The client side exception shows that the JAXWS RI is being used, not the jbossws-cxf jaxws implementation. Are you properly enabling ws-security policy support in your client? The exception on server side basically means that the received message does not satifsy the ws-security policy in the endpoint wsdl contract.