Ok, sorry for spamming this list as I keep replying to myself, but removing the LoggingInInterceptor didn't help as I had thought. This looks like it may be an actual problem in the CXF implementation of WSS4JInterceptor. On the handleMessage() method, this line:
SOAPMessage doc = getSOAPMessage(msg); Downloads the entire attachments to disk. And only afterwards are the security headers processed with these lines: Element elem = WSSecurityUtil.getSecurityHeader(doc.getSOAPPart(), actor); List<WSSecurityEngineResult> wsResult = engine.processSecurityHeader(elem, reqData); Ideally, shouldn't the headers be validated before the attachment is downloaded? -- View this message in context: http://cxf.547215.n5.nabble.com/WSS4J-Timestamp-expiring-before-large-file-transfer-finishes-tp5717348p5717373.html Sent from the cxf-user mailing list archive at Nabble.com.
