Further exploration and minimal code change seems to fix this issue: First, changing direction (pivotation) from out- to in-bound. | (...) | resMsg = getRemotingConnection().invoke(reqMsg, epInfo, false); | | msgContext = MessageContextJAXWS.processPivot(msgContext); | msgContext.setMessageAbstraction(resMsg); | | // Call the response handler chain, removing the fault type entry will not call handleFault for that chain | handlerPass = callResponseHandlerChain(portName, handlerType[2]); | (...) | With this, WS-Security Handler is called to decrypt the response message, but it result in an NPE. In class WSSecurityDispatcher, method handleInbound, I change string definition with null test. | (...) | OperationMetaData opMetaData = ctx.getOperationMetaData(); | if (opMetaData == null) | { | // Get the operation meta data from the soap message | // for the server side inbound message. | EndpointMetaData epMetaData = ctx.getEndpointMetaData(); | opMetaData = soapMessage.getOperationMetaData(epMetaData); | } | | String operation = opMetaData == null ? null : opMetaData.getQName().toString(); | String port = opMetaData == null ? null : opMetaData.getEndpointMetaData().getPortName().getLocalPart(); | | List<OperationDescription<RequireOperation>> operations = buildRequireOperations(config, operation, port); | (...) | It is working now, but I don't have sure if this is all, but it is almost good (I really like upstream fix). Thanks, View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4122863#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...