We are using WSS4J 1.6.7 to enable SAML security for our webservice calls. Since there is some overhead with signing and validating the SAML assertions, we would like to cache tokens on both the client and the service provider. However, we would like to avoid using an STS since that would introduce a single point of failure in the organization. The problem is that all the code I have seen in WSS4J about caching (the TokenStore) seems to be closely related to setups using an STS. This code exists in STSClient, STSTokenValidator etc.

Is there a way to enable caching of tokens without writing too much custom code?

We also have a question about re-sending of SAML assertions. Is there a way for the service provider to re-use the SAML token it receives from the client and use it in a new webservice call, where the service provider will act as a client to a second service provider?

Best regards,
  Gunnar Gauslaa Bergem
