Hi all, We're using code based on the CXF 2.4 STS provider framework. After upgrade to CXF 2.4.2, we're seeing bizarrely fluctuating namespace declarations on the RequestedSecurityToken element.
Usually (and with 2.4.1, always) we get this: <RequestSecurityTokenResponseCollection xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:ns2="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:ns3="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:ns4="http://www.w3.org/2005/08/addressing" xmlns:ns5="http://docs.oasis-open.org/ws-sx/ws-trust/200802"><RequestSecurityTokenResponse><TokenType>urn:oasis:names:tc:SAML:1.0:assertion</TokenType><RequestedSecurityToken><saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID= (snipped) However, now (with 2.4.2), we sometimes get this: <ns2:RequestSecurityTokenResponseCollection xmlns:ns2="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200802" xmlns:ns3="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:ns4="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:ns5="http://www.w3.org/2005/08/addressing"><ns2:RequestSecurityTokenResponse><ns2:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</ns2:TokenType><ns2:RequestedSecurityToken><saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion" (snipped) These are both valid, but we'd like to keep the namespace consistent in case there are users doing strange things. I believe the namespace binding comes from the org.apache.cxf.ws.security.sts.provider.model.package-info class. This appears to be correct and I can't find any conflicting versions. We're not using any 1.4 features (act as etc). Thanks for any help or ideas! Alistair