Using the HTTP Binding Component

Server Configuration—Web Service Attributes

The Server Configuration web service attributes exposed by the HTTP Binding Component are configured from the WS Policy Attachment Configuration Editor.

[Figure: Server Configuration page of the WS Policy Attachment Configuration Editor]

The Server Configuration web service attributes include the following. Each attribute is listed with its description and the value you enter or select for it.
Binding Settings

Optimize Transfer of Binary Data (MTOM)

  Description: Specifies whether the web service is configured to optimize messages that it transmits and to decode optimized messages that it receives.

  Value: Select the checkbox to enable.

Reliable Message Delivery

  Description: Specifies whether the service sends an acknowledgement to the clients for each message that is delivered, thus enabling clients to recognize message delivery failures and retransmit the message.

  Value: Select the checkbox to enable.

Deliver Messages in Exact Order

  Description: Specifies whether the Reliable Messaging protocol ensures that the application messages for a given message sequence are delivered to the endpoint application in the order indicated by the message numbers.

  This option increases the time to process application message sequences and may result in slower web service performance. Only enable this option when ordered delivery is required by the web service.

  Value: Select the checkbox to enable.

Flow Control

  Description: Specifies whether the Flow Control feature is enabled. It may be necessary to withhold messages from the application if ordered delivery is required and some preceding messages have not yet arrived. If the number of stored messages reaches the threshold specified in the Maximum Flow Control Buffer Size setting, incoming messages belonging to the sequence are ignored.

  Value: Select the checkbox to enable.

Maximum Flow Control Buffer Size

  Description: Specifies the number of messages that are buffered for a message sequence.

  Value: 32 is the default value.

Inactivity Timeout (ms)

  Description: Specifies, in milliseconds, the time interval after which the source or destination can terminate a message sequence due to inactivity. A web service endpoint will always terminate a sequence whose timeout has expired. To keep a sequence active, an inactive client sends a stand-alone message with an AckRequested header to act as a heartbeat when the end of the inactivity timeout interval approaches.

  Value: 600,000 (milliseconds) is the default value.
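To show how Deliver Messages in Exact Order, Flow Control and Maximum Flow Control Buffer Size interact on the receiving side, here is an added Python model of one inbound message sequence. It is an illustration written for this page, not WSIT's implementation; the class and method names are assumed.

```python
"""Ordered delivery with flow control for one WS-ReliableMessaging sequence.

Added illustration for this page, not WSIT's implementation. Message numbers
are 1-based within the sequence; the buffer limit mirrors the Maximum Flow
Control Buffer Size setting, whose default is 32."""

DEFAULT_MAX_BUFFER_SIZE = 32


class OrderedSequence:
    """Receiving side of a sequence configured for in-order delivery."""

    def __init__(self, max_buffer_size=DEFAULT_MAX_BUFFER_SIZE):
        self.max_buffer_size = max_buffer_size
        self.next_expected = 1      # lowest message number not yet delivered
        self.buffered = {}          # number -> payload, held until predecessors arrive
        self.delivered = []         # payloads handed to the application, in order
        self.ignored = []           # numbers dropped because the buffer was full

    def receive(self, msg_num, payload):
        """Accept one message; return the payloads released to the application."""
        # Retransmission of something already delivered or already buffered.
        if msg_num < self.next_expected or msg_num in self.buffered:
            return []
        # Flow control: an out-of-order message arriving when the buffer is at
        # its threshold is ignored; the sender will retransmit it later.
        if msg_num != self.next_expected and len(self.buffered) >= self.max_buffer_size:
            self.ignored.append(msg_num)
            return []
        self.buffered[msg_num] = payload
        # Release every message that is now in order, starting at next_expected.
        released = []
        while self.next_expected in self.buffered:
            released.append(self.buffered.pop(self.next_expected))
            self.next_expected += 1
        self.delivered.extend(released)
        return released
```

With a small buffer the drop behaviour is easy to observe: messages 2 and 3 are held, a fourth out-of-order message is ignored until message 1 arrives and releases the sequence.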

Secure Service

  Description: Specifies whether web service security options are enabled for all of the operations of a web service.

  Value: Select the checkbox to enable.

Security Mechanism

  Description: Specifies the security mechanism used by the web service operation. The available security mechanisms are listed in the Configuring Security Mechanisms section.

  Value: Select the security mechanism to be used by your application. Information about your selected mechanism and its additional requirements is displayed in the message box below your selection.

Configure

  Description: The Configure button opens a configuration editor for the selected security mechanism. See the Security Mechanisms section for more information about configuration properties.

Use Development Defaults

  Description: Specifies whether to import certificates into the GlassFish keystore and truststore to be used immediately for development. The default certificates are imported in the correct format and a default user is created in the file realm, with username "wsitUser".

  For your project you will most likely choose to use your own certificates and user settings, but in a development environment you may find the defaults useful.

  Value: Selecting the checkbox indicates that you are using the default certificates.

Keystore

  Description: Click the Keystore button to open the Keystore Configuration Editor. The editor specifies the following information:

  • Location: Use the Browse button to specify the location and name of the keystore.

  • Keystore Password: Specifies the password for the keystore file. If you are running under GlassFish, GlassFish's password is already entered. If you have changed the keystore's password from the default, you must specify the correct value in this field.

  • Alias: Specifies the alias of the certificate in the specified keystore to be used for authentication.

    The keystore alias for non-STS applications is xws-security-client for client-side, and xws-security-server for server-side configuration.

    The keystore alias for STS applications is xws-security-client for both client-side and STS configuration.

  • Key Password: Specifies the password of the key within the keystore. By default, the key password uses the store password. Only specify a password in this field when the key password is different.

  • Alias Selector Class: Specifies the selector class for aliases.

  Value: Configure the keystore from the Keystore Configuration Editor.

Truststore

  Description: Click the Truststore button to open the Truststore Configuration Editor. The editor specifies the following information:

  • Location: Use the Browse button to specify the location and file name of the truststore that stores the public key certificates of the CA and the client's public key certificate.

  • Truststore Password: Specifies the password for the truststore. If you are running under GlassFish, GlassFish's password is changeit. If you have changed the truststore's password from the default, you must specify the correct value in this field.

  • Load Aliases: Clicking the Load Aliases button populates the Alias field with the aliases contained in the truststore file. The Location and Truststore Password fields must be specified correctly for this option to work.

  • Certificate Selector: Specifies a string that identifies zero or more certificates. The specifiers can conform to X.509 naming conventions. A certificate selector can also use various shortcuts to match the subject alternative names, the file name, or the issuer.

  Value: Configure the truststore from the Truststore Configuration Editor.

Validators

  Description: Click the Validators button to open the Validator Configuration Editor. The editor specifies the following information:

  • Username Validator: Specifies the validator class used to validate the username and password on the server side. This option is only used by a web service.

    Note: When using the default Username Validator, make sure that the username and password of the client are registered with GlassFish (using the Admin Console) if using GlassFish, or are included in the tomcat-users.xml file if using Tomcat.

  • Timestamp Validator: Specifies the validator class to be used to check the token timestamp to determine whether the token has expired or is still valid.

  • Certificate Validator: Specifies the validator class to be used to validate the certificate supplied by the client or the web service.

  • SAML Validator: Specifies the validator class to be used to validate the SAML token supplied by the client or the web service.

  Value: Configure the validators from the Validator Configuration Editor.

Advanced (Advanced Security Options)

  Description: Click the Advanced button to open the Advanced Security Options Editor. The editor specifies the following information:

  • Maximum Clock Skew (ms): Specifies the maximum difference allowed between the system clocks of the sender and recipient, in milliseconds.

  • Timestamp Freshness Limit (ms): Specifies the Timestamp Freshness Limit in milliseconds. Timestamps received with a creation time older than the Timestamp Freshness Limit period are rejected by the receiver.

  • Use Default Certificate Revocation Mechanism: If this option is selected, the default revocation checking mechanism of the underlying PKIX service provider is used.

  Value: Configure the Advanced Security Options from the Advanced Security Options Editor.
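An added Python illustration of the check that the Maximum Clock Skew and Timestamp Freshness Limit settings describe: a received timestamp is rejected when it is too far in the future or older than the freshness limit, with the skew allowance applied in both directions. This is not WSIT's validator code; the type, function and field names, and the sample policy values, are assumptions.

```python
"""Timestamp check described by the Advanced Security Options.

Added illustration for this page, not WSIT's validator code. All times are
milliseconds; the policy values in example_policy() are constructed for the
example and are not the editor's defaults."""

from dataclasses import dataclass
from typing import Optional


@dataclass
class TimestampPolicy:
    max_clock_skew_ms: int             # Maximum Clock Skew (ms)
    timestamp_freshness_limit_ms: int  # Timestamp Freshness Limit (ms)


@dataclass
class Timestamp:
    created_ms: int                    # wsu:Created from the received message
    expires_ms: Optional[int] = None   # wsu:Expires, if the sender set one


def validate_timestamp(ts, policy, now_ms):
    """Return (accepted, reason) for a received Timestamp at local time now_ms."""
    skew = policy.max_clock_skew_ms
    # Creation time ahead of the local clock by more than the tolerated skew.
    if ts.created_ms > now_ms + skew:
        return False, "created in the future"
    # Creation time older than the freshness limit after allowing for skew:
    # a stale or replayed message.
    if now_ms - ts.created_ms > policy.timestamp_freshness_limit_ms + skew:
        return False, "older than timestamp freshness limit"
    if ts.expires_ms is not None:
        if ts.expires_ms <= ts.created_ms:
            return False, "expires is not after created"
        # The sender's own expiry also binds the receiver, again allowing skew.
        if ts.expires_ms + skew <= now_ms:
            return False, "timestamp expired"
    return True, "ok"


def example_policy():
    """Sample policy with constructed values: 60 s skew, 5 min freshness."""
    return TimestampPolicy(max_clock_skew_ms=60_000,
                           timestamp_freshness_limit_ms=300_000)
```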

Act as a Secure Token Service (STS)

  Description: Select the Act as a Secure Token Service checkbox and click the Configure button to open the STS Configuration Editor. The editor specifies the following information:

  • Issuer: Specifies an identifier for the issuer of the issued token. This value can be any string that uniquely identifies the STS.

  • Contract Implementation Class: Specifies the actual implementation class for the WSTrustContract interface that handles token issuance, validation, and so forth. The default value is com.sun.xml.ws.trust.impl.IssueSamlTokenContractImpl for issuing SAML assertions, or click Browse to select another contract implementation class.

  • Lifetime Issued Tokens (ms): Specifies the life span of the token issued by the STS. The default value is 36000 ms.

  • Encrypt Issued Key: Specifies whether the issued key is encrypted using the service certificate. Selected indicates yes.

  • Encrypt Issued Token: Specifies whether the issued token is encrypted using the service certificate. Selected indicates yes.

  • Service Providers: Specifies the service providers that have a trust relationship with the STS. Click Add to specify a new provider. Each provider is specified with the following properties:

    • Provider Endpoint URI: Specifies the endpoint URI of the service provider.

    • Certificate Alias: Specifies the alias of the certificate of the service provider in the keystore.

    • Token Type: Specifies the type of token the service provider requires.

    • Key Type: Specifies the type of key the service provider requires: public key or symmetric key.

  Value: Configure the STS Configuration Options from the STS Configuration Editor.

Allow TCP Transport

  Description: Specifies whether the service supports TCP and HTTP message transport. TCP enhances performance for smaller messages by eliminating the overhead of sending messages over the HTTP protocol.

  Value: Select the checkbox to enable.

Disable Fast Infoset

  Description: Specifies whether Fast Infoset is enabled. Fast Infoset provides faster parsing, faster serializing, and smaller document sizes compared with equivalent XML documents. When this option is selected, the web service will not process incoming messages or produce outgoing messages encoded using Fast Infoset.

  Value: Select the checkbox to enable.

Operation Settings

Transactions

  Description: Specifies the level at which transactions are secured.

Input Message Settings

Authentication Token

  Description: Specifies which supporting token will be used to sign and/or encrypt the specified message parts. Options include Username, X509, SAML, Issued, or None.

  Value: Select the token type (for example, Username).

Signed

  Description: Specifies that the authentication token must be a signed supporting token. A signed supporting token is also signed by the primary message signature.

  Value: Select the checkbox to enable.

Endorsed

  Description: Specifies that the authentication token must be endorsed. With an endorsing supporting token, the key represented by the token is used to endorse/sign the primary message signature.

  Value: Select the checkbox to enable.

Message Parts

  Description: Specifies the message parts that must be signed and/or encrypted. Click the Message Parts button to open the Message Parts dialog box.

  From the Message Parts dialog box you can specify the following options for message parts or elements:

  • Sign: Specifies that the message part requires a digital signature for integrity protection.

  • Encrypt: Specifies that the message part requires encryption for confidentiality.

  • Require: Specifies that the message part is required for a message.

  The Message Parts dialog box also includes the following buttons:

  • Add Body: Adds a row for the message body (this is only necessary if a row has been removed).

  • Add Header: Adds a row for either a specific SOAP header part or for all SOAP header parts (this is only necessary if the SOAP header row in question has been deleted).

  • Add XPath: Adds rows that enable you to specify signature and/or encryption for an XPath expression or a URI which indicates the version of XPath to use. The Required field is selected by default. Only one XPath element is allowed.

  • Remove: Removes a selected row.

Output Message Settings

Message Parts

  Description: Specifies the message parts that must be signed and/or encrypted. Click the Message Parts button to open the Message Parts dialog box.

  Value: See Message Parts under Input Message Settings above for more information.