The unique identifier generator used in wss4j generates duplicate identifiers in a multi-threaded environment. The problem is because the getUUID() method is not synchronized, but internally modifies a number of variables (in particular the incrementingValue). If multiple threads call this simultaneously then the same identifier can be returned.
This causes a problem in Axis where this is used for encrypted key token identifiers, so if multiple threads are processing messages simultaneously it is possible for two different keys to have the same identifier. These keys then get placed in the same token store which obviously causes a problem.
This is the same problem as previously reported in
WSCOMMONS-201 with the UUIDGenerator in AXIOM (this class seems to have been originally copied from that one, but before the fix was applied). The fix is to simply make the UUIDGenerator.getUUID() method synchronized.