Our WSS4J In/Out interceptors do not appear to be requiring UsernameTokens to have timestamps and nonces. From , lines 176-190, these are used to prevent replay attacks (i.e., an intruder just copying the entire soap header, encrypted or not, and reusing it for another request).
To fix this problem, this blog sample created a separate interceptor that will reject any UsernameToken that does not have both a timestamp and a nonce. Perhaps we should update our WSS4J in/out interceptors to require both of these, so external users don't need to do this.
A question though-
I'm unsure where the nonce-checking is being done-our WSS4J interceptors seem to be ignoring them, but perhaps WSS4J is doing the checking/validation that they are not being used more then once.