WSS Module Reference - Mule 4
WSS Module v1.0 enables you to process and validate an inbound SOAP request against a given Web Service Security (WSS) extension configuration.
Configurations
Inbound
Parameters
Name | Type | Description | Default Value | Required |
---|---|---|---|---|
Name | String | The name for this configuration. Connectors reference the configuration with this name. | | x |
Actor | | | | |
Extract Security Header | Boolean | | false | |
Validate Username Token | Verify Username Token Config | | | |
Validate Signature | Verify Signature Config | | | |
Decrypt Message | Decryption Config | | | |
Validate Timestamp | Verify Timestamp Config | | | |
Validate SAML Assertion | Verify Saml Config | | | |
Expiration Policy | Expiration Policy | Configures the minimum amount of time that a dynamic configuration instance can remain idle before the runtime considers it eligible for expiration. This does not mean that the platform will expire the instance at the exact moment that it becomes eligible. The runtime will actually purge the instances when it sees fit. | | |

The validation and decryption entries are all optional, and a check that is not configured is not applied. An inbound configuration should therefore enable every protection the client is expected to provide; at minimum, Validate Timestamp together with Validate Signature, so that the timestamp being checked is itself covered by the signature.
Operations
Validate WSS
<wss:validate-wss>
Parameters
Name | Type | Description | Default Value | Required |
---|---|---|---|---|
Configuration | String | The name of the configuration to use. | | x |
Request | Binary | The inbound SOAP message to validate. | #[payload] | |
Version | Enumeration | SOAP version of the message. | SOAP_12 | |
Output Mime Type | String | The mime type of the payload that this operation outputs. | | |
Output Encoding | String | The encoding of the payload that this operation outputs. | | |
Streaming Strategy | One of: Repeatable In Memory Stream, Repeatable File Store Stream | Configure if repeatable streams should be used and their behavior. | | |
Target Variable | String | The name of a variable on which the operation's output will be placed. | | |
Target Value | String | An expression that will be evaluated against the operation's output and the outcome of that expression will be stored in the target variable. | #[payload] | |
Apply WSS
<wss:apply-wss>
Parameters
Name | Type | Description | Default Value | Required |
---|---|---|---|---|
Configuration | String | The name of the configuration to use. | | x |
Response | Binary | The outbound SOAP message to which the configured WSS processing is applied. | #[payload] | |
Version | Enumeration | SOAP version of the message. | SOAP_12 | |
Output Mime Type | String | The mime type of the payload that this operation outputs. | | |
Output Encoding | String | The encoding of the payload that this operation outputs. | | |
Streaming Strategy | One of: Repeatable In Memory Stream, Repeatable File Store Stream | Configure if repeatable streams should be used and their behavior. | | |
Target Variable | String | The name of a variable on which the operation's output will be placed. | | |
Target Value | String | An expression that will be evaluated against the operation's output and the outcome of that expression will be stored in the target variable. | #[payload] | |
|
Types
Verify Username Token Config
Field | Type | Description | Default Value | Required |
---|---|---|---|---|
Authenticate User Config | One of the AuthenticateUserConfig sub-types: Credentials Config or LDAP Config (both described below) | Specific type for the authentication configuration. | | x |
Time To Live | Number | Maximum age, in seconds, of the UsernameToken Created element: a token whose Created time lies further in the past than this is rejected. | 30 | |
Check Nonce | Boolean | Whether to check the Nonce element in the UsernameToken. A nonce is a random value that the sender creates to include in each UsernameToken it sends, so a nonce the receiver has already seen indicates a replayed token. Only checked if included. | true | |
Verify Signature Config
Field | Type | Description | Default Value | Required |
---|---|---|---|---|
Truststore Config | Trust Store Configuration | TrustStore configuration used for validating the signature. | | x |
Issuer Pattern | String | Pattern that the signing certificate's Issuer must match. | | |
Subject Pattern | String | Pattern that the signing certificate's Subject must match. | | |
Trust Store Configuration
Field | Type | Description | Default Value | Required |
---|---|---|---|---|
Path | String | Location of the truststore. | | x |
Password | String | Password of the truststore. | | x |
Type | String | Truststore type. | jks | |
Decryption Config
Field | Type | Description | Default Value | Required |
---|---|---|---|---|
Keystore Config | Key Store Configuration | KeyStore configuration used for decryption. | | x |
Key Store Configuration
Field | Type | Description | Default Value | Required |
---|---|---|---|---|
Path | String | Location of the keystore. | | x |
Password | String | Password of the keystore. | | x |
Alias | String | Alias of the key entry to use. | | |
Key Password | String | Password of the key entry. | | |
Type | String | Keystore type. | jks | |
Verify Timestamp Config
Field | Type | Description | Default Value | Required |
---|---|---|---|---|
Time To Live | Number | The time, counted from the Timestamp's Created element, within which the Timestamp is valid. The default is 5 minutes. | 300 | |
Skew Time | Number | Clock difference tolerated between server and client. The default is 60 seconds. | 60 | |
Time Unit | Enumeration | Time unit to be used in the timeToLive configuration. | SECONDS | |
Strict | Boolean | If true and the Timestamp contains an Expires element, reject the message once that time has passed. | true | |
Require Expires Header | Boolean | Whether the Timestamp Expires element is required. | true | |
Precision In Milliseconds | Boolean | If set to true then use timestamps with milliseconds, otherwise omit the milliseconds. | true | |
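The freshness and replay checks that Verify Username Token Config and Verify Timestamp Config parameterize, as an added example written for this page in Python (it is not the module's own code). It assumes a Credentials Config backed by a plain {username: password} map, a constructed wsse:Security header, and an order of checks chosen for the example; the page does not state the order in which the module applies them.

```python
"""Freshness and replay checks behind Verify Username Token Config and Verify Timestamp
Config.  Added example, not MuleSoft code: it models the knobs the tables describe
(timeToLive, skewTime, strict, requireExpiresHeader, checkNonce) on a constructed header."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

WSSE = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}"
WSU = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}"
DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"

def _dt(text):
    """wsu:Created / wsu:Expires carry an xsd:dateTime in UTC (trailing 'Z')."""
    return datetime.fromisoformat(text.strip().replace("Z", "+00:00"))

def password_digest(nonce_b64, created, password):
    """UsernameToken Profile 1.0: Base64(SHA-1(nonce || created || password))."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def check_timestamp(header, now, ttl=300, skew=60, strict=True, require_expires=True):
    """None if the wsu:Timestamp is acceptable, else why it fails.  ttl/skew are seconds;
    the order of the checks is this example's choice, the page does not give the module's."""
    ts = header.find(WSU + "Timestamp")
    created = ts.findtext(WSU + "Created") if ts is not None else None
    if created is None:
        return "Timestamp or Created missing"
    created, tol = _dt(created), timedelta(seconds=skew)   # tol: tolerated clock drift
    if created > now + tol:
        return "Created is in the future"
    if now - created > timedelta(seconds=ttl) + tol:        # ttl counts from Created
        return "Created is older than timeToLive"
    expires = ts.findtext(WSU + "Expires")
    if expires is None:
        return "Expires is required" if require_expires else None
    if strict and now > _dt(expires) + tol:                 # strict=False ignores Expires
        return "Timestamp has expired"
    return None

class UsernameTokenVerifier:
    """Verify Username Token Config backed by a Credentials Config (assumed {user: password}
    store).  Nonces are remembered for ttl seconds, so a captured token cannot be replayed."""
    def __init__(self, credentials, ttl=30, check_nonce=True):
        self.credentials = credentials
        self.ttl = timedelta(seconds=ttl)
        self.check_nonce = check_nonce
        self._seen = {}                         # nonce -> time it may be forgotten

    def verify(self, header, now):
        tok = header.find(WSSE + "UsernameToken")
        if tok is None:
            return "no UsernameToken"
        user, pw = tok.findtext(WSSE + "Username"), tok.find(WSSE + "Password")
        nonce, created = tok.findtext(WSSE + "Nonce"), tok.findtext(WSU + "Created")
        if user not in self.credentials or pw is None or pw.text is None:
            return "unknown user or no Password"
        if created is not None and not (now - self.ttl <= _dt(created) <= now):
            return "Created outside timeToLive"
        if pw.get("Type") != DIGEST or nonce is None or created is None:
            return "only PasswordDigest with Nonce and Created is accepted here"
        expected = password_digest(nonce, created, self.credentials[user])
        if not hmac.compare_digest(expected.encode(), pw.text.encode()):
            return "bad password"
        if self.check_nonce:                    # checkNonce: reject a nonce seen within ttl
            self._seen = {n: t for n, t in self._seen.items() if t > now}
            if nonce in self._seen:
                return "nonce replayed"
            self._seen[nonce] = now + self.ttl
        return None

# Constructed header for the example (not captured traffic).
HEADER = """<wsse:Security xmlns:wsse="{wsse}" xmlns:wsu="{wsu}">
  <wsu:Timestamp><wsu:Created>2024-05-01T12:00:00Z</wsu:Created>
    <wsu:Expires>2024-05-01T12:02:00Z</wsu:Expires></wsu:Timestamp>
  <wsse:UsernameToken><wsse:Username>alice</wsse:Username>
    <wsse:Password Type="{digest_type}">{digest}</wsse:Password>
    <wsse:Nonce>{nonce}</wsse:Nonce><wsu:Created>2024-05-01T12:00:00Z</wsu:Created>
  </wsse:UsernameToken></wsse:Security>"""

def demo():
    """Accepted once, rejected on replay, then exercised under clock drift and age."""
    nonce = base64.b64encode(b"0123456789abcdef").decode()
    header = ET.fromstring(HEADER.format(
        wsse=WSSE[1:-1], wsu=WSU[1:-1], digest_type=DIGEST, nonce=nonce,
        digest=password_digest(nonce, "2024-05-01T12:00:00Z", "s3cret")))
    ut = UsernameTokenVerifier({"alice": "s3cret"})
    t = _dt("2024-05-01T12:00:10Z")             # 10 s after Created: both checks pass
    first = (check_timestamp(header, t), ut.verify(header, t))
    replay = (check_timestamp(header, t), ut.verify(header, t))   # same header again
    t = _dt("2024-05-01T12:02:30Z")             # 30 s past Expires: only skew saves it
    drift = (check_timestamp(header, t), check_timestamp(header, t, skew=0),
             check_timestamp(header, t, skew=0, strict=False))
    t = _dt("2024-05-01T12:07:00Z")             # older than ttl + skew and than the UT ttl
    stale = (check_timestamp(header, t), ut.verify(header, t))
    return first, replay, drift, stale
```

Running demo() shows the same header accepted once and then refused as a replay, a message 30 seconds past Expires that only Skew Time rescues (and that Strict = false waves through), and a message older than Time To Live that both checks reject regardless of Expires. The replay defence only exists while a nonce is remembered, which is why the UsernameToken Time To Live is deliberately short.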
Verify Saml Config
Field | Type | Description | Default Value | Required |
---|---|---|---|---|
Saml Version | Enumeration | SAML version. | SAML10 | |
Time To Live | Number | The time in seconds within which a SAML Assertion is valid if it does not contain a NotOnOrAfter Condition. The default is 30 minutes. | 1800 | |
Skew Time | Number | Clock difference tolerated between server and client. The default is 60 seconds. | 60 | |
Time Unit | Enumeration | Time unit to be used in the timeToLive and skewTime configuration. | SECONDS | |
Require Standard Subject Confirmation Method | Boolean | If set, at least one of the standard Subject Confirmation Methods in SamlConfirmationMethod (Bearer, SenderVouches or HolderOfKey) must be present in the assertion. | false | |
Require Bearer Signature | Boolean | If set, an Assertion with a Bearer Subject Confirmation Method must be signed. | false | |
Validate Signature Against Profile | Boolean | Whether to validate the signature of the Assertion (if it exists) against the relevant profile. | false | |
Required Subject Confirmation Method | Enumeration | If set, the value must appear as one of the Subject Confirmation Methods (SamlConfirmationMethod) in the assertion. | | |

With the defaults above, an assertion that uses the Bearer confirmation method is accepted without a signature, and a signature that is present is not checked against the SAML profile. Set Require Bearer Signature and Validate Signature Against Profile to true unless the assertion's integrity is guaranteed by another layer, such as a message signature that covers the assertion or mutually authenticated TLS.
Expiration Policy
Field | Type | Description | Default Value | Required |
---|---|---|---|---|
Max Idle Time | Number | A scalar time value for the maximum amount of time a dynamic configuration instance should be allowed to be idle before it is considered eligible for expiration. | | |
Time Unit | Enumeration | A time unit that qualifies the maxIdleTime attribute. | | |
Repeatable In Memory Stream
Field | Type | Description | Default Value | Required |
---|---|---|---|---|
Initial Buffer Size | Number | The amount of memory allocated in order to consume the stream and provide random access to it. If the stream contains more data than fits in this buffer, the buffer is expanded according to the bufferSizeIncrement attribute, with an upper limit of maxInMemorySize. | | |
Buffer Size Increment | Number | By how much the buffer size is expanded when it exceeds its initial size. A value of zero or lower means the buffer does not expand, so a STREAM_MAXIMUM_SIZE_EXCEEDED error is raised when the buffer fills up. | | |
Max Buffer Size | Number | The maximum amount of memory that will be used. If more than that is used, a STREAM_MAXIMUM_SIZE_EXCEEDED error is raised. A value lower than or equal to zero means no limit. | | |
Buffer Unit | Enumeration | The unit in which all these attributes are expressed. | | |
Repeatable File Store Stream
Field | Type | Description | Default Value | Required |
---|---|---|---|---|
In Memory Size | Number | Defines the maximum memory that the stream should use to keep data in memory. If more than that is consumed, the content is buffered on disk. | | |
Buffer Unit | Enumeration | The unit in which maxInMemorySize is expressed. | | |
Signature Config
Field | Type | Description | Default Value | Required |
---|---|---|---|---|
Key Identifier | Enumeration | The key identifier type to use for the signature. See SignatureKeyIdentifierConstants. | ISSUER_SERIAL | |
Algorithm | Enumeration | The signature algorithm to use. The default is set by the data in the certificate. See SignatureAlgorithmConstants. | | |
Digest Algorithm | Enumeration | The signature digest algorithm to use. See SignatureDigestAlgorithmConstants. | SHA1 | |
C14n Algorithm | Enumeration | Defines which signature c14n (canonicalization) algorithm to use. See SignatureC14nAlgorithmConstants. | ExclusiveXMLCanonicalization_1_0 | |
Keystore Config | Key Store Configuration | KeyStore configuration used for signing. | | x |
Wss Parts | Array of Wss Part | List of parts to be signed. If no part is specified, the SOAP Body is signed. | | |

SHA1 is the default digest, and SHA-1 is no longer acceptable for new signatures; set Digest Algorithm to SHA256 or stronger wherever the receiving side supports it.
Wss Part
Field | Type | Description | Default Value | Required |
---|---|---|---|---|
Encode | Enumeration | Whether the element's content or the whole element is covered. | CONTENT | |
Namespace | String | Namespace of the element. | | x |
Localname | String | Local name of the element. | | x |
Encryption Config
Field | Type | Description | Default Value | Required |
---|---|---|---|---|
Encryption Key Identifier | Enumeration | The key identifier type to use for encryption. | ISSUER_SERIAL | |
Encryption Sym Algorithm | Enumeration | The symmetric encryption algorithm to use. | AES_128 | |
Encryption Key Transport Algorithm | Enumeration | The algorithm used to encrypt the generated symmetric key. | KEYTRANSPORT_RSAOAEP | |
Encryption Digest Algorithm | Enumeration | The digest algorithm to use with the key transport algorithm. | SHA1 | |
Keystore Config | Key Store Configuration | KeyStore configuration used for encryption. | | |
Wss Parts | Array of Wss Part | List of parts to be encrypted. If no part is specified, the SOAP Body is encrypted. | | |
Credentials Config
Field | Type | Description | Default Value | Required |
---|---|---|---|---|
Username | String | Username. | | x |
Password | String | Password. | | x |
LDAP Config
Field | Type | Description | Default Value | Required |
---|---|---|---|---|
Provider Url | String | LDAP server URL. | | x |
User Dn | String | User that will authenticate to the directory. | | x |
Password | String | Credentials to use for getting authenticated contexts. | | x |
Search Base | String | The search base defines the starting point for the search in the directory tree. | | x |
Search Filter | String | Filters can be used to restrict the number of users or groups that are permitted to access an application. | | x |
Search In Subtree | Boolean | Whether to search in the subtree. | false | |