WS-Security Properties




<true | false>

If true, login with certificates other than company certificates are allowed.

Default is false.


<true | false>

If true, only the signer certificate will be included in the generated BinarySecurityToken when signing/encrypting XML or SOAP – if set to false, the entire certificate chain (if present in the keystore it was loaded from) will be included within the BinarySecurityToken.

Default is true.


<List of .cer, .der or .p7b files containing certificates>

If specified, it will contain a list of certificates that can be used to encrypt request with – when a request is then encrypted using one of the certificates it can only be decrypted with the corresponding private key.

Default is empty.


<list of keystores, separated by comma or semicolon>

List of keystores to load – each name is used to load the wss.keystore.xxxx.* properties specified below.


<filename> - xxxx is replaced by the keystore name from the list in wss.keystores.

Filename of keystore (usually .pkcs12/.pfx or .jks) which contains public and private keys.


<password> - xxxx is replaced by the keystore name from the list in wss.keystores.

Password to open the keystore file.


<Name of provider> - xxxx is replaced by the keystore name from the list in wss.keystores.

Name of the keystore provider, use BC for BouncyCastle which is the default provider used in PP.

Default is BC


<Keystore type> - xxxx is replaced by the keystore name from the list in wss.keystores.

Keystore type, usually either JKS or PKCS12 – if using hardware token provider it could be e.g. "Luna"

Default is PKCS12


<List of usergroups>

List of user groups where the user doing the signing needs to have one of these groups in order to have access to the private key associated with the keystore.
This can be used to distinguish between who has access to signing SOAP / XML calls based on which user groups they have.
Note that if no list is specified, all users are allowed to sign using all private keys.

If wss.usergroups.xxxx (xxxx is an alias name) is configured, it will override the list of usergroups for the specific alias.

Note that you can by default protect all keys from a specific keystore by providing this entry, then you can change the groups required for specific aliases by using wss.suergroups.<alias>

Default is blank, which means no groups are required.


<List of usergroups>

xxxx is the alias of a private key within one of the configured keystores.

If this property is not specified for any given alias loaded from within the keystore, the wss.keystore.xxxx.usergroups property specifies which groups are requires, if any to access this key.

Any value for this property overrides what is set up for the keystore in wss.keystore.xxxx.usergroups

wss.usergroups. testkey=staff;owner – here, only members of staff or owner usergroups have access to the key.


<List of classnames, separated by comma or semicolon>

Contains a list of security providers that will be loaded and added to java's security provider list.



<Name of JCE provider>

Must be set to the name of the JCE provider, if the system default one is not used. To use Luna with XML signing, it must be set to LunaJCAProvider or crypto will be attempted in software (which will fail when using keys loaded from hardware).



<Number of seconds> - Default is 300 (5 minutes)

Lifetime of timestamp inserted in header, the Expires tag will be set to the current time + the number of seconds specified.



<Number of seconds> - Default is 60 (1 minute) - Requires v5.60

The number of seconds in "slack", meaning the number of seconds the timestamp may be out of sync with the current time when validating if it is valid. This is used both for created and expired timestamps in the incoming message.

Example: 300



Specify an audit log to be used for logging all incoming/outgoing XML/SOAP messages to. The audit log class must implement the interface dk.itp.portalprotect.wss.IAuditLog.


© Ceptor ApS. All Rights Reserved.