Looking at the commits that have gone into the AmberPoint patch I have found there is one issue that has yet to go upstream so I just need to run this past you to double check if this is a scenario we should be supporting. Basically the client has a handler defined that is encrypting the contents of the operation element. They have configured the endpoint with an ENDPOINT handler which decrypts the message. However the order of calls when a message is received is that the pre-handler-chain is called, then we call 'unbindRequestMessage' and call the endpoint handler chain and the 'post-handler-chain' - if the message was modified we call 'unbindRequestMessage' a second time. >From the AmberPoint perspective this is causing them a problem as the first call to 'unbindRequestMessage' is before they have decrypted the message. Our security implementation works by using a post handler on the client side and a pre handler on the endpoint side so this is called before the first 'unbindRequestMessage'. It does sound like our first call to 'unbindRequestMessage' should be after the endpoint handlers have been called as otherwise it severely restricts what the handlers configured using the standard descriptors can actually do but there may be a reason why you have set the order the way you have. https://na1.salesforce.com/500300000035WqW