I've been assigned a piece of work to investigate and propose a fix for an intermittent and (apparently) non-replicable bug which is causing web service calls to fail with the following error:

Message does not conform to configured policy [ TimestampPolicy(S) AuthenticationTokenPolicy(S) ]:  No Security Header found

The application is the Spring based back end for an online public facing high traffic web site. The web services are accessed with a Axis2 1.4 client.

I think I've managed to track the issue down to a possible concurrency issue, but it doesn't seem to be tied to load exactly, the failure statistics don't support it (sometimes days with low load are worse than days with high load).

Anyway, all of client code for the web services is contained within a single class with a @Repository annotation. Classes in the wider application that need access to this WebServiceClient class have it declared at class scope with @Resource annotation where it is autowired in as required.

The problem as I see it is that in the WebServiceClient the stubs are declared at class scope like so:

private ValidationStub validationStub;
private CustInfoStub custInfoStub;

and are initialised in method scope when the web service is called

this.validationStub= new ValidationStub (this.url);
prepareStub(this.validationPort, username, password);

where the prepareStub method creates the security header and adds it as follows:

stub._getServiceClient().addHeader(element);

I think if I move the stubs from class scope to method scope it will solve the issue, like so:

ValidationStub validationStub = new ValidationStub(this.url);

Has anyone ran into a similar issue? I'm a bit concerned that making this change will have a performance impact.