present in the current working directory, the configuration loading routine does not throw any exceptions.
The following table lists the supported configuration parameters that you can include in the custom security configuration properties file.
Parameter
Description
USERNAME
User name used by:
*Web Services Stack UsernameToken function in the UsernameToken.
*Web Services Stack signing function as the alias name in the keystore to get the user's certificate and the private key to perform signing.
*Web Services Stack encryption function if ENCRYPTION_USER is not set.
ENCRYPTION_USER
Encryption user name. The encryption function uses the public key of this user certificate to encrypt the generated symmetric key. If this parameter is not set, then the encryption function uses the USERNAME parameter value to get the certificate.
USER_ CERTIFICATE_ ALIAS
Alias of the key pair in the keystore used to get the private key for the signature. If this parameter is not set, the signature function uses the USERNAME parameter value.
STS_ALIAS
STS alias used as an encryption user in case of a STS authentication.
POLICY_ VALIDATOR_ CLASS
Policy validator callback class responsible for validating the security header against the security policy. The default callback class is org.apache.rampart.PolicyBasedResultsValidator.
TIMESTAMP_ PRECISION_ IN_MS
Defines whether time stamp precision is in milliseconds. The setting concerns the Timestamp element that may be required/ included in the security header. This parameter is passed to wss4j WSSConfig.
*true (default) - time stamp precision is in milliseconds.
*false - time stamp precision is in the format yyyy-MM-dd'T'HH:mm:ss'Z'.
TIMESTAMP_ TTL
Time stamp time-to-live in seconds. Default value is 300. Valid value is any integer.
TIMESTAMP_ MAX_SKEW
Used in time stamp validation where the creation time stamp must not be later than current time plus the time skew in seconds. Default value is 300. Valid value is any integer.
USERNAME_ TOKEN_TTL
UsernameToken time to live in seconds. This is the time difference between the creation and the expiry of the UsernameToken. Default value is 300. Valid value is any integer.
USERNAME_ TOKEN_ FUTURE_TTL
UsernameToken future time to live in seconds. The time in seconds in the future, during which the Created time of an incoming UsernameToken is valid. Default value is 60. Valid value is any integer.
PASSWORD_ CALLBACK_ HANDLER_ CLASS
Class that implements the javax.security.auth.callback.CallbackHandler callback interface. The security module loads the class and calls the callback method to get the password. The class must have a public default constructor with no parameters.
OPTIMIZE_ PARTS_ EXPRESSIONS
List of Xpath expressions that refer to nodes that must be MTOM-optimized. The configured value is a semicolon delimited list of Xpath expressions.
Important:
If this property is set, it overwrites any previously configured list of expressions and does not add them to the list.
OPTIMIZE_ PARTS_ NAMESPACES
List of namespaces taken into consideration when searching for the nodes that are to be MTOM-optimized. The optimizing utility must recognize the namespace prefixes in the OPTIMIZE_PARTS_EXPRESSIONS list to be able to retrieve correctly the nodes from the document. By default, the following namespaces are registered:
 
xmlns:ds=http://www.w3.org/2000/09/xmldsig#
xmlns:xenc=http://www.w3.org/2001/04/xmlenc#
xmlns:wsse=http://docs.oasis-
open.org/wss/2004/01/oasis-200401-wss-
wssecurity-secext-1.0.xsd
xmlns:wsu=http://docs.oasis-
open.org/wss/2004/01/oasis-200401-wss-
wssecurity-utility-1.0.xsd
The expected value for this property is a semicolon delimited list of XML namespace declarations, for example:
 
OPTIMIZE_PARTS_NAMESPACES=
xmlns:ns1=http://myns1;
xmlns:ns2=http://myns2
Note:
If this property is set, it overwrites any previously configured list of namespaces and does not add them to the list.
CRYPTO_ PROVIDER_ SIGN
WSS4J-specific Crypto implementation to use to generate the signature. It can be set to either of the following:
*org.apache.ws.security.components.crypto.Merlin (default)
*org.apache.ws.security.components.crypto.BouncyCastle
KEYSTORE_ PROVIDER_ SIGN
Signature keystore provider. If not set the JVM uses the default keystore provider, usually Oracle. For more information, see the java.security.Provider Java doc.
KEYSTORE_ TYPE_SIGN
Signature keystore type. If not set, the JVM uses the default keystore type, usually JKS. For more information, see the java.security.KeyStore#getDefaultType() method Java doc.
KEYSTORE_ FILE_SIGN
Signature keystore file.
KEYSTORE_ PASSWORD_ SIGN
Signature keystore password.
CRYPTO_ PROVIDER_ ENCRYPT
WSS4J-specific Crypto implementation to use for encryption. It can be set to either of the following:
*org.apache.ws.security.components.crypto.Merlin (default)
*org.apache.ws.security.components.crypto.BouncyCastle
KEYSTORE_ PROVIDER_ ENCRYPT
Encryption keystore provider. If not set the JVM uses the default keystore provider, usually Oracle. For more information, see the java.security.Provider Java doc.
KEYSTORE_ TYPE_ ENCRYPT
Encryption keystore type. If not set, the JVM uses the default keystore type, usually JKS. For more information, see the java.security.Provider Java doc.
KEYSTORE_ FILE_ENCRYPT
Encryption keystore file.
KEYSTORE_ PASSWORD_ ENCRYPT
Encryption keystore password.
CRYPTO_ PROVIDER_STS
WSS4J-specific Crypto implementation to use for protection in case of a STS authentication. It can be set to either of the following:
*org.apache.ws.security.components.crypto.Merlin (default)
*org.apache.ws.security.components.crypto.BouncyCastle
KEYSTORE_ PROVIDER_STS
Keystore provider to use in case of a STS authentication. If not set the JVM uses the default keystore provider, usually Oracle. For more information, see the java.security.Provider Java doc.
KEYSTORE_ TYPE_STS
Keystore type to use in case of a STS authentication. If not set the JVM uses the default keystore type, usually JKS. For more information, see the java.security.KeyStore#getDefaultType() method javadocs.
KEYSTORE_ FILE_STS
Keystore file to use in case of a STS authentication.
KEYSTORE_ PASSWORD_ STS
Keystore password to use in case of a STS authentication.
The configuration loading routine puts all those entries in the client options. You can overwrite any of the parameters next time Rampart is to be executed. For example, all security parameters can be specified programmatically using the Web Services Stack client options:
//create the WS Stack client:IWSStaxClient client = ......
IWSOptions options =
client.getWSOptions();options.setProperty(WSClientConstants.KEYSTORE_PASSWORD_
SIGN,
"changeit");options.setProperty(WSClientConstants.KEYSTORE_FILE_SIGN,
"C:\\client.jks");//execute the clientclient.sendReceive(...);
The Rampart is afterwards configured through a Rampart assertion that is generated by the RampartConfigLoader handler. The Web Services Stack client takes care of engaging that handler if Rampart itself is engaged. The function of the RampartConfigHandler is basically to gather all the security configuration keys, build up the Rampart configuration assertion, and put it as a property in the message context options where Rampart can find it.