...
There are several extra properties that may need to be set to provide the additional bits of information to the runtime. Note that you should check that a particular property is supported in the version of CXF you are using. First, see the Security Configuration page for information on the configuration tags that are shared with the JAX-RS XML Security component. Here are configuration tags that only apply to the WS-SecurityPolicy layer, and hence all start with "ws-security" (as opposed to the common tags which now start with "security-").
Boolean WS-Security configuration tags, e.g. the value should be "true" or "false".
constant | default | definition |
ws-security.validate.token | true | Whether to validate the password of a received UsernameToken or not. |
ws-security.username-token.always.encrypted | true | Whether to always encrypt UsernameTokens that are defined as a SupportingToken. This should not be set to false in a production environment, as it exposes the password (or the digest of the password) on the wire. |
ws-security.is-bsp-compliant | true | Whether to ensure compliance with the Basic Security Profile (BSP) 1.1 or not. |
ws-security.self-sign-saml-assertion | false | Whether to self-sign a SAML Assertion or not. If this is set to true, then an enveloped signature will be generated when the SAML Assertion is constructed. Only applies up to CXF 2.7.x. |
ws-security.enable.nonce.cache | (varies) | Whether to cache UsernameToken nonces. See here for more information. |
ws-security.enable.timestamp.cache | (varies) | Whether to cache Timestamp Created Strings. See here for more information. |
| ws-security.enable.saml.cache | (varies) | Whether to cache SAML2 Token Identifiers, if the token contains a "OneTimeUse" Condition. |
| ws-security.enable.streaming | false | Whether to enable streaming WS-Security. |
| ws-security.return.security.error | false | Whether to return the security error message to the client, and not one of the default error QNames. |
| ws-security.must-understand | true | Set this to "false" in order to remove the SOAP mustUnderstand header from security headers generated based on a WS-SecurityPolicy. |
| ws-security.store.bytes.in.attachment | (varies) | CXF 3.1.3/3.0.6 Whether to store bytes (CipherData or BinarySecurityToken) in an attachment if MTOM is enabled. True by default in CXF 3.1.x, false for CXF 3.0.x. |
| ws-security.use.str.transform | true | CXF 3.1.5/3.0.8 Whether to use the STR (Security Token Reference) Transform when (externally) signing a SAML Token. The default is true. |
| ws-security.add.inclusive.prefixes | true | CXF 3.1.7 Whether to add an InclusiveNamespaces PrefixList as a CanonicalizationMethod child when generating Signatures using WSConstants.C14N_EXCL_OMIT_COMMENTS. |
| ws-security.expand.xop.include | (varies) | CXF 3.3.3 Whether to search for and expand xop:Include Elements for encryption and signature (on the outbound side) or for signature verification (on the inbound side). This ensures that the actual bytes are signed, and not just the reference. The default is "true" if MTOM is enabled, false otherwise. |
Non-boolean WS-Security Configuration parameters
...