I am trying to understand what WS-Security is and how it works. It uses other terms: STS & WS-Trust.
What is the difference between the DOM-based (in-memory) and StAX-based (streaming) approaches to WS-Security?
Apache CXF supports both DOM-based and StAX-based WS-Security implementations. By default it uses the DOM-based approach, but you can switch to use the StAX-based implementation by setting the JAX-WS property "ws-security.enable.streaming" to "true".
The DOM-based approach loads the entire message into memory before applying WS-Security processing. If you are doing complex manipulations of the SOAP message (signing + encrypting different parts etc.) then this is faster than the streaming approach. However, it uses a lot of memory. The streaming approach uses very little memory for large messages compared to the DOM approach, but can be slower to handle more complex tasks.
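The memory trade-off described in the answer above, as an added example that is not part of the original answer and not CXF code: it uses only the JDK's DOM and StAX APIs (Java 17+ for `HexFormat`) to compute the same SHA-256 digest over a large SOAP Body both ways. The class and method names are hypothetical, the message is constructed, and hashing raw character data is a simplification of the canonicalised digest that XML Signature actually uses.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HexFormat;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.stream.*;

public class DomVsStaxDigest {  // hypothetical demo class, not part of CXF
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    // Constructed sample: a SOAP envelope whose Body holds `items` ASCII-only elements.
    static byte[] sampleMessage(int items) {
        StringBuilder sb = new StringBuilder("<s:Envelope xmlns:s=\"" + SOAP + "\"><s:Header/><s:Body><order>");
        for (int i = 0; i < items; i++) sb.append("<item>payload-").append(i).append("</item>");
        return sb.append("</order></s:Body></s:Envelope>").toString().getBytes(StandardCharsets.UTF_8);
    }

    // DOM: the whole envelope is parsed into a tree, then the Body text is materialised and hashed.
    static String domDigest(byte[] msg) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // SOAP carries no DTD
        String text = f.newDocumentBuilder().parse(new ByteArrayInputStream(msg))
                .getElementsByTagNameNS(SOAP, "Body").item(0).getTextContent();
        return HexFormat.of().formatHex(MessageDigest.getInstance("SHA-256").digest(text.getBytes(StandardCharsets.UTF_8)));
    }

    // StAX: each text event is fed to the digest and then discarded; no tree is ever built.
    static String staxDigest(byte[] msg) throws Exception {
        XMLInputFactory f = XMLInputFactory.newFactory();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        XMLStreamReader r = f.createXMLStreamReader(new ByteArrayInputStream(msg));
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        boolean inBody = false;
        while (r.hasNext()) {
            int e = r.next();
            boolean isBody = (e == XMLStreamConstants.START_ELEMENT || e == XMLStreamConstants.END_ELEMENT)
                    && SOAP.equals(r.getNamespaceURI()) && "Body".equals(r.getLocalName());
            if (isBody) inBody = (e == XMLStreamConstants.START_ELEMENT);
            else if (inBody && r.isCharacters()) md.update(r.getText().getBytes(StandardCharsets.UTF_8));
        }
        return HexFormat.of().formatHex(md.digest());
    }

    public static void main(String[] args) throws Exception {
        byte[] msg = sampleMessage(100_000);
        String d = domDigest(msg), s = staxDigest(msg);
        System.out.println("DOM  " + d + "\nStAX " + s + "\nmatch=" + d.equals(s));
    }
}
```

Running it with a small heap (for example `-Xmx16m`) and a larger `items` count shows the difference in practice: the DOM path is the one that runs out of memory first, while the StAX path keeps only the current event and the digest state.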