I'd like to use CXF STS in an X.509 authentication-based scenario. What I don't understand right now is how it does proof-of-possession. I mean, anyone can present a certificate to the STS - it does not mean that she has the private key.
How does this work in CXF?