The issue with application/octet stream is in how out client handles response. Clients (java and .NET) invoke a proper plug-in based on the MIME type, and we need to support at least 3 various MIME-types (ZIP, exe, pdf). We can make workaround by analyzing the file extension, but the main question is: is this the bug (both WS-Security and MTOM work great separately), or am I doing something wrong? View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4172313#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...