EhCache is now used by default to cache SecurityToken tokens for re-use, and for replay detection. It is possible to plug in other implementations by configuration.

The WS-Security module now supports replay detection of timestamps and UsernameToken nonces by default . The default caching time is 60 minutes.

The STS now issues SAML and SecurityContextToken tokens with a default lifetime of 30 minutes (they are also stored in the cache for this length of time).