
WSS Module Reference - Mule 4

WSS Module v1.1 enables you to process and validate an inbound SOAP request against a given Web Service Security (WSS) extension configuration.

Configurations

Inbound

Parameters

Name | Type | Description | Default Value | Required
Name | String | The name for this configuration. Connectors reference the configuration with this name. | | x
Actor | String | | |
Extract Security Header | Boolean | | false |
Validate Username Token | | | |
Validate Signature | | | |
Decrypt Message | | | |
Validate Timestamp | | | |
Validate SAML Assertion | | | |
Expiration Policy | | Configures the minimum amount of time that a dynamic configuration instance can remain idle before the runtime considers it eligible for expiration. This does not mean that the platform expires the instance at the exact moment it becomes eligible; the runtime purges the instances when it sees fit. | |

Associated Operations


Outbound

Parameters

Name | Type | Description | Default Value | Required
Name | String | The name for this configuration. Connectors reference the configuration with this name. | | x
Signature Configuration | | | |
Encryption Configuration | | | |
Timestamp Configuration | | | |
'Must Understand' Attribute | Boolean | | false |

Associated Operations

Operations

Validate WSS

<wss:validate-wss>

Parameters

Name | Type | Description | Default Value | Required
Configuration | String | The name of the configuration to use. | | x
Request | Binary | | #[payload] |
Version | Enumeration, one of: SOAP_11, SOAP_12 | | SOAP_12 |
Output Mime Type | String | The mime type of the payload that this operation outputs. | |
Output Encoding | String | The encoding of the payload that this operation outputs. | |
Streaming Strategy | | Configure whether repeatable streams should be used and their behaviour. | |
Target Variable | String | The name of a variable on which the operation's output will be placed. | |
Target Value | String | An expression that will be evaluated against the operation's output; the outcome of that expression will be stored in the target variable. | #[payload] |

Output

Type | Binary

For Configurations.

Throws

  • WSS:MISSING_CERTIFICATE
  • WSS:SECURITY_APPLYING
  • WSS:SECURITY_VALIDATING

Apply WSS

<wss:apply-wss>

Parameters

Name | Type | Description | Default Value | Required
Configuration | String | The name of the configuration to use. | | x
Response | Binary | | #[payload] |
Version | Enumeration, one of: SOAP_11, SOAP_12 | | SOAP_12 |
Output Mime Type | String | The mime type of the payload that this operation outputs. | |
Output Encoding | String | The encoding of the payload that this operation outputs. | |
Streaming Strategy | | Configure whether repeatable streams should be used and their behaviour. | |
Target Variable | String | The name of a variable on which the operation's output will be placed. | |
Target Value | String | An expression that will be evaluated against the operation's output; the outcome of that expression will be stored in the target variable. | #[payload] |

Output

Type | Binary

For Configurations.

Throws

  • WSS:MISSING_CERTIFICATE
  • WSS:SECURITY_APPLYING
  • WSS:SECURITY_VALIDATING

Types

Verify Username Token Config

Field | Type | Description | Default Value | Required
Authenticate User Config | | Specific type for the authentication configuration. See AuthenticateUserConfig sub-types. | | x
Time To Live | Number | The time difference, in seconds, between the creation time in the UsernameToken Created element and the expiry time. | 30 |
Check Nonce | Boolean | Whether to check the Nonce element in the UsernameToken. A Nonce is a random value that the sender creates to include in each UsernameToken that it sends. Only checked if included. | true |

Verify Signature Config

Field | Type | Description | Default Value | Required
Truststore Config | | TrustStore configuration used for validating the signature. | | x
Issuer Pattern | String | Certificate Issuer pattern. | |
Subject Pattern | String | Certificate Subject pattern. | |

Trust Store Configuration

Field | Type | Description | Default Value | Required
Path | String | | | x
Password | String | | | x
Type | String | | jks |

Decryption Config

Field | Type | Description | Default Value | Required
Keystore Config | | KeyStore configuration used for decryption. | | x

Key Store Configuration

Field | Type | Description | Default Value | Required
Path | String | | | x
Password | String | | | x
Alias | String | | |
Key Password | String | | |
Type | String | | jks |

Verify Timestamp Config

Field | Type | Description | Default Value | Required
Time To Live | Number | The time within which the Timestamp element is valid. The default is 5 minutes. | 300 |
Skew Time | Number | The tolerated time difference between server and client clocks. The default is 60 seconds. | 60 |
Time Unit | Enumeration, one of: NANOSECONDS, MICROSECONDS, MILLISECONDS, SECONDS, MINUTES, HOURS, DAYS | Time unit to be used in the timeToLive configuration. | SECONDS |
Strict | Boolean | If set to true, validates whether the timestamp contains an Expires element and whether it has expired. | true |
Require Expires Header | Boolean | Whether the timestamp Expires header is required. | true |
Precision In Milliseconds | Boolean | If set to true, use timestamps with milliseconds; otherwise omit the milliseconds. | true |
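The following is an added example, not code from the WSS Module, showing the freshness semantics that the Verify Timestamp Config and Verify Username Token Config parameters express: timeToLive and skewTime applied to the Timestamp Created element, the requireExpiresHeader and strict switches applied to Expires, and the UsernameToken Created window plus a nonce cache that turns checkNonce into replay detection. The namespace URIs are the standard OASIS WS-Security ones; the SOAP envelope, nonce, username and clock values are constructed for the example, and the nonce cache is an in-process illustration rather than a description of how the module stores nonces.

```python
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

# Standard WS-Security namespace URIs (from the OASIS WSS specs, not from this page).
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"


def parse_utc(text):
    """Parse an xsd:dateTime in UTC, with or without millisecond precision."""
    text = text.strip()
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    return datetime.fromisoformat(text)


def validate_timestamp(header, now, ttl_seconds=300, skew_seconds=60,
                       require_expires=True, strict=True):
    """Check wsu:Timestamp under wsse:Security; defaults mirror Verify Timestamp Config."""
    ts = header.find(f"{{{WSU}}}Timestamp")
    if ts is None:
        return False, "no Timestamp element"
    created_el = ts.find(f"{{{WSU}}}Created")
    expires_el = ts.find(f"{{{WSU}}}Expires")
    if created_el is None:
        return False, "Timestamp has no Created element"
    created = parse_utc(created_el.text)
    skew = timedelta(seconds=skew_seconds)
    if created > now + skew:  # tolerate clock skew, nothing beyond it
        return False, "Created lies in the future beyond the allowed skew"
    if now - created > timedelta(seconds=ttl_seconds) + skew:
        return False, "Created is older than timeToLive"
    if expires_el is None:
        if require_expires:
            return False, "Expires element is required but missing"
        return True, "ok (no Expires element)"
    if strict and parse_utc(expires_el.text) + skew <= now:  # strict=false skips this
        return False, "Timestamp has expired"
    return True, "ok"


class NonceCache:
    """Remembers nonces seen inside the UsernameToken TTL window to spot replays."""

    def __init__(self):
        self._seen = {}  # nonce -> Created time of the token that carried it

    def first_use(self, nonce, created, now, ttl_seconds):
        cutoff = now - timedelta(seconds=ttl_seconds)
        # Entries older than the TTL can no longer pass the freshness check, so drop them.
        self._seen = {n: c for n, c in self._seen.items() if c >= cutoff}
        if nonce in self._seen:
            return False
        self._seen[nonce] = created
        return True


def validate_username_token(header, now, cache, ttl_seconds=30, check_nonce=True):
    """Check wsse:UsernameToken freshness; defaults mirror Verify Username Token Config."""
    tok = header.find(f"{{{WSSE}}}UsernameToken")
    if tok is None:
        return False, "no UsernameToken element"
    created_el = tok.find(f"{{{WSU}}}Created")
    if created_el is None:
        return False, "UsernameToken has no Created element"
    created = parse_utc(created_el.text)
    if abs((now - created).total_seconds()) > ttl_seconds:
        return False, "UsernameToken Created is outside timeToLive"
    nonce_el = tok.find(f"{{{WSSE}}}Nonce")
    # "Only checked if included": a token without a Nonce is not rejected here.
    if check_nonce and nonce_el is not None:
        if not cache.first_use(nonce_el.text.strip(), created, now, ttl_seconds):
            return False, "replayed Nonce"
    return True, "ok"


# Constructed sample: a SOAP 1.2 request whose Security header carries both elements.
SAMPLE = f"""<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
  xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
  <soap:Header><wsse:Security>
    <wsu:Timestamp>
      <wsu:Created>2024-01-01T12:00:00.000Z</wsu:Created>
      <wsu:Expires>2024-01-01T12:05:00.000Z</wsu:Expires>
    </wsu:Timestamp>
    <wsse:UsernameToken>
      <wsse:Username>alice</wsse:Username>
      <wsse:Nonce>c2FtcGxlLW5vbmNl</wsse:Nonce>
      <wsu:Created>2024-01-01T12:00:00Z</wsu:Created>
    </wsse:UsernameToken>
  </wsse:Security></soap:Header>
  <soap:Body/>
</soap:Envelope>"""


def security_header(xml_text):
    return ET.fromstring(xml_text).find(f".//{{{WSSE}}}Security")


def check_request(xml_text, now, cache):
    """Run both freshness checks against one request; returns {check: (ok, reason)}."""
    header = security_header(xml_text)
    return {"timestamp": validate_timestamp(header, now),
            "username_token": validate_username_token(header, now, cache)}


if __name__ == "__main__":
    cache = NonceCache()
    now = parse_utc("2024-01-01T12:00:30Z")
    print(check_request(SAMPLE, now, cache))  # both checks pass
    print(check_request(SAMPLE, now, cache))  # same nonce again: replay detected
```

The second call in the usage shows why checkNonce only helps when the receiver keeps state for at least the timeToLive window: the token is still fresh, so without the cache it would be accepted a second time.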

Verify Saml Config

Field | Type | Description | Default Value | Required
Saml Version | Enumeration, one of: SAML10, SAML11, SAML20 | SAML Version. | SAML10 |
Time To Live | Number | The time in seconds within which a SAML Assertion is valid if it does not contain a NotOnOrAfter Condition. The default is 30 minutes. | 1800 |
Skew Time | Number | The tolerated time difference between server and client clocks. The default is 60 seconds. | 60 |
Time Unit | Enumeration, one of: NANOSECONDS, MICROSECONDS, MILLISECONDS, SECONDS, MINUTES, HOURS, DAYS | Time unit to be used in the timeToLive and skewTime configuration. | SECONDS |
Require Standard Subject Confirmation Method | Boolean | If set, at least one of the standard Subject Confirmation Methods in SamlConfirmationMethod (Bearer / SenderVouches / HolderOfKey) must be present in the assertion. | false |
Require Bearer Signature | Boolean | If set, an Assertion with a Bearer Subject Confirmation Method must be signed. | false |
Validate Signature Against Profile | Boolean | Whether to validate the signature of the Assertion (if it exists) against the relevant profile. Default is true. | false |
Required Subject Confirmation Method | Enumeration, one of: BEARER, HOLDER_OF_KEY, SENDER_VOUCHES | If set, the value must appear as one of the Subject Confirmation Methods in SamlConfirmationMethod. | |
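As an added example (not the module's code), the checks below model what the Verify Saml Config parameters ask of a SAML 2.0 assertion: NotBefore/NotOnOrAfter evaluated with skewTime, the fall-back to IssueInstant plus timeToLive when NotOnOrAfter is absent, requireStandardSubjectConfirmationMethod, requiredSubjectConfirmationMethod, and requireBearerSignature. The confirmation-method URIs are the standard SAML 2.0 ones. Signature handling is presence-only here: the code checks that a ds:Signature element exists, it does not verify it, and the validateSignatureAgainstProfile option is not modelled. The assertion, issuer and times are constructed for the example.

```python
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"  # SAML 2.0 assertion namespace
DS = "http://www.w3.org/2000/09/xmldsig#"         # XML Signature namespace
# The three standard subject confirmation methods, keyed like the enumeration above.
CONFIRMATION_METHODS = {
    "BEARER": "urn:oasis:names:tc:SAML:2.0:cm:bearer",
    "HOLDER_OF_KEY": "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key",
    "SENDER_VOUCHES": "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches",
}


def parse_utc(text):
    """Parse an xsd:dateTime in UTC (trailing Z) into an aware datetime."""
    text = text.strip()
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    return datetime.fromisoformat(text)


def validate_assertion(xml_text, now, ttl_seconds=1800, skew_seconds=60,
                       require_standard_method=False, require_bearer_signature=False,
                       required_method=None):
    """Return (ok, reason). Parameter defaults mirror Verify Saml Config (SAML 2.0 only)."""
    a = ET.fromstring(xml_text)
    if a.tag != f"{{{SAML2}}}Assertion":
        return False, "not a SAML 2.0 Assertion"
    skew = timedelta(seconds=skew_seconds)
    cond = a.find(f"{{{SAML2}}}Conditions")
    not_before = cond.get("NotBefore") if cond is not None else None
    not_on_or_after = cond.get("NotOnOrAfter") if cond is not None else None
    if not_before and parse_utc(not_before) > now + skew:
        return False, "assertion is not yet valid"
    if not_on_or_after:
        if parse_utc(not_on_or_after) + skew <= now:
            return False, "assertion has expired (NotOnOrAfter)"
    else:
        # No NotOnOrAfter condition: fall back to IssueInstant plus timeToLive.
        issued = parse_utc(a.get("IssueInstant"))
        if now - issued > timedelta(seconds=ttl_seconds) + skew:
            return False, "assertion is older than timeToLive"
    methods = {sc.get("Method") for sc in a.iter(f"{{{SAML2}}}SubjectConfirmation")}
    if require_standard_method and not methods & set(CONFIRMATION_METHODS.values()):
        return False, "no standard subject confirmation method present"
    if required_method and CONFIRMATION_METHODS[required_method] not in methods:
        return False, f"required confirmation method {required_method} not present"
    signed = a.find(f"{{{DS}}}Signature") is not None  # presence only, not verified
    if require_bearer_signature and CONFIRMATION_METHODS["BEARER"] in methods and not signed:
        return False, "bearer assertion is not signed"
    return True, "ok"


def sample_assertion(method="BEARER", with_conditions=True, signed=False):
    """Build a constructed SAML 2.0 assertion for the checks above (not real IdP output)."""
    uri = CONFIRMATION_METHODS.get(method, method)  # unknown keys are used as raw URIs
    conditions = ('<saml:Conditions NotBefore="2024-01-01T11:59:00Z" '
                  'NotOnOrAfter="2024-01-01T12:10:00Z"/>') if with_conditions else ""
    # An empty ds:Signature stands in for an enveloped signature; only presence is checked.
    signature = "<ds:Signature/>" if signed else ""
    return (f'<saml:Assertion xmlns:saml="{SAML2}" xmlns:ds="{DS}" ID="_constructed-1" '
            f'Version="2.0" IssueInstant="2024-01-01T12:00:00Z">'
            f'<saml:Issuer>https://idp.example.test</saml:Issuer>{signature}'
            f'<saml:Subject><saml:NameID>alice</saml:NameID>'
            f'<saml:SubjectConfirmation Method="{uri}"/></saml:Subject>'
            f'{conditions}</saml:Assertion>')


if __name__ == "__main__":
    now = parse_utc("2024-01-01T12:05:00Z")
    print(validate_assertion(sample_assertion(), now))
    print(validate_assertion(sample_assertion(), now, require_bearer_signature=True))
```

The two usage calls show the practical effect of Require Bearer Signature: an unsigned bearer assertion passes every time-window check and is only rejected once that switch is on, which is why a receiver relying on bearer confirmation should not leave it at its false default.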

Expiration Policy

Field | Type | Description | Default Value | Required
Max Idle Time | Number | A scalar time value for the maximum amount of time a dynamic configuration instance should be allowed to be idle before it is considered eligible for expiration. | |
Time Unit | Enumeration, one of: NANOSECONDS, MICROSECONDS, MILLISECONDS, SECONDS, MINUTES, HOURS, DAYS | A time unit that qualifies the maxIdleTime attribute. | |

Repeatable In Memory Stream

Field | Type | Description | Default Value | Required
Initial Buffer Size | Number | The amount of memory allocated in order to consume the stream and provide random access to it. If the stream contains more data than fits into this buffer, the buffer is expanded according to the bufferSizeIncrement attribute, with an upper limit of maxInMemorySize. | |
Buffer Size Increment | Number | By how much the buffer size is expanded if it exceeds its initial size. A value of zero or lower means the buffer does not expand, so a STREAM_MAXIMUM_SIZE_EXCEEDED error is raised when the buffer gets full. | |
Max Buffer Size | Number | The maximum amount of memory that will be used. If more than that is used, a STREAM_MAXIMUM_SIZE_EXCEEDED error is raised. A value lower than or equal to zero means no limit. | |
Buffer Unit | Enumeration, one of: BYTE, KB, MB, GB | The unit in which all these attributes are expressed. | |

Repeatable File Store Stream

Field | Type | Description | Default Value | Required
In Memory Size | Number | The maximum memory that the stream should use to keep data in memory. If more than that is consumed, it starts to buffer the content on disk. | |
Buffer Unit | Enumeration, one of: BYTE, KB, MB, GB | The unit in which maxInMemorySize is expressed. | |

Signature Config

Field | Type | Description | Default Value | Required
Key Identifier | Enumeration, one of: ISSUER_SERIAL, DIRECT_REFERENCE, X509_KEY_IDENTIFIER, THUMBPRINT, SKI_KEY_IDENTIFIER, KEY_VALUE | The key identifier type to use for the signature. See SignatureKeyIdentifierConstants. | ISSUER_SERIAL |
Algorithm | Enumeration, one of: RSAwithSHA256, ECDSAwithSHA256, DSAwithSHA1, RSAwithSHA1, RSAwithSHA224, RSAwithSHA384, RSAwithSHA512, ECDSAwithSHA1, ECDSAwithSHA224, ECDSAwithSHA384, ECDSAwithSHA512, DSAwithSHA256 | The signature algorithm to use. The default is set by the data in the certificate. See SignatureAlgorithmConstants. | |
Digest Algorithm | Enumeration, one of: SHA1, SHA256, SHA224, SHA384, SHA512 | The signature digest algorithm to use. See SignatureDigestAlgorithmConstants. | SHA1 |
C14n Algorithm | Enumeration, one of: CanonicalXML_1_0, CanonicalXML_1_1, ExclusiveXMLCanonicalization_1_0 | Defines which signature c14n (canonicalization) algorithm to use. See SignatureC14nAlgorithmConstants. | ExclusiveXMLCanonicalization_1_0 |
Keystore Config | | KeyStore configuration used for signing. | | x
Wss Parts | Array of Wss Part | Lists of parts to be encrypted. If any part is specified, the SOAP Body will be encrypted. | |

Wss Part

Field | Type | Description | Default Value | Required
Encode | Enumeration, one of: ELEMENT, CONTENT | | CONTENT |
Namespace | String | | | x
Localname | String | | | x

Encryption Config

Field | Type | Description | Default Value | Required
Encryption Key Identifier | Enumeration, one of: ISSUER_SERIAL, DIRECT_REFERENCE, X509_KEY_IDENTIFIER, THUMBPRINT, SKI_KEY_IDENTIFIER, ENCRYPTED_KEY_SHA1, EMBEDDED_KEY_NAME | The key identifier type to use for encryption. | ISSUER_SERIAL |
Encryption Sym Algorithm | Enumeration, one of: TRIPLE_DES, AES_128, AES_256, AES_192, AES_128_GCM, AES_192_GCM, AES_256_GCM | The symmetric encryption algorithm to use. | AES_128 |
Encryption Key Transport Algorithm | Enumeration, one of: KEYTRANSPORT_RSA15, KEYTRANSPORT_RSAOAEP, KEYTRANSPORT_RSAOAEP_XENC11 | The algorithm used to encrypt the generated symmetric key. | KEYTRANSPORT_RSAOAEP |
Encryption Digest Algorithm | Enumeration, one of: SHA1, SHA256, SHA384, SHA512 | The encryption digest algorithm to use with the key transport algorithm. | SHA1 |
Keystore Config | | KeyStore configuration used for encryption. | |
Wss Parts | Array of Wss Part | Lists of parts to be encrypted. If any part is specified, the SOAP Body will be encrypted. | |

Timestamp Config

Field | Type | Description | Default Value | Required
Time To Live | Number | The time within which the Timestamp element is valid. The default is 5 minutes. | 300 |
Time Unit | Enumeration, one of: NANOSECONDS, MICROSECONDS, MILLISECONDS, SECONDS, MINUTES, HOURS, DAYS | Time unit to be used in the timeToLive configuration. | SECONDS |
Precision In Milliseconds | Boolean | If set to true, use timestamps with milliseconds; otherwise omit the milliseconds. | true |

Credentials Config

Field | Type | Description | Default Value | Required
Username | String | Username. | | x
Password | String | Password. | | x

LDAP Config

Field | Type | Description | Default Value | Required
Provider Url | String | LDAP server URL. | | x
User Dn | String | User that will authenticate to the directory. | | x
Password | String | Credentials to use for getting authenticated contexts. | | x
Search Base | String | The search base defines the starting point for the search in the directory tree. | | x
Search Filter | String | Filters can be used to restrict the number of users or groups that are permitted to access an application. | | x
Search In Subtree | Boolean | Whether to search in the subtree. | false |
