...
security.sts.client | A reference to the STSClient class used to communicate with the STS. |
security.sts.applies-to | The "AppliesTo" address to send to the STS. The default is the endpoint address of the service provider. |
security.sts.token.usecert | If true, writes out an X509Certificate structure in UseKey/KeyInfo. If false (the default), writes out a KeyValue structure instead. |
security.sts.token.do.cancel | Whether to cancel a token when using SecureConversation after successful invocation. The default is "false". |
security.issue.after.failed.renew | Whether to fall back to calling "issue" after failing to renew an expired token. The default is "true". |
security.cache.issued.token.in.endpoint | Set this to "false" to not cache a SecurityToken per proxy object in the IssuedTokenInterceptorProvider. This should be done if a token is being retrieved from an STS in an intermediary. The default value is "true". |
security.sts.disable-wsmex-call-using-epr-address | Whether to prevent the STS client from sending a WS-MetadataExchange call to the STS EPR WSA address when the endpoint contract contains no WS-MetadataExchange info. The default value is "false". |
security.sts.token.crypto | A Crypto object to be used for the STS. See here for more information. |
security.sts.token.properties | The Crypto property configuration to use for the STS. See here for more information. |
security.sts.token.username | The alias name in the keystore to get the user's public key to send to the STS for the PublicKey KeyType case. |
security.sts.token.act-as | The token to be sent to the STS in an "ActAs" field. See here for more information. |
security.sts.token.on-behalf-of | The token to be sent to the STS in an "OnBehalfOf" field. See here for more information. |
security.issue.after.failed.renew | Whether to call "Issue" if a token "Renew" fails. Some STSs do not support the renew binding. Defaults to "true". |
security.sts.token.imminent-expiry-value | The value in seconds within which a token is considered to be expired by the client, i.e. it is considered to be expired if it will expire in a time less than the value specified by this tag. The default value is "10" for CXF 3.0.2+, and "0" for CXF 2.7.13+. |
security.sts.token.cacher.impl (CXF 3.1.11) | An implementation of the STSTokenCacher interface, if you want to plug in custom caching behaviour for STS clients. The default value is the DefaultSTSTokenCacher. |
security.sts.check.for.recursive.call (CXF 3.3.3/3.2.10) | Check that we are not invoking on the STS using its own IssuedToken policy, in which case we will end up with a recursive loop. This check might be a problem in the unlikely scenario that the remote endpoint has the same service / port QName as the STS, so this configuration flag allows the check to be disabled for that scenario. The default is "true". |
Backwards compatibility
Users of Apache CXF prior to 3.1.0 do not need to make any adjustment to their code or Spring files. The older "ws-" prefix associated with the configuration tags above will continue to be accepted.