cxf-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Oliver Wulff <>
Subject Security token processing without SAAJ dependency
Date Tue, 28 Sep 2010 19:00:27 GMT
Hi all

CXF delegates all the incoming security token processing down to WSS4J which requires the
SAAJ interceptor due to the requirement of a dom tree.

If you don't use a SAML token as a signing or encryption token (holder-of-key) you can validate
the soap header and its signature without creating a dom tree or only for the saml token itself.

If you use a username token you don't have to pass it down to WSS4J. Further, the STS client
could be used to validate the UsernameToken against an STS.

If you use a binary security token which is not used as a signing or encryption token (x509)
then you can process this in a steaming manner.

What are your thoughts and ideas on that?


  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message