Hi all,

CXF delegates all the incoming security token processing down to WSS4J, which requires the SAAJ interceptor due to the requirement of a DOM tree.

If you don't use a SAML token as a signing or encryption token (holder-of-key), you can validate the SOAP header and its signature without creating a DOM tree, or only for the SAML token itself. If you use a username token, you don't have to pass it down to WSS4J. Further, the STS client could be used to validate the UsernameToken against an STS. If you use a binary security token which is not used as a signing or encryption token (X.509), then you can process this in a streaming manner.

What are your thoughts and ideas on that?

Thanks,
Oli
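
The streaming idea in the message above, as an added example that is not CXF or WSS4J code: a StAX pull parser reads a `wsse:UsernameToken` out of the SOAP header without building a DOM tree and stops at the body. The class and method names are hypothetical, SOAP 1.1 is assumed, and the returned credentials would still have to be handed to a validator (for instance an STS).

```java
import java.io.StringReader;
import javax.xml.stream.*;

public class StreamingUsernameToken {
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/"
            + "oasis-200401-wss-wssecurity-secext-1.0.xsd";

    // Returns {username, password} of the first wsse:UsernameToken found inside
    // wsse:Security before soap:Body, or null if there is none. No DOM is built.
    static String[] readUsernameToken(String envelope) throws XMLStreamException {
        XMLInputFactory f = XMLInputFactory.newInstance();
        // The envelope is untrusted input: refuse DTDs and external entities.
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        XMLStreamReader r = f.createXMLStreamReader(new StringReader(envelope));
        try {
            boolean inSecurity = false, inToken = false;
            String user = null, pass = null;
            while (r.hasNext()) {
                int ev = r.next();
                if (ev == XMLStreamConstants.START_ELEMENT) {
                    String ns = r.getNamespaceURI(), name = r.getLocalName();
                    if (SOAP.equals(ns) && name.equals("Body")) return null; // header is over
                    if (!WSSE.equals(ns)) continue;
                    if (name.equals("Security")) inSecurity = true;
                    else if (inSecurity && name.equals("UsernameToken")) inToken = true;
                    else if (inToken && name.equals("Username")) user = r.getElementText();
                    else if (inToken && name.equals("Password")) pass = r.getElementText();
                } else if (ev == XMLStreamConstants.END_ELEMENT && WSSE.equals(r.getNamespaceURI())) {
                    if (inToken && r.getLocalName().equals("UsernameToken"))
                        return new String[] { user, pass };
                    if (r.getLocalName().equals("Security")) inSecurity = false;
                }
            }
            return null;
        } finally {
            r.close();
        }
    }

    public static void main(String[] args) throws XMLStreamException {
        // Constructed sample envelope with a plain-text password.
        String env = "<s:Envelope xmlns:s='" + SOAP + "' xmlns:w='" + WSSE + "'>"
                + "<s:Header><w:Security><w:UsernameToken>"
                + "<w:Username>alice</w:Username><w:Password>example-secret</w:Password>"
                + "</w:UsernameToken></w:Security></s:Header>"
                + "<s:Body><ping/></s:Body></s:Envelope>";
        String[] t = readUsernameToken(env);
        System.out.println(t[0] + " / " + (t[1] == null ? "no password" : "password present"));
    }
}
```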
