In our use case, we don't use any validation, just securement. This used to work in previous Spring WS versions that depend on WSS4J 1.x, without setting the validationActions property. However when upgrading to Spring WS 2.3.0 and WSS4J 2.x our XML configuration fails because of the following two issues:
a) NullPointerException in validateMessage() because validationActionsVector is not initialized. This field is only initialized if setValidationActions() is invoked, which should not be necessary if validation is not required. NoSecurity should be configured by default.
b) After configuring validationActions="NoSecurity" our configuration still caused failures (Wss4jSecurityValidationException("No WS-Security header found")), as validation was being attempted anyway. This is due to validationActionsVector being initialized as an empty list by WSSecurityUtil.decodeAction("NoSecurity"). Thus the validationActionsVector.contains(WSConstants.NO_SECURITY) check in validateMessage() fails. An empty vector should be interpreted as no validation required, even if validateRequest or validateResponse are true (which are the defaults)
We resolved this by setting the following properties, which should not be required for our use case: