CXF caches tokens in the security runtime in the following circumstances:
- When the IssuedTokenInterceptorProvider is invoked to obtain an Issued token from an STS.
- When the STSTokenValidator is used to validate a received UsernameToken, BinarySecurityToken or SAML Assertion to an STS.
- When the SecureConversation protocol is used.
- When the WS-Trust SPNEGO protocol is used.
- When tokens are obtained from a Kerberos KDC.
In each of these use-cases, the retrieved token is cached to prevent repeated remote calls to obtain the desired security token. There is no built-in support as yet to cache tokens in the WS-Security layer to prevent repeat validation. Of course this could be easily done by wrapping the existing validators with a custom caching solution.