Yes - you can use a security policy that only consists of a SAML Token (without a security binding). For example see the "DoubleItBearerPolicy" here:
http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/saml/DoubleItSaml.wsdl?view=markup

This activates the SamlTokenInterceptor which does not do any checking of the Subject Confirmation.

Colm.

On Tue, Nov 27, 2012 at 2:22 PM, andreas_triebel <[email protected]> wrote:

> Hi
>
> A message with SV confirmation method is rejected by CXF if the SOAP body is
> not signed (which is good I think).
> My question: Is it possible to convince CXF to accept such a message?
> I know this would break the idea of a subject confirmation method, but I
> need to know if it's possible in CXF.
>
> Thanks
> -Andreas
>
> --
> View this message in context: http://cxf.547215.n5.nabble.com/Question-about-Sender-Vouches-and-Body-Signature-tp5719215.html
> Sent from the cxf-user mailing list archive at Nabble.com.

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
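A configuration audit for the case described in the reply above, as an added example that is not part of the original thread or of CXF: it lists every identified policy in a WSDL that asserts a `SamlToken` but no security binding, so a deployment relying on sender-vouches checks can confirm no such policy is attached. The policy Ids and the sample document are constructed, and the audit assumes that assertions are matched by local name in the WS-SecurityPolicy 1.1 and 1.2 namespaces.

```python
import xml.etree.ElementTree as ET

WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SP_NAMESPACES = {
    "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy",       # WS-SecurityPolicy 1.1
    "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702",  # WS-SecurityPolicy 1.2
}
BINDINGS = {"TransportBinding", "AsymmetricBinding", "SymmetricBinding"}

def sp_names(policy):
    """Local names of every WS-SecurityPolicy assertion nested under a policy."""
    names = set()
    for el in policy.iter():
        ns, _, local = el.tag[1:].partition("}")
        if el.tag.startswith("{") and ns in SP_NAMESPACES:
            names.add(local)
    return names

def saml_only_policies(wsdl_text):
    """Return the wsu:Id of each policy with a SamlToken and no security binding."""
    flagged = []
    for el in ET.fromstring(wsdl_text).iter():
        policy_id = el.get(f"{{{WSU}}}Id")
        if policy_id is None or not el.tag.endswith("}Policy"):
            continue  # only named, top-level policies are audited
        names = sp_names(el)
        if "SamlToken" in names and not names & BINDINGS:
            flagged.append(policy_id)
    return flagged

# Constructed sample: one SAML-only policy, one SAML token under a transport binding.
SAMPLE = f"""<definitions xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:wsu="{WSU}"
  xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <wsp:Policy wsu:Id="SamlOnlyPolicy"><wsp:ExactlyOne><wsp:All>
    <sp:SamlToken><wsp:Policy><sp:WssSamlV20Token11/></wsp:Policy></sp:SamlToken>
  </wsp:All></wsp:ExactlyOne></wsp:Policy>
  <wsp:Policy wsu:Id="SamlOverTlsPolicy"><wsp:ExactlyOne><wsp:All>
    <sp:TransportBinding><wsp:Policy/></sp:TransportBinding>
    <sp:SupportingTokens><wsp:Policy>
      <sp:SamlToken><wsp:Policy><sp:WssSamlV20Token11/></wsp:Policy></sp:SamlToken>
    </wsp:Policy></sp:SupportingTokens>
  </wsp:All></wsp:ExactlyOne></wsp:Policy>
</definitions>"""

if __name__ == "__main__":
    for policy_id in saml_only_policies(SAMPLE):
        print(f"{policy_id}: SamlToken without a security binding")
```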
