I have a working service configured in CXF that sends an outgoing signed
SAML token. While configuring a client interceptor (WSS4JInInerceptor in
CXF) I was getting some exceptions. I noticed that the interceptor calls
checkReceiverResults() in WSHandler.java and my actions were not matching
the wsResults in the vector. After further digging I found that in
SAMLTokenProcessor handleToken() the vector wsResults is added with

returnResults.add(
            0,
            new WSSecurityEngineResult(WSConstants.ST_UNSIGNED, assertion)
        );

Is there a reason why WSConstants.ST_SIGNED is not also used?


I ask because when I configured the client I used the corresponding action
WSHandlerConstants.SAML_TOKEN_SIGNED but this does not work and I had to
change it to WSHandlerConstants.SAML_TOKEN_UNSIGNED.  The CXF interceptor
has and ignore actions flag which by passes this check. Is it a ws-sec
specification violation not to check these results?

thanks