In previous releases of JBoss EAP 6, CXF placed the `BinarySecurityToken` referenced by the EncryptedKey element after the EncryptedKey element when the WSS timestamp was not included in the SOAP message.
This could cause receivers that expect the `BinarySecurityToken` referenced by the EncryptedKey to be above the EncryptedKey element to fail as they had not processed the `BinarySecurityToken` when attempting to look it up while processing the EncryptedKey element.
This issue has been resolved by moving the BinarySecurityToken higher in the SOAP message. Now `EncryptedKey` elements always reference `BinarySecurityTokens` that have already been found while parsing the SOAP message.
See component upgrade https://bugzilla.redhat.com/show_bug.cgi?id=1153972#c2 for explanation of why the upgrade was reverted and this BZ is set back to ASSIGNED
Verified on 6.4.0.DR10