The first support for an STS in Apache CXF appeared in the 2.4.0 release with the addition of an STS provider framework in the WS-Security module. This is essentially an API that can be used to create your own STS implementation. As the STS implementation shipped in CXF 2.5 is based on this provider framework, it makes sense to examine it in more detail.
The SEI (Service Endpoint Interface) is available here. It contains the following methods that are relevant to the STS features discussed above:
RequestSecurityTokenResponseCollectionType issue(RequestSecurityTokenType request)- to issue a security token
RequestSecurityTokenResponseType issueSingle( RequestSecurityTokenType request)- to issue a security token that is not contained in a "Collection" wrapper (for legacy applications)
RequestSecurityTokenResponseType cancel(RequestSecurityTokenType request)- to cancel a security token
RequestSecurityTokenResponseType validate(RequestSecurityTokenType request)- to validate a security token
RequestSecurityTokenResponseType renew(RequestSecurityTokenType request)- to renew a security token
The SEI implementation handles each request by delegating it to a particular operation, which is just an interface that must be implemented by the provider framework implementation. Finally, a JAX-WS provider is available, which dispatches a request to the appropriate operation.