Ok, I've done some more investigation and realized that my question is really a bit deeper than what I originally thought. I apologize in advance for the lengthy post. In this large, legacy CXF 2.3 / WSS4J 1.5 based code that I have, the intent is to add a SAML Assertion to a message as a signed supporting token. The way this worked previously is that the code would dynamically change the signature parts from the spring configuration:
from: {Element}{...}Body; STRTransform; {Element}{...}Timestamp; {Element}{...}Action; {Element}{...}To; {Element}{...}MessageID; {Element}{...}ReplyTo To: {Element}{...}Body; Token; {Element}{...}Timestamp; {Element}{...}Action; {Element}{...}To; {Element}{...}MessageID; {Element}{...}ReplyTo; Assertion The addReferencesToSign() would then later scan for Assertion, and add the appropriate references, like so: public void addReferencesToSign(@SuppressWarnings("rawtypes") Vector references, WSSecHeader secHeader) throws WSSecurityException { final Vector<Object> unalteredReferences = new Vector<Object>(); try { for (int part = 0; part < references.size(); part++) { final WSEncryptionPart encPart = (WSEncryptionPart) references.get(part); final String elemName = encPart.getName(); if (elemName != null && "Assertion".equals(elemName)) { final Transforms transforms = new Transforms(document); Element ctx = createSTRParameter(document); transforms.addTransform(STRTransform.implementedTransformURI, ctx); sig.addDocument("#" + this.assertionSecRefUri, transforms, this.getDigestAlgo()); } else { unalteredReferences.add(encPart); } } } super.addReferencesToSign(unalteredReferences, secHeader); } Moving on to CXF 2.7 / WSS4J 1.6, I have two problems: Token is no longer a keyword you can use in signature parts, and transforms & references are added to signatures in a completely different way. I think I've fixed the latter problem, with code like this: public List<javax.xml.crypto.dsig.Reference> addReferencesToSign( @SuppressWarnings("rawtypes") List<WSEncryptionPart> references, WSSecHeader secHeader) throws WSSecurityException { List<javax.xml.crypto.dsig.Reference> referenceList = new ArrayList<javax.xml.crypto.dsig.Reference>(); Transform transform = null; try { for (int part = 0; part < references.size(); part++) { final WSEncryptionPart encPart = (WSEncryptionPart) references.get(part); final String elemName = encPart.getName(); if (elemName != null && "Assertion".equals(elemName)) { Element ctx = createSTRParameter(document); XMLStructure structure = new DOMStructure(ctx); transform = signatureFactory.newTransform(STRTransform.TRANSFORM_URI, structure); DigestMethod digestMethod = signatureFactory.newDigestMethod(this.getDigestAlgo(), null); javax.xml.crypto.dsig.Reference reference = signatureFactory.newReference("#" + this.assertionSecRefUri, digestMethod, Collections.singletonList(transform), null, null); referenceList.add(reference); } } } referenceList.addAll( super.addReferencesToSign(references, secHeader) ); return referenceList; } Which may or may not work, but at least doesn't throw anything at the moment. The removal of Token, on the other hand, is still causing me some trouble. In general, I've replaced Token with {Element}{...}BinarySecurityToken, and that's worked and everything is happy. In this case, I get an exception that the signature can't be done because BinarySecurityToken isn't found: Caused by: org.apache.ws.security.WSSecurityException: Signature creation failed (Cannot setup signature data structure) at org.apache.ws.security.message.WSSecSignatureBase.addReferencesToSign(WSSecSignatureBase.java:191) at org.apache.ws.security.message.WSSecSignature.addReferencesToSign(WSSecSignature.java:411) at gov.faa.swim.ssri.wss.wss4j.saml.SupportingSamlTokenSignedAction$WSSecSamlSupportingTokenSignature.addReferencesToSign(SupportingSamlTokenSignedAction.java:268) at gov.faa.swim.ssri.wss.wss4j.saml.SupportingSamlTokenSignedAction$WSSecSamlSupportingTokenSignature.build(SupportingSamlTokenSignedAction.java:156) at gov.faa.swim.ssri.wss.wss4j.saml.SupportingSamlTokenSignedAction.execute(SupportingSamlTokenSignedAction.java:110) ... 47 more Caused by: org.apache.ws.security.WSSecurityException: General security error (WSEncryptBody/WSSignEnvelope: Element to encrypt/sign not found: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd, BinarySecurityToken) at org.apache.ws.security.message.WSSecSignatureBase.addReferencesToSign(WSSecSignatureBase.java:160) That leads me to believe that Token was a bit smarter keyword in the past, and I need to replace it with something smarter in the present to add the SAML Assertion as a signed supporting token. Which leads me to my questions: 1) How do I modify the Token in signature parts to end up with the SAML Assertion as a signed supporting token in my SOAP message? 2) Is it necessary in CXF 2.7 / WSS4J 1.6 to customize addReferencesToSign() to end up with a signed supporting token, or is there an easier / better way to go about it? Thanx, Stephen W. Chappell