Your endpoint configuration looks fine to me. For example, here is a (non-STS) endpoint with a custom UsernameToken Validator:
http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/usernametoken/cxf-service.xml?view=markup Could you check what is happening when WSS4J hits the UsernameToken in the security header (UsernameTokenProcessor). What Validator instance is it loading to validate the token? Colm. On Thu, Apr 4, 2013 at 5:03 PM, geecxf <am...@ge.com> wrote: > Well I must be doing something wrong but I don't know what it is. Here is > what I have: > > <jaxws:endpoint id="transportSTS" > implementor="#transportSTSProviderBean" > address="https://localhost:${port}/SecurityTokenService/Transport" > wsdlLocation="wsdl/ws-trust-1.4-service.wsdl" > xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-trust/200512/" > serviceName="ns1:SecurityTokenService" > endpointName="ns1:Transport_Port"> > <jaxws:properties> > <entry key="ws-security.ut.validator"> > <bean class="abc.def.CustomUsernameTokenValidator" /> > </entry> > </jaxws:properties> > </jaxws:endpoint> > > But this does not work. In fact when the STSClient calls the STS it > complains about there not being a CallbackHandler. If I add the callback > handler entry back to the properties in the debugger I can see that it is > not touching the CustomUsernameTokenValidator. Perhaps my endpoint > configuration is incorrect? Once again, I'm stuck. > > > > -- > View this message in context: > http://cxf.547215.n5.nabble.com/DefaultSecurityTokenServiceProvider-does-not-use-CXF-UsernameTokenValidator-tp5725849p5725862.html > Sent from the cxf-user mailing list archive at Nabble.com. > -- Colm O hEigeartaigh Talend Community Coder http://coders.talend.com