The Ehcache TokenStore implementation (org.apache.cxf.ws.security.tokenstore.EHCacheTokenStore) is evicting the wrong elements from the token store. It happens very randomly in a heavily multi-threaded application, but at some point it tries to get a DerivedKeyToken (added before sending the request to the server) that was evicted before the response was returned.
I actually see the issue in the Ehcache Element implementation (http://jira.terracotta.org/jira/browse/EHC-1065), because the constructor of class Element that the CXF EHCacheTokenStore implementation is using does not set ‘lastAccessTime’. As lastAccessTime is zero by default, all the DerivedKeyToken elements in the token store have lastAccessTime=0, and there is a possibility that the wrong element is evicted because the default Ehcache LRU policy uses ‘lastAccessTime’ to perform eviction.
I have already reported the issue to Ehcache, although I haven’t received an answer from them. In the meantime, would you consider updating EHCacheTokenStore to use a more suitable Element constructor that allows setting ‘lastAccessTime’ properly?
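
The eviction behaviour described in this report can be reproduced with a simplified model; this is an added example, not Ehcache or CXF code and not from the reporter. The class, field and token names are hypothetical, and the newest-first scan order is an assumption standing in for whatever order the real cache examines its elements in.

```java
import java.util.ArrayList;
import java.util.List;

// Simplified model of an LRU-evicting token store; not Ehcache or CXF code.
public class LruEvictionModel {
    static final class Entry {
        final String tokenId;
        final long lastAccessTime;
        Entry(String id, long t) { tokenId = id; lastAccessTime = t; }
    }

    private final List<Entry> entries = new ArrayList<>();
    private final int capacity;
    private final boolean stampOnPut; // false = lastAccessTime left at 0, as reported
    private long clock = 1000;        // constructed logical clock

    LruEvictionModel(int capacity, boolean stampOnPut) {
        this.capacity = capacity;
        this.stampOnPut = stampOnPut;
    }

    // Stores a token; returns the id evicted to make room, or null.
    String put(String tokenId) {
        long now = clock++;
        String evicted = null;
        if (entries.size() >= capacity) {
            // LRU victim = smallest lastAccessTime. On a tie the first entry
            // scanned wins, so scan order (not age or use) picks the victim.
            Entry victim = entries.get(0);
            for (Entry e : entries) {
                if (e.lastAccessTime < victim.lastAccessTime) victim = e;
            }
            entries.remove(victim);
            evicted = victim.tokenId;
        }
        // Newest first: stands in for an arbitrary hash/sample order.
        entries.add(0, new Entry(tokenId, stampOnPut ? now : 0L));
        return evicted;
    }

    public static void main(String[] args) {
        for (boolean stamp : new boolean[] {false, true}) {
            LruEvictionModel store = new LruEvictionModel(2, stamp);
            store.put("dkt-old");
            store.put("dkt-in-flight"); // request sent, response still pending
            System.out.println("stampOnPut=" + stamp + " evicted: " + store.put("dkt-new"));
        }
    }
}
```

With every entry left at lastAccessTime 0 the comparison cannot tell the in-flight token from the stale one, so the in-flight token can be the one removed. Stamping the time on insert makes the oldest entry the victim.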