Hi,

Introduced with cxf-2.7.13, the STSClient configuration property 
"ws-security.sts.token.imminent-expiry-value" should make the STS client renew 
tokens some time before their actual expiry - in order to be on the safe side.

Not finding any examples on where to configure this, I assumed it should be 
configured as one of the STS client properties like seen below.

However, CXF does not change its behavior, and continues to use tokens until the 
last millisecond before their expiry, occasionally having them expire in-flight 
instead.

I also tried moving the configuration property up one level directly below the 
jaxws:client's jaxws:properties, but this also did not alter the STS client 
behavior. Am I doing this all wrong? Any help is much appreciated.

Regards,
Andreas Vallen


<jaxws:client xmlns:abc="http://service.abc.net/"
              id="ABCService"
              serviceName="abc:ABCServiceService"
              endpointName="abc:ABCServicePort"
              address="${abc.service.address}"
              serviceClass="net.abc.soap.ecs.ABCService"
              wsdlLocation="WEB-INF/abcservice.wsdl">
    <jaxws:properties>
        <entry key="dataFormat" value="POJO"/>
        <entry key="ws-security.sts.client">
            <bean class="org.apache.cxf.ws.security.trust.STSClient">
                <constructor-arg ref="cxf"/>
                <property name="wsdlLocation"
                          value="${unify.sts.url}/fediz-idp-sts/REALMA/STSServiceTransport?wsdl"/>
                <property name="serviceName"
                          value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService"/>
                <property name="endpointName"
                          value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Transport_Port"/>
                <property name="actAs" ref="delegationCallbackHandler"/>
                <property name="enableAppliesTo" value="true"/>
                <property name="properties">
                    <map>
                        <!-- find documentation for the following properties here:
                             http://cxf.apache.org/docs/ws-securitypolicy.html -->

                        <!-- The value in seconds within which a token is considered to be expired by the client,
                             i.e. it is considered to be expired if it will expire in a time less than the value
                             specified by this tag.
                             This will be set to 10 by default in CXF-3.0.2, until then we have to set it manually
                             in order to prevent tokens from becoming invalid en-route to the service.
                             See:
                             - org.apache.cxf.ws.security.SecurityConstants#STS_TOKEN_IMMINENT_EXPIRY_VALUE
                             - https://issues.apache.org/jira/browse/CXF-5975
                        -->
                        <entry key="ws-security.sts.token.imminent-expiry-value" value="10"/>
                ...

