Tuesday, October 30, 2007

I am wondering

... if anyone has actually ever used Axis 1(.4) and WS-Security! Today we discovered yet another "feature" of Axis which renders some client requests invalid though they are actually ok.

It is the "extra feature" of checking the order of actions (given by the "action" parameter to WSDoAllReceiver) which causes my headaches this time. If you have no control over the clients from which you receive requests, they may produce XML in which the signature and timestamp are in "random" order, but Axis expects them to come in the order specified by the "action" parameter. There is no apparent reason why this extra check is done and it does not give any extra security.

Oh well - back to the editor...
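The mismatch described above, as a simplified model added here (not Axis or WSS4J code, and not from the original post): it reads the order of the signature and timestamp elements in a `wsse:Security` header and compares it with an "action" value, once order-sensitively and once as a set of required actions. The function names, the `Signature Timestamp` action value and the sample envelopes are constructed for illustration, and the security elements are empty stand-ins, so no signature is verified.

```python
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Security header element -> name used in the "action" parameter.
ACTION_FOR = {
    f"{{{DS}}}Signature": "Signature",
    f"{{{WSU}}}Timestamp": "Timestamp",
}

def header_actions(envelope_xml):
    """Return the action names in the order they appear in wsse:Security."""
    # ElementTree is fine for the constructed strings below; untrusted
    # XML should go through a hardened parser instead.
    root = ET.fromstring(envelope_xml)
    security = root.find(f".//{{{WSSE}}}Security")
    if security is None:
        return []
    return [ACTION_FOR[c.tag] for c in security if c.tag in ACTION_FOR]

def strict_order_ok(found, action_param):
    """Order-sensitive comparison: the behaviour the post complains about."""
    return found == action_param.split()

def any_order_ok(found, action_param):
    """Same required actions, any order (hypothetical relaxed check)."""
    return sorted(found) == sorted(action_param.split())

def envelope(*children):
    """Build a constructed SOAP envelope with empty security elements."""
    inner = "".join(f"<{c}/>" for c in children)
    return (f'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            f'xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:ds="{DS}">'
            f"<s:Header><wsse:Security>{inner}</wsse:Security></s:Header>"
            f"<s:Body/></s:Envelope>")

ACTION = "Signature Timestamp"                        # assumed server setting
CLIENT_A = envelope("ds:Signature", "wsu:Timestamp")  # matches the order
CLIENT_B = envelope("wsu:Timestamp", "ds:Signature")  # same tokens, swapped
UNSIGNED = envelope("wsu:Timestamp")                  # signature missing

if __name__ == "__main__":
    for name, msg in [("A", CLIENT_A), ("B", CLIENT_B), ("unsigned", UNSIGNED)]:
        found = header_actions(msg)
        print(name, found, strict_order_ok(found, ACTION), any_order_ok(found, ACTION))
```

Client B carries the same signature and timestamp elements as client A and fails only the order-sensitive comparison, while the unsigned message fails both.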


