I have decided to pull shared secrets from the feature list of the first production release of WS-Security support.
My list of reasons are the following:
Multiple request/respsonse messages reuse the same key providing a larger sampling of data which improves the likelyhood of a plaintext attack
No association between identity and the encrypted data, thus improving the likelyhood of a forged message, or a key replacement attack
No gaurantee on the strength of the key. Since a symmetric key is nothing more than a block of bytes, a broken tool using a broken random number generator could have generated a predictable key, or worse it could be something like all zeros.
Lack of tools. Java's keytool doesn't let you store keys, so to store them we would have to provide you with yet another keytool.
Feel free to vote on JBWS-286 if you would like to see us add this. Please also add your reasons as to why you would like to have it. (i.e. compatibility with XYZ).