Apache XML Security 1.4.0 has major problems with signed and encrypted messages containing international characters (e. g. payloads containing Czech/Slovak UTF-8-encoded characters. This renders WSS4J support unusable. Version 1.4.1 fixes these problems. See XML Security bugzilla for more details, https://issues.apache.org/bugzilla/show_bug.cgi?id=41462.
(Note that there is already a newer version 1.4.2, however I have encountered major problems with computation of digest of request messages.)